Posted to user@shiro.apache.org by Alex Orlov <oo...@mail.ru> on 2020/11/04 10:07:11 UTC

Principal in Shiro

Hi all,
 
I am learning Shiro and have difficulty understanding what a Principal is in Shiro.
 
As I understand from this https://stackoverflow.com/a/5025140/5057736, Principal is a higher
level of user, system etc. For example, if human users and external systems can work in our
application, then they (users and systems) are principals.
 
However, from Shiro Terminology (https://shiro.apache.org/terminology.html): A Principal is any
identifying attribute of an application user (Subject). An ‘identifying attribute’ can be anything that
makes sense to your application - a username, a surname, a given name, a social security number,
a user ID, etc.
 
So, could anyone explain what is Principal — is it a User or User.getId()?
 
 
--
Best regards, Alex Orlov

Re[2]: Principal in Shiro

Posted by Alex Orlov <oo...@mail.ru>.
Could you explain what is correct? The question is if a principal is an ACTOR or
ACTOR’S attribute. Everyone should agree that user != username, shouldn’t he?

 
--
Best regards, Alex Orlov
>Wednesday, 4 November 2020, 15:01 +03:00 from Benjamin Marwell <bm...@apache.org>:
> 
>Correct.
> 
>To complete the picture:
> 
>https://shiro.apache.org/terminology.html
> 
>Also, the PrincipalCollection knows which realms the user is known in. This is why most methods return such a collection, not a single Principal.
> 
>Most apps only have one realm, but they could have multiple realms. E.g. LDAP and a config file.

Re: Re[4]: Principal in Shiro

Posted by Brian Demers <br...@gmail.com>.
Sort of: the Subject would be the actor; the Subject has principals.

On Wed, Nov 4, 2020 at 11:34 AM Alex Orlov <oo...@mail.ru> wrote:

> Thank you for such a detailed explanation. As a result, just to check that
> my understanding is correct, can we say:
>
> Principal is a subset of Subject, so Principal is an actor. However, as
> Shiro supports different security types, Shiro uses Principal as an actor’s
> identifying attribute for a generic approach.
>
> --
> Best regards, Alex Orlov

Re[4]: Principal in Shiro

Posted by Alex Orlov <oo...@mail.ru>.
Thank you for such a detailed explanation. As a result, just to check that my understanding is correct, can we say:
 
Principal is a subset of Subject, so Principal is an actor. However, as Shiro supports different security types, Shiro uses Principal as an actor’s identifying attribute for a generic approach.
 
--
Best regards, Alex Orlov
>Wednesday, 4 November 2020, 18:37 +03:00 from Brian Demers <bd...@apache.org>:
> 
>The SO answer looks pretty good to me, but it's pretty high level.
>You also need to take into account how they are used in context and naming conventions (e.g. Java has `java.security.Principal`).
> 
>A principal could be any object, it's commonly a String, i.e. a username or email address.  These may or may not be the identifier for the principal.  It's common for usernames and email addresses to change as the result of a marriage or adoption, so another identifier might be used.
> 
>Another common case of an AuthenticationToken is Bearer tokens, 
>Shiro's Bearer token:  https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authc/BearerToken.java . Is modeled as a string, but it is NOT a principal identifier, really it's ONLY a credential.
> 
>A bearer token might be an opaque string, or it could be a security token (e.g. a JWT/PASETO/etc), when the token is validated, it _might_ not contain any identifier.
> 
>Similar to a certificate-based authentication, you might just have the cert as an object and NOT a String.
> 
>In practice... when we talk about human users they often have some sort of string identifier, because we naturally think username/password authentication.  This is NOT universal though.
> 
> 
>Sorry for the rambling answer, I'm not sure if I've answered your question or not.
>-Brian

Re: Re[2]: Principal in Shiro

Posted by Brian Demers <bd...@apache.org>.
The SO answer looks pretty good to me, but it's pretty high level.
You also need to take into account how they are used in context and naming
conventions (e.g. Java has `java.security.Principal`).

A principal could be any object, it's commonly a String, i.e. a username or
email address.  These may or may not be the identifier for the principal.
It's common for usernames and email addresses to change as the result of a
marriage or adoption, so another identifier might be used.

Another common case of an AuthenticationToken is Bearer tokens,
Shiro's Bearer token:
https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authc/BearerToken.java.
Is modeled as a string, but it is NOT a principal identifier, really it's
ONLY a credential.

A bearer token might be an opaque string, or it could be a security token
(e.g. a JWT/PASETO/etc), when the token is validated, it _might_ not
contain any identifier.

Similar to a certificate-based authentication, you might just have the cert
as an object and NOT a String.

In practice... when we talk about human users they often have some sort of
string identifier, because we naturally think username/password
authentication.  This is NOT universal though.


Sorry for the rambling answer, I'm not sure if I've answered your question
or not.
-Brian


On Wed, Nov 4, 2020 at 8:31 AM Alex Orlov <oo...@mail.ru> wrote:

> Let me explain the reason for this question.
>
> From the SO answer (https://stackoverflow.com/a/5025140/5057736):
>
> *"Principal* - A subset of *subject* that is represented by an account,
> role or other unique identifier. When we get to the level of implementation
> details, principals are the unique keys we use in access control lists.
> They may represent human users, automation, applications, connections, etc.
> …
> Subject/Object inherits from the same terms as used in grammar. In a
> sentence the subject is the actor and the object is the thing acted on.*"*
>
> So, Principal is a subset of Subject → principal is an actor.
>
> However, in Shiro, a *Principal* is any identifying attribute of an
> application user (Subject).
>
> So, I try to understand: 1) the SO answer is wrong; 2) Shiro is wrong; 3) I
> understand everything wrong.
>
> If #2, then AuthenticationToken should be
>
> public interface AuthenticationToken extends Serializable {
>     public Object getPrincipalId();//added "Id"
>     public Object getCredentials();
> }
>
>
>
> --
> Best regards, Alex Orlov

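As an added example (written for this page, not code from Shiro or from anyone in the thread) of the points Brian and Benjamin make above: a username/password realm and a bearer-token realm that both return a stable account id as the primary principal, with the username as a secondary identifying attribute and the bearer token used only as a credential, plus a main method that prints each Subject's PrincipalCollection with its realm names. The account id, password and token value are constructed sample data; the realm class names are hypothetical.

```java
import java.util.List;
import java.util.Map;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.apache.shiro.subject.Subject;

public class PrincipalDemo {
    // Constructed sample data: one stable account id, plus the mutable attributes (username, password, opaque bearer token) that refer to it.
    static final Map<String, String> USERNAME_TO_ID = Map.of("alice", "acct-1001");
    static final Map<String, String> ID_TO_PASSWORD = Map.of("acct-1001", "secret");
    static final Map<String, String> BEARER_TO_ID = Map.of("opaque-token-xyz", "acct-1001");

    /** Username/password realm: the username is an identifying attribute, not the actor. */
    static class PasswordRealm extends AuthenticatingRealm {
        PasswordRealm() { setName("passwordRealm"); setAuthenticationTokenClass(UsernamePasswordToken.class); }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = (String) token.getPrincipal();
            String id = USERNAME_TO_ID.get(username);
            if (id == null) throw new UnknownAccountException("no account for " + username);
            SimplePrincipalCollection principals = new SimplePrincipalCollection();
            principals.add(id, getName());       // primary principal: survives a username change
            principals.add(username, getName()); // secondary identifying attribute
            // The stored password is the credential; Shiro's matcher compares it with the token's.
            return new SimpleAuthenticationInfo(principals, ID_TO_PASSWORD.get(id));
        }
    }

    /** Bearer-token realm: the token is ONLY a credential; the principal comes from a lookup. */
    static class TokenRealm extends AuthenticatingRealm {
        TokenRealm() { setName("tokenRealm"); setAuthenticationTokenClass(BearerToken.class); }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String bearer = ((BearerToken) token).getToken();
            String id = BEARER_TO_ID.get(bearer);
            if (id == null) throw new IncorrectCredentialsException("unknown bearer token");
            // The opaque token carries no identifier, so the only principal is the looked-up id.
            return new SimpleAuthenticationInfo(id, bearer, getName());
        }
    }

    static void show(String label, Subject subject) {
        PrincipalCollection pc = subject.getPrincipals(); // the Subject is the actor; it has principals
        System.out.println(label + ": primary=" + pc.getPrimaryPrincipal() + " realms=" + pc.getRealmNames() + " all=" + pc.asList());
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(List.<Realm>of(new PasswordRealm(), new TokenRealm())));
        Subject byPassword = new Subject.Builder().buildSubject();
        byPassword.login(new UsernamePasswordToken("alice", "secret"));
        show("password login", byPassword);
        Subject byToken = new Subject.Builder().buildSubject();
        byToken.login(new BearerToken("opaque-token-xyz"));
        show("bearer login", byToken); // the token string itself never appears among the principals
    }
}
```

Needs shiro-core with the BearerToken class linked in the thread on the classpath and Java 9 or later for Map.of/List.of; each realm only sees the token type it declares via setAuthenticationTokenClass.
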
Re[2]: Principal in Shiro

Posted by Alex Orlov <oo...@mail.ru>.
Let me explain the reason for this question.
 
From the SO answer ( https://stackoverflow.com/a/5025140/5057736 ):
 
"Principal - A subset of subject that is represented by an account, role or other unique identifier. When we get to the level of implementation details, principals are the unique keys we use in access control lists. They may represent human users, automation, applications, connections, etc.
…
Subject/Object inherits from the same terms as used in grammar. In a sentence the subject is the actor and the object is the thing acted on."
 
So, Principal is a subset of Subject → principal is an actor.
 
However, in Shiro, a Principal is any identifying attribute of an application user (Subject).
 
So, I try to understand: 1) the SO answer is wrong; 2) Shiro is wrong; 3) I understand everything wrong.
 
If #2, then AuthenticationToken should be
 
public interface AuthenticationToken extends Serializable {
    public Object getPrincipalId();//added "Id"
    public Object getCredentials();
}
 
 
 
--
Best regards, Alex Orlov
>Wednesday, 4 November 2020, 15:01 +03:00 from Benjamin Marwell <bm...@apache.org>:
> 
>Correct.
> 
>To complete the picture:
> 
>https://shiro.apache.org/terminology.html
> 
>Also, the PrincipalCollection knows which realms the user is known in. This is why most methods return such a collection, not a single Principal.
> 
>Most apps only have one realm, but they could have multiple realms. E.g. LDAP and a config file.

Re: Principal in Shiro

Posted by Benjamin Marwell <bm...@apache.org>.
Correct.

To complete the picture:

https://shiro.apache.org/terminology.html

Also, the PrincipalCollection knows which realms the user is known in. This
is why most methods return such a collection, not a single Principal.

Most apps only have one realm, but they could have multiple realms. E.g.
LDAP and a config file.




On Wed, 4 Nov 2020, 12:30 Andreas Reichel, <an...@manticore-projects.com>
wrote:

>
>
> On Wed, 2020-11-04 at 13:07 +0300, Alex Orlov wrote:
>
> So, could anyone explain what is Principal — is it a User or User.getId()?
>
>
>
> Good afternoon Alex.
>
> While I am just a Shiro user (but not a developer), my understanding is
> that a Principal is anything you (or a service) can authenticate or
> authorize against.
> Any entity you can send to a service and get a response ("yes",
> authenticated) for is a principal.
>
> The nature of this principal depends on the service itself.
> If the authentication service expects a Username, then this Username is a
> Principal. But if the service expects a Global Unique Token, then this
> Username would not qualify as a Principal (but the Token would).
>
> Cheers!
> Andreas
>

Re: Principal in Shiro

Posted by Andreas Reichel <an...@manticore-projects.com>.

On Wed, 2020-11-04 at 13:07 +0300, Alex Orlov wrote:
> So, could anyone explain what is Principal — is it a User or
> User.getId()?
>  

Good afternoon Alex.

While I am just a Shiro user (but not a developer), my understanding
is that a Principal is anything you (or a service) can authenticate or
authorize against.
Any entity you can send to a service and get a response ("yes",
authenticated) for is a principal.

The nature of this principal depends on the service itself.
If the authentication service expects a Username, then this Username is
a Principal. But if the service expects a Global Unique Token, then
this Username would not qualify as a Principal (but the Token would).

Cheers!
Andreas