Posted to user@shiro.apache.org by Alex Orlov <oo...@mail.ru> on 2020/11/04 16:34:18 UTC

Re[4]: Principal in Shiro

Thank you for such a detailed explanation. As a result, just to check that my understanding is correct, can we say:
 
Principal is a subset of Subject, so Principal is an actor. However, as Shiro supports different security types, Shiro uses Principal as an actor’s identifying attribute for a generic approach.
 
--
Best regards, Alex Orlov
>Wednesday, 4 November 2020, 18:37 +03:00 from Brian Demers <bd...@apache.org>:
> 
>The SO answer looks pretty good to me, but it's pretty high level.  
>You also need to take into account how they are used in context and naming conventions (e.g. Java has `java.security.principal`)
> 
>A principal could be any object, it's commonly a String, i.e. a username or email address.  These may or may not be the identifier for the principal.  It's common for usernames and email addresses to change as the result of a marriage or adoption, so another identifier might be used.
> 
>Another common case of an AuthenticationToken is bearer tokens. Shiro's BearerToken ( https://github.com/apache/shiro/blob/master/core/src/main/java/org/apache/shiro/authc/BearerToken.java ) is modeled as a string, but it is NOT a principal identifier; really it's ONLY a credential.
> 
>A bearer token might be an opaque string, or it could be a security token (e.g. a JWT/PASETO/etc), when the token is validated, it _might_ not contain any identifier.
> 
>Similar to a certificate-based authentication, you might just have the cert as an object and NOT a String.
> 
>In practice... when we talk about human users they often have some sort of string identifier, because we naturally think username/password authentication.  This is NOT universal though.
> 
> 
>Sorry for the rambling answer, I'm not sure if I've answered your question or not.
>-Brian
>   
>On Wed, Nov 4, 2020 at 8:31 AM Alex Orlov < ooo_saturn7@mail.ru > wrote:
>>Let me explain the reason for this question.
>> 
>>From the SO answer ( https://stackoverflow.com/a/5025140/5057736 ):
>> 
>>"Principal - A subset of  subject that is represented by an account, role or other unique identifier. When we get to the level of implementation details, principals are the unique keys we use in access control lists. They may represent human users, automation, applications, connections, etc.
>>…
>>Subject/Object inherits from the same terms as used in grammar. In a sentence the subject is the actor and the object is the thing acted on."
>> 
>>So, Principal is a subset of Subject → principal is an actor.
>> 
>>However, in Shiro a Principal is any identifying attribute of an application user (Subject).
>> 
>>So, I am trying to understand which is the case: 1) the SO answer is wrong, 2) Shiro is wrong, or 3) I am misunderstanding everything.
>> 
>>if #2 then AuthenticationToken should be
>> 
>>public interface AuthenticationToken extends Serializable {
>>    public Object getPrincipalId(); // added "Id"
>>    public Object getCredentials();
>>}
>> 
>> 
>> 
>>--
>>Best regards, Alex Orlov   
>>>Wednesday, 4 November 2020, 15:01 +03:00 from Benjamin Marwell < bmarwell@apache.org >:
>>> 
>>>Correct.
>>> 
>>>To complete the picture:
>>> 
>>>https://shiro.apache.org/terminology.html
>>> 
>>>Also, the PrincipalCollection knows which realms the user is known in. This is why most methods return such a collection, not a single Principal.
>>> 
>>>Most apps only have one realm, but they could have multiple realms. E.g. LDAP and a config file.
>>>
>>>
>>>     
>>>On Wed, 4 Nov 2020, 12:30 Andreas Reichel, < andreas@manticore-projects.com > wrote:
>>>> 
>>>> 
>>>> 
>>>>On Wed, 2020-11-04 at 13:07 +0300, Alex Orlov wrote:
>>>>>So, could anyone explain what a Principal is — is it a User or User.getId()?
>>>>> 
>>>> 
>>>>Good afternoon Alex.
>>>> 
>>>>While I am just a Shiro user (not a developer), my understanding is that a Principal is anything you (or a service) can authenticate or authorize against.
>>>>Any entity you can send to a service and get a response ("yes", authenticated) for is a principal.
>>>> 
>>>>The nature of this principal depends on the service itself.
>>>>If the authentication service expects a Username, then this Username is a Principal. But if the service expects a Global Unique Token, then this Username would not qualify as a Principal (but the Token would).
>>>> 
>>>>Cheers!
>>>>Andreas
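
As an added illustration of the distinction drawn in this thread (this is example code, not code from the thread or from Shiro's own code base): a custom realm for Shiro's BearerToken in which the token string is only the credential, the principals are whatever validating it yields, and they are recorded per realm in a PrincipalCollection. The realm name, the token table and the user values are constructed for the example.

```java
// Added example, not Shiro's own code: a realm that authenticates BearerToken.
// The bearer string is the credential; principals come from validating it.
import java.util.Map;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.SimplePrincipalCollection;

public class BearerTokenRealm extends AuthenticatingRealm {
    static final String REALM = "bearer-realm"; // constructed realm name
    // Constructed sample token store: opaque bearer token -> stable user id.
    private static final Map<String, String> TOKENS = Map.of("tok-abc123", "user-42");
    private static final Map<String, String> USERNAMES = Map.of("user-42", "alice");

    public BearerTokenRealm() {
        setName(REALM);
        // The token is fully validated in doGetAuthenticationInfo; nothing to compare locally.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        return token instanceof BearerToken; // username/password tokens go to other realms
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String bearer = ((BearerToken) token).getToken(); // the credential, not a principal
        String userId = TOKENS.get(bearer);
        if (userId == null) {
            throw new AuthenticationException("unknown or expired bearer token");
        }
        // Principals are what validation yields: the stable id first (primary principal),
        // the username second since usernames can change; both tagged with this realm.
        SimplePrincipalCollection principals = new SimplePrincipalCollection();
        principals.add(userId, REALM);
        principals.add(USERNAMES.get(userId), REALM);
        return new SimpleAuthenticationInfo(principals, bearer);
    }

    public static void main(String[] args) {
        AuthenticationInfo info = new BearerTokenRealm().getAuthenticationInfo(new BearerToken("tok-abc123"));
        System.out.println(info.getPrincipals().getPrimaryPrincipal() + " via " + info.getPrincipals().getRealmNames());
    }
}
```

An unknown token never reaches a principal at all, which is the point made above: the string on the wire identifies nothing until the realm has validated it.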

Re: Re[4]: Principal in Shiro

Posted by Brian Demers <br...@gmail.com>.
Sort of: the Subject would be the actor, and the Subject has principals.

On Wed, Nov 4, 2020 at 11:34 AM Alex Orlov <oo...@mail.ru> wrote:

> Thank you for such detailed explanation. In a result, just to check that
> my understanding is correct, can we say:
>
> Principal is a subset of Subject, so Principal is an actor. However, as
> Shiro supports different security types, Shiro uses Principal as an actor’s
> identifying attribute for generic approach.
>
> --
> Best regards, Alex Orlov