JAAS, Securing J2EE Applications: Securing Web Components - Subject, Principal and Credentials

(Page 3 of 7 )

 

These three are the most recurring terms in JAAS. They also relate to the core classes of this package. In this section I will be discussing  these terms and their use in the process of providing security.

Subject:

In short, a subject refers to a person, i.e. a user or another system. The users of system depend on various resources provided by the system to perform various computational tasks. These resources are almost always in the form of Services. In certain cases a system itself must depend on the services running on other systems. So, in both cases, whether it is a person who utilizes system services or another system, JAAS must authenticate them. So in the terminology of JAAS, both become subjects.

Principal:

A service is always associated with the name of the subject that is making use of that service. And each subject can use many different services under different names. So principal, in essence, is the name associated with a subject. In other words the name that associates a subject with a service is the principal. Like subject, principal is one of the core classes.

Credentials:

A service, at times, would attach security attributes (also data) to a subject other than the principal. Most of the time these attributes are nothing but the information supplied by the subject for authentication. Such attributes are termed credentials. Credentials may be any type of objects. They can include passwords, Kerberos tickets, and public key certificates. The pluggable feature of JAAS ensures that third party credential implementations may also be incorporated within JAAS without much ado.

The next question obviously would be, how are these related in code? Let’s take a look.

As I have already discussed, each subject may have multiple names. A subject would have a set of principals:

          public interface Principal

{

          public String getName()

}

public final class Subject

{

          public Set getPrincipals() { }

}

Similarly

           public final class Subject {

                   ...

                   public Set getPublicCredentials() { }  // not security checked

                   public Set getPrivateCredentials() { } // security checked

              }

In more explanatory terms, the subject class has a method which returns principals associated with the subject. Since there can be many principals associated with a single instance of a subject, the return type is a collection-Set. The subject class has better methods for Credentials. Here two types of credentials come into the picture: public credentials and private credentials. The public credentials contain the Subject instance’s Public Keys, Kerberos tickets, and so on, whereas the private credentials contain Private Keys, passwords, and so forth. Thus, the subject contains methods to get the credentials and principals associated with it.

Next: Implementing the JAAS Security Module >>
 

More Java Articles
More By A.P.Rajshekhar

Comments On: JAAS, Securing J2EE Applications: Securing Web Components

· HiThank you for reading. Hope it was helpful. Please comment.A.P.Rajshekhar    · Very well structured and helpful for a newbie like me. The "almost" is because I...    · found it very helpful, it only lacks references to specific server aplication...    · Thhanks for your comments. Since here the context is Web Applicatin, so there is no...    · Hi thanks for that article, it helped clear a lot of confusion i was having about...    · Hi liked the explanation of JAASLoginFilter. But what i am not able to understand...   >>> Post your comment now!