The Artima Developer Community

Dynamic Permission Grants
A Conversation with Bob Scheifler, Part V
by Bill Venners
August 5, 2002

<<  Page 4 of 5  >>


Subject versus Principal

Bill Venners: What's the difference between a subject and a principal?

Bob Scheifler: A subject is a container that has principals and their credentials. Credentials prove you are the principals. If I am a client that makes a remote call to you, I will authenticate to you. The basis of that authentication is the subject that the client's thread executes under. The set of potential principals that I might authenticate as are the principals in the subject. I will prove the identity of those principals with the credentials in the subject.

Bill Venners: Every thread operates on behalf of one subject.

Bob Scheifler: Typically, yes. It is actually a little more complicated than that. The leaf-most executed subject is the one you will use for authentication. There is essentially a notion of a current subject for a thread.

Bill Venners: What do you mean by leaf-most?

Bob Scheifler: There may be a cascade of subjects executing. I might say execute this code as Bob, but that code says execute this subsidiary code as Alice. Are you both Bob and Alice at that point? The answer is no. You are just Alice. But Bob is still there in the sense that when you finish executing as Alice, you start executing again as Bob. At the time we do a dynamic grant, we grant not just to the class loader, but also to the combination of the principals of the current subject and the class loader. If you have a simple application that you only execute as one identity, it doesn't matter that you grant to the subject. It only matters when you have a virtual machine in which different threads execute as different identities either because you have multiple services that share a VM or you have a service that executes code as client identity for the client.

You must make sure you don't step on each other's toes. Both Bob and Alice run on the same VM. The fact that Bob decides to trust the proxy doesn't mean that Alice should trust the proxy.

Bill Venners: They may have the same proxy.

Bob Scheifler: They may have the same proxy, but they want to segregate who trusts whom for that purpose. Tying it to principals is the way that you can do that segregation. So the dynamic policy mechanism is to say in addition to the standard Java security policy object, we implemented an additional interface that allows us to do these dynamic grants.
