of the Web application, implement the appropriate one (or both) of two interfaces related to credentials: javax.security.auth.Refreshable and javax.security.auth.Destroyable.
The javax.security.auth.Refreshable interface provides the capability for a credential to refresh itself. For example, a credential with a particular time-restricted lifespan may implement this interface to allow callers to refresh the time period for which it is valid. The implemented refresh() method appropriately updates or extends the validity of the credential information (subject, of course, to the authorization conditions inherent in the implementation).
Similarly, the javax.security.auth.Destroyable interface provides the capability of destroying the contents of a credential object. The implemented destroy() method clears the information associated with this credential object (again, subject to the authorization conditions inherent in the implementation).
7.4.3.1.3 Subject
The JAAS defines the term, and a class called Subject, that represents the source of a "request." Having defined principal and credentials, it is now easier to understand the term subject. The subject represents any entity, such as a person or a service in a Web or enterprise application. Once the subject is authenticated, the subject is populated with the principals and credentials associated with the request, as shown in Figure 7.4.
A subject is typically represented by a set of attributes called principals and credentials. A subject may represent many principals. For instance, let us assume that a person may be identified by two items: his/her name and his/her SSN. In this case we have two principals for the subject under consideration: a Name Principal (for example, Uma Thurman) and an SSN Principal (for example, 123-45-6789). The combination of these principals helps in distinguishing one subject from others. Likewise, a subject may also own security-related attributes, called credentials. For instance, sensitive credentials that require special protection, such as the private cryptographic keys depicted in Figure 7.3, may be stored within a private credential set. Credential attributes that are intended to be shared, such as public key certificates, are stored within a public credential set. The JAAS module allows different "permissions" to be granted for accessing and modifying the different credential sets.
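The following added example (not code from the book) puts the two preceding passages together: a Subject populated with the Name and SSN principals described above, a public credential, and a private credential that implements both Refreshable and Destroyable so that it can be extended before it lapses and wiped at logout. The SimplePrincipal and SessionSecret classes and the placeholder public credential are constructed for the illustration.

```java
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Refreshable;
import javax.security.auth.Subject;

public class SubjectDemo {
    // Constructed principal type standing in for the book's Name Principal and SSN Principal.
    static final class SimplePrincipal implements Principal {
        private final String type, name;
        SimplePrincipal(String type, String name) { this.type = type; this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return type + "=" + name; }
    }

    // Constructed private credential: a time-limited secret that can be refreshed and destroyed.
    static final class SessionSecret implements Refreshable, Destroyable {
        private byte[] secret;
        private Instant expiry;
        SessionSecret(byte[] secret, Duration ttl) { this.secret = secret.clone(); this.expiry = Instant.now().plus(ttl); }
        @Override public boolean isCurrent() { return secret != null && Instant.now().isBefore(expiry); }
        @Override public void refresh() throws RefreshFailedException {
            if (secret == null) throw new RefreshFailedException("credential already destroyed");
            expiry = Instant.now().plus(Duration.ofMinutes(30));   // extend the validity period
        }
        @Override public void destroy() throws DestroyFailedException {
            if (secret != null) { Arrays.fill(secret, (byte) 0); secret = null; }   // wipe, then drop
        }
        @Override public boolean isDestroyed() { return secret == null; }
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        subject.getPrincipals().add(new SimplePrincipal("Name", "Uma Thurman"));
        subject.getPrincipals().add(new SimplePrincipal("SSN", "123-45-6789"));
        subject.getPublicCredentials().add("PUBLIC-KEY-CERT (constructed placeholder)");
        SessionSecret secret = new SessionSecret("s3cr3t".getBytes(), Duration.ofSeconds(5));
        subject.getPrivateCredentials().add(secret);

        System.out.println("principals: " + subject.getPrincipals());
        secret.refresh();                                   // extend before it lapses
        System.out.println("current after refresh: " + secret.isCurrent());
        // At logout, destroy every private credential that supports it, then freeze the Subject.
        for (Destroyable d : subject.getPrivateCredentials(Destroyable.class)) d.destroy();
        subject.setReadOnly();
        System.out.println("destroyed: " + secret.isDestroyed() + ", current: " + secret.isCurrent());
    }
}
```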
[Figure 7.4: Java representation of a Subject class. Figure labels: Subject, Principal (user name), Private Credential (Password, Private Key), Public Credential (Public Key).]