jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: 2-TerminologyUserVsCaller ACTION: cast vote

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Wed, 24 Jun 2015 17:13:02 +0200

Hi,

On Tue, Jun 23, 2015 at 11:15 PM, Adam Bien <abien_at_adam-bien.com> wrote:
> I like “caller” better.
>
> However: So far (<Java EE 8) “principal” was for me the authenticated user or caller. The question is whether the “principal” is an already established term or whether it is just my perception.

I hear you.

This is another well known point of confusion in (Java) security. It's
not Java EE though, but Java SE and various other frameworks as well.

The problem is that "Principal" is more akin to the concept
"Attribute". There are many kinds of Principals; a caller principal, a
group principal, a run-as principal and more. So it's not Caller vs
Principal, but "Caller Principal" vs "User Principal". From the
Principal you get the name, so you end up with "Caller name" and "User
name".

The overarching thing is the "Subject", which corresponds to the
"authentication identity" and represents a "bag of Principals".

Kind regards,
Arjan Tijms

>
> adam
>
>
>> On 18.06.2015, at 23:28, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>
>> Hi,
>>
>> Another concept for which there are different terms in use is what we often call using simple language the "logged-in user", and with some more formal language sometimes the "authenticated/authentication identity".
>>
>> Next to the logged-in/authentication user/identity, there's another variant; the run-as user/identity.
>>
>> In Java EE there's one extra step even. Various API methods return a single principal from the user/identity called the "user principal" or the "caller principal".
>>
>> To put these terms somewhat in context, consider the following sentence from the JASPIC spec, B.1:
>>
>> "When the authentication identity is provided to the container as a bag of principals in a Subject, the container needs some way to recognize which of the principals in the subject should be returned as the caller or user Principal."
>>
>> Now it's this last term that's specifically problematic in Java EE "caller or user principal". https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-2 shows that various APIs in Java EE use either "caller" or "principal" now.
>>
>> For this issue I'd like to ask you again to vote for a term, or propose a new term. Again, it's a non-binding vote of course and to establish a working term. As the previous vote ran for a long time, I'd like to set this vote to *2 weeks*.
>>
>> The list of terms is currently the following:
>>
>> 1. user (principal)
>> 2. caller (principal)
>> 3. ???
>>
>> Pedro already expressed a preference for "caller" in the issue, which is my preference as well (but consistency is my top concern).
>>
>> So we now have
>>
>> 2 out of 14 voted:
>>
>> Pedro Igor: caller
>> Arjan Tijms: caller
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>>
>>
>>
>
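To make the Subject-versus-Principal distinction from the thread concrete, here is an added example (not code from the thread or from any Java EE container) that models the JASPIC B.1 situation: the authentication identity arrives as a Subject holding a bag of principals, and the container must decide which one is the caller principal. The principal classes `CallerPrincipal` and `GroupPrincipal` and the class `SubjectVsPrincipal` are assumptions for the example; real containers use their own implementation types.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical principal types (assumed for this example): one marks the caller,
// the other a group membership. Both are "just" Principals inside the Subject.
final class CallerPrincipal implements Principal {
    private final String name;
    CallerPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

final class GroupPrincipal implements Principal {
    private final String name;
    GroupPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

public class SubjectVsPrincipal {

    // The container's task per JASPIC B.1: out of the bag of principals in the
    // Subject, select the one to return as the caller (user) principal. A bag with
    // zero or several caller principals is ambiguous, so it is rejected rather than
    // silently picking one.
    static Principal callerPrincipal(Subject subject) {
        Set<CallerPrincipal> callers = subject.getPrincipals(CallerPrincipal.class);
        if (callers.size() != 1) {
            throw new IllegalStateException(
                "expected exactly one caller principal, found " + callers.size());
        }
        return callers.iterator().next();
    }

    // Group principals are a different kind of principal in the same bag.
    static Set<GroupPrincipal> groups(Subject subject) {
        return subject.getPrincipals(GroupPrincipal.class);
    }

    public static void main(String[] args) {
        // Constructed sample: the authentication identity as a Subject with one
        // caller principal and two group principals.
        Subject subject = new Subject();
        subject.getPrincipals().add(new CallerPrincipal("alice"));
        subject.getPrincipals().add(new GroupPrincipal("architect"));
        subject.getPrincipals().add(new GroupPrincipal("employee"));

        // The "caller name" is taken from the caller principal, not from the Subject.
        System.out.println("caller name: " + callerPrincipal(subject).getName());
        for (GroupPrincipal g : groups(subject)) {
            System.out.println("group: " + g.getName());
        }
    }
}
```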