Network authentication by a client (to a server) is scoped and controlled by the client's {@link javax.security.auth.Subject}. The client's subject is the current subject associated with the thread making the remote call. The subject for a thread normally is set using {@link javax.security.auth.Subject#doAs Subject.doAs}, and is retrieved from a thread by calling {@link javax.security.auth.Subject#getSubject Subject.getSubject} with the thread's current access control context (given by calling {@link java.security.AccessController#getContext AccessController.getContext}).
A client can only authenticate itself in a remote call as some subset of the principals in its Subject, and only if that subject contains the necessary public and/or private credentials required for the authentication mechanism used by the proxy and server implementations. However, additional principals and credentials might be derived as a result of authentication. A client generally must have permission (such as {@link net.jini.security.AuthenticationPermission}) to authenticate itself in a remote call.
In the server, the result of authenticating the client typically is represented by a subject containing the subset of authenticated client principals plus any derived principals, and the public credentials used during authentication plus any derived public credentials. This subject typically is used by the server for authorization (access control) decisions; in particular, it is used to decide if the client is permitted to make the remote call. This subject normally does not contain any private credentials, and so cannot be used for authentication in further remote calls, unless {@link Delegation} is used.
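The subject scoping described above, as an added example that is not part of this documentation: it builds a constructed subject, shows that {@code Subject.getSubject(AccessController.getContext())} yields that subject only inside {@code Subject.doAs}, and builds the constraints a client would place on a proxy to require authentication as at least that principal. The {@code ClientSubjectDemo} class, its helper methods and the placeholder private credential are assumptions for illustration; the proxy line is left as a comment because no proxy exists here.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import net.jini.core.constraint.ClientAuthentication;
import net.jini.core.constraint.ClientMinPrincipal;
import net.jini.core.constraint.InvocationConstraint;
import net.jini.core.constraint.InvocationConstraints;

public class ClientSubjectDemo {

    /** The subject scoping authentication for the calling thread, or null if none was set. */
    static Subject currentClientSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    /** Principals the client could authenticate as: never more than its current subject holds. */
    static Set<Principal> authenticatablePrincipals() {
        Subject s = currentClientSubject();
        return s == null ? Collections.<Principal>emptySet() : s.getPrincipals();
    }

    /** Client-side constraints: must authenticate, and at least as principal p. */
    static InvocationConstraints requireAuthAs(Principal p) {
        return new InvocationConstraints(
            new InvocationConstraint[] { ClientAuthentication.YES, new ClientMinPrincipal(p) },
            null);
    }

    public static void main(String[] args) {
        // Constructed sample subject: one principal, one placeholder private credential.
        Principal alice = new X500Principal("CN=alice, O=Example");
        Set<Principal> principals = new HashSet<>(Collections.singleton(alice));
        Set<Object> privateCreds = new HashSet<>(Collections.singleton("placeholder-private-credential"));
        Subject clientSubject = new Subject(false, principals, new HashSet<>(), privateCreds);

        // Outside doAs there is no subject on the thread, so nothing to authenticate as.
        System.out.println("before doAs: " + authenticatablePrincipals());

        // Inside doAs the thread's access control context carries the subject.
        Subject.doAs(clientSubject, (PrivilegedAction<Void>) () -> {
            System.out.println("inside doAs: " + authenticatablePrincipals());
            InvocationConstraints c = requireAuthAs(alice);
            System.out.println("constraints: " + c);
            // With a real proxy (assumed): proxy = ((RemoteMethodControl) proxy).setConstraints(new BasicMethodConstraints(c));
            return null;
        });
    }
}
```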
Serialization for this class is guaranteed to produce instances that are comparable with ==.
@author Sun Microsystems, Inc.
@see ClientMaxPrincipal
@see ClientMaxPrincipalType
@see ClientMinPrincipal
@see ClientMinPrincipalType
@see Delegation
@see net.jini.security.AuthenticationPermission
@since 2.0