Subject (Java SE 15 & JDK 15) (original) (raw)

All Implemented Interfaces:

[Serializable](../../../java/io/Serializable.html "interface in java.io")

public final class Subject extends Object implements Serializable

A Subject represents a grouping of related information for a single entity, such as a person. Such information includes the Subject's identities as well as its security-related attributes (passwords and cryptographic keys, for example).

Subjects may potentially have multiple identities. Each identity is represented as a Principal within the Subject. Principals simply bind names to aSubject. For example, a Subject that happens to be a person, Alice, might have two Principals: one which binds "Alice Bar", the name on her driver license, to the Subject, and another which binds, "999-99-9999", the number on her student identification card, to the Subject. Both Principals refer to the sameSubject even though each has a different name.

A Subject may also own security-related attributes, which are referred to as credentials. Sensitive credentials that require special protection, such as private cryptographic keys, are stored within a private credentialSet. Credentials intended to be shared, such as public key certificates or Kerberos server tickets are stored within a public credential Set. Different permissions are required to access and modify the different credential Sets.

To retrieve all the Principals associated with a Subject, invoke the getPrincipals method. To retrieve all the public or private credentials belonging to a Subject, invoke the getPublicCredentials method orgetPrivateCredentials method, respectively. To modify the returned Set of Principals and credentials, use the methods defined in the Set class. For example:

  Subject subject;
  Principal principal;
  Object credential;

  // add a Principal and credential to the Subject
  subject.getPrincipals().add(principal);
  subject.getPublicCredentials().add(credential);

This Subject class implements Serializable. While the Principals associated with the Subject are serialized, the credentials associated with the Subject are not. Note that the java.security.Principal class does not implement Serializable. Therefore all concretePrincipal implementations associated with Subjects must implement Serializable.

Since:

1.4

Constructor Summary

Constructors

Constructor	Description
Subject()	Create an instance of a Subject with an empty Set of Principals and empty Sets of public and private credentials.
Subject(boolean readOnly,Set principals,[Set](../../../java/util/Set.html "interface in java.util") pubCredentials,Set<?> privCredentials)	Create an instance of a Subject with Principals and credentials.

Method Summary

Modifier and Type	Method	Description
static T	doAs(Subject subject,PrivilegedAction action)	Perform work as a particular Subject.
static T	doAs(Subject subject,PrivilegedExceptionAction action)	Perform work as a particular Subject.
static T	doAsPrivileged(Subject subject,PrivilegedAction action,AccessControlContext acc)	Perform privileged work as a particular Subject.
static T	doAsPrivileged(Subject subject,PrivilegedExceptionAction action,AccessControlContext acc)	Perform privileged work as a particular Subject.
boolean	equals(Object o)	Compares the specified Object with this Subject for equality.
Set<Principal>	getPrincipals()	Return the Set of Principals associated with thisSubject.
<T extends Principal>Set	getPrincipals(Class c)	Return a Set of Principals associated with thisSubject that are instances or subclasses of the specifiedClass.
Set<Object>	getPrivateCredentials()	Return the Set of private credentials held by thisSubject.
Set	getPrivateCredentials(Class c)	Return a Set of private credentials associated with thisSubject that are instances or subclasses of the specifiedClass.
Set<Object>	getPublicCredentials()	Return the Set of public credentials held by thisSubject.
Set	getPublicCredentials(Class c)	Return a Set of public credentials associated with thisSubject that are instances or subclasses of the specifiedClass.
static Subject	getSubject(AccessControlContext acc)	Get the Subject associated with the providedAccessControlContext.
int	hashCode()	Returns a hashcode for this Subject.
boolean	isReadOnly()	Query whether this Subject is read-only.
void	setReadOnly()	Set this Subject to be read-only.
String	toString()	Return the String representation of this Subject.

Constructor Details
- Subject
public Subject()
Create an instance of a Subject with an empty Set of Principals and empty Sets of public and private credentials.
The newly constructed Sets check whether this Subject has been set read-only before permitting subsequent modifications. The newly created Sets also prevent illegal modifications by ensuring that callers have sufficient permissions. These Sets also prohibit null elements, and attempts to add or query a null element will result in a NullPointerException.
To modify the Principals Set, the caller must haveAuthPermission("modifyPrincipals"). To modify the public credential Set, the caller must haveAuthPermission("modifyPublicCredentials"). To modify the private credential Set, the caller must haveAuthPermission("modifyPrivateCredentials").
- Subject
public Subject(boolean readOnly,Set principals,[Set](../../../java/util/Set.html "interface in java.util") pubCredentials,Set<?> privCredentials)
Create an instance of a Subject with Principals and credentials.
The Principals and credentials from the specified Sets are copied into newly constructed Sets. These newly created Sets check whether this Subject has been set read-only before permitting subsequent modifications. The newly created Sets also prevent illegal modifications by ensuring that callers have sufficient permissions. These Sets also prohibit null elements, and attempts to add or query a null element will result in a NullPointerException.
To modify the Principals Set, the caller must haveAuthPermission("modifyPrincipals"). To modify the public credential Set, the caller must haveAuthPermission("modifyPublicCredentials"). To modify the private credential Set, the caller must haveAuthPermission("modifyPrivateCredentials").
Parameters:
readOnly - true if the Subject is to be read-only, and false otherwise.
principals - the Set of Principals to be associated with this Subject.
pubCredentials - the Set of public credentials to be associated with this Subject.
privCredentials - the Set of private credentials to be associated with this Subject.
Throws:
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the specifiedprincipals, pubCredentials, or privCredentials are null, or a null value exists within any of these three Sets.
Method Details
- setReadOnly
public void setReadOnly()
Set this Subject to be read-only.
Modifications (additions and removals) to this Subject'sPrincipal Set and credential Sets will be disallowed. The destroy operation on this Subject's credentials will still be permitted.
Subsequent attempts to modify the Subject's Principal and credential Sets will result in anIllegalStateException being thrown. Also, once a Subject is read-only, it can not be reset to being writable again.
Throws:
[SecurityException](../../../java/lang/SecurityException.html "class in java.lang") - if a security manager is installed and the caller does not have anAuthPermission("setReadOnly") permission to set thisSubject to be read-only.
- isReadOnly
public boolean isReadOnly()
Query whether this Subject is read-only.
Returns:
true if this Subject is read-only, false otherwise.
- getSubject
Get the Subject associated with the providedAccessControlContext.
The AccessControlContext may contain many Subjects (from nested doAs calls). In this situation, the most recent Subject associated with the AccessControlContext is returned.
Parameters:
acc - the AccessControlContext from which to retrieve the Subject.
Returns:
the Subject associated with the providedAccessControlContext, or null if no Subject is associated with the provided AccessControlContext.
Throws:
[SecurityException](../../../java/lang/SecurityException.html "class in java.lang") - if a security manager is installed and the caller does not have anAuthPermission("getSubject") permission to get theSubject.
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the providedAccessControlContext is null.
- doAs
Perform work as a particular Subject.
This method first retrieves the current Thread'sAccessControlContext viaAccessController.getContext, and then instantiates a new AccessControlContext using the retrieved context along with a newSubjectDomainCombiner (constructed using the provided Subject). Finally, this method invokes AccessController.doPrivileged, passing it the provided PrivilegedAction, as well as the newly constructed AccessControlContext.
Type Parameters:
T - the type of the value returned by the PrivilegedAction'srun method.
Parameters:
subject - the Subject that the specifiedaction will run as. This parameter may be null.
action - the code to be run as the specifiedSubject.
Returns:
the value returned by the PrivilegedAction'srun method.
Throws:
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the PrivilegedAction is null.
[SecurityException](../../../java/lang/SecurityException.html "class in java.lang") - if a security manager is installed and the caller does not have anAuthPermission("doAs") permission to invoke this method.
- doAs
Perform work as a particular Subject.
This method first retrieves the current Thread'sAccessControlContext viaAccessController.getContext, and then instantiates a new AccessControlContext using the retrieved context along with a newSubjectDomainCombiner (constructed using the provided Subject). Finally, this method invokes AccessController.doPrivileged, passing it the provided PrivilegedExceptionAction, as well as the newly constructed AccessControlContext.
Type Parameters:
T - the type of the value returned by the PrivilegedExceptionAction's run method.
Parameters:
subject - the Subject that the specifiedaction will run as. This parameter may be null.
action - the code to be run as the specifiedSubject.
Returns:
the value returned by the PrivilegedExceptionAction's run method.
Throws:
[PrivilegedActionException](../../../java/security/PrivilegedActionException.html "class in java.security") - if thePrivilegedExceptionAction.run method throws a checked exception.
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the specifiedPrivilegedExceptionAction isnull.
[SecurityException](../../../java/lang/SecurityException.html "class in java.lang") - if a security manager is installed and the caller does not have anAuthPermission("doAs") permission to invoke this method.
- doAsPrivileged
Perform privileged work as a particular Subject.
This method behaves exactly as Subject.doAs, except that instead of retrieving the current Thread'sAccessControlContext, it uses the providedAccessControlContext. If the providedAccessControlContext is null, this method instantiates a new AccessControlContext with an empty collection of ProtectionDomains.
Type Parameters:
T - the type of the value returned by the PrivilegedAction'srun method.
Parameters:
subject - the Subject that the specifiedaction will run as. This parameter may be null.
action - the code to be run as the specifiedSubject.
acc - the AccessControlContext to be tied to the specified subject and action.
Returns:
the value returned by the PrivilegedAction'srun method.
Throws:
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the PrivilegedAction is null.
[SecurityException](../../../java/lang/SecurityException.html "class in java.lang") - if a security manager is installed and the caller does not have aAuthPermission("doAsPrivileged") permission to invoke this method.
- doAsPrivileged
Perform privileged work as a particular Subject.
This method behaves exactly as Subject.doAs, except that instead of retrieving the current Thread'sAccessControlContext, it uses the providedAccessControlContext. If the providedAccessControlContext is null, this method instantiates a new AccessControlContext with an empty collection of ProtectionDomains.
Type Parameters:
T - the type of the value returned by the PrivilegedExceptionAction's run method.
Parameters:
subject - the Subject that the specifiedaction will run as. This parameter may be null.
action - the code to be run as the specifiedSubject.
acc - the AccessControlContext to be tied to the specified subject and action.
Returns:
the value returned by the PrivilegedExceptionAction's run method.
Throws:
[PrivilegedActionException](../../../java/security/PrivilegedActionException.html "class in java.security") - if thePrivilegedExceptionAction.run method throws a checked exception.
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the specifiedPrivilegedExceptionAction isnull.
[SecurityException](../../../java/lang/SecurityException.html "class in java.lang") - if a security manager is installed and the caller does not have aAuthPermission("doAsPrivileged") permission to invoke this method.
- getPrincipals
Return the Set of Principals associated with thisSubject. Each Principal represents an identity for this Subject.
The returned Set is backed by this Subject's internal Principal Set. Any modification to the returned Set affects the internalPrincipal Set as well.
If a security manager is installed, the caller must have aAuthPermission("modifyPrincipals") permission to modify the returned set, or a SecurityException will be thrown.
Returns:
the Set of Principals associated with thisSubject.
- getPrincipals
Return a Set of Principals associated with thisSubject that are instances or subclasses of the specifiedClass.
The returned Set is not backed by this Subject's internal Principal Set. A newSet is created and returned for each method invocation. Modifications to the returned Set will not affect the internal Principal Set.
Type Parameters:
T - the type of the class modeled by c
Parameters:
c - the returned Set of Principals will all be instances of this class.
Returns:
a Set of Principals that are instances of the specified Class.
Throws:
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the specified Class is null.
- getPublicCredentials
public Set<Object> getPublicCredentials()
Return the Set of public credentials held by thisSubject.
The returned Set is backed by this Subject's internal public Credential Set. Any modification to the returned Set affects the internal public Credential Set as well.
If a security manager is installed, the caller must have aAuthPermission("modifyPublicCredentials") permission to modify the returned set, or a SecurityException will be thrown.
Returns:
a Set of public credentials held by thisSubject.
- getPrivateCredentials
public Set<Object> getPrivateCredentials()
Return the Set of private credentials held by thisSubject.
The returned Set is backed by this Subject's internal private Credential Set. Any modification to the returned Set affects the internal private Credential Set as well.
If a security manager is installed, the caller must have aAuthPermission("modifyPrivateCredentials") permission to modify the returned set, or a SecurityException will be thrown.
While iterating through the Set, a SecurityException is thrown if a security manager is installed and the caller does not have a PrivateCredentialPermission to access a particular Credential. The Iterator is nevertheless advanced to the next element in the Set.
Returns:
a Set of private credentials held by thisSubject.
- getPublicCredentials
public Set getPublicCredentials(Class c)
Return a Set of public credentials associated with thisSubject that are instances or subclasses of the specifiedClass.
The returned Set is not backed by this Subject's internal public Credential Set. A newSet is created and returned for each method invocation. Modifications to the returned Set will not affect the internal public Credential Set.
Type Parameters:
T - the type of the class modeled by c
Parameters:
c - the returned Set of public credentials will all be instances of this class.
Returns:
a Set of public credentials that are instances of the specified Class.
Throws:
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the specified Class is null.
- getPrivateCredentials
public Set getPrivateCredentials(Class c)
Return a Set of private credentials associated with thisSubject that are instances or subclasses of the specifiedClass.
If a security manager is installed, the caller must have aPrivateCredentialPermission to access all of the requested Credentials, or a SecurityException will be thrown.
The returned Set is not backed by this Subject's internal private Credential Set. A newSet is created and returned for each method invocation. Modifications to the returned Set will not affect the internal private Credential Set.
Type Parameters:
T - the type of the class modeled by c
Parameters:
c - the returned Set of private credentials will all be instances of this class.
Returns:
a Set of private credentials that are instances of the specified Class.
Throws:
[NullPointerException](../../../java/lang/NullPointerException.html "class in java.lang") - if the specified Class is null.
- equals
public boolean equals(Object o)
Compares the specified Object with this Subject for equality. Returns true if the given object is also a Subject and the two Subject instances are equivalent. More formally, two Subject instances are equal if their Principal and Credential Sets are equal.
Overrides:
[equals](../../../java/lang/Object.html#equals%28java.lang.Object%29) in class [Object](../../../java/lang/Object.html "class in java.lang")
Parameters:
o - Object to be compared for equality with thisSubject.
Returns:
true if the specified Object is equal to thisSubject.
Throws:
[SecurityException](../../../java/lang/SecurityException.html "class in java.lang") - if a security manager is installed and the caller does not have a PrivateCredentialPermission permission to access the private credentials for thisSubject or the provided Subject.
See Also:
Object.hashCode(), HashMap
- toString
Return the String representation of this Subject.
Overrides:
[toString](../../../java/lang/Object.html#toString%28%29) in class [Object](../../../java/lang/Object.html "class in java.lang")
Returns:
the String representation of this Subject.
- hashCode
public int hashCode()
Returns a hashcode for this Subject.
Overrides:
[hashCode](../../../java/lang/Object.html#hashCode%28%29) in class [Object](../../../java/lang/Object.html "class in java.lang")
Returns:
a hashcode for this Subject.
Throws:
[SecurityException](../../../java/lang/SecurityException.html "class in java.lang") - if a security manager is installed and the caller does not have a PrivateCredentialPermission permission to access this Subject's private credentials.
See Also:
Object.equals(java.lang.Object), System.identityHashCode(java.lang.Object)

Subject (Java SE 15 & JDK 15) (original) (raw)

Constructor Summary

Method Summary

Constructor Details

Subject

Subject

Method Details

setReadOnly

isReadOnly

getSubject

doAs

doAs

doAsPrivileged

doAsPrivileged

getPrincipals

getPrincipals

getPublicCredentials

getPrivateCredentials

getPublicCredentials

getPrivateCredentials

equals

toString

hashCode