Why is the name "realm" chosen for something that seems (at least to me) to be a group of security constraints and the users allowed to access them? I may be wrong. If I translate it into my mother tongue I get "kingdom, territory". I don't understand it.
Principal: An entity that can be authenticated by an authentication protocol in a security service that is deployed in an enterprise. A principal is identified by using a principal name and authenticated by using authentication data.
And "principal", which makes no sense whatsoever in my mother tongue, is even harder. Could someone explain?
http://docs.oracle.com/javaee/6/tutorial/doc/bnbxj.html
A realm is a security policy domain defined for a web or application server. The protected resources on a server can be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database containing a collection of users and groups.
An authentication realm is a grouping of authentication resources, including: An authentication server, which verifies a user's identity. The system forwards credentials submitted on a sign-in page to an authentication server.
A realm is a security policy domain defined for a web or application server. It is also a string, passed as part of an HTTP request during basic authentication, that defines a protection space.
The word "realm" is used here as a spatial analogy for a set -- things can be inside a set or not inside, same as a kingdom. A security "realm" is a set such that all things in that set are affected by the same rules, but that things from outside that region are treated as foreign, suspicious, or otherwise have less than full access to things inside that realm.
To understand how this might work, consider a Medieval castle. The people inside the castle are assumed to be more loyal to the king than the people outside, so security focuses on keeping the enemies outside from getting in. Within the castle, there is a keep where only the most trusted are allowed, and security mechanisms (guards and gates) limit access to the keep from the rest of the castle.
You might see terms like "security domains" and "trust domains" in the security literature. These are other ways of saying "realm".
A "principal" is that to which authority can be granted or denied. It can be a user, a role, a machine, etc. It is the "principal" (first or foremost) entity in the authority matrix.
"Principal" is (IIRC) related to the word "prince" and is used in the sense of something that can exercise significant but not unlimited authority.
The definition quoted in the OP muddles "authentication" and "authorization", which is a common mistake. Just think about princes exercising power within limitations, which requires authorization. In Java EE in particular, principals are involved in IBAC (or a related scheme like RBAC), but the term is used more broadly in the security literature in a way that is independent of whether authentication happens but not of whether authorization happens.
One possible source of confusion: you might think a prince should rule a principality, but the analogy breaks down here. In feudal Europe, maybe there was a 1:1 relationship between princes and principalities (a kind of realm), but there is no 1:1 relationship between principals and realms. A given realm is not necessarily ruled by any particular principal.
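The following is an added example, not code from any of the answers above or from Java EE. It ties the two threads of the discussion together: a realm as an HTTP Basic protection space (the `realm="..."` string in the challenge, with its own user and group database, as in the Oracle definition), and a principal as the authenticated entity about which a separate authorization decision is then made. The realm names, users, groups and the PBKDF2 password storage are all hypothetical choices for illustration.

```python
import base64
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Added example, not code from the original thread. Realm names, users,
# groups and the password-hashing scheme below are made-up assumptions.


@dataclass(frozen=True)
class Principal:
    """The authenticated entity that authorization decisions are made about.

    It remembers which realm vouched for it, so another realm can treat it
    as foreign (the "outside the castle" case from the answer above).
    """
    name: str
    realm: str
    groups: frozenset


class Realm:
    """One protection space: its own user database, groups and Basic challenge."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, name):
        self.name = name
        self._users = {}    # user -> (salt, pbkdf2 digest)
        self._groups = {}   # user -> frozenset of group names

    def add_user(self, user, password, groups=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.PBKDF2_ROUNDS)
        self._users[user] = (salt, digest)
        self._groups[user] = frozenset(groups)

    def challenge(self):
        """Value of the WWW-Authenticate header sent with a 401.

        The realm string tells the client which protection space it has hit,
        so it can pick (or prompt for) credentials for that realm.
        """
        return f'Basic realm="{self.name}", charset="UTF-8"'

    def authenticate(self, authorization_header):
        """Verify an Authorization header against this realm's user database.

        Returns a Principal on success and None on any failure: wrong scheme,
        malformed base64, unknown user or wrong password. A user who exists
        only in a different realm is an unknown user here.
        """
        scheme, _, param = (authorization_header or "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")   # password may itself contain ':'
        record = self._users.get(user)
        if record is None:
            # Burn the same work for unknown users so timing does not leak which names exist.
            hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16, self.PBKDF2_ROUNDS)
            return None
        salt, expected = record
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.PBKDF2_ROUNDS)
        if not hmac.compare_digest(actual, expected):
            return None
        return Principal(user, self.name, self._groups[user])


def parse_challenge(www_authenticate):
    """Client side: extract the realm name from a Basic challenge (None if absent)."""
    m = re.match(r'\s*Basic\s+.*?realm="([^"]*)"', www_authenticate or "", re.IGNORECASE)
    return m.group(1) if m else None


def basic_credentials(user, password):
    """Client side: build the Authorization header value for user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def is_authorized(principal, realm, required_group):
    """Authorization is a separate step from authentication.

    The principal must have been authenticated by this realm (a principal
    from another realm is not trusted here) and must hold the required group.
    """
    if principal is None or principal.realm != realm.name:
        return False
    return required_group in principal.groups


if __name__ == "__main__":
    admin = Realm("admin-console")
    admin.add_user("alice", "correct horse", groups=["operators"])
    public = Realm("public-api")
    public.add_user("bob", "hunter2", groups=["readers"])

    print("challenge realm:", parse_challenge(admin.challenge()))
    alice = admin.authenticate(basic_credentials("alice", "correct horse"))
    print("alice in admin realm:", alice)
    print("alice may operate:", is_authorized(alice, admin, "operators"))
    bob = public.authenticate(basic_credentials("bob", "hunter2"))
    print("bob honoured by admin realm:", is_authorized(bob, admin, "readers"))
```

The point the code makes is the one the answers make in words: authenticating against a realm yields a principal, and the principal is what the authorization check consumes; a valid principal from one realm is still foreign to another, and a user who exists only in the other realm simply fails to authenticate. The `realm` parameter in the challenge is what lets a client keep separate credentials per protection space on the same host.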