In the context of security frameworks, a few terms commonly occur: subject, user and principal, of which I have not been ab
Subject is the entity that requests a service. It can be a user or a process. Probably that is why the name Subject was chosen instead of user.
When a subject tries to access a service, the subject has to be authenticated first. Successful authentication ends with loading the Security Principals for that Subject. For example, in a Role Based Access Control system, an authenticated (logged-in) user will usually have two principals: userId and roleId. In such systems, the privileges (i.e. who can access what) are specified both for roles and for users. During authorization (i.e. checking whether the requested service should be permitted), the security system will check for accessibility against both principals.
Therefore, from the perspective of authorization, principals are the actual entities for which access is allowed or disallowed. Subject is just a user/thread/process that holds some principals.
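The subject/principal split described in the answer above, as an added example that is not from the original post or any particular framework: a Subject carries no principals until authentication succeeds, authentication loads a user principal and a role principal, and authorization checks the requested permission against every principal the subject holds. The credential store and permission table are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed model (an assumption for illustration, not a real framework's API):
# a Subject is the requesting entity; Principals are what permissions attach to.

@dataclass(frozen=True)
class Principal:
    kind: str   # "user" or "role"
    name: str

@dataclass
class Subject:
    label: str                                      # e.g. a session or thread id
    principals: set = field(default_factory=set)    # empty until authenticated

# Constructed sample data: username -> (password, role), and permissions per principal.
CREDENTIALS = {"alice": ("s3cret", "admin"), "bob": ("hunter2", "viewer")}
PERMISSIONS = {
    Principal("role", "admin"):  {"report:read", "report:write"},
    Principal("role", "viewer"): {"report:read"},
    Principal("user", "bob"):    {"profile:edit"},   # grant to a specific user
}

def authenticate(subject: Subject, username: str, password: str) -> bool:
    """Verify credentials; on success load the userId and roleId principals."""
    entry = CREDENTIALS.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        subject.principals = set()   # a failed attempt leaves the subject unprivileged
        return False
    subject.principals = {Principal("user", username), Principal("role", entry[1])}
    return True

def authorize(subject: Subject, permission: str) -> bool:
    """Permit if any principal held by the subject is granted the permission."""
    return any(permission in PERMISSIONS.get(p, set()) for p in subject.principals)
```

An unauthenticated subject holds no principals, so every `authorize` call on it is denied; bob's `profile:edit` comes from his user principal while `report:read` comes from his role principal.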