OpenJDK 1.23 · javax.security.auth.Subject · APIdia, the JavaDoc alternative

A Subject represents a grouping of related information for a single entity, such as a person. Such information includes the Subject's identities as well as its security-related attributes (passwords and cryptographic keys, for example).

Subjects may potentially have multiple identities. Each identity is represented as a Principal within the Subject. Principals simply bind names to a Subject. For example, a Subject that happens to be a person, Alice, might have two Principals: one which binds "Alice Bar", the name on her driver license, to the Subject, and another which binds, "999-99-9999", the number on her student identification card, to the Subject. Both Principals refer to the same Subject even though each has a different name.

A Subject may also own security-related attributes, which are referred to as credentials. Sensitive credentials that require special protection, such as private cryptographic keys, are stored within a private credential Set. Credentials intended to be shared, such as public key certificates or Kerberos server tickets are stored within a public credential Set. Different permissions are required to access and modify the different credential Sets.

To retrieve all the Principals associated with a Subject, invoke the getPrincipals method. To retrieve all the public or private credentials belonging to a Subject, invoke the getPublicCredentials method or getPrivateCredentials method, respectively. To modify the returned Set of Principals and credentials, use the methods defined in the Set class. For example:

     Subject subject;
     Principal principal;
     Object credential;

     // add a Principal and credential to the Subject
     subject.getPrincipals().add(principal);
     subject.getPublicCredentials().add(credential);

This Subject class implements Serializable. While the Principals associated with the Subject are serialized, the credentials associated with the Subject are not. Note that the java.security.Principal class does not implement Serializable. Therefore, all concrete Principal implementations associated with Subjects must implement Serializable.

Deprecated Methods and Replacements

The following methods in this class for user-based authorization that are dependent on Security Manager APIs are deprecated for removal:

Methods current() and callAs(Subject, Callable) are replacements for these methods, where current is mostly equivalent to getSubject(AccessController.getContext()) and callAs is similar to doAs except that the input type and exceptions thrown are slightly different.

These methods behave differently depending on whether a security manager is allowed or disallowed:

If a security manager is allowed, which means it is either already set or allowed to be set dynamically, a Subject object is associated with an AccessControlContext through a doAs or callAs call, and the subject can then be retrieved using the getSubject(AccessControlContext) or current method.
If a security manager is not allowed, which means it is not set and not allowed to be set dynamically, a doAs or callAs call binds a Subject object to the period of execution of an action, and the subject can be retrieved using the current method inside the action. This subject can be inherited by child threads if they are started and terminate within the execution of its parent thread using structured concurrency.

Modifier and Type	Class and Description
pack-priv static class	Subject.AuthPermissionHolder
private class	Subject.ClassSet<T> This class implements a `Set` which returns only members that are an instance of a specified Class.
private static class	Subject.SecureSet<E> Prevent modifications unless caller has permission.

Modifier and Type	Field and Description
private static final ProtectionDomain[]	NULL_PD_ARRAY
private static final int	PRINCIPAL_SET
pack-priv Set<Principal>	principals A `Set` that provides a view of all of this Subject's Principals
private static final int	PRIV_CREDENTIAL_SET
pack-priv transient Set<Object>	privCredentials
private static final int	PUB_CREDENTIAL_SET
pack-priv transient Set<Object>	pubCredentials Sets that provide a view of all of this Subject's Credentials
private volatile boolean	readOnly Whether this Subject is read-only
private static final ScopedValue<Subject>	SCOPED_SUBJECT
private static final long	serialVersionUID

Access	Constructor and Description
public	Subject() Create an instance of a `Subject` with an empty `Set` of Principals and empty Sets of public and private credentials.
public	Subject(boolean true if the `Subject` is to be read-only, and false otherwise. readOnly, Set<? extends Principal> the `Set` of Principals to be associated with this `Subject`. principals, Set<?> the `Set` of public credentials to be associated with this `Subject`. pubCredentials, Set<?> the `Set` of private credentials to be associated with this `Subject`. privCredentials) Create an instance of a `Subject` with Principals and credentials.

Method Summary

Modifier and Type	Method and Description
public static < the type of value returned by the `call` method of `action` T> T	Returns: the value returned by the `call` method of `action` callAs(final Subject the `Subject` that the specified `action` will run as. This parameter may be `null`. subject, final Callable<T> the code to be run with `subject` as its current subject. Must not be `null`. action) Executes a `Callable` with `subject` as the current subject.
private static <E> LinkedList<E>	collectionNullClean(Collection<? extends E> A `Collection` to be tested for null references coll) Tests for null-clean collections (both non-null reference and no null elements)
private static AccessControlContext	createContext(final Subject subject, final AccessControlContext acc) References Deprecated `AccessControlContext` is deprecated or references (maybe indirectly) at least one deprecated element.
public static Subject	Returns: the current subject, or `null` if a current subject is not installed or the current subject is set to `null`. current() Returns the current subject.
public static < the type of the value returned by the PrivilegedAction's `run` method. T> T	Returns: the value returned by the PrivilegedAction's `run` method. doAs(final Subject the `Subject` that the specified `action` will run as. This parameter may be `null`. subject, final PrivilegedAction<T> the code to be run as the specified `Subject`. action) Deprecated for removal since 18. This method depends on `AccessControlContext` which, in conjunction with the Security Manager, is deprecated and subject to removal in a future release. Perform work as a particular `Subject`.
public static < the type of the value returned by the PrivilegedExceptionAction's `run` method. T> T	Returns: the value returned by the PrivilegedExceptionAction's `run` method. doAs(final Subject the `Subject` that the specified `action` will run as. This parameter may be `null`. subject, final PrivilegedExceptionAction<T> the code to be run as the specified `Subject`. action) Deprecated for removal since 18. This method depends on `AccessControlContext` which, in conjunction with the Security Manager, is deprecated and subject to removal in a future release. Perform work as a particular `Subject`.
public static < the type of the value returned by the PrivilegedAction's `run` method. T> T	Returns: the value returned by the PrivilegedAction's `run` method. doAsPrivileged(final Subject the `Subject` that the specified `action` will run as. This parameter may be `null`. subject, final PrivilegedAction<T> the code to be run as the specified `Subject`. action, final AccessControlContext the `AccessControlContext` to be tied to the specified subject and action. acc) Deprecated for removal since 17. This method is only useful in conjunction with the Security Manager, which is deprecated and subject to removal in a future release. Perform privileged work as a particular `Subject`.
public static < the type of the value returned by the PrivilegedExceptionAction's `run` method. T> T	Returns: the value returned by the PrivilegedExceptionAction's `run` method. doAsPrivileged(final Subject the `Subject` that the specified `action` will run as. This parameter may be `null`. subject, final PrivilegedExceptionAction<T> the code to be run as the specified `Subject`. action, final AccessControlContext the `AccessControlContext` to be tied to the specified subject and action. acc) Deprecated for removal since 17. This method is only useful in conjunction with the Security Manager, which is deprecated and subject to removal in a future release. Perform privileged work as a particular `Subject`.
public boolean	Returns: true if the specified Object is equal to this `Subject`. equals(Object Object to be compared for equality with this `Subject`. o) Overrides java.lang.Object.equals. Compares the specified Object with this `Subject` for equality.
private int	getCredHashCode(Object o) get a credential's hashcode
public Set<Principal>	Returns: the `Set` of Principals associated with this `Subject`. getPrincipals() Return the `Set` of Principals associated with this `Subject`.
public < the type of the class modeled by `c` T extends Principal> Set<T>	Returns: a `Set` of Principals that are instances of the specified `Class`. getPrincipals(Class<T> the returned `Set` of Principals will all be instances of this class. c) Return a `Set` of Principals associated with this `Subject` that are instances or subclasses of the specified `Class`.
public Set<Object>	Returns: a `Set` of private credentials held by this `Subject`. getPrivateCredentials() Return the `Set` of private credentials held by this `Subject`.
public < the type of the class modeled by `c` T> Set<T>	Returns: a `Set` of private credentials that are instances of the specified `Class`. getPrivateCredentials(Class<T> the returned `Set` of private credentials will all be instances of this class. c) Return a `Set` of private credentials associated with this `Subject` that are instances or subclasses of the specified `Class`.
public Set<Object>	Returns: a `Set` of public credentials held by this `Subject`. getPublicCredentials() Return the `Set` of public credentials held by this `Subject`.
public < the type of the class modeled by `c` T> Set<T>	Returns: a `Set` of public credentials that are instances of the specified `Class`. getPublicCredentials(Class<T> the returned `Set` of public credentials will all be instances of this class. c) Return a `Set` of public credentials associated with this `Subject` that are instances or subclasses of the specified `Class`.
public static Subject	Returns: the `Subject` associated with the provided `AccessControlContext`, or `null` if no `Subject` is associated with the provided `AccessControlContext`. getSubject(final AccessControlContext the `AccessControlContext` from which to retrieve the `Subject`. acc) Deprecated for removal since 17. This method depends on `AccessControlContext` which, in conjunction with the Security Manager, is deprecated and subject to removal in a future release. Get the `Subject` associated with the provided `AccessControlContext`.
public int	Returns: a hashcode for this `Subject` hashCode() Overrides java.lang.Object.hashCode. Returns a hashcode for this `Subject`.
public boolean	Returns: true if this `Subject` is read-only, false otherwise. isReadOnly() Query whether this `Subject` is read-only.
private void	readObject(ObjectInputStream the `ObjectInputStream` from which data is read s) Reads this object from a stream (i.e., deserializes it)
public void	setReadOnly() Set this `Subject` to be read-only.
public String	Returns: the String representation of this `Subject`. toString() Overrides java.lang.Object.toString. Return the String representation of this `Subject`.
pack-priv String	toString(boolean includePrivateCredentials) package private convenience method to print out the Subject without firing off a security check when trying to access the Private Credentials
private void	writeObject(ObjectOutputStream the `ObjectOutputStream` to which data is written oos) Writes this object out to a stream (i.e., serializes it).

Inherited from java.lang.Object:: clone finalize getClass notify notifyAll wait wait wait

public final Class Subject

Deprecated Methods and Replacements

Nested and Inner Type Summary

Field Summary

Constructor Summary

Method Summary