摘自：Inside java 2 Platform Security - 2nd Ed，published by Addison Wesley,2003

8.4.1 Subjects and PRincipals
Users often depend on computing services to assist them in performing work. Furthermore, services themselves might subsequently interact with other services.

JAAS uses the term subject to refer to a system entity, sUCh as a user or a computing service.
JAAS用術語subject來表示系統實體，比如一個用戶或者一個計算服務。

To identify the subjects with which it interacts, a computing service typically relies on names. However, a subject might not have the same name for each service and, in fact, may even have a different name for each individual service.
服務通常以來名字來標識那些和它交互的subject.然而一個subject一般不會用同一個名字面向每個服務，實際上，甚至subject會用各不相同的名字面向每個服務。

The term principal represents a name associated with a subject [71]. Because a subject may have multiple names, potentially one for each service with which it interacts, a subject in JAAS comprises a set of principals.
術語principal表示和一個subject關聯的名字。因為一個subject可以有多個名字，以便和不同的服務交互時采用不同的名字，一個subject由一組principal組成。

Once a subject is authenticated, an instance of javax.security.auth.Subject is created to represent that subject and is populated with objects that implement the java.security.Principal interface.
一旦subject通過了認證，系統就會生成一個javax.security.auth.Subject的實例來表示該subject，并且加入一些實現java.security.Principal接口的對象到Subject實例中。

Authentication represents the process by which one system entity verifies the identity of another and must be performed in a secure fashion; otherwise, an intruder may impersonate others to gain access to a system.
認證就是一個系統實體驗證另一個實體的身份的過程，并且必須在安全的方式下進行；否則入侵者就會偽裝成別的實體進入系統。

Authentication typically involves the subject demonstrating possession of some form of evidence to prove its identity. Such evidence may be information only the subject would be likely to know or have, such as a passWord or smart card, or that only the subject could produce, such as signed data using a private key.
認證時，通常是一個subject出示其某種證據來證實它的身份。這些證據可以是這個subject知道或者擁有的信息，比如密碼或者智能卡。。。

When it attempts to authenticate to a service, a subject typically provides the proof of its identity along with its name. If the authentication attempt succeeds, the service associates a service-specific Principal, using the given name, with the Subject. applications and services can determine the identity of the Subject simply by referencing the relevant Principal associated with that Subject.
當它試圖通過某個服務的認證時，subject通常隨它的名字一起提供它身份的證實。假如認證通過了，服務會將一個特屬于該服務的Principal和Subject關聯，名字和subject請求認證時的名字相同。應用程序和服務可以通過參考Subject關聯的Principal來識別Subject的身份。

Reliance on named principals usually derives from the fact that a service implements a conventional access control model of security [69]. This model allows a service to define a set of protected resources and the conditions under which named principals may access those resources.