In an interview, the interviewer asked me: why do you need private credentials in JAAS?
We can access both public credentials and private credentials like this:

```java
Set<Object> privateCredentials = subject.getPrivateCredentials();
Set<Object> publicCredentials = subject.getPublicCredentials();
```

Both (privateCredentials and publicCredentials) are accessible, and the way of accessing them is the same.
So, what is the significance of having two types of credentials?
From "Java and Internet Security" book by Theodore Shrader, Bruce A. Rich, Anthony J. Nadalin:
With somewhat more controversy, the JAAS designers concluded that Principals may have some sort of proof of identity that they need to be able to provide at a moment's notice, and these proofs of identity may include sensitive information, so a set of public credentials and a set of private credentials were also added to Subject. Since the content of a credential may vary widely across authentication mechanisms, from a simple password to a fingerprint (to infinity and beyond!), the type of a credential was simply left as java.lang.Object. Relationships between Principals and credentials, if any, were left as an exercise for the implementer of the particular Principal class (or more likely, the particular LoginModule class). From a JAAS perspective, the only difference between private and public credentials is that a particular javax.security.auth.AuthPermission is required for access to the set of private credentials.
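As an added illustration (not from the question or the quoted book), here is a Java sketch of how a LoginModule-style commit step splits a Subject's credentials, with the permission that gates each set noted in comments. It assumes no SecurityManager is installed, so the checks are described rather than triggered; the UserPrincipal class and the key material are constructed here for the example.

```java
import javax.security.auth.Subject;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Set;

public class CredentialSplitDemo {

    // Hypothetical principal type, standing in for whatever a LoginModule adds.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // What commit() typically does after a successful login: identity and
    // non-sensitive proofs go into the public set, secrets into the private set.
    // With a SecurityManager installed, adding to the private set requires
    // AuthPermission("modifyPrivateCredentials"); the public set only requires
    // AuthPermission("modifyPublicCredentials").
    static Subject login(String user, char[] password) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // constructed sample key material
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPublicCredentials().add(kp.getPublic());        // safe to expose
        subject.getPrivateCredentials().add(kp.getPrivate());      // sensitive
        subject.getPrivateCredentials().add(password.clone());     // sensitive
        return subject;
    }

    // Reading back by type. With a SecurityManager, iterating the private set
    // throws SecurityException for each element the caller lacks a
    // PrivateCredentialPermission(..., "read") for; the public set has no such check.
    static PublicKey publicKeyOf(Subject subject) {
        Set<PublicKey> keys = subject.getPublicCredentials(PublicKey.class);
        return keys.isEmpty() ? null : keys.iterator().next();
    }

    static PrivateKey privateKeyOf(Subject subject) {
        Set<PrivateKey> keys = subject.getPrivateCredentials(PrivateKey.class);
        return keys.isEmpty() ? null : keys.iterator().next();
    }

    // Scrub the password and drop the private set once the session is over.
    static void logout(Subject subject) {
        for (char[] secret : subject.getPrivateCredentials(char[].class)) Arrays.fill(secret, '\0');
        subject.getPrivateCredentials().clear();
        subject.setReadOnly(); // no further changes to either set
    }
}
```

The split buys nothing without a SecurityManager and a policy granting the relevant permissions; in that case the two sets really are just two collections, which is the point the quoted passage makes.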