User: stark   
  Date: 01/03/05 01:53:18

  Added:       docs     SRP_LICENSE jboss-sx.jpg readme.html
                        security-policy.dtd security-policy.jpg
  Log:
  Initial version of the JBossSX module
  
  Revision  Changes    Path
  1.1                  jbosssx/docs/SRP_LICENSE
  
  Index: SRP_LICENSE
  ===================================================================
  Licensing
  ---------
  
  SRP is royalty-free worldwide for commercial and non-commercial use.
  The SRP library has been carefully written not to depend on any
  encumbered algorithms, and it is distributed under a standard
  X11-style Open Source license which is shown below.  This license
  covers implementations based on the SRP library as well as
  independent implementations based on RFC 2945.
  
  The SRP distribution itself contains algorithms and code from
  various freeware packages; these parts fall under both the SRP
  Open Source license and the packages' own licenses.  Care has
  been taken to ensure that these licenses are compatible with
  Open Source distribution, but it is the responsibility of the
  licensee to comply with the terms of these licenses.  This
  disclaimer also applies to third-party libraries that may be
  linked into the distribution, since they may contain patented
  intellectual property.  The file "Copyrights" contains a list
  of the copyrights incorporated by portions of the software.
  
  Broader use of the SRP authentication technology, such as variants
  incorporating the use of an explicit server secret (SRP-Z), may
  require a license; please contact the Stanford Office of Technology
  Licensing (http://otl.stanford.edu/) for more information about
  terms and conditions.
  
  This software is covered under the following copyright:
  
  /*
   * Copyright (c) 1997-2000  The Stanford SRP Authentication Project
   * All Rights Reserved.
   *
   * Permission is hereby granted, free of charge, to any person obtaining
   * a copy of this software and associated documentation files (the
   * "Software"), to deal in the Software without restriction, including
   * without limitation the rights to use, copy, modify, merge, publish,
   * distribute, sublicense, and/or sell copies of the Software, and to
   * permit persons to whom the Software is furnished to do so, subject to
   * the following conditions:
   *
   * The above copyright notice and this permission notice shall be
   * included in all copies or substantial portions of the Software.
   *
   * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, 
   * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY 
   * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  
   *
   * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
   * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
   * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
   * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
   * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
   *
   * In addition, the following conditions apply:
   *
   * 1. Any software that incorporates the SRP authentication technology
   *    must display the following acknowlegment:
   *    "This product uses the 'Secure Remote Password' cryptographic
   *     authentication system developed by Tom Wu ([EMAIL PROTECTED])."
   *
   * 2. Any software that incorporates all or part of the SRP distribution
   *    itself must also display the following acknowledgment:
   *    "This product includes software developed by Tom Wu and Eugene
   *     Jhong for the SRP Distribution (http://srp.stanford.edu/srp/)."
   *
   * 3. Redistributions in source or binary form must retain an intact copy
   *    of this copyright notice and list of conditions.
   */
  
  Address all questions regarding this license to:
  
    Tom Wu
    [EMAIL PROTECTED]
  
  
  
  1.1                  jbosssx/docs/jboss-sx.jpg
  
        <<Binary file>>
  
  
  1.1                  jbosssx/docs/readme.html
  
  Index: readme.html
  ===================================================================
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
  <html>
  <head>
        <title>Readme</title>
  </head>
  
  <body>
  <h2>A JBoss Security Extension Layer</h2>
  <img src="jboss-sx.jpg" width="256" height="113" border="0" alt="">
  The JBossSX security extension provides support for a security proxy layer
  and an extensible JAAS subject based authentication and authorization layer.
  The security proxy layer allows custom security to be added to an EJB in
  a way that is independent of the EJB business object. This is done by adding
  a security proxy delegate to the existing SecurityInterceptor plugin.
  
  <p>
  The basic extension is independent of JAAS, but the bulk of the JBossSX module
  is a JAAS based implementation of the proxy layer. The following elements are
  included in the release:
  <ul>
        <li>A new SRPLoginModule and JMX services that provide a cryptographically
        secure login mechanism. This is an implementation of RFC 2945, the 'Secure Remote
        Password' cryptographic authentication system developed by Tom Wu ([EMAIL PROTECTED]).
        From an abstract of a paper by Wu:<br>
        <cite>
        ... a new password authentication and key-exchange protocol suitable for
        authenticating users and exchanging keys over an untrusted network. The
        new protocol resists dictionary attacks mounted by either passive or active
        network intruders, allowing, in principle, even weak passphrases to be used
        safely. It also offers perfect forward secrecy, which protects past sessions
        and passwords against future compromises. Finally, user passwords are stored
        in a form that is not plaintext-equivalent to the password itself, so an
        attacker who captures the password database cannot use it directly to
        compromise security and gain immediate access to the host. This new protocol
        combines techniques of zero-knowledge proofs with asymmetric key exchange
        protocols and offers significantly improved performance over comparably
        strong extended methods that resist stolen-verifier attacks such as
        Augmented EKE or B-SPEKE.
        </cite><br>
        See <a href="http://www-cs-students.stanford.edu/~tjw/srp/">
        http://www-cs-students.stanford.edu/~tjw/srp/</a> for details on SRP.
  
        <li>A custom implementation of the javax.security.auth.Policy and
        javax.security.auth.login.Configuration classes that combines the notions
        of user authentication and authorization into a multiple security domain
        notion. Each security domain can define its own login module stack and user
        based permissions. The authentication and authorization information is
        accessed through a store abstraction (IAppPolicyStore) that allows for
        integrating with arbitrary security stores.
        <li>An XML based implementation of IAppPolicyStore that allows for
        security domain information to be represented by an XML document.
        <li>Updated JAAS based security manager that adds an authentication
        credential cache policy that lazily refreshes/expires the credentials.
        <li>A sample implementation of a JAAS based security proxy to demonstrate
        the usage of the contrib security elements.
        <li>A sample implementation of a security proxy that does not use JAAS
        to demonstrate non-JAAS custom security.
  </ul>
  <p>The JBossSX module is integrated with the current JBoss core module as
  three jar files:
        <ul>
                <li>client/jbosssx-client.jar</li>
                <li>lib/jboss-jaas.jar</li>
                <li>lib/ext/jbosssx.jar</li>
        </ul>
  
  </body>
  </html>
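The RFC 2945 exchange behind the SRPLoginModule described in the readme, walked through in Python as an added example (this is not the module's own code). It uses a constructed toy group N = 1019, g = 2 that is far too small for real use, and the function names are assumptions; the point it shows is that the host stores only (salt, verifier) and both sides still arrive at the same session secret S.

```python
"""RFC 2945 (SRP) exchange walk-through. Added example, not JBossSX's SRPLoginModule."""
import hashlib
import secrets

# CONSTRUCTED toy group: N = 1019 is a safe prime (2 * 509 + 1), g = 2.
# Real deployments use a 1024-bit or larger group; this one only illustrates the math.
N = 1019
g = 2


def H(*parts: bytes) -> bytes:
    """SHA-1 of the concatenated parts, the hash RFC 2945 uses."""
    return hashlib.sha1(b"".join(parts)).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def private_key(username: str, password: str, salt: bytes) -> int:
    """x = H(s | H(U | ':' | p)); only the client ever computes this."""
    return int.from_bytes(H(salt, H(username.encode(), b":", password.encode())), "big")


def enrol(username: str, password: str) -> tuple[bytes, int]:
    """Host-side enrolment: store (salt, v = g^x); v is not plaintext-equivalent."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(username, password, salt), N)


def srp_exchange(username: str, password: str, salt: bytes, v: int) -> tuple[int, int]:
    """Run one exchange and return (client S, host S) so a caller can check they agree."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral; client sends U and A = g^a
    A = pow(g, a, N)
    if A % N == 0:
        raise ValueError("host aborts: A mod N is zero")
    b = secrets.randbelow(N - 2) + 1          # host ephemeral; host replies with s and B = v + g^b
    B = (v + pow(g, b, N)) % N
    if B % N == 0:
        raise ValueError("client aborts: B mod N is zero")
    u = int.from_bytes(H(to_bytes(B))[:4], "big")   # first 32 bits of H(B), MSB first
    if u == 0:
        raise ValueError("abort: u is zero")
    x = private_key(username, password, salt)       # client recomputes x from the password
    s_client = pow((B - pow(g, x, N)) % N, a + u * x, N)   # (B - g^x)^(a + u*x)
    s_host = pow((A * pow(v, u, N)) % N, b, N)             # (A * v^u)^b, using only v
    return s_client, s_host
```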
  
  
  
  1.1                  jbosssx/docs/security-policy.dtd
  
  Index: security-policy.dtd
  ===================================================================
  <?xml version='1.0' encoding='UTF-8' ?>
  
  <!--Generated by XML Authority-->
  
  <!-- The root element of the security-policy document. A security policy document represents a
  union of the Java2 codebase+signers and JAAS subject+codebase+signers policy files. The
  org.jboss.security.SecurityPolicy class parses a security-policy document using the
  org.jboss.security.SecurityPolicyParser and implements both the java.security.Policy and
  javax.security.auth.Policy interfaces.
  -->
  <!ELEMENT application-policy (keystore? , authentication? , authorization?)>
  
  <!ATTLIST application-policy  name CDATA  'other' >
  <!-- A grant element grants the indicated permissions -->
  <!ELEMENT grant (principal* , permission+)>
  
  <!ATTLIST grant  codebase CDATA  #IMPLIED
                     signedby CDATA  #IMPLIED >
  <!-- A principal element represents a named principal. The code attribute is a class that implements
  the java.security.Principal interface. The name attribute corresponds to the Principal#getName()
  value.
  -->
  <!ELEMENT principal EMPTY>
  
  <!ATTLIST principal  code CDATA  #REQUIRED
                         name CDATA  #REQUIRED >
  <!-- The permission element represents a java.security.Permission implementation. Its code
  attribute is the name of the class that implements the java.security.Permission interface.
  -->
  <!ELEMENT permission EMPTY>
  
  <!ATTLIST permission  code     CDATA  #REQUIRED
                          actions  CDATA  #IMPLIED
                          name     CDATA  #REQUIRED
                          signedby CDATA  #IMPLIED >
  <!-- The target element is the optional target-name of its parent permission element. It is the
  string that the java.security.Permission#getName() method returns.
  -->
  <!ELEMENT target (#PCDATA)>
  
  <!-- The actions element represents the optional actions of its parent permission element. It is the
  string that the java.security.Permission#getActions() method returns.
  -->
  <!ELEMENT actions (#PCDATA)>
  
  <!ELEMENT keystore EMPTY>
  
  <!ATTLIST keystore  href CDATA  '.keystore'
                        type CDATA  'JKS' >
  <!ELEMENT authentication (login-module+)>
  
  <!ELEMENT authorization (grant+)>
  
  <!ELEMENT login-module (module-option*)>
  
  <!ATTLIST login-module  code CDATA  #REQUIRED
                            flag  (required | requisite | sufficient | optional )  'required' >
  <!ELEMENT module-option (#PCDATA)>
  
  <!ATTLIST module-option  name CDATA  #REQUIRED >
  <!ELEMENT policy (application-policy+)>
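A small reader for documents written against this DTD, added here as an example (it is not JBossSX's org.jboss.security.SecurityPolicyParser). The sample document and its class names are constructed placeholders; since ElementTree does not validate against a DTD, the function enforces the DTD's defaults, required attributes and flag enumeration itself.

```python
"""Parser for the security-policy document format defined by security-policy.dtd.
Added example; this is not JBossSX's org.jboss.security.SecurityPolicyParser."""
import xml.etree.ElementTree as ET
# CONSTRUCTED sample document that follows the DTD; the class names are placeholders.
SAMPLE_POLICY = """
<policy>
  <application-policy name="example-domain">
    <authentication>
      <login-module code="com.example.ExampleLoginModule" flag="required">
        <module-option name="usersProperties">users.properties</module-option>
      </login-module>
      <login-module code="com.example.AuditLoginModule" flag="optional"/>
    </authentication>
    <authorization>
      <grant codebase="file:/opt/app/-">
        <principal code="com.example.RolePrincipal" name="admin"/>
        <permission code="java.io.FilePermission" name="/tmp/-" actions="read"/>
      </grant>
    </authorization>
  </application-policy>
</policy>
"""
FLAGS = {"required", "requisite", "sufficient", "optional"}  # the DTD's flag enumeration


def parse_policy(xml_text: str) -> dict:
    """Map each domain to its login-module stack and grants; enforces DTD defaults and required attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != "policy":
        raise ValueError("root element must be <policy>")
    domains = {}
    for app in root.findall("application-policy"):
        name = app.get("name", "other")  # DTD default for the name attribute
        modules = []
        for lm in app.findall("authentication/login-module"):
            flag = lm.get("flag", "required")  # DTD default for the flag attribute
            if flag not in FLAGS or lm.get("code") is None:
                raise ValueError(f"invalid login-module in domain {name!r}")
            options = {o.get("name"): (o.text or "") for o in lm.findall("module-option")}
            modules.append({"code": lm.get("code"), "flag": flag, "options": options})
        grants = []
        for grant in app.findall("authorization/grant"):
            perms = grant.findall("permission")
            if not perms or any(p.get("code") is None or p.get("name") is None for p in perms):
                raise ValueError(f"grant in domain {name!r} needs permissions with code and name")
            grants.append({"codebase": grant.get("codebase"),
                           "principals": [(p.get("code"), p.get("name")) for p in grant.findall("principal")],
                           "permissions": [(p.get("code"), p.get("name"), p.get("actions")) for p in perms]})
        domains[name] = {"login-modules": modules, "grants": grants}
    return domains
```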
  
  
  
  
  1.1                  jbosssx/docs/security-policy.jpg
  
        <<Binary file>>
  
  
