User: starksm
Date: 01/03/30 03:18:04
Modified: src/docs jbosssx.xml
Log:
Updated the SRP section
Revision Changes Path
1.3 +114 -59 manual/src/docs/jbosssx.xml
Index: jbosssx.xml
===================================================================
RCS file: /cvsroot/jboss/manual/src/docs/jbosssx.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- jbosssx.xml 2001/03/29 11:24:50 1.2
+++ jbosssx.xml 2001/03/30 11:18:04 1.3
@@ -1,5 +1,6 @@
<?xml version = "1.0" encoding = "UTF-8"?>
-<!-- Version: $Revision: 1.2 $ -->
+
+<!-- Version: $Revision: 1.3 $ -->
<?xml-stylesheet href =
'file:///D:/usr/local/src/cvsroot/jBoss/manual/src/docs/jboss.xsl' type = 'text/xsl'?>
<chapter>
<title>JBossSX Security Extension Framework</title>
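Review bot: the added blank line between the XML declaration and the `$Revision$` comment has no effect on the rendered chapter and looks accidental; consider dropping it so the version bump is the only change in this hunk. Unchanged but visible in the context lines, the `xml-stylesheet` href is an absolute `file:///D:/usr/local/src/...` Windows path that will not resolve on any other checkout; a relative path such as `jboss.xsl` next to the document would be portable.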
@@ -181,6 +182,7 @@
<para>
<literallayout><![CDATA[
<method>
+
<ejb-name>EJBNAME</ejb-name>
<method-name>*</method-name>
</method>
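Review bot: the `+` line inserts an empty line inside a `<literallayout><![CDATA[` block, and `literallayout` preserves whitespace, so the rendered `<method>` example will now show a blank line between `<method>` and `<ejb-name>`. If that is not intended, remove the added line.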
@@ -532,37 +534,33 @@
</section>
<section id = "sx.SRP">
<title>The Secure Remote Password(SRP) Protocol</title>
- <para>The Secure Remote Password(SRP) protocol is an implementation of
a
- public key exchange handshake described in RFC2945. The RFC2945
abstract
- states: <quote>This document describes a cryptographically strong
network
- authentication mechanism known as the Secure Remote Password (SRP)
protocol.
- This mechanism is suitable for negotiating secure connections using a
- user-supplied password, while eliminating the security problems
traditionally
- associated with reusable passwords. This system also performs a secure
key
- exchange in the process of authentication, allowing security layers
(privacy
- and/or integrity protection) to be enabled during the session. Trusted
key
- servers and certificate infrastructures are not required, and clients
are not
- required to store or manage any long-term keys. SRP offers both
security and
- deployment advantages over existing challenge-response techniques,
making it an
- ideal drop-in replacement where secure password authentication is
- needed.</quote>
+ <para>The SRP protocol is an implementation of a public key exchange
handshake described in RFC2945. The RFC2945 abstract states: <quote>This document
describes a cryptographically strong network authentication mechanism known as the
Secure Remote Password (SRP) protocol. This mechanism is suitable for negotiating
secure connections using a user-supplied password, while eliminating the security
problems traditionally associated with reusable passwords. This system also performs a
secure key exchange in the process of authentication, allowing security layers
(privacy and/or integrity protection) to be enabled during the session. Trusted key
servers and certificate infrastructures are not required, and clients are not required
to store or manage any long-term keys. SRP offers both security and deployment
advantages over existing challenge-response techniques, making it an ideal drop-in
replacement where secure password authentication is needed.</quote>
</para>
- <para>The JBossSX framework includes an implementation of SRP that
consists
- of the following elements:<itemizedlist>
- <listitem>
- <para>An implementation of the SRP handshake
protocol that is
- independent of any particular client/server
protocol</para>
- </listitem>
- <listitem>
- <para>An RMI implementation of the handshake
protocol as the default
- client/server SRP implimentation</para>
- </listitem>
- <listitem>
- <para>A JAAS LoginModule implementation that
uses the RMI
- implimentation for use in authenticating clients in a
secure fashion</para>
- </listitem>
- </itemizedlist>
- </para>
+ <para>The JBossSX framework includes an implementation of SRP that
consists of the following elements:</para>
+ <itemizedlist>
+ <listitem>
+ <para>An implementation of the SRP handshake protocol
that is independent of any particular client/server protocol</para>
+ </listitem>
+ <listitem>
+ <para>An RMI implementation of the handshake protocol
as the default client/server SRP implimentation</para>
+ </listitem>
+ <listitem>
+ <para>A JAAS LoginModule implementation that uses the
RMI implimentation for use in authenticating clients in a secure fashion</para>
+ </listitem>
+ <listitem>
+ <para>A JMX mbean for managing the RMI server
implementation. The mbean allows the RMI server implementation to be plugged into a
JMX framework and externalizes the configuration of the verification information
store. It also establishes a authentication cache that is bound into the JBoss server
JNDI namespace.</para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ <xref linkend = "sx.SRP.diagram"/> gives a diagram of the key
components involved in the SRP client/server framework.</para>
+ <figure id = "sx.SRP.diagram">
+ <title>Components of the SRP Client-Server Framework</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata fileref =
"images/jbosssx/SRPComponents.gif"/>
+ </imageobject>
+ </mediaobject>
+ </figure>
</section>
<section id = "sx.loginmodules">
<title>Custom LoginModules</title>
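Review bot: two spelling errors survive the rewrite of the SRP component list: "implimentation" in both the RMI item and the JAAS LoginModule item should be "implementation", and "a authentication cache" in the new JMX mbean item should be "an authentication cache". The section title in the context lines, "The Secure Remote Password(SRP) Protocol", is missing a space before the parenthesis. Moving the `itemizedlist` out of the `para` is a good structural fix; the new `figure` referenced by `<xref linkend = "sx.SRP.diagram"/>` has a matching `id`, so the cross-reference will resolve.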
@@ -607,12 +605,42 @@
</itemizedlist>
</section>
<section id = "sx.login.AbstractServerLoginModule">
- <title>AbstractServerLoginModule</title>
+
<title>org.jboss.security.plugins.AbstractServerLoginModule</title>
<para>The AbstractServerLoginModule is an
abstract base class suitable that simplifies writing custom modules for the JBoss
server. It implements the Subject to Principals/Groups usage pattern described <xref
linkend = "sx.SubjectPatterns"/>. Any custom module you write should be a subclass of
AbstractServerLoginModule to ensure that it associates information with the
authenticated Subject in a manner consistent with the JBossSX supplied security
managers.</para>
</section>
<section id = "sx.login.JaasServerLoginModule">
- <title>JaasServerLoginModule</title>
- <para>The JaasServerLoginModule is a simple
properties file based module. It uses a users.properties to obtain the valid users and
their passwords and a roles.properties to assign roles to users.</para>
+
<title>org.jboss.security.plugins.samples.JaasServerLoginModule</title>
+ <para>The JaasServerLoginModule is a simple
properties file based login module that consults two Java Properties
+formatted text files for username to password("users.properties") and
+username to roles("roles.properties") mapping. The properties files are loaded
+during initialization using the thread context class loader. This means that
+these files can be placed into the J2EE deployment jar or the JBoss config
+directory.
+
+The users.properties file uses a format:
+<programlisting>
+ username1=password1
+ username2=password2
+ ...
+</programlisting>
+to define all valid usernames and their corresponding passwords.
+
+The roles.properties file uses a format:
+<programlisting>
+ username1=role1,role2,...
+ username1.RoleGroup1=role3,role4,...
+ username2=role1,role3,...
+</programlisting>
+to define the sets of roles for valid usernames. The "username.XXX" form of
+property name is used to assign the username roles to a particular named
+group of roles where the XXX portion of the property name is the group name.
+The "username=..." form is an abbreviation for "username.Roles=...".
+The following are therefore equivalent:
+<programlisting>
+ jduke=TheDuke,AnimatedCharacter
+ jduke.Roles=TheDuke,AnimatedCharacter
+</programlisting>
+ </para>
</section>
<section id = "sx.login.ProxyLoginModule">
<title>org.jboss.security.ProxyLoginModule</title>
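Review bot: the new JaasServerLoginModule text should say plainly that `users.properties` holds passwords in clear text, since the `username1=password1` format it documents makes that the case, and that both files are resolved through the thread context class loader, so a deployer needs to know which copy wins when a file of the same name exists in both the deployment jar and the JBoss config directory. Minor wording in the added lines: "password("users.properties")" and "roles("roles.properties")" need a space before the parenthesis, and "username to password ... and username to roles mapping" reads better as "username-to-password and username-to-roles mappings". In the unchanged AbstractServerLoginModule paragraph, "abstract base class suitable that simplifies" should be "abstract base class that simplifies", and "described <xref linkend = "sx.SubjectPatterns"/>" is missing "in".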
@@ -675,33 +703,60 @@
<section>
<title>org.jboss.security.plugins.samples.DatabaseServerLoginModule</title>
<para>DatabaseServerLoginModule is a JDBC
based login module that supports authentication and role mapping. It is based on two
logical tables, Principals and Roles.
-A simple view of the schema is given in <xref linkend="sx.table.model" />
- <figure id="sx.table.model">
- <title>The DatabaseServerLoginModule Logical Tables</title>
- <mediaobject>
- <imageobject>
- <imagedata fileref =
"images/jbosssx/LMDatabaseModel.jpg" />
- </imageobject>
- </mediaobject>
- </figure>
-
-The Principals table associates the user principalID with the valid password and
the Roles table associates the principalIDd with its role sets. The tables are logical
in that you can specify the sql query that the login module uses so as long as the
result set has the same structure the tables and columns can be called anything.
+A simple view of the schema is given in <xref linkend = "sx.table.model"/>
+ <figure id = "sx.table.model">
+ <title>The
DatabaseServerLoginModule Logical Tables</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata
fileref = "images/jbosssx/LMDatabaseModel.jpg"/>
+ </imageobject>
+ </mediaobject>
+ </figure>The Principals table
associates the user principalID with the valid password and the Roles table associates
the principalIDd with its role sets. The tables are logical in that you can specify
the sql query that the login module uses so as long as the result set has the same
structure the tables and columns can be called anything.
The module options are:</para>
- <itemizedlist>
- <listitem>
- <para>dsJndiName: The name of
the DataSource of the database containing the Principals and Roles tables</para>
- </listitem>
- <listitem>
- <para>principalsQuery: The
prepared statement query equivalent to,
+ <variablelist>
+ <varlistentry>
+ <term>dsJndiName</term>
+ <listitem>
+ <para>The name of the
DataSource of the database containing the Principals and Roles tables</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>principalsQuery</term>
+ <listitem>
+ <para>The prepared
statement query equivalent to,
<quote>select Password from Principals where PrincipalID=?</quote>
- </para>
- </listitem>
- <listitem>
- <para>rolesQuery: The prepared
statement query equivalent to,<quote>select Role, RoleGroup from Roles where
PrincipalID=?</quote>
- </para>
- </listitem>
- </itemizedlist>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>rolesQuery</term>
+ <listitem>
+ <para>The prepared
statement query equivalent to,<quote>select Role, RoleGroup from Roles where
PrincipalID=?</quote>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </section>
+ <section>
+
<title>org.jboss.security.srp.jaas.SRPCacheLoginModule</title>
+ <para>SRPCacheLoginModule is server side login
module that validates a username and session client challenge response against the
cache of authentication info maintained by the SRPService mbean. This module needs a
CallbackHandler that supplies the user principal and credential via the
SecurityAssociationCallback object.
+
+The module options are:</para>
+ <variablelist>
+ <varlistentry>
+ <term>cacheJndiName</term>
+ <listitem>
+ <para>: The name of
the DataSource of the database containing the Principals and Roles tables</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>domainName</term>
+ <listitem>
+ <para>the security
domain name</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</section>
</section>
<section id = "ClientSideLoginModules">
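Review bot: the `cacheJndiName` description in the new SRPCacheLoginModule section is a copy of the `dsJndiName` text ("The name of the DataSource of the database containing the Principals and Roles tables"), which is wrong for an option that names the authentication cache the SRPService mbean binds into JNDI; it should describe the cache's JNDI name, and the stray leading ": " in that `para` should go. In the same section, "is server side login module" needs "a", and "the security domain name" should be capitalized to match the other entries. In the DatabaseServerLoginModule hunk, "principalIDd" should be "principalID", "A simple view of the schema is given in <xref .../>" ends without punctuation, and the text after `</figure>` runs straight on inside the same `para`; a separate `para` for "The Principals table associates..." would render cleanly. Converting the option list to a `variablelist` is an improvement and the three `term`/`listitem` pairs are balanced.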
@@ -791,4 +846,4 @@
</releaseinfo>
</biblioentry>
</bibliography>
-</chapter>
+</chapter>
\ No newline at end of file
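Review bot: the only change in this hunk is that the new revision drops the trailing newline after `</chapter>` (hence "\ No newline at end of file"); restore it so the next edit to the file does not produce a spurious one-line diff here.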
_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-development