A JBoss Security Extension Layer
The JBossSX security extension provides support for a security proxy layer
and an extensible JAAS subject based authentication and authorization layer.
The security proxy layer allows custom security to be added to an EJB in
a way that is independent of the EJB business object. This is done by adding
a security proxy delegate to the existing SecurityInterceptor plugin.
The basic extension is independent of JAAS, but the bulk of the JBossSX module
is a JAAS based implementation of the proxy layer. The following elements are
included in the release:
- A new SRPLoginModule and JMX services that provide a cryptographically secure
	login mechanism. This is an implementation of RFC 2945, the 'Secure Remote Password'
	cryptographic authentication system developed by Tom Wu (tjw@CS.Stanford.EDU).
	From an abstract of a paper by Wu:

	... a new password authentication and key-exchange protocol suitable for
	authenticating users and exchanging keys over an untrusted network. The
	new protocol resists dictionary attacks mounted by either passive or active
	network intruders, allowing, in principle, even weak passphrases to be used
	safely. It also offers perfect forward secrecy, which protects past sessions
	and passwords against future compromises. Finally, user passwords are stored
	in a form that is not plaintext-equivalent to the password itself, so an
	attacker who captures the password database cannot use it directly to
	compromise security and gain immediate access to the host. This new protocol
	combines techniques of zero-knowledge proofs with asymmetric key exchange
	protocols and offers significantly improved performance over comparably
	strong extended methods that resist stolen-verifier attacks such as Augmented
	EKE or B-SPEKE.

	See http://www-cs-students.stanford.edu/~tjw/srp/ for details on SRP.

- A custom implementation of the javax.security.auth.Policy and
	javax.security.auth.login.Configuration classes that combines the notions
	of user authentication and authorization into a multiple security domain
	notion. Each security domain can define its own login module stack and user
	based permissions. The authentication and authorization information is
	accessed through a store abstraction (IAppPolicyStore) that allows for
	integrating with arbitrary security stores.

- An XML based implementation of IAppPolicyStore that allows for
	security domain information to be represented by an XML document.

- Updated JAAS based security manager that adds an authentication
	credential cache policy that lazily refreshes/expires the credentials.

- A sample implementation of a JAAS based security proxy to demonstrate
	the usage of the contrib security elements.

- A sample implementation of a security proxy that does not use JAAS
	to demonstrate non-JAAS custom security.
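The SRP exchange behind the SRPLoginModule listed above, worked end to end as an added example. This is not JBossSX code and not Tom Wu's reference implementation: the group parameters are a constructed 128-bit toy safe prime generated inside the block (RFC 2945 deployments use far larger groups), SHA-256 is swapped in for the RFC's SHA-1 and SHA_Interleave, and the function names (make_group, register, private_x, srp_exchange, _proof) are this example's own. It follows the RFC 2945 message flow: enrolment stores only a salt and the verifier v = g^x, the client sends A = g^a, the server answers with B = v + g^b, both derive u from H(B), each side computes the session key from its own secrets, and the client's M1 proof is checked in constant time.

```python
"""Worked SRP (RFC 2945 style) exchange; added example, not JBossSX code."""
import hashlib
import hmac
import random
import secrets

BITS = 128  # constructed toy group size; real deployments use >= 1024-bit safe primes


def _is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin with witnesses drawn from a seeded RNG (reproducible)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = BITS, seed: int = 2945):
    """Constructed parameters: a safe prime N = 2q + 1 and a generator g of Z_N*."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        N = 2 * q + 1
        if _is_probable_prime(q) and _is_probable_prime(N):
            break
    g = 2
    while pow(g, 2, N) == 1 or pow(g, q, N) == 1:  # skip elements of order 1, 2 or q
        g += 1
    return N, g


def H(*parts: bytes) -> bytes:
    """SHA-256 stands in for the SHA-1 / SHA_Interleave of RFC 2945."""
    return hashlib.sha256(b"".join(parts)).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def private_x(salt: bytes, username: str, password: str) -> int:
    """RFC 2945: x = H(s | H(U | ':' | p)); only a party holding p can compute it."""
    return int.from_bytes(H(salt, H(username.encode(), b":", password.encode())), "big")


def register(N: int, g: int, username: str, password: str):
    """Enrolment: the server keeps (salt, verifier v = g^x) and never x or the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


def _proof(N, g, username, salt, A, B, K):
    """Client key-confirmation message M1 = H(H(N) xor H(g), H(U), s, A, B, K)."""
    hng = bytes(i ^ j for i, j in zip(H(i2b(N)), H(i2b(g))))
    return H(hng, H(username.encode()), salt, i2b(A), i2b(B), K)


def srp_exchange(N, g, username, password, salt, verifier):
    """Run both sides of the handshake; returns (client_key, server_key, accepted)."""
    # client -> server: username and A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # server: refuse A == 0 mod N, then answer with the salt and B = v + g^b
    if A % N == 0:
        raise ValueError("degenerate A")
    b = secrets.randbelow(N - 2) + 1
    B = (verifier + pow(g, b, N)) % N
    # both sides: u = leading 32 bits of H(B); RFC 2945 aborts on u == 0
    u = int.from_bytes(H(i2b(B))[:4], "big")
    if B % N == 0 or u == 0:
        raise ValueError("degenerate B or u")
    # client: S = (B - g^x)^(a + u*x); a wrong password yields a wrong x, hence a wrong S
    x = private_x(salt, username, password)
    K_c = H(i2b(pow((B - pow(g, x, N)) % N, a + u * x, N)))
    # server: S = (A * v^u)^b, computed from the stored verifier alone
    K_s = H(i2b(pow(A * pow(verifier, u, N) % N, b, N)))
    # client proves possession of K with M1; the server compares in constant time
    M1 = _proof(N, g, username, salt, A, B, K_c)
    accepted = hmac.compare_digest(M1, _proof(N, g, username, salt, A, B, K_s))
    return K_c, K_s, accepted


if __name__ == "__main__":
    N, g = make_group()
    salt, v = register(N, g, "alice", "correct horse battery")
    print(srp_exchange(N, g, "alice", "correct horse battery", salt, v)[2])  # True
    print(srp_exchange(N, g, "alice", "wrong password", salt, v)[2])          # False
```

The two properties the abstract claims are visible in the code paths: the server side never touches the password or x, only the stored verifier, so a copied password database gives an attacker nothing that replaces knowing the password; and every run draws fresh a and b, so the session key is not recoverable from the verifier or from a later compromise of either party's long-term state.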
The JBossSX module is integrated with the current JBoss core module as
three jar files:

	- client/jbosssx-client.jar
	- lib/jboss-jaas.jar
	- lib/ext/jbosssx.jar