I've been working through the SRP example in the JBoss dev guide (http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html#ch8.srp.sect).
I'm wondering if it would be possible to use SRP to authenticate a JBoss Web Services SEI? The problem I'm having when trying to think about how such a thing would happen is how the actual SRP handshaking would occur.
One way this might happen would be (before the actual web-services SEI call) an SRP negotiation involving standard XML/SOAP messages?
Alternatively, does/can the SRP auth happen at some lower protocol level (sort of like SSL works -- maybe at the transport layer)?
According to the JBoss dev guide, the current JBoss SRP classes have:
+ An implementation of the SRP handshake protocol that is independent of any particular client/server protocol
+ An RMI implementation of the handshake protocol as the default client/server SRP implementation
Check out the source for the handshake. The only way this could be used with a webservice client would be a custom authenticator that did something like a DIGEST auth challenge.
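The four messages any transport would have to carry for the SRP handshake discussed in this thread, as an added example that is not part of either post and is not JBoss code. It follows the SRP-6a arithmetic; the toy group, the SHA-256 hash and all function names are assumptions made for the demo.

```python
import hashlib, hmac, secrets

# Toy group, constructed for this demo (assumption): 2**127 - 1 is prime but
# far too small and not a safe prime. Real SRP uses a large standardized group.
N, g = 2**127 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed parts, as an int (hash choice is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        p = p.to_bytes(32, "big") if isinstance(p, int) else p.encode() if isinstance(p, str) else p
        h.update(len(p).to_bytes(2, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def register(user, password):
    """Enrollment: the server stores only (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, user, password), N)

def same(x, y):
    """Constant-time comparison of two hash values."""
    return hmac.compare_digest(x.to_bytes(32, "big"), y.to_bytes(32, "big"))

def handshake(user, password, salt, v):
    """Run the four messages in-process; return (server_accepts, client_accepts)."""
    # Message 1, client -> server: user, A
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Message 2, server -> client: salt, B (the challenge step)
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(A, B)
    if A % N == 0 or B % N == 0 or u == 0:
        return False, False          # both sides abort on degenerate values
    # Message 3, client -> server: M1, proof that the client derived the key
    x = H(salt, user, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    M1 = H(A, B, S_client)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    if not same(M1, H(A, B, S_server)):
        return False, False          # server rejects and sends no M2
    # Message 4, server -> client: M2, proof that the server holds the verifier
    M2 = H(A, M1, S_server)
    return True, same(M2, H(A, M1, S_client))
```

The password never crosses the wire in any of the four messages, and the server proves itself to the client as well as the reverse.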