JGSS Package

This is the distribution site for the University of Illinois Systems Software Research Group 's JGSS package. The JGSS package provides Java programs access to Kerberos' Generic Security Services API. This API implements the Generic Security Service API defined in RFC-1508 and revised in the IETF Common Authentication Technology WG's Internet-Draft draft-ietf-cat-gssv2-??.txt . The API's services include the signing and sealing of messages, and a generic authentication mechanism.

How to Obtain and Build the Latest Version:

This package may be freely distributed. However, in order to make use of this package you must have:

Sun's Java Development Kit (version 1.0.0 or later).
MIT's Kerberos V5.

The latest version may be obtained and installed as follows:

Download the distribution file Beta 1.0 JGSS.b1.tar.gz or Alpha 2.0 JGSS.tar.gz .
Un-tar and uncompress JGSS.b1.tar.gz or JGSS.tar.gz. This should create a small directory tree whose root is called JGSS.
Edit the file JGSS/Makefile as follows:
- Set the JAVAHOME variable to the location of your java development kit.
- Set the KERBEROSHOME variable to the root of your Kerberos source tree.
Build the JGSS package. This should produce a shared library called JGSS/lib/libJGSS.so, and many .class files for the Java package in JGSS/security/GSS.

How to Use the security.GSS Package and Run the Demo

In order to use the security.GSS package in a Java application, you must:

Include JGSS in your CLASSPATH environment variable.
Include JGSS/lib in your LD_LIBRARY_PATH environment variable.

A GSS demo server and client are also built with the JGSS system. They can be found in the JGSS/demo directory. The server runs as a stand alone java application while the client can either run as a stand alone java application or a java applet fetched off the web. Since the server need access the private key table you must:

either run it with root priviledge
or make the key table readable to the server

To run the client as a stand alone java application, you must:

Execute Kerberos' kinit program.
Execute java ClientDemoApp.

To run the clinet as an applet, you must:

Execute Kerberos's kinit program.
Put JGSS/demo/demo.html, JGSS/demo/GSSClientApplet.class, JGSS/demo/ClientDemoWindow.class, JGSS/demo/Cool_Button.class, and JGSS/demo/Animation_Area.class in a directory where the HTTP web server can access
Start up netscape or appletviewer to access demo.html, e.g. http://gorgius.cs.uiuc.edu/demo.html
Because of the restriction of applets, the host where the HTTP web server resides has to be the same as the one where the demo server runs

Documentation

RFC-1508.
draft-ietf-cat-gssv2-??.txt.
Java package JGSS documentation (under construction).

Our Current Project

Our current project is to use the services provided by the JGSS package to implement our active capability security and protection model, which synthesizes several recent innovations in type safe scripting languages, extensible operating systems, and software protection. Essentially, this model extends traditional capabilities with user-definable scripts, called active capabilities, which are written in Java. The active capabilities are responsible for encapsulating the complicated fine-grained application-specific aspects of the security policy, leaving the underlying system to implement only a small set of basic primitives.

Not only is this system easily extensible, but it is better suited to handle revocation, propagation confinement, and auditing than traditional capability schemes. Because of these features, the active capability protection model will perform well in a large-scale distributed environment such as the internet.

Back to the SSRG Security page...

Please direct comments and questions to Tin Qian (tinq@cs.uiuc.edu), Zhaoyu Liu (zhaoyu@cs.uiuc.edu), or Tim Fraser (tfraser@cs.uiuc.edu)