Hello,
I need to implement a simple login / password authentication for my
client-server application, preferably some kind of challenge-response
protocol. I would like to use an existing solution (SASL + CRAM-MD5?),
but I am a bit overwhelmed by all the APIs (SASL, JAAS etc.) and
really I need something simple. What would you recommend?
Regards,
Mike.
Ralf Ullrich - 11 Feb 2007 15:18 GMT
>Hello,
>I need to implement a simple login / password authentication for my
[quoted text clipped - 5 lines]
>Regards,
>Mike.
Using SASL is actually quite simple and straightforward. You have to
create a SaslClient (sc) on your client side, and a SaslServer (ss) on
your server side. Then on both sides you have to write a loop that is
controlled by the sc/ss object. During this loop the callback handler
that you provided when creating the Sasl* objects will receive callbacks.
After the loop finishes, you will know whether the authentication was
successful or not.
All you need to know to successfully use SASL is described here:
Java SASL Programming Guide -
http://java.sun.com/javase/6/docs/technotes/guides/security/sasl/sasl-refguide.html
Ah, and one thing I should mention: you have to define the messages in
your application protocol that will encapsulate the SASL messages to be
exchanged. This is only indicated in the above guide through "send(...)"
and "msg.receive()" calls. If you need an idea how to do this, look into
the RFCs regarding the use of SASL in SMTP or NNTP (sorry, too lazy to look
'em up for you). However, it's quite easy: just define messages that can
transport some binary data (the SASL data) and have an associated status
of Continue, Success or Error. (Just look at the "send(...)" calls in the
guide, and you'll know what types of messages you need.)
cu
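The loop, callback handlers and Continue/Success/Error message type described above, as an added example that is not code from the thread: a CRAM-MD5 SaslClient and SaslServer driven in one process with the JDK's built-in provider (Java 16+ for records and pattern matching). The class name, the Frame type, the protocol and server names "myproto"/"srv.example" and the "mike" credential are all assumptions made for the example.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;
public class SaslCramMd5Demo {
    // Application-protocol message wrapping the SASL bytes (see the reply).
    enum Status { CONTINUE, SUCCESS, ERROR }
    record Frame(Status status, byte[] data) {}
    // Constructed credential; a real server would look it up per user.
    static final String USER = "mike";
    static final char[] SECRET = "correct horse".toCharArray();
    // Client callbacks: the mechanism asks for a name and a password.
    static CallbackHandler clientHandler(String user, char[] pw) {
        return cbs -> { for (Callback cb : cbs) {
            if (cb instanceof NameCallback nc) nc.setName(user);
            else if (cb instanceof PasswordCallback pc) pc.setPassword(pw);
            else throw new UnsupportedCallbackException(cb); } };
    }
    // Server callbacks: NameCallback carries the claimed user as default name,
    // PasswordCallback wants that user's secret (null = unknown user),
    // AuthorizeCallback confirms the authn identity may act as the authz one.
    static CallbackHandler serverHandler() {
        return cbs -> { String name = null; for (Callback cb : cbs) {
            if (cb instanceof NameCallback nc) name = nc.getDefaultName();
            else if (cb instanceof PasswordCallback pc)
                pc.setPassword(USER.equals(name) ? SECRET.clone() : null);
            else if (cb instanceof AuthorizeCallback ac)
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
            else throw new UnsupportedCallbackException(cb); } };
    }
    // The loop: hand received bytes to the Sasl* object, send back what it
    // produces, stop when the server side completes or fails.
    static boolean authenticate(SaslClient sc, SaslServer ss) throws SaslException {
        byte[] toServer = sc.hasInitialResponse() ? sc.evaluateChallenge(new byte[0]) : new byte[0];
        while (true) {
            Frame reply;                       // server half of one round trip
            try {
                byte[] data = ss.evaluateResponse(toServer);
                reply = new Frame(ss.isComplete() ? Status.SUCCESS : Status.CONTINUE, data);
            } catch (SaslException e) {        // generic failure, no detail leaked
                reply = new Frame(Status.ERROR, null);
            }
            if (reply.status() == Status.ERROR) return false;   // client half
            if (reply.data() != null) toServer = sc.evaluateChallenge(reply.data());
            if (reply.status() == Status.SUCCESS) return sc.isComplete();
        }
    }
    public static void main(String[] args) throws Exception {
        SaslServer ss = Sasl.createSaslServer("CRAM-MD5", "myproto", "srv.example", null, serverHandler());
        SaslClient sc = Sasl.createSaslClient(new String[] {"CRAM-MD5"}, null, "myproto", "srv.example", null, clientHandler(USER, SECRET));
        System.out.println("authenticated: " + authenticate(sc, ss));
    }
}
```

The loop itself is mechanism-independent, so swapping "CRAM-MD5" for another mechanism only changes the callbacks. Note that CRAM-MD5 requires the server to hold the plaintext password (the PasswordCallback above) and is built on MD5, which is the practical cost of this particular mechanism.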
Mike Amling - 13 Feb 2007 19:41 GMT
> Hello,
> I need to implement a simple login / password authentication for my
> client-server application, preferably some kind of challenge-response
> protocol. I would like to use an existing solution (SASL + CRAM-MD5?),
> but I am a bit overwhelmed by all the APIs (SASL, JAAS etc.) and
> really I need something simple. What would you recommend?
SRP has good properties. An attacker who observes the client/server
traffic, or who interacts with the client while masquerading as the
server, or who is a man-in-the-middle between the actual client and
server does not learn enough to determine the password or anything else
that would be sufficient to log in.
RFC2945 describes SRP-3 (http://www.ietf.org/rfc/rfc2945.txt), which
may be a little outdated. SRP-6 is even better
(http://srp.stanford.edu/design.html).
The multiprecision arithmetic can all be done using functions in
BigInteger.
--Mike Amling