Verifying *real* usernames/passwords in Java with Shaj

21 Apr 2005

For all of Java's authentication/security API's, there is actually no way of verifying a user's password with the underlying operating system. We wanted to support this kind of authentication in FishEye1, so I sat down one weekend and cooked up in C some win32 and Unix code to verify usernames/passwords, added a dash of JNI and then topped it all nicely with a simple Java interface.

And I liked it so much I bought the company released it as open source: Shaj (Simple Host Authentication for Java).

I'm a big fan of no-fuss API's. This is how you use Shaj:

String domain = ...; // a win32 domain, or the name of a PAM service
boolean correctPassword = Shaj.checkPassword(domain, "username", "password");

// Shaj can even check group membership:
boolean inGroup = Shaj.checkGroupMembership(domain, "username", "somegroup");

Drop me a note if you find Shaj useful. We've been using this code in FishEye for a while now; the first release of Shaj is 0.5, but it will rapidly hit 1.0 (pending some more field trials). Shaj is released under the Apache License 2.0, so you will have no troubles using it in your project.

1 Speaking of FishEye: introductory pricing is about to end, so if you are thinking of buying it, get cracking.

  • Home
  • Blog