Verifying *real* usernames/passwords in Java with Shaj

# 2005-04-21 18:06:23 -0400 | Java | 7 Comments

For all of Java’s authentication/security APIs, there is actually no way of verifying a user’s password with the underlying operating system. We wanted to support this kind of authentication in FishEye¹, so I sat down one weekend and cooked up in C some win32 and Unix code to verify usernames/passwords, added a dash of JNI and then topped it all nicely with a simple Java interface.

And I liked it so much I ~~bought the company~~ released it as open source: Shaj (Simple Host Authentication for Java).

I’m a big fan of no-fuss APIs. This is how you use Shaj:

```java
String domain = ...; // a win32 domain, or the name of a PAM service
boolean correctPassword = Shaj.checkPassword(domain, "username", "password");

// Shaj can even check group membership:
boolean inGroup = Shaj.checkGroupMembership(domain, "username", "somegroup");
```

Drop me a note if you find Shaj useful. We’ve been using this code in FishEye for a while now; the first release of Shaj is 0.5, but it will rapidly hit 1.0 (pending some more field trials). Shaj is released under the Apache License 2.0, so you will have no troubles using it in your project.
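
An added example, not part of the original post or of Shaj's own code: a login gate that requires both checks shown above to pass and fails closed when the backend errors out. The `HostLoginGate` class, the `HostCheck` interface, the `myapp` service name, the `app-users` group and the sample users are hypothetical, and the `Shaj::checkPassword` wiring in the comment is an assumption based on the static calls shown above; refusing a null domain is this example's policy, following the advice in comment 7 below.

```java
public class HostLoginGate {
    /** Same shape as Shaj.checkPassword and Shaj.checkGroupMembership in the post. */
    interface HostCheck { boolean test(String domain, String user, String value); }

    private final HostCheck password, membership;
    private final String domain, requiredGroup;

    HostLoginGate(HostCheck password, HostCheck membership, String domain, String requiredGroup) {
        // Policy of this example: insist on an explicit win32 domain or PAM service name.
        if (domain == null || domain.isEmpty() || requiredGroup == null || requiredGroup.isEmpty())
            throw new IllegalArgumentException("domain/PAM service and group must be set");
        this.password = password; this.membership = membership;
        this.domain = domain; this.requiredGroup = requiredGroup;
    }

    /** True only if the host accepts the password AND the user is in the required group. */
    boolean login(String user, String pw) {
        if (user == null || user.isEmpty() || pw == null || pw.isEmpty()) return false;
        try {
            return password.test(domain, user, pw) && membership.test(domain, user, requiredGroup);
        } catch (RuntimeException | LinkageError e) {
            // Fail closed: a backend error or a missing native library is never a login.
            // Only the exception type is logged, never the user name or password.
            System.err.println("host authentication unavailable: " + e.getClass().getName());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-ins so this runs without the native library. Assumed real
        // wiring: new HostLoginGate(Shaj::checkPassword, Shaj::checkGroupMembership, ...).
        HostCheck pw = (d, u, p) -> (u.equals("alice") && p.equals("correct horse"))
                                 || (u.equals("bob") && p.equals("hunter2"));
        HostCheck grp = (d, u, g) -> u.equals("alice") && g.equals("app-users");
        HostCheck broken = (d, u, v) -> { throw new UnsatisfiedLinkError("native lib not loaded"); };

        HostLoginGate gate = new HostLoginGate(pw, grp, "myapp", "app-users");
        System.out.println(gate.login("alice", "correct horse")); // valid password, in group
        System.out.println(gate.login("bob", "hunter2"));         // valid password, not in group
        System.out.println(gate.login("alice", "wrong"));         // bad password
        System.out.println(new HostLoginGate(broken, grp, "myapp", "app-users").login("alice", "x"));
        try {
            new HostLoginGate(pw, grp, null, "app-users");        // null domain is refused up front
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```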


¹ Speaking of FishEye: introductory pricing is about to end, so if you are thinking of buying it, get cracking.

7 Responses to this entry:

  1. PA Says:

    Hmmm… isn’t that what Java Authentication and Authorization Service (JAAS) is supposedly doing?

    http://java.sun.com/products/jaas/
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html

  2. Matt Quail Says:

    > Hmmm… isn’t that what Java Authentication and Authorization Service (JAAS) is supposedly doing?

    Nope. Or rather, JAAS provides no "LoginModule" for "system authentication". But I intend to add a JAAS adapter to Shaj so you can plug the two together.

    (If JAAS does do "system authentication", can someone send me working code, because I could never get it to work.)

  3. Anonymous Coward Says:

    http://free.tagish.net/jaas/doc.html

  4. Gregg Bolinger Says:

    This is a really nice package. Works great, simple, and I can actually use it in a project. Great work!

  5. john Says:

    Hi, I tried to use Shaj for a practice but it seems that it is not working right to check my local linux computer for proper username and password.
    Here is my code from test.java:

    ```java
    import com.cenqua.shaj.Shaj;

    public class test {
        public static void main(String[] args) {
            boolean correctPassword = Shaj.checkPassword(null, "john", "test");
            if (correctPassword)
                System.out.println("Authorized User.");
            else
                System.out.println("Incorrect UserName/Password.");
        }
    } // end of test
    ```

    Any ideas why it is not working?
    Thanks!

  6. Chris Says:

    Shaj does not seem to work for me. I tried shaj.checkPassword(null, user, pw); on Mac OS X but it returns false. Any ideas?

  7. spud Says:

    Chris, you definitely need to set up a PAM “service” and not pass in null as the first argument. See http://opensource.cenqua.com/shaj/api/com/cenqua/shaj/PAMAuthenticator.html
