For all of Java's authentication/security API's, there is actually no way of verifying a user's password with the underlying operating system. Shaj is a simple Java library that allows your Java app to verify users with the underlying operating system. Shaj also allows you to check group membership.

Shaj is not an authenication library; it's not a replacement for JAAS, which can use an underlying operating system to authenticate and authorize users as well via the various operating system-specific modules. It's meant for simple validation purposes.

Shaj currently supports Windows and Unix (PAM), and comes with pre-compiled JNI libraries for win32, Linux, Mac OS-X and Solaris. Shaj should work on Java 1.2+ JVM's. Shaj is written in C and Java.

Shaj is licensed under the Apache 2.0 License.

This sounds like a fantastic feature, my question is: Under Apache 2.0 License, if I incorporate this library into my code, does my application now become subject to Apache 2.0 License or do I just need to include the materials to uphold the Apache license for Shaj?

If using Shaj doesn't interfere with how I license my own product, that sounds great.

-Chris

The Apache 2.0 License is not "viral" in this way. The last paragraph in section 4 should address you question: http://www.apache.org/licenses/LICENSE-2.0.html

Or to put it another way: as the author of Shaj, I'm more than happy for you to use Shaj in your application :D

Actually, this sums it up best: http://www.apache.org/foundation/licence-FAQ.html#WhatDoesItMEAN

Some basic documentation as to how to set up and what all classes to use would have been great.
Do you think you will become popolar just like that - by making every user to go thru the source code. ?

There are already today JAAS Modules to perform this

Java Authentication and Authorization Service (JAAS)
http://java.sun.com/products/jaas/index.jsp

There are already today JAAS Modules to perform this

Bruno,

If you have working JAAS code that allows you to verify usernames and passwords of arbitrary users (on win32/linux/solaris/osx), I'd love to see it.

Matt Quail,
Why can't?
see com.sun.security.auth package.

Why can't? see com.sun.security.auth package.

Kewan,
I'd love to be proven wrong, but those com.sun.security.auth classes (NTLoginModule and UnixModule) only retrieve the current user, not any arbitrary user.

Here you go, for Win32 at least.
http://free.tagish.net/jaas/index.jsp

Some basic documentation as to how to set up and what all classes to use would have been great.

Sean, Shaj is easy to setup and use, the documenation is here (it links through to the javadoc):
 http://opensource.cenqua.com/shaj/doc.html

Hurrah!

A great idea.
Perfect for app side or web side user authentication I presume?

i.e. an intranet web site where they still enter their passwd, but the server can then use Shaj to check it via the 'NTLM stuff' (been a while since I was involved with this).

Jonathan

Look's nice but is there any possibility how to check password in hash form, which you get from IE when using NTLM auth?

Thanks

hi, i tried to use Shaj for a practice but it seems that it is not working right to check my local linux computer for proper username and password.<br>
Here is my code from test.java:<br>

import com.cenqua.shaj.Shaj;

public class test{
public static void main(String[] args){
boolean correctPassword = Shaj.checkPassword(null, "john", "test");
if (correctPassword)
System.out.println("Authorized User.");
else
System.out.println("Incorrect UserName/Password.");
}
}//end of test



any ideas why it is not working?<br>
thanks!