com.cenqua.shaj
Class PAMAuthenticator

java.lang.Object
  extended by com.cenqua.shaj.Authenticator
      extended by com.cenqua.shaj.PAMAuthenticator

public class PAMAuthenticator
extends Authenticator

Checks passwords against the local PAM service.

PAM (Pluggable Authentication Modules) is a common authentication mechanism on many Unix systems (e.g. Linux, Solaris, OS-X).

Shaj needs to be told which service name to use when conversing with PAM (this is the domain argument). You can create a new service name in your PAM configuration (typically /etc/pam.conf or /etc/pam.d/), or tell Shaj to use an existing service name (such as other, login or xscreensaver).

This class also contains static methods that can be used if you wish to call PAM directly, without going through the Authenticator interface.

Some platform-specific advice for configuring PAM follows (assuming you want to create a PAM service named shaj):

Linux: On many Linux distributions, you may need to create a /etc/pam.d/shaj file containing:

auth       required     pam_stack.so service=system-auth

Mac OS-X: On a default OS-X installation, you may need to create a /etc/pam.d/shaj file containing:

auth       sufficient     pam_securityserver.so
auth       required       pam_deny.so

Solaris: If you are using the default pam_unix_auth PAM configuration on Solaris, then you may need to add lines like these to your /etc/pam.conf file:

shaj auth requisite          pam_authtok_get.so.1
shaj auth required           pam_unix_auth.so.1

If you test this and it does not work, the likely cause is that, when pam_unix_auth is used on Solaris, the process doing the password check needs read access to /etc/shadow. Giving the process Shaj is running in read access to this file may solve the problem, but using permissions other than 0400 for /etc/shadow is not recommended. You should discuss this with your system administrators first, and possibly change to a PAM module other than pam_unix_auth.


Constructor Summary
PAMAuthenticator()

Method Summary
 boolean checkGroupMembership(java.lang.String domain, java.lang.String username, java.lang.String group, Log log)
          Tests if a user is a member of a specific group.
static boolean checkPAMGroupMembership(java.lang.String username, java.lang.String group, Log log)
          Tests a user for membership in a unix group.
static boolean checkPAMPassword(java.lang.String service, java.lang.String username, java.lang.String password, Log log)
          Checks a user's password in PAM.
 boolean checkPassword(java.lang.String domain, java.lang.String username, java.lang.String password, Log log)
          Checks a user's password.
static boolean isSupported()
          Determines if this Authenticator can be used on the underlying platform.
 
Methods inherited from class com.cenqua.shaj.Authenticator
getDefault
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PAMAuthenticator

public PAMAuthenticator()
Method Detail

isSupported

public static boolean isSupported()
Determines if this Authenticator can be used on the underlying platform.

Returns:
true if this platform supports PAM authentication.

checkPassword

public boolean checkPassword(java.lang.String domain,
                             java.lang.String username,
                             java.lang.String password,
                             Log log)
Description copied from class: Authenticator
Checks a user's password.

Specified by:
checkPassword in class Authenticator
Parameters:
domain - the (platform-specific) domain/service used to perform the check. May be null (which has a platform-specific meaning).
username - the username
password - the password to verify
log - where to log errors/debugging
Returns:
true if the password matches the username

checkGroupMembership

public boolean checkGroupMembership(java.lang.String domain,
                                    java.lang.String username,
                                    java.lang.String group,
                                    Log log)
Description copied from class: Authenticator
Tests if a user is a member of a specific group.

Specified by:
checkGroupMembership in class Authenticator
Parameters:
domain - the (platform-specific) domain/service used to perform the check. May be null (which has a platform-specific meaning).
username - the username to test for membership
group - the group to look in
log - where to log errors/debugging
Returns:
true if the user is a member of the group

checkPAMPassword

public static boolean checkPAMPassword(java.lang.String service,
                                       java.lang.String username,
                                       java.lang.String password,
                                       Log log)
Checks a user's password in PAM.

Parameters:
service - the PAM service to use. May be null (in which case "other" is used).
username - the username
password - the password to verify
log - where to log errors/debugging
Returns:
true if the password matches the username
Throws:
java.lang.IllegalArgumentException - if username or password are null.
java.lang.IllegalStateException - if Shaj did not load correctly (if Shaj.init() returns false).

checkPAMGroupMembership

public static boolean checkPAMGroupMembership(java.lang.String username,
                                              java.lang.String group,
                                              Log log)
Tests a user for membership in a unix group.

Note: the getgrent(3) call is used to test group membership, not PAM, as the name of this method might suggest. (PAM has no group-membership testing functions.)

Parameters:
username - the username to test for membership
group - the group to look in
log - where to log errors/debugging
Returns:
true if the user is a member of the group
Throws:
java.lang.IllegalArgumentException - if username or group are null.
java.lang.IllegalStateException - if Shaj did not load correctly (if Shaj.init() returns false).
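An added example (not Shaj's own code or from this page) that ties the pieces above together: it authenticates against the PAM service named shaj from the configuration advice, then uses checkPAMGroupMembership for authorization and handles the null-argument and not-loaded failure modes separately. It assumes Shaj's Log interface lives in com.cenqua.shaj.log with an error(String) method and a Log.Factory.getInstance() default, and that the Shaj class is in com.cenqua.shaj; neither is documented on this page.

```java
import com.cenqua.shaj.PAMAuthenticator;
import com.cenqua.shaj.Shaj;        // assumed package for the Shaj class named on this page
import com.cenqua.shaj.log.Log;     // assumed package for Shaj's Log interface

public final class ShajPamLogin {

    /** PAM service name from the configuration advice above; must exist in pam.conf or pam.d/. */
    private static final String SERVICE = "shaj";

    /** Constructed group name: only its members are allowed in. */
    private static final String REQUIRED_GROUP = "wiki-users";

    /**
     * True only if the password is valid AND the user is in REQUIRED_GROUP. A library-load
     * failure is logged and rejected rather than reported as a wrong password.
     */
    public static boolean login(String username, String password, Log log) {
        if (username == null || password == null) {
            return false;   // both PAM methods throw IllegalArgumentException on null
        }
        if (!PAMAuthenticator.isSupported()) {
            log.error("PAM authentication is not available on this platform");
            return false;
        }
        try {
            // Authentication: PAM runs the "shaj" stack configured above.
            if (!PAMAuthenticator.checkPAMPassword(SERVICE, username, password, log)) {
                return false;   // wrong password or PAM denial; details are in the log
            }
            // Authorization: consults the group database via getgrent(3), not PAM.
            return PAMAuthenticator.checkPAMGroupMembership(username, REQUIRED_GROUP, log);
        } catch (IllegalStateException e) {
            log.error("Shaj did not load (Shaj.init() returned false): " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        if (!Shaj.init()) {
            System.err.println("Shaj.init() failed; native library not loaded");
            return;
        }
        java.io.Console console = System.console();   // keeps the password out of argv
        String user = console.readLine("Username: ");
        String pw = new String(console.readPassword("Password: "));
        Log log = Log.Factory.getInstance();          // assumed Shaj helper for a default Log
        System.out.println(login(user, pw, log) ? "accepted" : "rejected");
    }
}
```

Because the group check reads the group database rather than PAM, the process needs only the usual read access to that database, whereas the password check inherits whatever access the configured PAM modules require (e.g. /etc/shadow with pam_unix_auth on Solaris).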


Copyright © 2005 Cenqua. All Rights Reserved.