The Java Web 2.0 Application Stack: Steps to a CAPTCHA Implementation using JAVA/JSP

Wednesday, November 30, 2011

Steps to a CAPTCHA Implementation using JAVA/JSP

CAPTCHA can quickly and easily protect your web application against brute force and bot attacks or abuse. There are just a few simple steps to a CAPTCHA implementation in Java/JSP. The solution is simple and the documentation is quite clear, so I only provide the steps and quick links to those resources.

Step 1: Signup for a CAPTCHA account and generate keys for your website domains.
Navigate to http://www.google.com/recaptcha and signup for an account. After obtaining a login, generate keys for your domain.

Step 2: Find the developers guide for CAPTCHA
Navigate to http://code.google.com/apis/recaptcha/intro.html. From here, you'll find all the information you need. Notice in the left hand menu, there's a Java/JSP Plugin link available. Click into that.

Step 3: Download the Java/JSP Plugin and Implement
Navigate to http://code.google.com/apis/recaptcha/docs/java.html where you will find a link to download the plugin, which is a set of Java classes. Extract the source files into your web applications java source tree. The directions on the page are extremely straight forward.

The form page looks like:

 
<%@ page import="net.tanesha.recaptcha.ReCaptcha" %>
<%@ page import="net.tanesha.recaptcha.ReCaptchaFactory" %>

<html>
<body>
<form action="" method="post">
   <%
      ReCaptcha c = ReCaptchaFactory.newReCaptcha("your_public_key", "your_private_key", false);
      out.print(c.createRecaptchaHtml(null, null));
   %>
   <input type="submit" value="submit" />
</form>
</body>
</html>

You also may be using reCaptcha over https. In that case, follow the instructions from this page: http://code.google.com/apis/recaptcha/docs/tips.html

<script type="text/javascript"
   src="https://www.google.com/recaptcha/api/challenge?k=your_public_key">
</script>

<noscript>
   <iframe src="https://www.google.com/recaptcha/api/noscript?k=your_public_key"
       height="300" width="500" frameborder="0"></iframe><br>
   <textarea name="recaptcha_challenge_field" rows="3" cols="40">
   </textarea>
   <input type="hidden" name="recaptcha_response_field"
       value="manual_challenge">
</noscript>

When the form is submitted, the reCaptcha entries can be verified easily.

<%@ page import="net.tanesha.recaptcha.ReCaptchaImpl" %>
<%@ page import="net.tanesha.recaptcha.ReCaptchaResponse" %>

    <html>
       <body>
       <%
        String remoteAddr = request.getRemoteAddr();
        ReCaptchaImpl reCaptcha = new ReCaptchaImpl();
        reCaptcha.setPrivateKey("your_private_key");

        String challenge = request.getParameter("recaptcha_challenge_field");
        String uresponse = request.getParameter("recaptcha_response_field");
        ReCaptchaResponse reCaptchaResponse = reCaptcha.checkAnswer(remoteAddr, challenge, uresponse);

        if (reCaptchaResponse.isValid()) {
          out.print("Answer was entered correctly!");
        } else {
          out.print("Answer is wrong");
        }
      %>
      </body>
    </html>

Step 4: Give the JVM a time interval to refresh its DNS cache
By default the Java Virtual Machine (JVM) caches all DNS lookups forever instead of using the time-to-live (TTL) value which is specified in the DNS record of each host. To fix this issue for good, you can pass -Dsun.net.inetaddr.ttl=30 to your app-server (this tells Java to only cache DNS for 30 seconds).

There is a great article on the JVM and DNS caching. A must read at http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/1887

The steps above are quick and easy to implement, post back and let me know if you have any issues with the implementation and I will try and assist.