
Captcha Introduction - ReCaptcha Implementation

A CAPTCHA is a program that can generate and grade tests that humans can pass but current computer programs cannot. It helps protect your site from a specific type of attack: “bots”, in which a script is executed to submit forms automatically in order to attack your site and bring it to a halt.

A few days back I got the requirement to introduce a captcha on the web registration page of my J2EE app. To be very frank, I felt delighted to do this, as for a long time I had been thinking of trying my hand at a captcha implementation. Two years back I tried this, but at that time I only got to know JCAPTCHA, and its documentation was not thorough; reCAPTCHA was somewhat specific to PHP, so I did not proceed at that time.

This time I started the search again and found something called SimpleCaptcha (http://simplecaptcha.sourceforge.net/), which I found to be sufficient and good enough. The advantage of SimpleCaptcha was that the implementation was very easy, it was in Java, and it ran entirely on your server side, which means that there is no need to connect to any third party on the internet for captcha verification. But I was not very sure about the strength of the algorithm that produces the images, and it required an HttpSession, which was creating some problems for me. Otherwise I found it to be good.

So I decided to go with reCAPTCHA (http://www.google.com/recaptcha/captcha), as I found its documentation to be very useful and the implementation was also very straightforward. I liked the reCAPTCHA concept as well. reCAPTCHA comes with plugins for various languages such as PHP, Java, etc.

So the first thing you should do, if you wish to use reCAPTCHA in your application, is to register your website name on http://www.google.com/recaptcha (it will take 5 minutes at most). You will get a private key and a public key. Store them safely somewhere; we have to use them later. You can use these keys for development on a dev environment, i.e. localhost URLs, as well.

Now for the UI component I had to go from a static HTML page to an action class. So I was a bit worried about how the words in the reCAPTCHA divs would appear on a static HTML page. But there is a solution to this: it can be done through an Ajax-based script, which is very simple, as written below:

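<script type="text/javascript" src="/js/jquery-1.6.2.min.js"></script>
<script type="text/javascript" src="http://www.google.com/recaptcha/api/js/recaptcha_ajax.js"></script>

<script type="text/javascript">
  // Render the reCAPTCHA widget into the element with id "div_name".
  // Replace "public key" with the public key issued for your site.
  Recaptcha.create("public key", 'div_name', {
    theme: 'white'
  });
</script>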

Just make a div in your page named ‘div_name’, include this script in your page, and you will be able to see the reCAPTCHA images in your page. Simple, isn’t it? It will work for your JSPs or any other web page as well. You can use different themes too. Don’t forget to use your public key here. You can also call a few JS functions such as Recaptcha.reload(), which generates a new image every time it is called.

The div will be populated with the captcha content and it will contain two fields, namely recaptcha_challenge_field (the image part) and recaptcha_response_field (the user input part). Now fill in the captcha user input field and submit it like any normal form submission (GET, POST). If you do not want to use Ajax, you can use scriptlets in your JSP. You have to import a jar from (http://code.google.com/p/recaptcha/downloads/list?q=label:java-Latest). This is all about the client side. So now we come to how to handle and verify the submitted captcha value on the server side of our code.

To handle server-side verification of the captcha, you have to connect to the reCAPTCHA server through an HTTP POST, which your application makes programmatically by opening a URL connection and posting parameters. There is a very easy way to do this: Google gives a link to download a jar which contains the classes to do this, so that we do not need to take the pain of writing this part. Import the jar for reCAPTCHA from (http://code.google.com/p/recaptcha/downloads/list?q=label:java-Latest); after downloading it you can write the code for captcha verification.

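The code is very simple and it looks like this:

import javax.servlet.http.HttpServletRequest;

import net.tanesha.recaptcha.ReCaptchaImpl;
import net.tanesha.recaptcha.ReCaptchaResponse;

// Wrapper class added so the method compiles; the class name is illustrative.
public class CaptchaValidator {

    // Private key issued when the site was registered; load it from configuration.
    private static final String CaptchaPrivateKey = "your private key";

    public static boolean isCaptchaValid(HttpServletRequest request) {
        String remoteAddr = request.getRemoteAddr();
        ReCaptchaImpl reCaptcha = new ReCaptchaImpl();
        reCaptcha.setPrivateKey(CaptchaPrivateKey);

        String challenge = request.getParameter("recaptcha_challenge_field");
        String uresponse = request.getParameter("recaptcha_response_field");

        // Fail closed: a request without both captcha fields is never valid.
        if (challenge == null || uresponse == null) {
            return false;
        }

        ReCaptchaResponse reCaptchaResponse = reCaptcha.checkAnswer(remoteAddr, challenge, uresponse);
        return reCaptchaResponse.isValid();
    }
}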

You have to use your private key here, which we generated earlier, get the parameter values for the response and challenge from the request, and then finally use this API call:

ReCaptchaResponse reCaptchaResponse = reCaptcha.checkAnswer(remoteAddr, challenge, uresponse);

When you look inside the source you will see it's actually making an HTTP POST to http://api-verify.recaptcha.net/verify with your response and challenge words as parameters. So in order to save time I preferred using the provided API. If you want to do it yourself, you can go ahead and do it yourself. It will return the reCaptchaResponse object, which will tell you whether the response was right or wrong. If it was wrong it will return false and you can check the error message through getErrorMessage(). Do not forget to use the correct private key, otherwise it will always return false. Now you have got the response for the captcha; it's up to your application logic what you want to do next.
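The verification call described above, written out as an added example (not code from the original post or from the recaptcha jar): it builds the form-encoded POST body and parses the reply, without making a network call. The parameter names (privatekey, remoteip, challenge, response), the two-line reply format and all sample values are assumptions based on the legacy verify API; the class name and the local error labels are hypothetical.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Added example: request body and reply handling for the verify call (no network I/O).
public class RecaptchaVerifySketch {

    // Outcome of one verification: valid flag plus an error code when it failed.
    static final class Result {
        final boolean valid;
        final String errorCode;
        Result(boolean valid, String errorCode) { this.valid = valid; this.errorCode = errorCode; }
    }

    // Build the form-encoded POST body. Every value is URL-encoded so that user
    // input containing '&' or '=' cannot add or override request parameters.
    static String buildBody(String privateKey, String remoteIp, String challenge, String response)
            throws UnsupportedEncodingException {
        return "privatekey=" + URLEncoder.encode(privateKey, "UTF-8")
             + "&remoteip=" + URLEncoder.encode(remoteIp, "UTF-8")
             + "&challenge=" + URLEncoder.encode(challenge, "UTF-8")
             + "&response=" + URLEncoder.encode(response, "UTF-8");
    }

    // Parse the reply (assumed format: line 1 "true" or "false", line 2 an error code).
    // Anything other than an exact "true" on line 1 counts as a failed check.
    static Result parse(String body) {
        if (body == null) return new Result(false, "no-response");        // local label
        String[] lines = body.split("\r?\n", -1);
        boolean ok = "true".equals(lines[0].trim());
        String err = null;
        if (!ok) {
            boolean hasCode = lines.length > 1 && !lines[1].trim().isEmpty();
            err = hasCode ? lines[1].trim() : "malformed-response";       // local label
        }
        return new Result(ok, err);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real keys or tokens.
        System.out.println(buildBody("PRIVATE_KEY_PLACEHOLDER", "203.0.113.7", "abc123", "two words&x=1"));
        String[] replies = { "true\n", "false\nincorrect-captcha-sol", "", "<html>502</html>" };
        for (String reply : replies) {
            Result r = parse(reply);
            System.out.println(r.valid + " " + r.errorCode);
        }
    }
}
```

An empty body or an HTML error page from a proxy is rejected here, so a verification outage cannot be mistaken for a solved captcha.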

A few things which I would say to be cautious of are:

1) You should always reload a new reCAPTCHA after a successful verification of the captcha on the captcha server. If you submit the form with the same captcha two times, it will return false the next time even if the response is the same as the last one. (I was using Ajax for form submission, which is why, when another field was not validated, I was sent back to the input page and was trying to submit the form with the same captcha value; you may use Recaptcha.reload() on any error.)

2) If you are consistently getting false during verification of the captcha, check your private key; the error message returned does not say clearly that the key is not correct.

So that’s all about reCAPTCHA. I guess you will be able to implement this after reading the blog. If you have any questions you can ask me, and in fact you can ask about SimpleCaptcha too; I will try to answer your questions if possible.

Thanks

Gaurav

About Gaurav Mutreja

Well I think a lot !! Now I would like to speak a bit!
