Mar 08

JCAPTCHA: Open Source Security Plugin

Since installing mt-scode for Movable Type, I wondered if there was a Java framework that would easily allow you to add CAPTCHA-style authentication to our apps.

There is an open source framework: JCAPTCHA.

There is an article on the framework: Use a CAPTCHA-based authentication module for J2EE Web applications

Spam has become one of the biggest menaces on the Web. Many community-based applications force authentication only to distinguish a valid user from an automated spam-bot, which can be overkill in some cases. CAPTCHAs help in differentiating between real users and automated bots. In this article, Anand Raman uses CAPTCHAs as weak authentication mechanisms for J2EE Web applications. He begins with a quick introduction to both the J2EE Web application security model and CAPTCHAs. He then builds on these concepts to implement a JAAS (Java Authentication and Authorization Service) login module using CAPTCHAs and integrates it with an application server’s existing security infrastructure. The artifacts are based on standard J2EE security mechanisms. Hence, the module can be reused on any J2EE application or across different application servers with some minor modifications.
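The article's idea is to make "are you human?" a JAAS login module so it sits next to the container's existing authentication rather than inside application code. The sketch below is an added example, not code from the article or from the JCAPTCHA project. It assumes the JCAPTCHA 1.0 service API (com.octo.captcha.service.image.ImageCaptchaService, DefaultManageableImageCaptchaService, validateResponseForID) is on the classpath; the callback names "captchaId" and "captchaResponse", the CaptchaServiceSingleton holder and the HumanPrincipal marker are this example's own choices and are not part of either project.

```java
// Added example (not from the article or the JCAPTCHA project): a JAAS LoginModule
// that verifies a JCAPTCHA image challenge. Assumes the JCAPTCHA 1.0 API
// (com.octo.captcha.service.image.*) on the classpath; the callback names,
// HumanPrincipal and CaptchaServiceSingleton are this example's own choices.
import java.io.IOException;
import java.security.Principal;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.octo.captcha.service.CaptchaServiceException;
import com.octo.captcha.service.image.DefaultManageableImageCaptchaService;
import com.octo.captcha.service.image.ImageCaptchaService;

public class CaptchaLoginModule implements LoginModule {

    /** One service instance per JVM: the store of outstanding challenges lives inside it. */
    static final class CaptchaServiceSingleton {
        private static final ImageCaptchaService INSTANCE = new DefaultManageableImageCaptchaService();
        static ImageCaptchaService getInstance() { return INSTANCE; }
    }

    /** Marker principal meaning "this session was driven by a human", nothing more. */
    public static final class HumanPrincipal implements Principal {
        public String getName() { return "human"; }
        @Override public String toString() { return getName(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private boolean verified;   // outcome of login(), consulted by commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        // The web tier (a Filter or form action) answers these with the id used when
        // the image was generated and the text the user typed for that image.
        TextInputCallback idCb = new TextInputCallback("captchaId");
        TextInputCallback answerCb = new TextInputCallback("captchaResponse");
        try {
            handler.handle(new Callback[] { idCb, answerCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain CAPTCHA answer: " + e);
        }
        String id = idCb.getText();
        String answer = answerCb.getText();
        if (id == null || answer == null || answer.trim().isEmpty()) {
            throw new FailedLoginException("empty CAPTCHA answer");
        }
        try {
            // Validation is one-shot: JCAPTCHA discards the challenge after this call,
            // so a wrong or replayed answer forces a fresh image. Never call it twice
            // for the same id (e.g. once in login() and again in commit()).
            verified = Boolean.TRUE.equals(
                    CaptchaServiceSingleton.getInstance().validateResponseForID(id, answer));
        } catch (CaptchaServiceException e) {
            // Unknown or expired challenge id: treat exactly like a wrong answer.
            verified = false;
        }
        if (!verified) throw new FailedLoginException("CAPTCHA answer rejected");
        return true;
    }

    public boolean commit() {
        if (!verified) return false;
        subject.getPrincipals().add(new HumanPrincipal());
        return true;
    }

    public boolean abort() {
        verified = false;
        return false;
    }

    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof HumanPrincipal);
        verified = false;
        return true;
    }
}
```

Wired in with a standard JAAS configuration entry such as `CaptchaLogin { CaptchaLoginModule required; };`, the module can be stacked above the container's password module with the usual `required`/`optional` flags, which is what lets a CAPTCHA gate a comment form without the full login the abstract calls overkill. Two practical points the abstract does not spell out: the servlet that renders the image must use the same challenge id (typically the session id) that the form later submits, and because validation consumes the challenge, a failed attempt must redisplay a new image rather than the old one.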

We have been using Acegi security recently, rather than CMS, and it would be nice to plug this in over there.

I often worry about the images. On one site I had to reload 3 times to get an image that I could actually read!

  1. Richard Osbaldeston Says:

    You could always use the ask-me-a-question CAPTCHA. I’m waiting for someone to create one that’ll ask questions from the certification exams, or something related to the post category.. how many semicolons are strictly necessary in the following Groovy script..? That way you could also weed out the nonsense from anybody not qualified enough to make any comments.

    The answer is of course 5 – no wait 3!! I meant 3, oh cr<eof>

  2. Richard Osbaldeston Says:

    Thinking about it, has anybody profiled a typical spam attack? I mean, what do the logs show? Do they browse the site and hit the comment button like a user, or just blast blocks of spam? Where do they harvest the information? The RSS feeds? Aggregators? Maybe we could do some filtering based on behaviour?

  3. Anand Raman Says:

    You are probably correct. Container-managed security is passé and Acegi security is the in thing. I wrote this article as a proof of concept.

    In fact the JCAPTCHA project itself provides a couple of authentication mechanisms.

    I am sure the concept can be easily plugged in with Acegi security.

  4. marc antoine garrigue Says:

    Many thanks for your brilliant article, Anand! And thank you, Dion, for referencing it!

    Concerning your comments:
    Acegi: I’m currently working on an Acegi module, but the framework (as all other security frameworks) does not handle the humanity concept. See:

    This is also true for J2EE security: handling humanity as a regular login process excludes all other authentication mechanisms.
    This is why most applications (like this blog ;)) handle humanity as an application-logic feature, not as a security feature, and this is bad.

    Certification-exam CAPTCHA: this is a great idea! And very easy to implement with the JCAPTCHA framework. All we need is a large private (solutions not exposed) exam database.

    Filtering based on behaviour: see



    I don’t understand the purpose of the article. Would the article have been different if it had been the Microsoft application? It starts with a question about an application. Then it adds a box whose contents have to do with spamming. Then the commentators start about certification. Would people be barred from sending emails until they pass the certification? I believe the spammers will pass the certification with ease because they are very knowledgeable people whose pockets are deep enough to buy talents and devices.

    I believe that hackers and spammers as well as scammers can’t be deterred until this whole shitty method of browsing the internet is shelved and replaced by a new method which is basically server-oriented, wherein the clients just send the commands for surfing to a server and the servers just fulfill the commands.

