Integrating Captcha with Spring Security

Question

What is appropriate way to integrate SpringSecurity with Capcha ?

I have following use case : When user will tries to login, if we he failed to login N times, captcha will be displayed, so authentication will be using three parameters : username, password, captcha. But Spring Security doesn't support built in Captcha handling.

I just start thinking about implementation. And have following variants:

• Adding separate security filter in Spring Security filter stack,
• Entirely rewrite AuthenticationProcessingFilter to support some Captcha
• Use some programmatic authentication with interception captcha logic and then transfering username and password to Spring Security

As a Captcha implementation I think about JCaptcha, but what your thougths?

Answer 1

As an alternative to using JCaptcha, if you'd like to use the reCAPTCHA Service on your site, then check out the free Section 4.4 ( direct PDF link ) of the new Spring in Practice book (currently in beta).

This shows you integration with Spring MVC and Spring Validation. Since the integration is on the front-end, w/external APIs, Spring Security doesn't really come into the picture here.

I am not sure what your use case is? Are you hoping to use captchas as an alternative to authentication to prove "human"-ness?

Answer 2

Take a look at this article: Spring Security 3: Integrating reCAPTCHA Service .

This uses two filters to make reCAPTCHA integration as seamless and unobstrusive as possible. That means your existing Spring Security implementation will not break. No need to touch existing classes

Answer 3

Kaptcha很容易使用。

Answer 4

I've done integration with reCaptcha and Spring Security (Spring Web Flow + JSF) by defining custom security filter. Maybe it isn't most elegant, but works good. You can look at my blog - unfortunately in polish, but maybe will help You or someone...

http://marioosh.net/blog/?p=1087