Integrate JCaptcha with Spring Security framework


  • 8/17/2019 Integrate JCaptcha with Spring Security framework

    Integrating JCaptcha with Spring Security


    Introduction

    This document explains how to integrate JCaptcha with the Spring Security framework. Currently, the JCaptcha verifier is written inside Spring Security's Authentication Manager. However, there is a more optimized way, in which JCaptcha is not a part of Spring Security's Authentication Manager, which I am still exploring.

    Create New Maven Project

    Create a new simple Maven Project in Eclipse. You can search the documentation for the same online.

    Create pom.xml (replace XXXX with your desired value)


    Create captchacontext.xml

    This file contains all the details about how the JCaptcha image is created at runtime.


    implementation take words from a list, and can make composition to create a text easier to read for a human being. In the example the WordGenerator needs a Dictionnary to get real words from. -->


    securitycontext.xml (Spring Security configuration) (replace XXXX with your desired value)

    I am using plaintext passwords (no hashing and salting) for this example. Notice the code in bold for JCaptcha. JCaptcha mainly has two filters:

    1) Capture Filter

    2) Verifier Filter

    The purpose of the Capture Filter is to store the information entered by the user in the CAPTCHA form, whereas the Verifier Filter's purpose is to verify the captcha entered by the user. If the result is valid, the user is allowed to proceed; otherwise, the login page is shown again.

    In this example, the Captcha Verifier Filter is added inside the Spring Security Authentication Manager.


    Maven Update Clean and Install

    1) Right click on project from project explorer
    2) Select Run As -> Maven Clean
    3) Right click on project from project explorer
    4) Select Run As -> Maven Install
    5) Right click on Project from project explorer
    6) Select Maven -> Update Project

    FacesServlet related Error

    This step is a must to avoid javax.faces.webapp.FacesServlet related errors.

    1) Right click on Project
    2) Select Deployment Assembly
    3) Add Maven Dependencies directive

    faces-config.xml (declare all managed beans and xhtml files here)

    faces-config.xml (replace XXXX with your desired value)


        /**
         * @return the activeLink
         */
        public String getActiveLink() {
            if (FacesContext.getCurrentInstance().getExternalContext()
                    .getSessionMap().containsKey("ACTIVE_LINK")) {
                this.activeLink = (String) FacesContext.getCurrentInstance()
                        .getExternalContext().getSessionMap().get("ACTIVE_LINK");
            } else {
                this.activeLink = "welcome";
            }
            return activeLink;
        }

        public void setActiveLink(String activeLink) {
            FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
                    .put("ACTIVE_LINK", activeLink);
            this.activeLink = activeLink;
        }

        public String getRealFileStoragePath() {
            return FacesContext.getCurrentInstance().getExternalContext()
                    .getRealPath("/");
        }

        public String navigate(String activeLinkStr) {
            if (null != activeLinkStr) {
                setActiveLink(activeLinkStr);
            }
            return getActiveLink();
        }

        public void addFacesMessage(Severity sev, String msg) {
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage(sev, msg, ""));
        }

        public String getUserNameParam() {
            if (FacesContext.getCurrentInstance().getExternalContext()
                    .getSessionMap().containsKey("USER_NAME_PARAM")) {
                this.userNameParam = (String) FacesContext.getCurrentInstance()
                        .getExternalContext().getSessionMap().get("USER_NAME_PARAM");
            }
            return userNameParam;
        }

        public boolean isLoggedInUser() {
            ExternalContext extCtxt = FacesContext.getCurrentInstance()
                    .getExternalContext();
            String remoteUser = extCtxt.getRemoteUser();
            if (remoteUser != null) {
                return true;
            } else
                return false;
        }

        /**
         * @param userNameParam the userNameParam to set
         */
        public void setUserNameParam(String userNameParam) {
            this.userNameParam = userNameParam;
        }
    }

    LoginUIController.java (replace XXXX with your desired value)

    This Java class will authenticate the user through Spring Security using the entered username and password combination and JCaptcha.

    package XXXX.ui;

    import javax.faces.context.FacesContext;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Controller;
    import XXXX.security.AuthenticationService;

    @Controller
    public class LoginUIController extends BaseUIController {

        private static final long serialVersionUID = 1L;
        private String userName;
        private String password;
        private String message;
        private String captchaString;

        @Autowired
        private AuthenticationService authenticationService;

        public String login() {
            boolean success = authenticationService.login(userName, password);

            if (success) {
                StringBuilder userNameBuilder = new StringBuilder();
                userNameBuilder.append(userName);
                FacesContext.getCurrentInstance().getExternalContext()
                        .getSessionMap()
                        .put("USER_NAME_PARAM", userNameBuilder.toString());
                return "index";
            } else {
                this.message = "Wrong Username or Password Entered. Please LOGIN again.";
                this.userName = null;
                this.password = null;
                this.captchaString = null;
                return "login";
            }
        }

        public String logout() {
            authenticationService.logout();
            FacesContext.getCurrentInstance().getExternalContext()
                    .getSessionMap().clear();
            this.userName = null;
            this.password = null;
            this.captchaString = null;
            FacesContext.getCurrentInstance().getExternalContext()
                    .invalidateSession();
            return "login";
        }

        /**
         * @return the userName
         */
        public String getUserName() {
            return userName;
        }

        /**
         * @param userName the userName to set
         */
        public void setUserName(String userName) {
            this.userName = userName;
        }

        /**
         * @return the password
         */
        public String getPassword() {
            return password;
        }

        /**
         * @param password the password to set
         */
        public void setPassword(String password) {
            this.password = password;
        }

        /**
         * @return the message
         */
        public String getMessage() {
            return message;
        }

        /**
         * @param message the message to set
         */
        public void setMessage(String message) {
            this.message = message;
        }

        /**
         * @return the authenticationService
         */
        public AuthenticationService getAuthenticationService() {
            return authenticationService;
        }

        /**
         * @param authenticationService the authenticationService to set
         */
        public void setAuthenticationService(AuthenticationService authenticationService) {
            this.authenticationService = authenticationService;
        }

        /**
         * @return the captchaString
         */
        public String getCaptchaString() {
            return captchaString;
        }

        /**
         * @param captchaString the captchaString to set
         */
        public void setCaptchaString(String captchaString) {
            this.captchaString = captchaString;
        }
    }

    DbConnectionController.java (replace XXXX with your desired value)

    It is always advisable to create a separate controller class for storing database connection details. In the entire project, only this file should have hard-coded database connection details, so that in case of changing the connection details, only one file needs to be modified.

    package XXXX.database;

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.Statement;

    public class DbConnectionController {

        Connection conn;
        Statement stmt;
        DriverManager driverManager;

        public DbConnectionController() {
            try {
                Class.forName("com.mysql.jdbc.Driver").newInstance();
                conn = DriverManager.getConnection(
                        "jdbc:mysql://localhost:3306/DB", "DB_USER", "DB_PWD");
                stmt = conn.createStatement();
            } catch (Exception e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }

        public Connection getConn() {
            return conn;
        }

        public void setConn(Connection conn) {
            this.conn = conn;
        }

        public Statement getStmt() {
            return stmt;
        }

        public void setStmt(Statement stmt) {
            this.stmt = stmt;
        }

        public DriverManager getDriverManager() {
            return driverManager;
        }

        public void setDriverManager(DriverManager driverManager) {
            this.driverManager = driverManager;
        }
    }

    CaptchaCaptureFilter.java (replace XXXX with your desired value)

    There will be an input text box field on the Login page where the user enters the captcha string after seeing the JCaptcha image. The value of this string parameter needs to be captured. Once the value is captured, the framework processes the remaining filters in the pipeline.

    package XXXX.captcha;

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.web.filter.OncePerRequestFilter;

    public class CaptchaCaptureFilter extends OncePerRequestFilter {
        // Held in instance fields: with the default singleton bean scope, one
        // filter instance (and therefore these values) is shared by all requests.
        private String userCaptchaResponse;
        private HttpServletRequest request;

        @Override
        public void doFilterInternal(HttpServletRequest req,
                HttpServletResponse res, FilterChain chain) throws IOException,
                ServletException {

            // Assign values only when user has submitted a Captcha value.
            // Without this condition the values will be reset due to redirection
            // and CaptchaVerifierFilter will enter an infinite loop
            if (req.getParameter("loginForm:jcaptchaString") != null) {
                request = req;
                userCaptchaResponse = req.getParameter("loginForm:jcaptchaString");
            }

            // Proceed with the remaining filters
            chain.doFilter(req, res);
        }

        /**
         * @return the userCaptchaResponse
         */
        public String getUserCaptchaResponse() {
            return userCaptchaResponse;
        }

        /**
         * @param userCaptchaResponse the userCaptchaResponse to set
         */
        public void setUserCaptchaResponse(String userCaptchaResponse) {
            this.userCaptchaResponse = userCaptchaResponse;
        }

        /**
         * @return the request
         */
        public HttpServletRequest getRequest() {
            return request;
        }

        /**
         * @param request the request to set
         */
        public void setRequest(HttpServletRequest request) {
            this.request = request;
        }
    }
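    The capture filter above keeps the submitted captcha and the request in fields of the filter object, which every request passing through that filter instance reads and writes. As an added example (not code from the original document), the filter below validates the captcha inside the request that carries it and keeps no per-user state. The class name CaptchaCheckFilter, the "captchaPassed" attribute name, the constructor wiring and the use of the HTTP session ID as the captcha ID are assumptions; validateResponseForID is JCaptcha's CaptchaService validation call.

```java
package XXXX.captcha;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.filter.OncePerRequestFilter;

import com.octo.captcha.service.CaptchaService;
import com.octo.captcha.service.CaptchaServiceException;

// Hypothetical class, not from the original document: the captcha is checked
// within the request that submitted it, so nothing user-specific is stored here.
public class CaptchaCheckFilter extends OncePerRequestFilter {

    // Same form field name that CaptchaCaptureFilter reads.
    private static final String CAPTCHA_PARAM = "loginForm:jcaptchaString";
    // Assumed attribute name; the authentication step would read it back.
    public static final String CAPTCHA_PASSED_ATTR = "captchaPassed";

    // The only field is an immutable reference to the shared JCaptcha service.
    private final CaptchaService captchaService;

    public CaptchaCheckFilter(CaptchaService captchaService) {
        this.captchaService = captchaService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req,
            HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String answer = req.getParameter(CAPTCHA_PARAM);
        if (answer != null) {
            boolean passed = false;
            HttpSession session = req.getSession(false);
            if (session != null) {
                try {
                    // Assumption: the challenge image was generated for this
                    // session ID, so the answer is checked against the same ID.
                    passed = captchaService.validateResponseForID(
                            session.getId(), answer);
                } catch (CaptchaServiceException e) {
                    passed = false; // no challenge is stored for this session
                }
            }
            // Request-scoped result: never visible to another user's request.
            req.setAttribute(CAPTCHA_PASSED_ATTR, passed);
        }
        chain.doFilter(req, res);
    }
}
```

    A request without a session, or with a session that has no stored challenge, ends with the attribute set to false, so a missing captcha fails closed.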

    AuthenticationService (Interface declaration) (replace XXXX with your desired value)

    package XXXX.security;

    public interface AuthenticationService {

        public boolean login(String username, String password);

        public void logout();
    }

    AuthenticationServiceImpl (Interface implementation) (replace XXXX with your desired value)

    The authentication service checks (oth username


                    {
                        flag1 = true;
                        captchaCaptureFilter.setUserCaptchaResponse(null);
                    }
                }

                Authentication authenticate = authenticationManager
                        .authenticate(new UsernamePasswordAuthenticationToken(
                                username, password));
                if (authenticate.isAuthenticated()) {
                    SecurityContextHolder.getContext().setAuthentication(authenticate);
                    flag2 = true;
                }

                // If captcha and username/password combinations both are correct
                // then only allow login. Otherwise no.
                if (flag1 == true && flag2 == true)
                    return true;
                else
                    return false;
            } catch (AuthenticationException e) {
                e.printStackTrace();
            }
            return false;
        }

        @Override
        public void logout() {
            SecurityContextHolder.getContext().setAuthentication(null);
        }

        /**
         * @return the flag1
         */
        public boolean isFlag1() {
            return flag1;
        }

        /**
         * @param flag1 the flag1 to set
         */
        public void setFlag1(boolean flag1) {
            this.flag1 = flag1;
        }

        /**
         * @return the flag2
         */
        public boolean isFlag2() {
            return flag2;
        }

        /**
         * @param flag2 the flag2 to set
         */
        public void setFlag2(boolean flag2) {
            this.flag2 = flag2;
        }

        /**
         * @return the captchaPassed
         */
        public boolean isCaptchaPassed() {
            return captchaPassed;
        }

        /**
         * @param captchaPassed the captchaPassed to set
         */
        public void setCaptchaPassed(boolean captchaPassed) {
            this.captchaPassed = captchaPassed;
        }

        /**
         * @return the captchaCaptureFilter
         */
        public CaptchaCaptureFilter getCaptchaCaptureFilter() {
            return captchaCaptureFilter;
        }

        /**
         * @param captchaCaptureFilter the captchaCaptureFilter to set
         */
        public void setCaptchaCaptureFilter(CaptchaCaptureFilter captchaCaptureFilter) {
            this.captchaCaptureFilter = captchaCaptureFilter;
        }
    }

    LoginUser.java (replace XXXX with your desired value)

    package XXXX.security;

    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import org.springframework.stereotype.Repository;
    import XXXX.database.DbConnectionController;

    @Repository
    public class LoginUser {

        DbConnectionController dbConnectionController;
        ResultSet resultSet;

        public UserEntity getUser(String userName) throws ClassNotFoundException {
            UserEntity user = new UserEntity();
            dbConnectionController = new DbConnectionController();
            // The user name is bound as a parameter rather than concatenated
            // into the SQL text, so it cannot change the structure of the query.
            String query = "SELECT * FROM LOGIN WHERE USERNAME = ?";

            try {
                PreparedStatement ps = dbConnectionController.getConn()
                        .prepareStatement(query);
                ps.setString(1, userName);
                resultSet = ps.executeQuery();

                if (resultSet.next()) {
                    user.setUsername(resultSet.getString(1));
                    user.setPassword(resultSet.getString(2));
                    user.setSuperUser(resultSet.getString(3));
                    user.setFullname(resultSet.getString(4));
                    user.setDepartment(resultSet.getString(5));
                }

                dbConnectionController.setConn(null);
                dbConnectionController.setStmt(null);
                this.dbConnectionController = null;
            } catch (SQLException e) {
                e.printStackTrace();
                return null;
            }

            return user;
        }

        /**
         * @return the dbConnectionController
         */
        public DbConnectionController getDbConnectionController() {
            return dbConnectionController;
        }

        /**
         * @param dbConnectionController the dbConnectionController to set
         */
        public void setDbConnectionController(
                DbConnectionController dbConnectionController) {
            this.dbConnectionController = dbConnectionController;
        }

        /**
         * @return the resultSet
         */
        public ResultSet getResultSet() {
            return resultSet;
        }

        /**
         * @param resultSet the resultSet to set
         */
        public void setResultSet(ResultSet resultSet) {
            this.resultSet = resultSet;
        }
    }

    UserEntity.java (replace XXXX with your desired value)

    package XXXX.security;

    public class UserEntity {

        private String username;
        private String password;
        private String superUser;
        private String fullname;
        private String Department;

        public String getUsername() {
            return username;
        }

        public void setUsername(String username) {
            this.username = username;
        }

        public String getPassword() {
            return password;
        }

        public void setPassword(String password) {
            this.password = password;
        }

        public String getSuperUser() {
            return superUser;
        }

        public void setSuperUser(String superUser) {
            this.superUser = superUser;
        }

        public String getFullname() {
            return fullname;
        }

        public void setFullname(String fullname) {
            this.fullname = fullname;
        }

        public String getDepartment() {
            return Department;
        }

        public void setDepartment(String department) {
            Department = department;
        }
    }

    UserDetailsManager.java (replace XXXX with your desired value)

    package XXXX.security;

    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.transaction.annotation.Transactional;
    import org.springframework.security.core.authority.AuthorityUtils;

    @Service
    public class UserDetailsManager implements UserDetailsService {

        @Override
        @Transactional
        public UserDetails loadUserByUsername(final String userName)
                throws UsernameNotFoundException {

            boolean enabled = true;
            boolean accountNonExpired = true;
            boolean credentialsNonExpired = true;
            boolean accountNonLocked = true;

            UserEntity userEntity = new UserEntity();
            LoginUser loginUser = new LoginUser();

            try {
                userEntity = loginUser.getUser(userName);
            } catch (Exception e) {
                e.printStackTrace();
            }

            return new User(userEntity.getUsername(), userEntity.getPassword(),
                    enabled, accountNonExpired, credentialsNonExpired,
                    accountNonLocked, AuthorityUtils.NO_AUTHORITIES);
        }
    }

      RD` varchar(45) COLLATE utf8_unicode_ci NOT NULL,
      `SUPERUSER` varchar(10) COLLATE utf8_unicode_ci DEFAULT NULL,
      `FULLNAME` varchar(?0) COLLATE utf8_unicode_ci DEFAULT NULL,
      `DEPARTMENT` varchar(45) COLLATE utf8_unicode_ci DEFAULT NULL,
      PRIMARY KEY (`USERNAME`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;