CAPTCHA stands for: “Completely Automated Public Turing test to Tell Computers and Humans Apart”. It refers to a technology familiar to anyone who’s registered on a popular website – the “what word is shown on this image” challenge. As the “Turing test” alludes to, the purpose is to distinguish between humans and computers. Types of CAPTCHA:

* Photo/Image CAPTCHA
* Animated CAPTCHA
* Sound CAPTCHA
* Multiple choice questions
* Logic questions

CAPTCHA doesn’t prevent hackers or attackers to the site. It merely attempts to prevent bots and spammers.

How does CAPTCHA work?

CAPTCHA fools the bots by asking questions or generating pictures only human can answer. They contain distorted letters, different pictures with different letters in different shapes. After the user submits the answer CAPTCHA validate the answer. Since Bots cannot recognize each letter alone, this is a fairly difficult to break.

How to create CAPTCHA?
CAPTCHA can be written using any programming languages including Java. The code should provide three main functions. First, the code should generate a random picture with different properties. Second, validate the user answer. Third, make these pictures secure. Also, there are many things to make the code more reliable like” Rotate the text randomly, add random spaces in between characters, use a TTF fonts and change the font randomly every time, use a random text and image size every time, use more advanced text distortion and colors, move the lines randomly, store the password in a random cookie. In addition, there are CAPTCHA creator programs which allow users to choose their CAPTCHA shapes. Sophisticated libraries often provide extensions for developers to create their own algorithm for drawing images.
CAPTCHA benefits

* Preventing Comment Spam in Blogs.
* Protecting Website Registration.
* Protecting Email Addresses from Scrapers.
* Online Polls
* Search Engine Bots.
* Worms and Spam

Implementations of CAPTCHA
There are several implementations of CAPTCHA – commercial and open-source, in almost every programming language. The following are some Java based CAPTCHA frameworks
* reCaptcha (most popular, available as web-service)
* SimpleCaptcha (Java)
* JBoss Seam Captcha (for Java Seam based projects, works out of the box, can extend algorithm)
* jCaptcha (Java)
* Kaptcha (very simple java alternative to jCaptcha)
* … and many more

Problems
* When captchas get funky that humans with 20/20 vision start struggling; accessibility is far away
* Prone to common attacks
* The image challenge is inaccessible to visually impaired users. This problem is usually addressed by providing an alternative audio CAPTCHA for these users. However, many audio CAPTCHAs can be difficult to hear even to those with good hearing due to background noise and distorted pronunciation.
* Providing both image and audio CAPTCHAs is difficult to implement. ReCAPTCHA can simplify the process, but requires Javascript, and needs to be imbedded in your mark-up using iframes.
* Image CAPTCHAs are not infallible. A number of projects have shown that automatic character recognition software can often read the letters in the image.

Alternate Solutions
There are several alternatives to CAPTCHA. Most of them can be easily incorporated into an existing web framework:

• Dummy form elements

Dummy form elements can be added to trick bots into filling them and hiddeen those from users with CSS. Additionally, dummy elements should be named suggestively to fool the bots – for example, subject, name, URL. Then when form is submitted, system can check if any of these fields have been filled and if so you can isolate a “bot.”

• Session variable / GET request detection

This isn’t CAPTCHA alternative, but it can be used to filter out spam-bots. A variable is put in session when a GET request is made and when a form is submitted the system checks the session for that variable. This can filter out bots that submit request directly to POST without getting a page with the form. However this system can be easily fooled by creating a bot that acts like a web browser.

• Session variable with time computation

Similar to the above session idea where, time can be recorded when the form was loaded. On post, system calculates the time difference and if it’s less than say 5 seconds, it can be ignored as spam. However spam bots could easily adjust for this by building in a delay.

• 5 Layer Spam Filter

It uses some cunning techniques to identify bots without having to resort to CAPTCHA:

* Do fields hidden off-screen still get filled in
* Is the form filled in in seconds?
* Do they not have JavaScript enabled?
* Does Askimet mark it as spam
* Etc …

• Forced Visual cues

This is a simpler alternative. The webpage with a “yes” and a “no” radio button can make “no” the default and have the visitors state that they are not spammers by selecting “yes.”

• SAPTCHA (“Text based CAPTCHA)

SAPTCHA stands for Semi Automatic Public Turing Test to Tell Computers and Humans Apart.

The key concept is same as with CAPTCHA: user is presented with test question or instructions and must give correct answer to use resource. Main difference is that computer does not try to automatically generate “unique” test questions on each query; only verification of answer is automatic. Instead, unique test question and answer[s] is set by moderator or owner when SAPTCHA is installed, and should be easy to change if needed.
Comparison of SAPTCHA versus CAPTCHA features

Advantages of SAPTCHA over CAPTCHA:

1. SAPTCHA software is much easier to implement than CAPTCHA
2. Textual SAPTCHA does not discriminate against disabled who can use internet. [Audio CAPTCHA plus visual CAPTCHA would double effort and is thus very uncommon in practice]
3. There is methods for breaking image based CAPTCHAs. Even with popular CAPTCHA, the system may still get spammed by entirely automatic bot. SAPTCHAs can be much more varied and there won’t be common method of breaking until it becomes possible for computers to interpret human instructions in normal human language.

Advantages of CAPTCHA over SAPTCHA (disadvantages of SAPTCHA):

1. With SAPTCHA, when banning spammer, moderator must enter new question and answer. With CAPTCHA, though, there’s point 1 above (& CAPTCHA code won’t remain useful forever either), so for not extremely popular websites it seems highly unlikely that even in long run CAPTCHA would save work.
2. If SAPTCHA is used to protect registration, it is easier to register many accounts at once than with CAPTCHA; may matter with popular email services.
3. Verbal SAPTCHA is problematic when it is multi-language resource that needs frequent changes.

• Mouse Intervention CAPTCHA

A simple Mouse Intervention CAPTCHA implemented in a Java applet. The server generates some drawings and asks the user to click on all drawings with an odd number of edges. The mouse click events are recorded. As long as the mouse is clicked within the dark area of drawings with an odd number of edges, access is granted.

Conclusion
CAPTCHA is widely used across the internet including by Google, Yahoo and Microsoft. Hence discarding this solution should be done only for a ground-breaking alternative. With CAPTCHA, the criteria would be to pick an image/audio based CAPTCHA or text-based CAPTCHA for the project depending on the target user base. Once that’s decided, one of the several free libraries can be chosen to fit well into an existing technology stack. A relatively “light” library that provides easy extension hooks for custom extensions of CAPTCHA algorithms would be ideal.

In my application there is basically one table for all users. It contains the values I need for username, password, role, and the active flag that Spring Security supports. No, it wouldn’t be my first choice of table setup, but that’s what I have to work with.

I read through Chris Baker’s fine article in the Java DZONE and the way he did it was to override two values in the jdbc-user-service, which replaces the user-service authentication provider. He used:

<authentication-provider>
	<jdbc-user-service data-source-ref="dataSource"
	users-by-username-query="SELECT U.username, U.password, U.accountEnabled AS 'enabled' FROM User U where U.username=?"
	authorities-by-username-query="SELECT U.username, R.name as 'authority' FROM User U JOIN Authority A ON u.id = A.userId JOIN Role R ON R.id = A.roleId WHERE U.username=?"/>
</authentication-provider>

I wanted to do something similar, and initially banged out:

	<authentication-provider>
	<jdbc-user-service data-source-ref="baseDataSource"
	users-by-username-query="SELECT LOGONID, PASSWORD, ACTIVE FROM EMPLOYEE WHERE LOGONID=?"
	authorities-by-username-query="SELECT LOGONID, ROLE FROM EMPLOYEE WHERE LOGONID=?"/>
	</authentication-provider>

The result was that all employees were inactive for Spring Security. Why? Because the EMPLOYEE table’s ACTIVE column is a CHAR, and Spring Security expects a BIT or BOOLEAN. After tinkering around for a bit, I decided to modify the EMPLOYEE table to use a BOOLEAN instead. The actually posed a problem for DbUnit, surprise surprise. The workaround in Ant didn’t work for me, I had a weird classnotfound error that I couldn’t track back to ant, and just gave up after a while. I didn’t really want to change the column type anyway.

In the end, I played around with HSQL for a while and came up with

	<authentication-provider>
	<jdbc-user-service data-source-ref="baseDataSource"
	users-by-username-query="SELECT LOGONID, PASSWORD, CASE WHEN UCASE(ACTIVE)='T' THEN 1 ELSE 0 END FROM EMPLOYEE WHERE LOGONID=?"
	authorities-by-username-query="SELECT LOGONID, ROLE FROM EMPLOYEE WHERE LOGONID=?"/>
	</authentication-provider>

Disclaimer: There are other ways to do this that are identified in the Spring Security reference documentation. The documentation is very good, my only wish would be that they provide the default schema, and provide a description of the default roles.

I decided early on that I did not want to mess up the other developers on the project any more than I needed to, so I added a securityContext.xml file rather than integrate (what used to be) the reams and reams of configuration required for Acegi. Here is my latest version of Spring Security. This is really simple, but meets the basic needs of the project at this point in development:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

	<global-method-security secured-annotations="enabled" />

    <http auto-config="true" access-denied-page="/jsp/accessDenied.jsp">
        <intercept-url pattern="/admin/*.do" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/consultant/*.do" access="IS_AUTHENTICATED_REMEMBERED" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    	<intercept-url pattern="/jsp/login.jsp*" filters="none"/>

    	<form-login login-page="/jsp/login.jsp" authentication-failure-url="/jsp/login.jsp?login_error=1"/>

	<logout logout-success-url="/jsp/logout.jsp"/>

    </http>

    <authentication-provider>
        <user-service>
            <user name="joe" password="password" authorities="ROLE_SUPERVISOR, ROLE_USER" />
	    <user name="steve" password="DOC" authorities="ROLE_USER" />
	</user-service>
    </authentication-provider>

Not bad looking at all, especially compared with the old way. But note, this makes use of XML namespaces, and we’re not done yet.

I’m using a beanRefContext.xml that’s referring to both my applicationContext and my securityContext file:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

	<bean id="org.reverttoconsole.app.context"
		class="org.springframework.context.support.ClassPathXmlApplicationContext">
		<constructor-arg>
			<list>
				<value>resources/org/reverttoconsole/app/applicationContext.xml</value>
				<value>resources/org/reverttoconsole/app/securityContext_2.0.xml</value>
			</list>
		</constructor-arg>
	</bean>

</beans>

This wires my two contexts up, in order. The applicationContext has no bearing on the security, except that it loads the security namespace, which the securityContext.xml uses:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd
                           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd
                           http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.0.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

Lastly, the relevant additions to the web.xml file:

   <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

And that’s it!

Note: Recommended reading:
Spring Security Documentation

You can find a lot of Acegi security framework examples on the web these days. Unfortunately, nearly all of the examples use Acegi use the pre 1.0 version, which is before someone removed the SecurityEnforcementFilter..
The official description of this event follows:

org.acegisecurity.intercept.web.SecurityEnforcementFilter has moved to a new location and name, org.acegisecurity.ui.ExceptionTranslationFilter. In addition, the “filterSecurityInterceptor” property on the old SecurityEnforcementFilter class has been removed. This is because SecurityEnforcementFilter will no longer delegate to FilterSecurityInterceptor as it has in the past. Because this delegation feature has been removed (see SEC-144 for a background as to why), please add a new filter definition for FilterSecurityInterceptor to the end of your FilterChainProxy. Generally you’ll also rename the old SecurityEnforcementFilter entry in your FilterChainProxy to ExceptionTranslationFilter, more accurately reflecting its purpose. If you are not using FilterChainProxy (although we recommend that you do), you will need to add an additional filter entry to web.xml and use FilterToBeanProxy to access the FilterSecurityInterceptor.

Which is another way of saying if you need to implement a security system in a hurry like 90% of the developers out there, you’re SOL. This description will probably make a lot of sense to those familiar with Acegi, but it’s a daunting task to figure out if you’re new to the system. My efforts and example with Acegi 1.0.7 follow after the jump.

I joined a small team working on a small internal app and was assigned the task of introducing Acegi to the application.
They are using Spring MVC, Hibernate, and HSQLDB for development. Because Acegi introduces so many new bean wirings, I chose to introduce the security framework as a new XML file, calling it securityContext.xml.

The relevant pieces of the web.xml look like this:

<context-param></context-param>
<param-name>locatorFactorySelector</param-name> 		<!--
This item points to one beanRefContext. The beanRefContext then
holds a reference to the base applicationContext.xml.
-->
<param-value> 			classpath:/resources/org/reverttoconsole/app/beanRefContext.xml 		</param-value>

and

	<filter>
    	<filter-name>Acegi Filter Chain Proxy</filter-name>
		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
        	<param-name>targetClass</param-name>
            <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
        </init-param>
    </filter>
    <filter>
		<filter-name>LogoutFilter</filter-name>
		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
		<init-param>
			<param-name>targetBean</param-name>
			<param-value>logoutFilter</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>LogoutFilter</filter-name>
		<url-pattern>/logout.do</url-pattern>
	</filter-mapping>
    <filter-mapping>
    	<filter-name>Acegi Filter Chain Proxy</filter-name>
		<url-pattern>/*</url-pattern>
    </filter-mapping>

The beanRefContext picks up my security xml addition:

<beans xmlns="http://www.springframework.org/schema/beans">
</beans>	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd"&gt;

	<bean id="org.reverttoconsole.app.context">
</bean>		class="org.springframework.context.support.ClassPathXmlApplicationContext"&gt;
		<constructor-arg>
<list>
				<value>resources/org/reverttoconsole/app/applicationContext.xml</value>
				<value>resources/org/reverttoconsole/app/securityContext.xml</value>
			</list>
		</constructor-arg>

and my additional security wiring looks like this:

<!--
  - A simple "base bones" Acegi Security configuration.
  -->

<beans>

	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
			<value><!--[CDATA[
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
			]]--></value>
		</property>
	</bean>

	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"></bean>

	<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
		<constructor-arg value="/jsp/logout.jsp"/> <!-- URL redirected to after logout -->
		<constructor-arg>
			<list>
				<ref bean="rememberMeServices"/>
				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
			</list>
		</constructor-arg>
		<property name="filterProcessesUrl" value="/logout.do" />
	</bean>

	<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"></property>
<property name="authenticationFailureUrl" value="/jsp/login.jsp?login_error=1"></property>
<property name="defaultTargetUrl" value="/index.html"></property>
<property name="filterProcessesUrl" value="/jsp/j_acegi_security_check"></property>
<property name="rememberMeServices" ref="rememberMeServices"></property>
	</bean>

	<bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"></bean>

	<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"></property>
<property name="rememberMeServices" ref="rememberMeServices"></property>
	</bean>

	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="changeThis"></property>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"></property>
	</bean>

	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
			<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/jsp/login.jsp"></property>
<property name="forceHttps" value="false"></property>
			</bean>
		</property>
<property name="accessDeniedHandler">
			<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
<property name="errorPage" value="/jsp/accessDenied.jsp"></property>
			</bean>
		</property>
	</bean>

	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"></property>
<property name="accessDecisionManager">
			<bean class="org.acegisecurity.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false"></property>
<property name="decisionVoters">
<list>
						<bean class="org.acegisecurity.vote.RoleVoter"></bean>
						<bean class="org.acegisecurity.vote.AuthenticatedVoter"></bean>
					</list>
				</property>
			</bean>
		</property>
<!-- Defines two role groups; administrators and consultants -->
<property name="objectDefinitionSource">
			<value><!--[CDATA[
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/admin/**=ROLE_SUPERVISOR
				/consultant/**=IS_AUTHENTICATED_REMEMBERED
				/**=IS_AUTHENTICATED_ANONYMOUSLY
			]]--></value>
		</property>
	</bean>

	<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="userDetailsService"></property>
<property name="key" value="changeThis"></property>
	</bean>

	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
				<ref local="daoAuthenticationProvider">
				<bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="changeThis1"></property>
				</bean>
				<bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
<property name="key" value="changeThis1"></property>
				</bean>
			</ref>
		</list>
	</property>

	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"></property>
	</bean>

	<!-- UserDetailsService is the most commonly frequently Acegi Security interface implemented by end users -->
	<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userProperties">
			<bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
<property name="location" value="/WEB-INF/users.properties"></property>
			</bean>
		</property>
	</bean>

	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
	<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"></bean>

</bean></constructor-arg></bean></beans>

Note: this is borrowed almost completely from acegi-security-samples-tutorial. I’d recommend checking it out before using this example and particularly before looking for other examples online (it will save you a lot of time).
I’ve modified the section for roles; my application has two roles- administrators and consultants.

Please read the Acegi Security Quickstart article on the wiki if you wish to spare yourself some pain.