68

I'm looking for a replacement for JCaptcha, which doesn't seem to be maintained any more, and isn't very good to begin with. The replacement has to integrate nicely with JavaEE webapps.

As I can see it, there are three options:

  • JCaptcha - No longer maintained, crude API
  • SimpleCaptcha - much nicer API, nicer captchas, but seems to be Java6 only
  • ReCaptcha - easy to use, uses remote web-service to generate captchas, but not much control over look and feel

Has anyone used any others, that they'd recommend?

Roman C
skaffman
  • As I was exploring other captcha lib I came across http://captcha.com/doc/java/captcha-for-java.html maybe it can help some! – Adelin Apr 25 '15 at 09:08
  • There is a nice Captcha offline implementation here: http://javalite.io/captcha . You just need one class: https://github.com/javalite/activeweb/blob/master/activeweb/src/main/java/org/javalite/activeweb/Captcha.java – Dherik Apr 17 '19 at 19:32

6 Answers

73

I am the author of SimpleCaptcha. While I would recommend -- for humanity's sake -- using ReCaptcha where you can, I provided SimpleCaptcha because some organizations have policies which prohibit libraries like ReCaptcha. SimpleCaptcha is meant to be entirely stand-alone, with no external dependencies: as long as you are in a J2EE container, you should be good.

Also, SimpleCaptcha is now available for either Java 1.5 or Java 6.

jchilders
  • 1
    What are SimpleCaptcha's dependencies exactly? I'm using Tomcat 7 and get a java.lang.VerifyError whenever I add a GimpyRenderer to my captcha, which is too bad because I like SimpleCaptcha's API a lot better than Kaptcha's. – spaaarky21 Feb 04 '11 at 17:27
  • 2
    Your solution works great, but the last maven repo where I had it from (http://repo.enonic.com/maven) is down, no other locations... I'll put a jar into my git, but still it would be great to get it in maven. – sab Jan 25 '13 at 12:04
  • @jchilders I need to use SimpleCaptcha as osgi bundle. That's why I try to build it as maven project. For this I need jhlabs, but the version of sources I downloaded from http://www.jhlabs.com/ip/filters/download.html is not compatible. Can you say what version of jhlabs did you use? –  Feb 13 '15 at 09:22
  • 1
    And more, could you make your project available for building and as Maven project. I see a lot of people try need it. –  Feb 13 '15 at 10:29
26

ReCaptcha is the only captcha you should use, because it's the only captcha that makes the world better (improve OCR results to old text), with almost unlimited database.

All other captchas are usually limited by their database, or do nothing good to this world.

EDIT :: I found steps how to implement captcha using recaptcha.

You can check both Online and Offline captcha using java here

ELITE
Francis
  • 24
    OK, but benefit to humanity wasn't really on my list of priorities :) Also, JCaptcha and SimpleCaptcha generate randomised captchas, so database size is not an issue. – skaffman May 01 '09 at 07:24
  • 3
    One more thing - many captchas with colorful / rotated backgrounds / lines / images, are too complex for majority user (ex, the famous Cat Number used by rapidshare). recaptcha, on the contrary, is based on real English words so it's easier for most people. You won't want to apply a captcha that 90% people will send you the mail saying that "I can't pass the captcha"... – Francis May 01 '09 at 07:32
  • 6
    I question the statement that randomized captchas are more easily attacked than database backed captcha. On the subject of ReCaptcha, one benefit is that what it puts in front of the human is a word which a quality OCR implementation has already failed on. – Lawrence Dol May 02 '09 at 07:22
  • 2
    reCaptcha is a 3rd party process and can be down or not allowed by the organisation that needs it. – mplungjan Jun 13 '12 at 11:40
  • You should be careful before using ReCaptcha for a commercial website, because it occasionally shows offensive words/pictures, and may offend customers. – fabspro Aug 25 '12 at 09:17
  • 7
    recaptcha is too hard for lots of humans, it's just unreadable quite frequently – OlegYch Sep 19 '12 at 21:17
  • 3
    I wonder if reCaptcha's humanity benefit would ever reach people in China Mainland who's behind the great firewall. :) http://stackoverflow.com/questions/23780387/recaptcha-availability-in-china – Hoang Tran Oct 29 '14 at 09:29
  • 1
    A problem with recaptcha is that the user's network must allow connections to google, and as surprising as it may sound, in a very very large part of the world, google's not allowed. A self-hosted solution therefore offers improved network compatibility. – goat Sep 21 '17 at 00:09
  • the link is dead. If this is referencing google's recaptcha, it requires browser internet access to google's server. If you're in an isolated network, it's not for you – spy Aug 18 '18 at 12:57
21

What happens when ReCaptcha is down/unavailable? Does your service simply stop? Do you simply stop signing people up when it's down? Do you allow users to sign up even if ReCaptcha isn't running? If so, what are the security implications of this? Especially if you use CAPTCHA for more than just signup, e.g. reset password forms, login forms, ... which would not be acceptable to use without the CAPTCHA component.

The Java world of CAPTCHAs is in a sad state, with SimpleCaptcha seemingly the best solution for those of us out there that cannot accept a hosted service.

Mike
  • 3
    Come on, do you really think your service is more stable than ReCaptcha, especially when google acquired it? Even Facebook is using ReCaptcha, so don't worry unless you are running a bigger service than Facebook... I still don't think there's any captcha system better than ReCaptcha. – Francis Nov 18 '09 at 03:19
  • 6
    Google has been down several times before (Not just Gmail, but search as well). If you have your own service, that is only used by you, then you can comfortably say that when your captcha is down, your whole system is down. I do wonder what Facebook would do in the event of an outage - would they have to bear it until fixed? Do they have a backup plan? Is an outage even that important to them? If you provide services more important than viewing who poked you, or you have a SLA requirement, then the solution is not as simple as 'just wait it out'. – Mike Nov 27 '09 at 13:02
  • @Mike - a sensible website will only use CAPTCHA technologies sparingly, and the loss of CAPTCHA functionality will only impact a small subset of the site's functionality. – Stephen C Feb 08 '11 at 05:00
  • @Stephen - A small subset can be critical functionality. How about not being able to reset passwords? Or add new users? Or perform some time sensitive operation. – Mike Feb 10 '11 at 09:40
  • @Mike - 2 of those 3 are not normally critical, and the last is ... umm ... so non-specific it is meaningless. And the rest of your site will still work for your existing users who haven't forgotten their passwords. THAT is my point. – Stephen C Feb 10 '11 at 14:08
  • 3
    @Stephen - When the CEO is knocking on your door asking why they can't reset their password after forgetting it for the N'th time, or can't add the latest big cheese customer into the system, "not normally critical" doesn't cut it. It comes down to what your service is offering, and the SLA requirements for it. "Not normally critical" is a matter of SLA and shouldn't be dismissed outright. – Mike Feb 16 '11 at 22:37
  • @Mike - well, I guess if you **really** have those issues you should do something about it. Like implement an administrative interface that allows you to add / reset accounts without the user needing to do the captcha thing. Or find a commercial product that offers SLAs or the option of an in-house installation. (If the CEO demands SLAs he can pay for it!) But your (hypothetical?) use-case is pretty exceptional ... IMO. – Stephen C Feb 16 '11 at 23:12
  • Google is much more stable than you !... ! ... !! – Makky Apr 24 '12 at 15:41
  • 3
    @Makky - In the time since I made this post, we've had 2 recaptcha failures. One when the URL changed (https://groups.google.com/forum/?fromgroups#!topic/recaptcha/V7qswqBnA1o), and one when the IP addresses changed (https://groups.google.com/forum/?fromgroups#!topic/recaptcha/_Lg_MHsGKLw). And yes, both times the bigwigs were knocking on our door wondering why they couldn't log in. If we had a self-hosted solution, the only time the captcha would be down is when the target system is also down. – Mike Apr 24 '12 at 16:04
  • @Mike didn't know that !! Thanks for that info though !! They should provide the stand-alone API rather than accessing via URL :) – Makky Apr 25 '12 at 11:07
  • 1
    @Makky How do you propose to access a google-controlled server without using DNS? – fabspro Aug 25 '12 at 09:19
  • ReCaptcha will not work in China – Ed Randall Sep 07 '17 at 14:17
11

I created http://kaptcha.googlecode.com before recaptcha became as popular as it is today. It also offers you the ability to host it yourself, which may be necessary in some situations.

Kaptcha is a heavily modified and updated version of SimpleCaptcha and supports JDK5/6.

Public Profile
  • Hi Jon Stevens, I am not sure why, I couldn't get Kaptcha to work on google app engine. Regards, Xuwei –  Jan 31 '11 at 18:00
  • Is that `com.google.code.kaptcha:kaptcha:jar`? We have `${basedir}/src/main/webapp/WEB-INF/lib/kaptcha-2.3.2.jar` in our app but I would like to replace it with a version that comes from Maven Central. But the only thing I can find there, is `com.github.penggle:kaptcha` version 2.3.3. Is that the same? – Amedee Van Gasse Mar 07 '16 at 14:19
  • Good question, that is a huge failure of the design of maven in my opinion. Things you download from Maven Central could come from anywhere, so.... who knows. I'm guessing the answer is no. I'm the original author and the exported project from Google code is here: https://github.com/lookfirst/kaptcha I also ran across this clone which makes some changes including adding a pom: https://github.com/axet/kaptcha – Public Profile Mar 08 '16 at 05:09
  • I compared the source and they are the same - but indeed as you say, there is no total guarantee that the source corresponds to the jar. However I tried it out and it seems to work as expected. _caveat emptor_ – Amedee Van Gasse Mar 08 '16 at 06:45
5

SimpleCaptcha is really nice and easy to use.

Here's an example how to use SimpleCaptcha with JSF 2.0 (the homepage has an example for JSP)

Note that I'm not even bothering to store the captcha value in the bean, I'm only validating it.

The bean:

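```java
import java.io.Serializable;

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.component.UIComponent;
import javax.faces.component.html.HtmlInputText;
import javax.faces.context.FacesContext;
import javax.faces.validator.ValidatorException;
import javax.servlet.http.HttpSession;

import nl.captcha.Captcha;

@ManagedBean
@SessionScoped
public class LoginBean implements Serializable
{
    // JSF validator method: compares the submitted text with the captcha
    // that SimpleCaptchaServlet stored in the session under Captcha.NAME.
    public void validateCaptcha(FacesContext context,
                                UIComponent componentToValidate,
                                Object value)
            throws ValidatorException
    {
        HttpSession session = (HttpSession) context.getExternalContext().getSession(false);
        // No session or no stored captcha (image never requested) counts as a mismatch.
        Captcha secretcaptcha = (session == null) ? null : (Captcha) session.getAttribute(Captcha.NAME);
        if (secretcaptcha != null && value != null && secretcaptcha.isCorrect(value.toString()))
            return;

        // optional: clear field
        ((HtmlInputText) componentToValidate).setSubmittedValue("");

        throw new ValidatorException(new FacesMessage("Captcha does not match"));
    }
}
```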

The relevant segment of the facelet:

```xml
<h:form id="CaptchaForm">
    Type this: <br/>
    <h:graphicImage id="CaptchaImgID" value="/simpleCaptcha.png"/> <br/>
    <h:inputText id="CaptchaID"
                 required="true"
                 requiredMessage="Captcha missing"
                 validator="#{loginBean.validateCaptcha}"
                 validatorMessage="Captcha does not match"
                 immediate="true">
    </h:inputText>
    <br/>
    <h:commandButton value="Check"/>

    <p/>
    <!-- message for the input field -->
    <h:message id="CaptchaMsgID" for="CaptchaID" style="color:red" />
</h:form>
```

The relevant segment of the web.xml:

```xml
<servlet>
    <servlet-name>SimpleCaptcha</servlet-name>
    <servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>
    <init-param>
        <param-name>captcha-width</param-name>
        <param-value>250</param-value>
    </init-param>
    <init-param>
        <param-name>captcha-height</param-name>
        <param-value>75</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>SimpleCaptcha</servlet-name>
    <url-pattern>/simpleCaptcha.png</url-pattern>
</servlet-mapping>
```

Enjoy :-)

Tilman Hausherr
  • There might be a flaw here: what if I only request the captcha image once, and then never request the captcha image again, just use the text from it always? Does simplecaptcha have something like captcha.invalidate_currentimage? – nosam Mar 17 '12 at 06:04
  • I don't understand the question, what do you mean with "just use the text from it always"? The image isn't cached, due to the headers, so the browser requests it again each time the JSF page is shown. http://sourceforge.net/tracker/?func=detail&aid=1546896&group_id=147810&atid=769555 – Tilman Hausherr Jun 21 '12 at 11:46
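
The reuse question raised in the comments above comes down to whether a stored answer survives a validation attempt. The following is an added example (not part of the original answer or of SimpleCaptcha) that consumes the challenge on every attempt and, going beyond the thread, also expires it; the `Map` standing in for `HttpSession` attributes, `KEY`, `MAX_AGE_MS`, `Challenge` and the sample answers are assumptions constructed for illustration:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class SingleUseCaptchaDemo {
    // Assumption: placeholder for the session attribute key (Captcha.NAME in the bean above).
    static final String KEY = "captcha";
    static final long MAX_AGE_MS = 5 * 60 * 1000; // assumed lifetime of one image

    static final class Challenge {
        final String answer; final long issuedAt;
        Challenge(String answer, long issuedAt) { this.answer = answer; this.issuedAt = issuedAt; }
    }

    // Consumes the stored challenge on every attempt, right or wrong, so a
    // solved or expired answer can never be submitted a second time.
    static boolean checkOnce(Map<String, Object> session, String submitted, long now) {
        Object stored = session.remove(KEY);
        if (!(stored instanceof Challenge) || submitted == null) return false;
        Challenge c = (Challenge) stored;
        if (now - c.issuedAt > MAX_AGE_MS) return false;
        // Constant-time comparison of the expected and submitted bytes.
        return MessageDigest.isEqual(c.answer.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    static void expect(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed stand-in for HttpSession attributes
        long t0 = 1_000_000L;                          // constructed clock value

        session.put(KEY, new Challenge("x7k2p", t0));  // constructed answer, stored when the image is served
        expect(checkOnce(session, "x7k2p", t0 + 1000), "first correct submission passes");
        expect(!checkOnce(session, "x7k2p", t0 + 2000), "same text again fails: challenge consumed");

        session.put(KEY, new Challenge("m4t9q", t0));
        expect(!checkOnce(session, "wrong", t0 + 1000), "wrong guess fails");
        expect(!checkOnce(session, "m4t9q", t0 + 2000), "wrong guess also consumed the challenge");

        session.put(KEY, new Challenge("q8w3e", t0));
        expect(!checkOnce(session, "q8w3e", t0 + MAX_AGE_MS + 1), "expired challenge fails");
    }
}
```

In the JSF bean above, the equivalent step is calling `session.removeAttribute(Captcha.NAME)` before `isCorrect`, so the stored captcha is gone whichever way the check turns out.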
3

Kaptcha is a nice alternative to Recaptcha if you are looking to host your own captcha service instead of relying on a third party captcha service (like recaptcha).

Sasi