68

I'm looking for a replacement for JCaptcha, which doesn't seem to be maintained any more, and isn't very good to begin with. The replacement has to integrate nicely with JavaEE webapps.

As I can see it, there are three options:

  • JCaptcha - No longer maintained, crude API
  • SimpleCaptcha - much nicer API, nicer captchas, but seems to be Java6 only
  • ReCaptcha - easy to use, uses remote web-service to generate captchas, but not much control over look and feel

Has anyone used any others, that they'd recommend?

2

6 Answers

73

I am the author of SimpleCaptcha. While I would recommend -- for humanity's sake -- using ReCaptcha where you can, I provided SimpleCaptcha because some organizations have policies which prohibit libraries like ReCaptcha. SimpleCaptcha is meant to be entirely stand-alone, with no external dependencies: as long as you are in a J2EE container, you should be good.

Also, SimpleCaptcha is now available for either Java 1.5 or Java 6.

4
  • 1
    What are SimpleCaptcha's dependencies exactly? I'm using Tomcat 7 and get a java.lang.VerifyError whenever I add a GimpyRenderer to my captcha, which is too bad because I like SimpleCaptcha's API a lot better than Kaptcha's.
    – spaaarky21
    Feb 4, 2011 at 17:27
  • 2
    Your solution works great, but the last maven repo where I had it from (repo.enonic.com/maven) is down, no other locations... I'll put a jar into my git, but still it would be great to get it in maven.
    – sab
    Jan 25, 2013 at 12:04
  • @jchilders I need to use SimpleCaptcha as an osgi bundle. That's why I try to build it as a maven project. For this I need jhlabs, but the version of sources I downloaded from jhlabs.com/ip/filters/download.html is not compatible. Can you say what version of jhlabs you used?
    – user2022068
    Feb 13, 2015 at 9:22
  • 1
    And more, could you make your project available for building as a Maven project? I see a lot of people need it.
    – user2022068
    Feb 13, 2015 at 10:29
26

ReCaptcha is the only captcha you should use, because it's the only captcha that makes the world better (it improves OCR results for old text), with an almost unlimited database.

All other captchas are usually limited by their database, or do nothing good for this world.

EDIT :: I found steps on how to implement captcha using recaptcha.

You can check both Online and Offline captcha using java here

9
  • 24
    OK, but benefit to humanity wasn't really on my list of priorities :) Also, JCaptcha and SimpleCaptcha generate randomised captchas, so database size is not an issue.
    – skaffman
    May 1, 2009 at 7:24
  • 3
    One more thing - many captchas with colorful / rotated backgrounds / lines / images are too complex for the majority of users (e.g. the famous Cat Number used by rapidshare). recaptcha, on the contrary, is based on real English words so it's easier for most people. You won't want to apply a captcha where 90% of people will send you mail saying "I can't pass the captcha"...
    – Francis
    May 1, 2009 at 7:32
  • 6
    I question the statement that randomized captchas are more easily attacked than database backed captchas. On the subject of ReCaptcha, one benefit is that what it puts in front of the human is a word which a quality OCR implementation has already failed on.
    May 2, 2009 at 7:22
  • 7
    recaptcha is too hard for lots of humans, it's just unreadable quite frequently
    – OlegYch
    Sep 19, 2012 at 21:17
  • 3
    I wonder if reCaptcha's humanity benefit would ever reach people in China Mainland who are behind the great firewall. :) stackoverflow.com/questions/23780387/…
    – Hoang Tran
    Oct 29, 2014 at 9:29
21

What happens when ReCaptcha is down/unavailable? Does your service simply stop? Do you simply stop signing people up when it's down? Do you allow users to sign up even if ReCaptcha isn't running? If so, what are the security implications of this? Especially if you use CAPTCHA for more than just signup, e.g. reset password forms, login forms, ... which would not be acceptable to use without the CAPTCHA component.

The Java world of CAPTCHAs is in a sad state, with SimpleCaptcha seemingly the best solution for those of us out there that cannot accept a hosted service.

12
  • 3
    Come on, do you really think your service is more stable than ReCaptcha, especially when Google acquired it? Even Facebook is using ReCaptcha, so don't worry unless you are running a bigger service than Facebook... I still don't think there's any captcha system better than ReCaptcha.
    – Francis
    Nov 18, 2009 at 3:19
  • 7
    Google has been down several times before (not just Gmail, but search as well). If you have your own service, that is only used by you, then you can comfortably say that when your captcha is down, your whole system is down. I do wonder what Facebook would do in the event of an outage - would they have to bear it until fixed? Do they have a backup plan? Is an outage even that important to them? If you provide services more important than viewing who poked you, or you have an SLA requirement, then the solution is not as simple as 'just wait it out'.
    – Mike
    Nov 27, 2009 at 13:02
  • 3
    @Stephen - When the CEO is knocking on your door asking why they can't reset their password after forgetting it for the N'th time, or can't add the latest big cheese customer into the system, "not normally critical" doesn't cut it. It comes down to what your service is offering, and the SLA requirements for it. "Not normally critical" is a matter of SLA and shouldn't be dismissed outright.
    – Mike
    Feb 16, 2011 at 22:37
  • 4
    @Makky - In the time since I made this post, we've had 2 recaptcha failures. One when the URL changed (groups.google.com/forum/?fromgroups#!topic/recaptcha/…), and one when the IP addresses changed (groups.google.com/forum/?fromgroups#!topic/recaptcha/…). And yes, both times the bigwigs were knocking on our door wondering why they couldn't log in. If we had a self-hosted solution, the only time the captcha would be down is when the target system is also down.
    – Mike
    Apr 24, 2012 at 16:04
  • 1
    @Makky How do you propose to access a google-controlled server without using DNS?
    – fabspro
    Aug 25, 2012 at 9:19
11

I created http://kaptcha.googlecode.com before recaptcha became as popular as it is today. It also offers you the ability to host it yourself, which may be necessary in some situations.

Kaptcha is a heavily modified and updated version of SimpleCaptcha and supports JDK5/6.

4
  • Hi Jon Stevens, I am not sure why, I couldn't get Kaptcha to work on google app engine. Regards, Xuwei
    – user341827
    Jan 31, 2011 at 18:00
  • Is that com.google.code.kaptcha:kaptcha:jar? We have ${basedir}/src/main/webapp/WEB-INF/lib/kaptcha-2.3.2.jar in our app but I would like to replace it with a version that comes from Maven Central. But the only thing I can find there is com.github.penggle:kaptcha version 2.3.3. Is that the same?
    Mar 7, 2016 at 14:19
  • Good question, that is a huge failure of the design of maven in my opinion. Things you download from Maven Central could come from anywhere, so.... who knows. I'm guessing the answer is no. I'm the original author and the exported project from Google code is here: github.com/lookfirst/kaptcha I also ran across this clone which makes some changes including adding a pom: github.com/axet/kaptcha
    Mar 8, 2016 at 5:09
  • I compared the source and they are the same - but indeed as you say, there is no total guarantee that the source corresponds to the jar. However I tried it out and it seems to work as expected. caveat emptor
    Mar 8, 2016 at 6:45
5

SimpleCaptcha is really nice and easy to use.

Here's an example of how to use SimpleCaptcha with JSF 2.0 (the homepage has an example for JSP)

Note that I'm not even bothering to store the captcha value in the bean, I'm only validating it.

The bean:

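// Imports for JSF 2.0, the Servlet API and SimpleCaptcha
import java.io.Serializable;

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.component.UIComponent;
import javax.faces.component.html.HtmlInputText;
import javax.faces.context.FacesContext;
import javax.faces.validator.ValidatorException;
import javax.servlet.http.HttpSession;

import nl.captcha.Captcha;

@ManagedBean
@SessionScoped
public class LoginBean implements Serializable
{
    public void validateCaptcha(FacesContext context,
                                UIComponent componentToValidate,
                                Object value)
            throws ValidatorException
    {
        // getSession(false) returns null when no session exists yet
        HttpSession session = (HttpSession) context.getExternalContext().getSession(false);
        Captcha secretcaptcha = (session == null)
                ? null
                : (Captcha) session.getAttribute(Captcha.NAME);

        // A missing session or captcha counts as a failed check instead of a NullPointerException
        if (secretcaptcha != null && value != null && secretcaptcha.isCorrect(value.toString()))
            return;

        // optional: clear field
        ((HtmlInputText) componentToValidate).setSubmittedValue("");

        throw new ValidatorException(new FacesMessage("Captcha does not match"));
    }
}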

The relevant segment of the facelet:

<h:form id="CaptchaForm">
    Type this: <br/>
    <h:graphicImage id="CaptchaImgID" value="/simpleCaptcha.png"/> <br/>
    <h:inputText id="CaptchaID"
                 required="true"
                 requiredMessage="Captcha missing"
                 validator="#{loginBean.validateCaptcha}"
                 validatorMessage="Captcha does not match"
                 immediate="true">
    </h:inputText>
    <br/>
    <h:commandButton value="Check"/>

    <p/>
    <!-- message for the input field -->
    <h:message id="CaptchaMsgID" for="CaptchaID" style="color:red" />
</h:form>

The relevant segment of the web.xml:

<servlet>
    <servlet-name>SimpleCaptcha</servlet-name>
    <servlet-class>nl.captcha.servlet.SimpleCaptchaServlet</servlet-class>
    <init-param>
        <param-name>captcha-width</param-name>
        <param-value>250</param-value>
    </init-param>
    <init-param>
        <param-name>captcha-height</param-name>
        <param-value>75</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>SimpleCaptcha</servlet-name>
    <url-pattern>/simpleCaptcha.png</url-pattern>
</servlet-mapping>

Enjoy :-)

2
  • There might be a flaw here: what if I only request the captcha image once, and then never request the captcha image again, just use the text from it always? Does simplecaptcha have something like captcha.invalidate_currentimage?
    – nosam
    Mar 17, 2012 at 6:04
  • I don't understand the question, what do you mean by "just use the text from it always"? The image isn't cached, due to the headers, so the browser requests it again each time the JSF page is shown. sourceforge.net/tracker/…
    Jun 21, 2012 at 11:46
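
The reuse concern raised in the first comment above (request one image, then keep submitting its text) is addressed by making each stored answer single-use. This is an added example, not code from the answer or from SimpleCaptcha: a plain Map stands in for the HttpSession attributes, and the class, method and key names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SingleUseCaptcha {
    // Hypothetical attribute key; the bean above uses Captcha.NAME for the same purpose.
    static final String KEY = "captchaAnswer";

    /** Called whenever a captcha image is rendered: store the fresh expected answer. */
    static void issue(Map<String, Object> session, String expected) {
        session.put(KEY, expected);
    }

    /**
     * Consumes the stored answer before comparing it, so a right guess and a
     * wrong guess both invalidate it. remove() is atomic on ConcurrentHashMap,
     * so of two parallel requests carrying the same answer only one can pass.
     */
    static boolean verifyOnce(Map<String, Object> session, String submitted) {
        Object expected = session.remove(KEY);
        if (expected == null || submitted == null) {
            return false; // nothing issued, already consumed, or empty input
        }
        return MessageDigest.isEqual(
                expected.toString().getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample data: the answers below are made up for the demo.
        Map<String, Object> session = new ConcurrentHashMap<>();

        issue(session, "x7kq2");
        System.out.println("first submit:      " + verifyOnce(session, "x7kq2"));
        System.out.println("replay, no image:  " + verifyOnce(session, "x7kq2"));

        issue(session, "m4pd9");
        System.out.println("wrong guess:       " + verifyOnce(session, "zzzzz"));
        System.out.println("retry, same image: " + verifyOnce(session, "m4pd9"));

        issue(session, "r2tn8");
        System.out.println("after new image:   " + verifyOnce(session, "r2tn8"));
    }
}
```

In the JSF validator the equivalent step is calling session.removeAttribute(Captcha.NAME) right after reading the attribute, on both the success and the failure path, so a new image has to be requested before the next attempt.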
3

Kaptcha is a nice alternative to Recaptcha if you are looking to host your own captcha service instead of relying on a third party captcha service (like recaptcha).
