JCAPTCHA with AppFuse via Struts

Here's my way of integrating JCAPTCHA with AppFuse to utilize captcha images within the Acegi security framework. This method is my own extension of an excellent article by Petr Matul'k that was focused solely on JCAPTCHA-SpringFramework integration. My method extends this for use with the kickstart application AppFuse by Matt Raible, leveraging Struts and many of Matt's constructs from AppFuse.

There are two ways that JCAPTCHA can be used with this implementation: 1) Acegi-Security method, and 2) Custom Captcha method. Both implementation methods can be used simultaneously as well, as they work together and leverage 95% of the same code. The example below shows how to captcha-secure the AppFuse signup.html page.

The Acegi-Security method allows you to use the Acegi captcha provider framework to provide security to your web application. Generally this means that there will be a resource, like a file url, that you want to secure with a captcha. You add the url to the Acegi configuration as a protected resource and when a user browses to that url, they get a captcha challenge. If they pass the captcha challenge, they get access to the resource, and henceforth are considered a "human" within the Acegi framework. When the user logs out, their session is invalidated, and they are no longer considered a human by the webapp. The next time they try to view the protected url resource, they are challenged with a captcha again.

The Custom Captcha method allows you to use a captcha image within any form, as part of that form. Therefore your user will most likely be entering other information (like user registration info) on the same form and the captcha will appear at the bottom of the form. The test for humanity occurs in the controller level of the AppFuse (Struts) MVC infrastructure, in a custom Struts Action. The humanity check is always performed within the Struts Action, regardless of the state of "isHuman" within the Acegi security framework.

If you wish to use my methods below, here are the prerequisites: 1) AppFuse v1.9, 2) Acegi-Security v1.0.0-FINAL, 3) JCAPTCHA v1.0-RC3. I also assume that you've already generated a webapp using AppFuse and you've already started customizing the webapp for your business needs. When I refer to "myapp" below, I'm talking about the generated application, and java packages, that you created from AppFuse.

1. AppFuse needs to be patched to Acegi-Security v1.0.0-FINAL to fix a few bugs. Do this by placing the new Acegi jar file in: myapp/lib/spring-1.2.7/acegi-security-1.0.0.jar and deleting the old acegi-security-1.0.0-RC2.jar file.

   Add JCAPTCHA to your webapp by creating the myapp/lib/jcaptcha-1.0-RC3/ directory and placing the jcaptcha-all-1.0-RC3.jar inside it. Then edit the myapp/lib/lib.properties file and add:

   # # jCaptcha image-based human testing # jcaptcha.version=1.0-RC3 jcaptcha.jar=${lib.dir}/jcaptcha-${jcaptcha.version}/jcaptcha-all-${jcaptcha.version}.jar
   Then you need to tell ant to use the jcaptcha jar file for compiling, so edit the myapp/properties.xml and add: <pathelement location="${jcaptcha.jar}"/> as a child of to the <path id="service.compile.classpath"> and <path id="web.compile.classpath"> elements. Now tell ant to add JCAPTCHA to the webapp's war file by editing the build.xml file and adding <lib file="${jcaptcha.jar}"/> to the <war> tag of the <target name="package-web" ...> target.

2. This would be a good point to do a clean build of yor war file using ant. The application should compile and run just fine. The upgraded Acegi-Security jar and added JCAPTCHA jar should now live in the war file's WEB-INF/lib directory. If the compile, war file, and application are still working, then proceed to the next step.

3. The next step is to get JCAPTCHA to generate images that are accessible via a web browser. This will be done with servlet that generates jpeg captcha images using JCAPTCHA and the SpringFramework. Start by defining the servlet in the myapp/web/WEB-INF/web.xml file as:

   <servlet> <servlet-name>jcaptcha</servlet-name> <servlet-class>com.myapp.webapp.servlet.ImageCaptchaServlet</servlet-class> <load-on-startup>3</load-on-startup> </servlet> <servlet-mapping> <servlet-name>jcaptcha</servlet-name> <url-pattern>/captcha.jpg</url-pattern> </servlet-mapping>

4. Now define the JCAPTCHA configuration in the SpringFramework by adding a bean to the file: myapp/WEB-INF/applicationContext-security.xml. You will need to read an excellent tutorial detailing how to configure JCAPTCHA with SpringFramework. Specifically, the imageEngine defined in the bean below needs to be flushed out to configure image generation: it won't work as shown and the details are beyond the scope of this post.

   <bean id="imageCaptchaService" class="com.octo.captcha.service.multitype.GenericManageableCaptchaService"> <constructor-arg index="0"> <ref bean="imageEngine"/> </constructor-arg> <constructor-arg index="1"> <value>180</value> </constructor-arg> <constructor-arg index="2"> <value>180000</value> </constructor-arg> </bean>

5. Here's the servlet code that renders the JPEG captcha images and registers the session ID with the JCAPTCHA infrastructure. Create the file as myapp/src/web/com/myapp/webapp/servlet/ImageCaptchaServlet.java. After creating this servlet and configuring JCAPTCHA via the SpringFramework, you should be able to compile the webapp, create the war, deploy to your container, and see captcha images via a url like: http://127.0.0.1:8080/myapp/captcha.jpg. If the servlet is not generating images, recheck the configuration before proceeding.

   package com.myapp.webapp.servlet; import java.awt.image.BufferedImage; import java.io.ByteArrayOutputStream; import java.io.IOException; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.context.ApplicationContext; import org.springframework.web.context.support.WebApplicationContextUtils; import com.octo.captcha.service.CaptchaServiceException; import com.octo.captcha.service.image.ImageCaptchaService; import com.sun.image.codec.jpeg.JPEGCodec; import com.sun.image.codec.jpeg.JPEGImageEncoder; /** * Servlet generates CAPTCHA jpeg images based on the JCAPTCHA package. It's * configured via spring, and requires a ImageCaptchaService bean with the * id=imageCaptchaService * * @author Jason Thrasher */ public class ImageCaptchaServlet extends HttpServlet { private static final long serialVersionUID = 3258417209566116145L; public void init(ServletConfig servletConfig) throws ServletException { super.init(servletConfig); } protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException { byte[] captchaChallengeAsJpeg = null; // the output stream to render the captcha image as jpeg into ByteArrayOutputStream jpegOutputStream = new ByteArrayOutputStream(); try { // get the image captcha service defined via the SpringFramework ApplicationContext ctx = WebApplicationContextUtils .getRequiredWebApplicationContext(getServletContext()); Object bean = ctx.getBean("imageCaptchaService"); ImageCaptchaService imageCaptchaService = (ImageCaptchaService) bean; // get the session id that will identify the generated captcha. // the same id must be used to validate the response, the session id // is a good candidate! String captchaId = httpServletRequest.getSession().getId(); // call the ImageCaptchaService getChallenge method BufferedImage challenge = imageCaptchaService .getImageChallengeForID(captchaId, httpServletRequest .getLocale()); // a jpeg encoder JPEGImageEncoder jpegEncoder = JPEGCodec .createJPEGEncoder(jpegOutputStream); jpegEncoder.encode(challenge); } catch (IllegalArgumentException e) { httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND); return; } catch (CaptchaServiceException e) { httpServletResponse .sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return; } captchaChallengeAsJpeg = jpegOutputStream.toByteArray(); // flush it in the response httpServletResponse.setHeader("Cache-Control", "no-store"); httpServletResponse.setHeader("Pragma", "no-cache"); httpServletResponse.setDateHeader("Expires", 0); httpServletResponse.setContentType("image/jpeg"); ServletOutputStream responseOutputStream = httpServletResponse .getOutputStream(); responseOutputStream.write(captchaChallengeAsJpeg); responseOutputStream.flush(); responseOutputStream.close(); } }

6. The servlet should now be generating captcha images just fine. This next section details the Acegi-Security method (versus the Custom Captcha method) to secure a web resource, like a url, using that captcha image. First, we define a proxy according to the CaptchaServiceProxy defined by Acegi. This allows Acegi to access JCAPTCHA.

   package com.myapp.service; import org.acegisecurity.captcha.CaptchaServiceProxy; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import com.octo.captcha.service.CaptchaServiceException; import com.octo.captcha.service.image.ImageCaptchaService; /** * Allows the SpringFramework acegi-security captcha package to access the the * JCAPTCHA service. Captcha validation results are logged. * * @author Petr Matul'k, modified by Jason Thrasher * @see http://weblog.morosystems.cz/spring/Spring-Acegi-JCaptcha-integration */ public class JCaptchaServiceProxyImpl implements CaptchaServiceProxy { protected static final Log log = LogFactory .getLog(JCaptchaServiceProxyImpl.class); private ImageCaptchaService jcaptchaService; public boolean validateReponseForId(String id, Object response) { log.debug("validating captcha response"); try { boolean isHuman = jcaptchaService.validateResponseForID(id, response).booleanValue(); if (isHuman) { log.debug("captcha passed"); } else { log.warn("captcha failed"); } return isHuman; } catch (CaptchaServiceException cse) { // fixes known bug in JCaptcha log.warn("captcha validation failed due to exception", cse); return false; } } public void setJcaptchaService(ImageCaptchaService jcaptchaService) { this.jcaptchaService = jcaptchaService; } }

7. Struts uses Forms and Actions to handle user interaction. A CaptchaForm needs to be defined to handle manipulation of the "next url" that the user is forwarded to when they successfully pass the captcha. Create the following file as myapp/src/web/com/myapp/webapp/form/CaptchaForm.java. Note that there are several meta-tags in this file that are used to generate the appropriate struts-config.xml entries.

   package com.myapp.webapp.form; import javax.servlet.http.HttpServletRequest; import org.apache.struts.action.ActionMapping; /** * Struts form handles CAPTCHA process and tracking of the next URL and * parameters to forward the successful captcha-check to. * * @author Jason Thrasher * @struts.form name="captchaForm" */ public class CaptchaForm extends BaseForm implements java.io.Serializable { protected String captchaResponse; protected String originalRequestMethod; protected String originalRequestUrl; protected String originalRequestParameters; /** Default empty constructor. */ public CaptchaForm() { } public String getCaptchaResponse() { return this.captchaResponse; } /** * @struts.validator type="required" */ public void setCaptchaResponse(String captchaResponse) { this.captchaResponse = captchaResponse; } public String getOriginalRequestMethod() { return this.originalRequestMethod; } public void setOriginalRequestMethod(String originalRequestMethod) { this.originalRequestMethod = originalRequestMethod; } public String getOriginalRequestUrl() { return this.originalRequestUrl; } public void setOriginalRequestUrl(String originalRequestUrl) { this.originalRequestUrl = originalRequestUrl; } public String getOriginalRequestParameters() { return this.originalRequestParameters; } public void setOriginalRequestParameters(String originalRequestParameters) { this.originalRequestParameters = originalRequestParameters; } /** * @see org.apache.struts.action.ActionForm#reset(org.apache.struts.action.ActionMapping, * javax.servlet.http.HttpServletRequest) */ public void reset(ActionMapping mapping, HttpServletRequest request) { // reset any boolean data types to false setCaptchaResponse(""); } }

8. A struts Action needs to be defined to handle checking of the humanity state inside the Acegi framework. The action also saves the "next url" back to the form and other parameters back to the form. This action is unaware of the JCAPTCHA api, it only uses the Acegi and Struts classes. Create it as: myapp/src/web/com/myapp/webapp/action/CaptchaAction.java. Note that there are several meta-tags in this file that are used to generate the appropriate struts-config.xml entries.

   package com.myapp.webapp.action; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.acegisecurity.captcha.CaptchaSecurityContext; import org.acegisecurity.context.SecurityContext; import org.acegisecurity.context.SecurityContextHolder; import org.apache.struts.action.ActionForm; import org.apache.struts.action.ActionForward; import org.apache.struts.action.ActionMapping; import com.myapp.webapp.form.CaptchaForm; /** * Action class to allow users to create teams. * * @author Jason Thrasher * * @struts.action name="captchaForm" path="/captcha" scope="request" * validate="false" input="failure" * * @struts.action-forward name="failure" path="/WEB-INF/pages/captcha.jsp" */ public final class CaptchaAction extends BaseAction { public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { if (form instanceof CaptchaForm) { // store values in the form, if not null CaptchaForm cForm = (CaptchaForm) form; if (request.getParameter("original_request_method") != null) { cForm.setOriginalRequestMethod(request .getParameter("original_request_method")); } if (request.getParameter("original_requestUrl") != null) { cForm.setOriginalRequestUrl(request .getParameter("original_requestUrl")); } if (request.getParameter("original_request_parameters") != null) { cForm.setOriginalRequestParameters(request .getParameter("original_request_parameters")); } // test the security context SecurityContext sContext = SecurityContextHolder.getContext(); if (sContext instanceof CaptchaSecurityContext) { CaptchaSecurityContext captchaContext = (CaptchaSecurityContext) sContext; log.debug("requestCnt: " + captchaContext .getHumanRestrictedResourcesRequestsCount() + " lastPassedDateMillis: " + captchaContext.getLastPassedCaptchaDateInMillis() + " authentication: " + captchaContext.getAuthentication().toString()); if (captchaContext.isHuman()) { log.debug("captcha found a human, forward to: " + request.getParameter("original_requestUrl")); // build forward url by chopping the original // TODO: handle when orig is null String orig = cForm.getOriginalRequestUrl(); String ctx = request.getContextPath(); String inhouse = orig.substring(ctx.length() + orig.indexOf(ctx)); log.debug("ctx=" + ctx + " inhouse=" + inhouse); ActionForward next = new ActionForward(inhouse, true); return next; } else { log.warn("captcha failed, must retest"); } } else { log.error("securityContext is not CaptchaSecurityContext"); } } else { log.error("CaptchaForm not found"); } // default response return mapping.findForward("failure"); } }

9. You will need a JSP page to render the form captcha image. Create the file below as myapp/web/pages/captcha.jsp

   <%@ include file="/common/taglibs.jsp"%> <title><fmt:message key="captchaForm.title"/></title> <content tag="heading"><fmt:message key="captchaForm.heading"/></content> <body id="signup"/> <p><fmt:message key="captchaForm.message"/></p> <div class="separator"></div> <html:form action="/captcha" styleId="captchaForm" onsubmit="return validateUserForm(this)"> <script language="JavaScript" type="text/javascript"> <!-- //function gets the next captcha image function next() { var now = new Date(); var newSrc = 'captcha.jpg?' + now.getTime(); if (document.images) { document.images.captcha.src = newSrc; } } //--> </script > <table class="detail"> <tr> <th> <tft:label key="captchaForm.prompt"/> </th> <td> <a href="javascript:next();"> <img src="captcha.jpg" name="captcha" alt="If the image is illegible, click it to get another one." /> </a> <html:text property="captchaResponse" styleId="captchaResponse"/> <html:hidden property="originalRequestMethod"/> <html:hidden property="originalRequestUrl"/> <html:hidden property="originalRequestParameters"/> <html:errors property="captchaAnswer"/> </td> </tr> <tr> <td></td> <td class="buttonBar"> <html:submit styleClass="button" onclick="bCancel=false"> <fmt:message key="button.captcha"/> </html:submit> </td> </tr> </table> </html:form> <script type="text/javascript"> Form.focusFirstElement(document.forms['captchaForm']); </script> <html:javascript formName="captchaForm" cdata="false" dynamicJavascript="true" staticJavascript="false"/> <script type="text/javascript" src="<c:url value="/scripts/validator.jsp"/>"></script>

10. Append the appropriate text to myapp/web/WEB-INF/classes/ApplicationResources.properties as needed below. This is used to render messages within the JSP.

    errors.captcha={0} did not match the image, please try again. button.captcha=I have a heartbeat! userForm.captcha=* Captcha Word # -- generic captcha form captchaForm.title=CAPTCHA captchaForm.heading=Heartbeat Test captchaForm.message=Please verify that you have a heartbeat. This helps us to avoid spam, keep your private information private, and makes it hard for bad people to join your team. captchaForm.prompt=Enter the letters found in the following image

11. Edit the myapp/web/WEB-INF/applicationContext-security.xml file to integrate Acegi with your JCAPTCHA proxy created above. In the <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> entry, change:

    /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,remoteUserFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    to:
    /**=httpSessionContextIntegrationFilter,captchaValidationProcessingFilter,channelProcessingFilter,authenticationProcessingFilter,remoteUserFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    Replace:
    <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
    with:
    <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"> <property name="context"><value>org.acegisecurity.captcha.CaptchaSecurityContextImpl</value></property> </bean>
    In this section we need to define the resource that is being protected:
    
    <!-- ===================== SSL SWITCHING ==================== --> <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
    
    replace the contents of <value/> with:
    <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /signup.html=REQUIRES_CAPTCHA_ONCE_ABOVE_THRESOLD_REQUESTS </value>
    Replace the entire:
    <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
    with this:
    <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl"> <property name="channelProcessors"> <list> <ref local="testOnceAfterMaxRequestsCaptchaChannelProcessor"/> <ref local="alwaysTestAfterTimeInMillisCaptchaChannelProcessor"/> <ref local="alwaysTestAfterMaxRequestsCaptchaChannelProcessor"/> <ref local="alwaysTestBelowAverageTimeInMillisBetweenRequestsChannelProcessor"/> </list> </property> </bean>
    Finally, insert the new bean definitions below. Note that the "captchaResponse" parameter must match the one in the JSP file, and the "imageCaptchaService" bean id was defined earlier when we setup the captcha.jpg url.
    <!-- REQUIRES_CAPTCHA_ONCE_ABOVE_THRESOLD_REQUESTS --> <bean id="testOnceAfterMaxRequestsCaptchaChannelProcessor" class="org.acegisecurity.captcha.TestOnceAfterMaxRequestsCaptchaChannelProcessor"> <property name="thresold"> <value>1</value> </property> <property name="entryPoint"> <ref bean="captchaEntryPoint" /> </property> </bean> <!-- REQUIRES_CAPTCHA_ABOVE_THRESOLD_REQUESTS --> <bean id="alwaysTestAfterMaxRequestsCaptchaChannelProcessor" class="org.acegisecurity.captcha.AlwaysTestAfterMaxRequestsCaptchaChannelProcessor"> <property name="thresold"> <value>5</value> </property> <property name="entryPoint"> <ref bean="captchaEntryPoint" /> </property> </bean> <!-- REQUIRES_CAPTCHA_AFTER_THRESOLD_IN_MILLIS --> <bean id="alwaysTestAfterTimeInMillisCaptchaChannelProcessor" class="org.acegisecurity.captcha.AlwaysTestAfterTimeInMillisCaptchaChannelProcessor"> <property name="thresold"> <value>5000</value> </property> <property name="entryPoint"> <ref bean="captchaEntryPoint" /> </property> </bean> <!-- REQUIRES_CAPTCHA_BELOW_AVERAGE_TIME_IN_MILLIS_REQUESTS --> <bean id="alwaysTestBelowAverageTimeInMillisBetweenRequestsChannelProcessor" class="org.acegisecurity.captcha.AlwaysTestBelowAverageTimeInMillisBetweenRequestsChannelProcessor"> <property name="thresold"> <value>20000</value> </property> <property name="entryPoint"> <ref bean="captchaEntryPoint" /> </property> </bean> <bean id="captchaEntryPoint" class="org.acegisecurity.captcha.CaptchaEntryPoint"> <property name="captchaFormUrl"> <value>/captcha.html</value> </property> <property name="includeOriginalRequest"> <value>true</value> </property> <property name="includeOriginalParameters"> <value>true</value> </property> </bean> <bean id="captchaValidationProcessingFilter" class="org.acegisecurity.captcha.CaptchaValidationProcessingFilter"> <property name="captchaService"> <ref bean="captchaService" /> </property> <property name="captchaValidationParameter"> <value>captchaResponse</value> </property> </bean> <!-- imageCaptchaService is injected into captchaImageCreateController as well as to captchaService beans --> <bean id="captchaService" class="com.myapp.service.JCaptchaServiceProxyImpl" > <property name="jcaptchaService" ref="imageCaptchaService" /> </bean>

12. Next, add a Acegi servlet filter to the web.xml file so that the new channelFilter captures jsp and html page requests. Edit the myapp/web/WEB-INF/web.xml file by adding a new filter immediately after this securityFilter:
<filter>
  <filter-name>securityFilter</filter-name>
 <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>

    

    <filter> <filter-name>channelFilter</filter-name> <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> <param-value>org.acegisecurity.securechannel.ChannelProcessingFilter</param-value> </init-param> </filter> <filter-mapping> <filter-name>channelFilter</filter-name> <url-pattern>*.html</url-pattern> </filter-mapping> <filter-mapping> <filter-name>channelFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>

13. At this point, your webapp should be ready to use Acegi to protect the /signup.html url via captcha. Use ant to clean and rebuild the war file, then redeploy the war to the servlet container. The application's login page should still be the default page. When you choose the "Signup" link, you should see the captcha challenge JSP page render. If you click on the captcha image, you should get a new image (just incase the captcha us too hard). If you fill in the captcha response box corretly and submit the form, you should be presented with the signup.html page. You shouldn't be challenged via captcha again, until your session is invalidated.

14. The Custom Captcha method of adding captcha to an AppFuse project is to use add a challenge to an existing form. The same captcha.jsp servlet is used to generate images. The first step is to modify the myapp/web/pages/signup.jsp file to add the captcha:

    <tr> <th> <tft:label key="userForm.captcha" styleClass="required"/> </th> <td> <script language="JavaScript" type="text/javascript"> <!-- //function gets the next captcha image function next() { var now = new Date(); var newSrc = 'captcha.jpg?' + now.getTime(); if (document.images) { document.images.captcha.src = newSrc; } } //--> </script > <a href="javascript:next();"><img src="captcha.jpg" alt="If the image is illegible, click it to get another one." name="captcha" /></a> <br /> <html:text property="captcha" styleId="captcha"/> <html:errors property="captcha"/> </td> </tr>

15. Now modify the AppFuse-generated file myapp/src/web/com/myapp/webapp/action/SignupAction.java to provide a humanity check by calling the imageCaptchaService bean defined in Spring. Add the following code block after the User user = (User) convert(form); line.

    // get the captcha key try { String captchaId = request.getSession().getId(); //get access to the service Object bean = getBean("imageCaptchaService"); GenericManageableCaptchaService service = (GenericManageableCaptchaService)bean; String question = "UNKNOWN"; // String question = service.getTextChallengeForID(captchaId, // request.getLocale()); String answer = user.getCaptcha(); // validate that the user is human boolean isHuman = false; isHuman = service.validateResponseForID(captchaId, answer) .booleanValue(); // log the output if (!isHuman) { log.warn("captcha failed challenge: /"" + question + "/" response: /"" + answer + "/""); errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("errors.captcha", userForm.getCaptcha())); saveErrors(request, errors); return mapping.getInputForward(); } } catch (Exception e) { log.fatal("failed to validate captcha", e); errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("errors.captcha", userForm.getCaptcha())); saveErrors(request, errors); return mapping.getInputForward(); }

16. Lastly, add the captcha element to the user object. Edit the file: myapp/src/dao/com/myapp/model/User.java, by adding the following code block.

    protected String captcha; //validates a human, not stored in db public String getCaptcha() { return captcha; } public void setCaptcha(String captcha) { this.captcha = captcha; }

17. Now recompile, rebuild and redeploy the war file, and you should have a captcha challenge within both on the first request to the singup.html page, and ON the signup.html page. You would probably frustrate users if you used both, but the proof of concept now exists and you can use either method as you see fit within your webapp.