Captcha Protection

Captcha is a simple but powerful way of detecting bots. In its simplest form you would always challenge the user with a captcha.
With the Nixer plugin you can dynamically control when the captcha should be enabled.

Integration

Currently the plugin provides integration only with Google Recaptcha V2.

To integrate captcha, the application needs to:

  • sign up for Recaptcha
  • display it in the view
  • verify the captcha response on the server
  • connect it to Spring Security

Installation

The Captcha Nixer plugin is distributed through Maven Central.

It also requires a dependency on the Core Nixer plugin.

dependencies {
    implementation("io.nixer:nixer-plugin-core:0.1.1.3")
    implementation("io.nixer:nixer-plugin-captcha:0.1.1.3")
}

Signup

To start with Recaptcha you need to create an API key pair for your application. Follow the official guide to sign up and create the keys.

Put your keys in application properties.

nixer.captcha.recaptcha.verifyUrl=https://www.google.com/recaptcha/api/siteverify
nixer.captcha.recaptcha.key.site=<site_key>
nixer.captcha.recaptcha.key.secret=<secret_key>

When performing automated tests of your application, your tools will fail on the captcha check; that is exactly what the captcha is for. To solve that problem Recaptcha provides test API keys that make verification accept any captcha value.

Displaying Captcha

We assume that mitigation behaviors such as captcha can be controlled dynamically, so displaying the captcha should be conditional. The plugin does not provide a ready-to-use login view. The sample project linked here shows how to use the Thymeleaf templating engine to render the captcha conditionally. The captcha response code should be submitted as part of the login form.

Verifying Captcha

Verification of the captcha is done as part of the authentication process.

Use the following properties to control the captcha check for login.

nixer.login.captcha.condition=SESSION_CONTROLLED
nixer.login.captcha.param=g-recaptcha-response

Spring Security Setup

Setting up captcha for login requires adding CaptchaConfigurer as a post-processor.
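As an added illustration (not code from the Nixer project or its sample), the following Spring Security configuration shows one place where such a post-processor can be registered: on the form-login configurer, via Spring Security's withObjectPostProcessor. The import path of CaptchaConfigurer and the assumption that the plugin exposes it as an injectable bean are assumptions here; confirm both against the plugin's sample project.

```java
import io.nixer.nixerplugin.captcha.security.CaptchaConfigurer; // assumed package; check the plugin's sample project
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the captcha plugin's auto-configuration registers this bean.
    @Autowired
    private CaptchaConfigurer captchaConfigurer;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // the login page and static assets must stay reachable without authentication
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                // Register the configurer as an ObjectPostProcessor: this is the hook through which
                // the captcha check is attached to the form-login authentication filter.
                .withObjectPostProcessor(captchaConfigurer);
    }
}
```

With this wiring the captcha check runs inside the normal form-login flow, so the nixer.login.captcha.* properties above decide whether a request is challenged and which request parameter carries the captcha response.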

Captcha For Endpoint

It might be useful to protect not only login but also other endpoints. To do that you can use CaptchaValidator in the form of a standard bean validation constraint.

Here is an example of how it may look.

// Note: for a constraint on a method parameter to be enforced, the controller
// class must be annotated with @Validated (Spring's method validation).
@PostMapping("/userSubscribe")
public String userSubscribe(@ModelAttribute("g-recaptcha-response")
                            @Captcha(action = "user_subscribe", message = "Captcha error")
                            String captcha) {
    ...
}

Detailed Configuration

Http Client

Verification of the captcha is done via an HTTP API. With the following properties you can configure the HTTP client.

nixer.captcha.recaptcha.http.timeout.connect=2000
nixer.captcha.recaptcha.http.timeout.read=2000
nixer.captcha.recaptcha.http.timeout.connectionRequest=2000
nixer.captcha.recaptcha.http.maxConnections=10
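To make the "Verifying Captcha" and "Http Client" sections concrete, here is an added stand-alone example (not the plugin's own implementation) of the server-side check the plugin performs: the submitted g-recaptcha-response token is posted together with the secret key to the verifyUrl, and the reply's JSON "success" field decides the outcome. The class name RecaptchaVerifier, the constructor parameters, and the use of Jackson's ObjectMapper for JSON parsing are choices made for this example; the timeouts are wired to mirror the connect and read timeout properties above.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

/**
 * Illustrative server-side Recaptcha V2 check (example code, not the Nixer plugin's class).
 * Every failure path returns false, so an unreachable or slow verification service
 * never lets a request through unchallenged.
 */
public final class RecaptchaVerifier {

    private final HttpClient httpClient;
    private final URI verifyUrl;      // nixer.captcha.recaptcha.verifyUrl
    private final String secretKey;   // nixer.captcha.recaptcha.key.secret, never the site key
    private final Duration readTimeout;
    private final ObjectMapper mapper = new ObjectMapper();

    public RecaptchaVerifier(URI verifyUrl, String secretKey,
                             Duration connectTimeout, Duration readTimeout) {
        this.verifyUrl = verifyUrl;
        this.secretKey = secretKey;
        this.readTimeout = readTimeout;
        // connectTimeout corresponds to nixer.captcha.recaptcha.http.timeout.connect
        this.httpClient = HttpClient.newBuilder().connectTimeout(connectTimeout).build();
    }

    /** Returns true only when the verification API confirms the token. */
    public boolean verify(String captchaResponse, String clientIp) {
        if (captchaResponse == null || captchaResponse.isBlank()) {
            return false; // no token submitted: failed challenge, no need to call the API
        }
        String form = "secret=" + enc(secretKey)
                + "&response=" + enc(captchaResponse)
                + (clientIp == null ? "" : "&remoteip=" + enc(clientIp));
        HttpRequest request = HttpRequest.newBuilder(verifyUrl)
                .timeout(readTimeout) // corresponds to nixer.captcha.recaptcha.http.timeout.read
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        try {
            HttpResponse<String> response =
                    httpClient.send(request, HttpResponse.BodyHandlers.ofString());
            if (response.statusCode() != 200) {
                return false; // fail closed on any unexpected status
            }
            JsonNode body = mapper.readTree(response.body());
            // "error-codes" (for example "timeout-or-duplicate" for a reused token) is worth
            // logging; the decision itself rests solely on "success".
            return body.path("success").asBoolean(false);
        } catch (IOException e) {
            return false; // fail closed: timeout, connection failure or unparsable reply
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        }
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }
}
```

Two design points are worth noting. First, the check fails closed: a timeout is treated exactly like a rejected token, which is why the timeout properties above deserve values that fit your login latency budget rather than the defaults. Second, only the secret key is sent to the API; the site key belongs in the view and nowhere else.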

Captcha Metrics

Micrometer metrics are reported by default if a meterRegistry bean is registered. Captcha metrics are reported under the name captcha. To disable them use the standard Spring Boot metrics filter, e.g.

management.metrics.enable.captcha=false

When multiple endpoints are protected with captcha, you can use the action tag to tell their metrics apart.