Integrating

JCaptcha with
Spring Security

Introduction
This document explains how to integrate Jcaptcha with Spring Security framework. Currently,
Jcaptcha verifier is written inside Spring Security's Authentication Manager. However, there is a
more optimized way in Jcaptcha is not a part of Spring Security's Authentication Manager which
which I am still exploring.

Create New Maven Project

Create a new simple Maven Project in Eclipse. You can search the docmentation for the same
online.

Create pom.xml (replace XXXX with your desired value)

<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>XXXX</groupId>
<artifactId>XXXX</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>XXXX</name>
<description>XXXX</description>

<repositories>
<repository>
<id>sourceforge-releases</id>
<name>Sourceforge Releases</name>
<url>https://oss.sonatype.org/content/repositories/source
forge-releases</url>
</repository>
</repositories>
<properties>
<org.richfaces.bom.version>4.3.3.Final</org.richfaces.bom.version>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.richfaces</groupId>
<artifactId>richfaces-bom</artifactId>
<version>${org.richfaces.bom.version}</version>
<type>pom</type>
<scope>import</scope>

</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.richfaces.ui</groupId>
<artifactId>richfaces-components-ui</artifactId>
</dependency>
<dependency>
<groupId>org.richfaces.core</groupId>
<artifactId>richfaces-core-impl</artifactId>
</dependency>
<dependency>
<groupId>javax.faces</groupId>
<artifactId>javax.faces-api</artifactId>
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>javax.faces</artifactId>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.20</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
</dependency>
<dependency>
<groupId>net.sourceforge.jexcelapi</groupId>
<artifactId>jxl</artifactId>
<version>2.6</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>3.2.12.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>

<artifactId>spring-beans</artifactId>
<version>3.2.12.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>3.2.12.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>3.2.12.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-instrument-tomcat</artifactId>
<version>3.2.12.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>3.2.12.RELEASE</version>
</dependency>

<dependency>
<groupId>com.octo.captcha</groupId>
<artifactId>jcaptcha-integration-simpleservlet</artifactId>
<version>2.0-alpha-1</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2.1</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<scope>compile</scope>
<version>1.6.4</version>
</dependency>

<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-ext</artifactId>
<scope>compile</scope>
<version>1.6.4</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<scope>compile</scope>
<version>1.6.4</version>
</dependency>
</dependencies>
<build>
<resources>
<resource>
<filtering>true</filtering>
<directory>src/test/resources</directory>
<includes>
<include>**/*.properties</include>
</includes>
<excludes>
<exclude>**/*local.properties</exclude>
</excludes>
</resource>
<resource>
<directory>src\main\resources</directory>
<includes>
<include>**/*.properties</include>
<include>**/*.xml</include>
<include>**/*.vm</include>
</includes>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<additionalClasspathElements>
<additionalClasspathElement>src\main\webapp\WEBINF</additionalClasspathElement>
</additionalClasspathElements>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.0</version>
<configuration>
<server>devserver</server>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<webXml>src\main\webapp\WEB-INF\web.xml</webXml>

</configuration>
</plugin>
</plugins>
</build>
</project>

The code in larger fint size is what is added extra for Jcaptcha.

web.xml (replace XXXX with your desired value)

Check the code in large font for changes related to Jcaptcha.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<description>XXXX</description>
<display-name>XXXX</display-name>
<context-param>
<param-name>com.sun.faces.sendPoweredByHeader</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.disableUnicodeEscaping</param-name>
<param-value>auto</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.externalizeJavaScript</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.application.CONFIG_FILES</param-name>
<param-value>/WEB-INF/faces-config.xml</param-value>
</context-param>
<context-param>
<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
<param-value>.xhtml</param-value>
</context-param>
<context-param>
<param-name>org.richfaces.enableControlSkinning</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.richfaces.resourceOptimization.enabled</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.richfaces.skin</param-name>
<param-value>blueSky</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>login.faces</welcome-file>
</welcome-file-list>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filterclass>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
<servlet-name>jcaptcha</servlet-name>
<servletclass>com.octo.captcha.module.servlet.image.SimpleImageCa
ptchaServlet</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>jcaptcha</servlet-name>
<url-pattern>/jcaptcha.jpg</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/security-context.xml,
/WEB-INF/captcha-context.xml</param-value>
</context-param>
<listener>
<listenerclass>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>

Create captcha-context.xml
This file contains all the details about how Jcaptcha image is created at runtime.
<?xml version="1.0" encoding="UTF-8"?>
<!-- JCaptch Beans -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<bean id="captchaService"
class="com.octo.captcha.service.multitype.GenericManageableCaptchaService">
<constructor-arg index="0">
<ref bean="captchaEngine" />
</constructor-arg>
<constructor-arg type="int" index="1" value="180" /> <!-minGuarantedStorageDelayInSeconds -->
<constructor-arg type="int" index="2" value="180000" /> <!-maxCaptchaStoreSize -->
<constructor-arg type="int" index="3" value="75000" /> <!-captchaStoreLoadBeforeGarbageCollection -->
</bean>
<!-- There are several Engines pre-configured, but as we want to control
configuration, we have to use the GenericCaptchaEngine, which is built with
a list of captcha factories (factories are the real producer of captchas) -->
<bean id="captchaEngine"
class="com.octo.captcha.engine.GenericCaptchaEngine">
<constructor-arg index="0">
<list>
<ref bean="captchaFactory" />
</list>
</constructor-arg>
</bean>
<!-- CaptchaFactory needs A word generator, to create the text to read.
A wordToImage, to generate the captcha from the text. -->
<bean id="captchaFactory"
class="com.octo.captcha.image.gimpy.GimpyFactory">
<constructor-arg>
<ref bean="wordgen" />
</constructor-arg>
<constructor-arg>
<ref bean="wordtoimage" />
</constructor-arg>
</bean>
<!-- A WordGenerator creates a text to be read, it can be random, be a common

implementation take words from a list, and can make composition to create
a text easier to read for a human being. In the example the WordGenerator
needs a Dictionnary to get real words from. -->
<bean id="wordgen"
class="com.octo.captcha.component.word.wordgenerator.DictionaryWordGenerator">
<constructor-arg>
<ref bean="filedict" />
</constructor-arg>
</bean>
<!-- A Dictionary provides words, this one reads words from the one
provided by default, with almost 6000 english words. -->
<bean id="filedict"
class="com.octo.captcha.component.word.FileDictionary">
<constructor-arg index="0">
<value>toddlist</value>
</constructor-arg>
</bean>
<!-- WordToImage component is needed which is mainly created with three
others components A font generator, A background generator and A Text paster -->
<bean id="wordtoimage"
class="com.octo.captcha.component.image.wordtoimage.ComposedWordToImage">
<constructor-arg index="0">
<ref bean="fontGenRandom" />
</constructor-arg>
<constructor-arg index="1">
<ref bean="backGenUni" />
</constructor-arg>
<constructor-arg index="2">
<ref bean="simpleWhitePaster" />
</constructor-arg>
</bean>
<!-- A FontGenerator provide Fonts to a WordToImage -->
<bean id="fontGenRandom"
class="com.octo.captcha.component.image.fontgenerator.RandomFontGenerator">
<constructor-arg index="0">
<value>40</value>
</constructor-arg>
<constructor-arg index="1">
<value>50</value>
</constructor-arg>
<constructor-arg index="2">
<list>
<ref bean="fontArial" />
</list>
</constructor-arg>
</bean>
<bean id="fontArial" class="java.awt.Font">
<constructor-arg index="0">
<value>Arial</value>
</constructor-arg>

<constructor-arg index="1">
<value>0</value>
</constructor-arg>
<constructor-arg index="2">
<value>10</value>
</constructor-arg>
</bean>
<!-- The BackgrountGenerator component can be very simple like in the example,
single color, or more complex with real picture, or fancy computed shapes.
The first two arguments are always, the size (length and height) of the
resulting image -->
<bean id="backGenUni"
class="com.octo.captcha.component.image.backgroundgenerator.UniColorBackgroundG
enerator">
<constructor-arg index="0">
<value>225</value>
</constructor-arg>
<constructor-arg index="1">
<value>75</value>
</constructor-arg>
</bean>
<!-- The TextPaster pastes the text on the background. Commons arguments
for TextPaster are Minimal length of the text, Maximal length of the text
and A color generator component to create the text color -->
<bean id="simpleWhitePaster"
class="com.octo.captcha.component.image.textpaster.RandomTextPaster">
<constructor-arg type="java.lang.Integer" index="0">
<value>6</value>
</constructor-arg>
<constructor-arg type="java.lang.Integer" index="1">
<value>6</value>
</constructor-arg>
<constructor-arg type="java.awt.Color" index="2">
<ref bean="colorBlue" />
</constructor-arg>
</bean>
<bean id="colorBlue" class="java.awt.Color">
<constructor-arg index="0" type="int">
<value>0</value>
</constructor-arg>
<constructor-arg index="1" type="int">
<value>0</value>
</constructor-arg>
<constructor-arg index="2" type="int">
<value>255</value>
</constructor-arg>
</bean>
</beans>

security-context.xml (Spring Security configuration) (replace

XXXX with your desired value)
I am using plaintext password (no hashing and salting) for this example. Notice the code in bold for
Jcaptcha. Jcaptcha mainly has 2 filters,
1) Capture Filter
2) Verifier Filter
The purpose of the Capture Filter is to store the information entered by the user in the CAPTCHA
form. Whereas the Verifier filter's purpose is to verify the captcha entered by the user. If the result
is valid, allow the user to proceed; otherwise, it will show the login page again.
In this example, Captcha Verifier Filter is added inside Spring Security Authentication Manager.
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.2.xsd">
<context:component-scan base-package="XXXX.*" />
<http disable-url-rewriting="true">
<form-login login-page="/login" default-target-url="/index"
authentication-failure-url="/login" usernameparameter="username"
password-parameter="password" />

<custom-filter ref="captchaCaptureFilter"
before="FORM_LOGIN_FILTER" />
<custom-filter after="CONCURRENT_SESSION_FILTER"
ref="concurrencyFilter" />
<session-management
session-authentication-strategy-ref="sas" />
<headers />
</http>

<beans:bean id="captchaCaptureFilter"
class="XXXX.captcha.CaptchaCaptureFilter" />
<beans:bean id="UserDetailsManager"
class="XXXX.security.UserDetailsManager" />
<beans:bean id="concurrencyFilter"
class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/sessionExpired" />

</beans:bean>
<beans:bean id="myAuthFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenti
cationFilter">
<beans:property name="sessionAuthenticationStrategy"
ref="sas" />
<beans:property name="authenticationManager"
ref="authenticationManager" />
</beans:bean>
<beans:bean id="sas"
class="org.springframework.security.web.authentication.session.CompositeSession
AuthenticationStrategy">
<beans:constructor-arg>
<beans:list>
<beans:bean
class="org.springframework.security.web.authentication.session.ConcurrentSessio
nControlAuthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1"
/>
<beans:property name="exceptionIfMaximumExceeded"
value="true" />
</beans:bean>
<beans:bean
class="org.springframework.security.web.authentication.session.SessionFixationP
rotectionStrategy">
</beans:bean>
<beans:bean
class="org.springframework.security.web.authentication.session.RegisterSessionA
uthenticationStrategy">
<beans:constructor-arg ref="sessionRegistry" />
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
<!-- Select users and user_roles from database -->
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="UserDetailsManager">
<password-encoder hash="plaintext">
</password-encoder>
</authentication-provider>
</authentication-manager>
</beans:beans>

Maven Update, Clean and Install

1) Right click on project from project explorer
2) select Run As -> Maven Clean
3) Right click on project from project explorer
4) select Run As -> Maven Install
5) Right click on Project from project explorer
6) Select Maven-> Update Project

FacesServlet related Error

This step is a must to avoid javax.faces.webapp.FacesServlet related errors.
1) Right click on Project
2) Select Deployment Assembly
3) Add Maven Dependiencies directive
faces-config.xml (declare all managed beans and xhtml files here)

faces-config.xml (replace XXXX with your desired value)

<faces-config version="2.1" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-facesconfig_2_1.xsd">
<managed-bean>
<managed-bean-name>baseUIController</managed-bean-name>
<managed-bean-class>XXXX.ui.BaseUIController</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
</managed-bean>
<managed-bean>
<managed-bean-name>dbConnectionController</managed-bean-name>
<managed-bean-class>XXXX.database.DbConnectionController</managedbean-class>
<managed-bean-scope>session</managed-bean-scope>
</managed-bean>
<managed-bean>
<managed-bean-name>loginUIController</managed-bean-name>
<managed-bean-class>XXXX.ui.LoginUIController</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
<managed-property>
<property-name>authenticationService</property-name>
<value>#{authenticationService}</value>
</managed-property>
</managed-bean>
<navigation-rule>
<navigation-case>
<from-outcome>index</from-outcome>
<to-view-id>/index.xhtml</to-view-id>
<redirect />

</navigation-case>
</navigation-rule>
<navigation-rule>
<navigation-case>
<from-outcome>login</from-outcome>
<to-view-id>/login.xhtml</to-view-id>
<redirect />
</navigation-case>
</navigation-rule>
<navigation-rule>
<navigation-case>
<from-outcome>sessionExpired</from-outcome>
<to-view-id>/sessionExpired.xhtml</to-view-id>
<redirect />
</navigation-case>
</navigation-rule>
<application>
<elresolver>org.springframework.web.jsf.el.SpringBeanFacesELResolver</el-resolver>
</application>
</faces-config>

Please note that <application>....</application> tag with the mentioned details above is very
important for Spring security configuration to work.

BaseUIController.java (replace XXXX with your desired

value)
You can store all common methods/procedures which all controller classes will access under this
class. Controller classes will inherit this class.
package XXXX.ui;
import java.io.Serializable;
import
import
import
import

javax.faces.application.FacesMessage;
javax.faces.application.FacesMessage.Severity;
javax.faces.context.FacesContext;
javax.faces.context.ExternalContext;

public class BaseUIController implements Serializable {

private static final long serialVersionUID = 1L;
private static final String appVersion = "1.0";
private String activeLink;
private String userNameParam;
/**
* @param activeLink
*
the activeLink to set
*/

/**
* @return the activeLink
*/
public String getActiveLink() {
if (FacesContext.getCurrentInstance().getExternalContext()
.getSessionMap().containsKey("ACTIVE_LINK")) {
this.activeLink = (String) FacesContext.getCurrentInstance()
.getExternalContext().getSessionMap().get("ACTIVE_
LINK");
} else {
this.activeLink = "welcome";
}
return activeLink;
}
public void setActiveLink(String activeLink) {
FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
.put("ACTIVE_LINK", activeLink);
this.activeLink = activeLink;
}
public String getRealFileStoragePath() {
return FacesContext.getCurrentInstance().getExternalContext()
.getRealPath("/");
}
public String navigate(String activeLinkStr) {
if (null != activeLinkStr) {
setActiveLink(activeLinkStr);
}
return getActiveLink();
}
public void addFacesMessage(Severity sev, String msg) {
FacesContext.getCurrentInstance().addMessage(null,
new FacesMessage(sev, msg, ""));
}
public String getUserNameParam() {
if (FacesContext.getCurrentInstance().getExternalContext()
.getSessionMap().containsKey("USER_NAME_PARAM")) {
this.userNameParam = (String)
FacesContext.getCurrentInstance()
.getExternalContext().getSessionMap()
.get("USER_NAME_PARAM");
}
return userNameParam;
}
public boolean isLoggedInUser() {
ExternalContext extCtxt = FacesContext.getCurrentInstance()
.getExternalContext();
String remoteUser = extCtxt.getRemoteUser();
if (remoteUser != null) {
return true;
}
else return false;
}

/**
* @param userNameParam the userNameParam to set
*/
public void setUserNameParam(String userNameParam) {
this.userNameParam = userNameParam;
}

LoginUIController.java (replace XXXX with your desired

value)
This java class with authenticate user through spring security using the entered username and
password combination and Jcaptcha.
package XXXX.ui;
import javax.faces.context.FacesContext;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import XXXX.security.AuthenticationService;
@Controller
public class LoginUIController extends BaseUIController {
private static final long serialVersionUID = 1L;
private String userName;
private String password;
private String message;
private String captchaString;
@Autowired
private AuthenticationService authenticationService;
public String login() {
boolean success = authenticationService.login(userName, password);
if (success) {
StringBuilder userNameBuilder = new StringBuilder();
userNameBuilder.append(userName);
FacesContext.getCurrentInstance().getExternalContext()
.getSessionMap()
.put("USER_NAME_PARAM",
userNameBuilder.toString());
return "index";
} else {
this.message = "Wrong Username or Password Entered. Please
LOGIN again.";
this.userName = null;
this.password = null;
this.captchaString = null;
}
}

return "login";

public String logout() {

authenticationService.logout();
FacesContext.getCurrentInstance().getExternalContext()
.getSessionMap().clear();
this.userName = null;
this.password = null;
this.captchaString = null;
FacesContext.getCurrentInstance().getExternalContext()
.invalidateSession();
return "login";
}
/**
* @return the userName
*/
public String getUserName() {
return userName;
}
/**
* @param userName
*
the userName to set
*/
public void setUserName(String userName) {
this.userName = userName;
}
/**
* @return the password
*/
public String getPassword() {
return password;
}
/**
* @param password
*
the password to set
*/
public void setPassword(String password) {
this.password = password;
}
/**
* @return the message
*/
public String getMessage() {
return message;
}
/**
* @param message
*
the message to set
*/
public void setMessage(String message) {
this.message = message;
}
/**
* @return the authenticationService
*/
public AuthenticationService getAuthenticationService() {

return authenticationService;
}
/**
* @param authenticationService
*
the authenticationService to set
*/
public void setAuthenticationService(
AuthenticationService authenticationService) {
this.authenticationService = authenticationService;
}
/**
* @return the captchaString
*/
public String getCaptchaString() {
return captchaString;
}
/**
* @param captchaString the captchaString to set
*/
public void setCaptchaString(String captchaString) {
this.captchaString = captchaString;
}
}

DbConnectionController.java (replace XXXX with your

desired value)
It is always advisable to create a seperate controller class for storing database connection details. In
entire project, only this file should have hard coded database connection details so that in case of
changing the connection details, only one file needs to be modified.
package XXXX.database;
import
import
import
import

java.sql.Connection;
java.sql.DriverManager;
java.sql.ResultSet;
java.sql.Statement;

public class DbConnectionController {

Connection conn;
Statement stmt;
DriverManager driverManager;
public DbConnectionController() {
try {
Class.forName("com.mysql.jdbc.Driver").newInstance();
conn = DriverManager.getConnection(
"jdbc:mysql://localhost:3306/DB", "DB_USER",
"DB_PWD");
stmt = conn.createStatement();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();

}
}
public Connection getConn() {
return conn;
}
public void setConn(Connection conn) {
this.conn = conn;
}
public Statement getStmt() {
return stmt;
}
public void setStmt(Statement stmt) {
this.stmt = stmt;
}
public DriverManager getDriverManager() {
return driverManager;
}

public void setDriverManager(DriverManager driverManager) {

this.driverManager = driverManager;
}

CaptchaCaptureFilter.java (replace XXXX with your desired

value)
There will be an input text box field on Login page where user enters the captcha string seeing the
Jcaptcha image. The value of this string parameter needs to be captured. Once the value is captured,
the framework processes remaining filters in pipeline.
package XXXX.captcha;
import java.io.IOException;
import
import
import
import

javax.servlet.FilterChain;
javax.servlet.ServletException;
javax.servlet.http.HttpServletRequest;
javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;
public class CaptchaCaptureFilter extends OncePerRequestFilter {
private String userCaptchaResponse;
private HttpServletRequest request;
@Override
public void doFilterInternal(HttpServletRequest req,
HttpServletResponse res, FilterChain chain) throws
IOException,
ServletException {
// Assign values only when user has submitted a Captcha value.
// Without this condition the values will be reset due to

redirection
// and CaptchaVerifierFilter will enter an infinite loop
if (req.getParameter("loginForm:jcaptchaString") != null) {
request = req;
userCaptchaResponse =
req.getParameter("loginForm:jcaptchaString");
}

// Proceed with the remaining filters

chain.doFilter(req, res);

/**
* @return the userCaptchaResponse
*/
public String getUserCaptchaResponse() {
return userCaptchaResponse;
}
/**
* @param userCaptchaResponse
*
the userCaptchaResponse to set
*/
public void setUserCaptchaResponse(String userCaptchaResponse) {
this.userCaptchaResponse = userCaptchaResponse;
}
/**
* @return the request
*/
public HttpServletRequest getRequest() {
return request;
}

/**
* @param request
*
the request to set
*/
public void setRequest(HttpServletRequest request) {
this.request = request;
}

AuthenticationService (Interface declaration) (replace XXXX

with your desired value)
package XXXX.security;
public interface AuthenticationService {
public boolean login(String username, String password);
}

public void logout();

AuthenticationServiceImpl (Interface implementation)

(replace XXXX with your desired value)
The authentication service checks both username/password and entered captcha to verify the login.
If both combinations are correct, then only user is allowed to login. @Autowired annotation is
must in order for Spring Security to recognize the CaptchaCaptureFilter in filter chain.
package XXXX.security;
import javax.annotation.Resource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import
org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import com.octo.captcha.module.servlet.image.SimpleImageCaptchaServlet;
import XXXX.captcha.CaptchaCaptureFilter;
@Service("authenticationService")
public class AuthenticationServiceImpl implements AuthenticationService {
@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager;
boolean flag1;
boolean flag2;
boolean captchaPassed;
@Autowired
private CaptchaCaptureFilter captchaCaptureFilter;
@Override
public boolean login(String username, String password) {
flag1 = false;
flag2 = false;
captchaPassed = false;
try {
// Assign values only when user has submitted a Captcha value
if (captchaCaptureFilter.getUserCaptchaResponse() != null) {
// Send HTTP request to validate user's Captcha
captchaPassed =
SimpleImageCaptchaServlet.validateResponse(
captchaCaptureFilter.getRequest(),
captchaCaptureFilter.getUserCaptchaResponse());
if(captchaPassed)

{
flag1 = true;
captchaCaptureFilter.setUserCaptchaResponse(null);
}
}
Authentication authenticate = authenticationManager
.authenticate(new
UsernamePasswordAuthenticationToken(
username, password));
if (authenticate.isAuthenticated()) {
SecurityContextHolder.getContext().setAuthentication(
authenticate);
flag2 = true;
}
correct

//if captcha and username/password combinations both are

//then only allow login. Otherwise no.
if(flag1 == true && flag2 == true)
return true;
else return false;
} catch (AuthenticationException e) {
e.printStackTrace();
}
return false;

}
@Override
public void logout() {
SecurityContextHolder.getContext().setAuthentication(null);
}
/**
* @return the flag1
*/
public boolean isFlag1() {
return flag1;
}
/**
* @param flag1 the flag1 to set
*/
public void setFlag1(boolean flag1) {
this.flag1 = flag1;
}
/**
* @return the flag2
*/
public boolean isFlag2() {
return flag2;
}
/**
* @param flag2 the flag2 to set
*/
public void setFlag2(boolean flag2) {
this.flag2 = flag2;

}
/**
* @return the captchaPassed
*/
public boolean isCaptchaPassed() {
return captchaPassed;
}
/**
* @param captchaPassed the captchaPassed to set
*/
public void setCaptchaPassed(boolean captchaPassed) {
this.captchaPassed = captchaPassed;
}
/**
* @return the captchaCaptureFilter
*/
public CaptchaCaptureFilter getCaptchaCaptureFilter() {
return captchaCaptureFilter;
}
/**
* @param captchaCaptureFilter the captchaCaptureFilter to set
*/
public void setCaptchaCaptureFilter(CaptchaCaptureFilter
captchaCaptureFilter) {
this.captchaCaptureFilter = captchaCaptureFilter;
}
}

LoginUser.java (replace XXXX with your desired value)

package XXXX.security;
import
import
import
import

java.sql.ResultSet;
java.sql.SQLException;
org.springframework.stereotype.Repository;
XXXX.database.DbConnectionController;

@Repository
public class LoginUser {
DbConnectionController dbConnectionController;
ResultSet resultSet;
public UserEntity getUser(String userName) throws ClassNotFoundException {
UserEntity user = new UserEntity();
dbConnectionController = new DbConnectionController();
String query = "SELECT * FROM LOGIN WHERE USERNAME = '" + userName
+ "'";
try {

resultSet =
dbConnectionController.getStmt().executeQuery(query);
if (resultSet.next()) {
user.setUsername(resultSet.getString(1));

user.setPassword(resultSet.getString(2));
user.setSuperUser(resultSet.getString(3));
user.setFullname(resultSet.getString(4));
user.setDepartment(resultSet.getString(5));

dbConnectionController.setConn(null);
dbConnectionController.setStmt(null);
this.dbConnectionController = null;
} catch (SQLException e) {

e.printStackTrace();
return null;

return user;
}
/**
* @return the dbConnectionController
*/
public DbConnectionController getDbConnectionController() {
return dbConnectionController;
}
/**
* @param dbConnectionController
*
the dbConnectionController to set
*/
public void setDbConnectionController(
DbConnectionController dbConnectionController) {
this.dbConnectionController = dbConnectionController;
}
/**
* @return the resultSet
*/
public ResultSet getResultSet() {
return resultSet;
}
/**
* @param resultSet
*
the resultSet to set
*/
public void setResultSet(ResultSet resultSet) {
this.resultSet = resultSet;
}
}

UserEntity.java (replace XXXX with your desired value)

package XXXX.security;
public class UserEntity {
private String username;
private String password;

private String superUser;

private String fullname;
private String Department;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getSuperUser() {
return superUser;
}
public void setSuperUser(String superUser) {
this.superUser = superUser;
}
public String getFullname() {
return fullname;
}
public void setFullname(String fullname) {
this.fullname = fullname;
}
public String getDepartment() {
return Department;
}

public void setDepartment(String department) {

Department = department;
}

UserDetailsManager.java (replace XXXX with your desired

value)
package XXXX.security;
import
import
import
import
import
import

org.springframework.security.core.userdetails.User;
org.springframework.security.core.userdetails.UsernameNotFoundException;
org.springframework.stereotype.Service;
org.springframework.security.core.userdetails.UserDetails;
org.springframework.security.core.userdetails.UserDetailsService;
org.springframework.transaction.annotation.Transactional;

import org.springframework.security.core.authority.AuthorityUtils;
@Service
public class UserDetailsManager implements UserDetailsService {
@Override
@Transactional
public UserDetails loadUserByUsername(final String userName)
throws UsernameNotFoundException {
boolean
boolean
boolean
boolean

enabled = true;
accountNonExpired = true;
credentialsNonExpired = true;
accountNonLocked = true;

UserEntity userEntity = new UserEntity();

LoginUser loginUser = new LoginUser();
try {
userEntity = loginUser.getUser(userName);
} catch (Exception e) {
e.printStackTrace();
}

return new User(userEntity.getUsername(), userEntity.getPassword(),

enabled, accountNonExpired, credentialsNonExpired,
accountNonLocked, AuthorityUtils.NO_AUTHORITIES);

UserDetailsManager and AuthenticationService work together to authenticate

the username/password.

Login.xhtml (replace XXXX with your desired value)

<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:a4j="http://richfaces.org/a4j"
xmlns:rich="http://richfaces.org/rich">
<h:body>
<h:form id="loginForm">
<a4j:outputPanel>
<br />
<center>
<fieldset style="width: 300px;">
<h:outputText value="Username: " />
<h:inputText id="username"
value="#{loginUIController.userName}" />
<br /> <br />
<h:outputText value="Password: " />
<h:inputSecret id="password"
value="#{loginUIController.password}" />
<br /> <br />

<img src="jcaptcha.jpg" />

<h:inputText id="jcaptchaString"
value="#{loginUIController.captchaString}" />
<br /> <br />
<h:commandButton value="Submit"
action="#{loginUIController.login()}" />
<br /> <br />
<h:outputText value="#{loginUIController.message}"

style="color:red" />
</fieldset>
</center>
</h:form>
</h:body>
</html>

index.xhtml (replace XXXX with your desired value)

<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:a4j="http://richfaces.org/a4j"
xmlns:rich="http://richfaces.org/rich">
<h:body>
<h:form>
<h:outputText value=Login is successful/>
</h:form>
</h:body>
</html>

LOGIN table on database side

CREATE TABLE `LOGIN` (
`USERNAME` varchar(45) COLLATE utf8_unicode_ci NOT NULL,
`PASSWORD` varchar(45) COLLATE utf8_unicode_ci NOT NULL,
`SUPERUSER` varchar(10) COLLATE utf8_unicode_ci DEFAULT NULL,
`FULLNAME` varchar(90) COLLATE utf8_unicode_ci DEFAULT NULL,
`DEPARTMENT` varchar(45) COLLATE utf8_unicode_ci DEFAULT NULL,
PRIMARY KEY (`USERNAME`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;