CAPTCHA validator for Cocoon Forms

16 05 2005

Since I’m going to need some form of spam prevention for, I opted to forego user registration and authentication and use CAPTCHA instead to verify that submissions come from human beings and not robots. Hope this keeps spam down to a reasonable level while lowering the entry barrier for would-be contributors.

My first approach consisted in looking at jcaptcha to see if there was some code to reuse. Unfortunately, jcaptcha has several drawbacks:

  • The website is the usual Maven-generated load of crap. Why there’s no link to a comprehensive tutorial on the home page or the navigation menu? Beats me.
  • It’s LGPL, which means I wouldn’t be allowed to commit anything I did into Cocoon‘s repository.
  • It’s probably too complex for what I need.

Don’t get me wrong, jcaptcha is probably a nice piece of software, but it’s just not the right solution at the moment.

Back to the drawing board. I remembered reading on Cocoon’s developers’ mailing list something about image-based authentication and indeed I could find a sample contributed by Tony Collen and tucked away inside Cocoon’s scratchpad that, among other things, generated a blurred image of a text string. The nice thing is that doing this doesn’t need any coding at all, since it’s just an SVG file rasterized using components that are already included in Cocoon. “Internet Glue” indeed.


Next, I decided that this feature would be useful in many instances, so I decided to write a Cocoon Forms validator. Cocoon Forms has this nice, pluggable architecture that makes it easy to expand it with new widgets, datatypes, convertors and validators.

Well, “easy” is a bit of an exaggeration, as the plot started to thicken after a while. First, I came upon an apparent bug in Cocoon Forms and tried to ask for guidance on the mailing list. Unfortunately, Apache’s mailing list aren’t working too well today. Maybe it’s all that fscking nazi spam that’s been circulating lately that’s giving the servers a hard time.

Anyway, after an hour or so of debugging, I devised a quick fix, but I’ll wait for some comments from some developer that is more confident with Forms internals before committing.

The other hurdle I came upon is the fact that it’s not enough to return false from your validator in order to trigger a validation error. You also need to set a validation error, otherwise validation of the whole form will succeed without even a warning.

After working around these problems, I got it working quite nicely. Adding CAPTCHA validation to your Cocoon forms is as simple as:

<fd:captcha id='f1' required='true'>
  <fd:datatype base='string'/>

It would be nice to have a pluggable strategy for generating random strings, as the current one is fixed, but I’m waiting for someone else to have this particular itch to scratch.

I’m not quite ready to commit, however. I’d rather have some feedback on my proposed fix before risking breakage somewhere else.

Update: the ASF mail server is still struggling under the load but I’ve managed to get feedback from Sylvain, so I went ahead and committed. CAPTCHA validation is now available in SVN (2.1 branch only for now).




3 responses

17 05 2005

Typo – should be . As for random string – you need random value binding, I think.

18 05 2005
18 05 2005

forgot to say that it concerns jcaptcha.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: