JCaptcha does not work in a clustered environment

Description

JCaptcha does not seem to work in a clustered environment, since the Service must be a Singleton (as stated in JCaptcha's documentation).
In a cluster, it is possible for any captcha image to be generated by one server, and the response to be validated by an entirely different server, thus resulting in a CaptchaServiceException. As such, for any webapp deployed in a cluster, there exist as many captcha services as there exist servers with this app deployed in it.
Are there any plans to support clusters in JCaptcha? This is a show stopper for us, and we will switch to another captcha technology if no support is available in the short term.

Environment

Integrated with Spring 2.0.7. Bug detected in Apache Tomcat 5.5.x and Weblogic 9.2.x clusters.

Activity

Joe Reger, Jr.
December 14, 2007, 10:06 AM

I agree... show stopper for us as well. We have some clustered Facebook apps where the issue is even more of an issue because sticky sessions can't lock a browser to a server (page call comes from Facebook's servers, image call for captcha comes from user's browser).

We explored manually clustering the answer for the captcha but the jcaptcha api doesn't allow it. If we could, for instance:

String validResponse = CaptchaServiceSingleton.getInstance().getValidResponseForId(captchaId);

Then we could manually cluster the valid responses in a Map object. In the image servlet we'd make the above call and then use the normal:

CaptchaServiceSingleton.getInstance().getImageChallengeForID()

to display the image. On the jsp page instead of calling the CaptchaServiceSingleton validator we'd simply look to our own manually cached Map to see if the user typed the captcha properly. Of course, this is dependent on us also passing the captchaId to the image servlet and to/from the jsp form... i.e. not using the request session id as the captcha id.

Anyhow, all we'd need from jcaptcha is that getValidResponseForId() method... of course, it needs to be tied to the image so maybe this shouldn't be part of the Singleton.

Open to thoughts/recommendations.

Joe

AntoineV
February 12, 2008, 2:04 AM

Hi, please try the new JBossCacheCaptchaStore.
I am temporarily posting the documentation here because we are facing a Confluence upgrade issue.

------------------------
Howto JBossCache Captcha Store

The JBossCacheStore allows JCaptcha to be used in a clustered environment. It allows storing generated captchas in a distributed Cache. So a user can retrieve a captcha from a node and validate it on another node.
This tutorial shows how to set up the JCaptcha extension and configure JBossCache 2.

Add project dependencies

Maven2 users
Add the following dependency to your project POM
<dependency>
    <groupId>com.octo.captcha</groupId>
    <artifactId>jcaptcha-extension-jbosscache-store</artifactId>
    <version>1.0-SNAPSHOT</version>
</dependency>

Without Maven2
Add the following libraries to your project classpath.
- The JCaptcha extension
  - jcaptcha-extension-jbosscache-store-1.0-SNAPSHOT.jar
- JBossCache dependencies
  - Jboss-common-core
  - Jboss-j2ee
  - The JCaptcha extension POM (QQQ) contains names, versions and repository URL to download them.

Configure your CaptchaService with the JBossCacheCaptchaStore

Use for example the GenericManageableCaptchaService and provide a JBossCacheCaptchaStore for the first argument of the constructor.
CaptchaService service = new GenericManageableCaptchaService(
    new JBossCacheCaptchaStore(),                   // distributed store shared by all nodes
    new GenericCaptchaEngine( /* engine configuration */ ),
    180,    // minGuarantedStorageDelayInSeconds
    180000, // maxCaptchaStoreSize
    180000  // captchaStoreLoadBeforeGarbageCollection
);

The last three arguments are related to the JCaptcha garbage collector. They must be set carefully in order to avoid overhead with the JBossCache eviction policy. See next section QQQ for more explanations.

Configure the JBoss Cache

Set the configuration filename
You must provide the JBossCache configuration filename to the JBossCacheCaptchaStore in order to initialize the Cache.
This can be done by adding the jcaptcha.jbosscache.config system property to the JVM. Add the following argument to the JVM command line or in the JAVA_OPTS environment variable.
-Djcaptcha.jbosscache.config=myCaptchaStoreJBossCacheConfig.xml

Modify the XML configuration file

This configuration is a proposal and has to be adapted to your project requirements. Please refer to the JBossCache reference documentation for further details (http://labs.jboss.org/portal/jbosscache/docs/index.html).
You can find a sample here (extension-jbosscache-store\src\test\resources).
The configuration attributes are divided into two main parts: the first one defines the cache behavior (transaction, synchronisation, eviction policy) and the second one defines the deployment scheme.

Cache general behavior
The main attributes have to be set with the following values:

<attribute name="NodeLockingScheme">PESSIMISTIC</attribute>
<attribute name="IsolationLevel">REPEATABLE_READ</attribute>
<attribute name="LockParentForChildInsertRemove">false</attribute>
<attribute name="CacheMode">REPL_SYNC</attribute>

In the EvictionPolicyConfig XML node :
<attribute name="policyClass">org.jboss.cache.eviction.LRUPolicy</attribute>

Add the captcha region configuration in the EvictionPolicyConfig XML node
<region name="/captcha">
    <attribute name="maxNodes">5000</attribute>
    <attribute name="timeToLiveSeconds">0</attribute>
    <attribute name="maxAgeSeconds">120</attribute>
</region>

Parameter coherency guidelines

Follow these rules in order to let JBossCache manage the size of the cache (instead of the JCaptcha garbage collector) and use JBossCache efficiently for managing captchas.
- Disable JCaptcha garbage collector
  - JCaptcha maxCaptchaStoreSize must be set to zero
  - JCaptcha minGuarantedStorageDelayInSeconds must be set to zero
  - JCaptcha captchaStoreLoadBeforeGarbageCollection must be bigger than JBossCache maxNodes
- Disable captchas TimeToLive
  - JBossCache timeToLiveSeconds must be set to zero
- Configure resolution max time (usually two minutes)
  - JBossCache maxAgeSeconds must be less than ten minutes
- Manage the CaptchaStore memory size
  - JBossCache maxNodes must be set in relation to the JVM memory size parameter (ex : -Xmx256m)

Deployment scheme

Please refer to the JGroups reference documentation for detailed explanations.
http://www.jgroups.org/javagroupsnew/docs/tutorial/html_single/index.html
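
The settings and coherency guidelines listed in the howto above can be checked mechanically before a node joins the cluster. The following is an added example, not part of the original comment or of JCaptcha: the class name, the check method and the XML fragment are constructed for illustration, and the three integer arguments are the values passed to the GenericManageableCaptchaService constructor.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class CaptchaStoreConfigCheck {
    // Constructed fragment (not a complete JBossCache file); CacheMode and maxAgeSeconds are wrong on purpose.
    static final String SAMPLE = "<config><attribute name='NodeLockingScheme'>PESSIMISTIC</attribute>"
        + "<attribute name='IsolationLevel'>REPEATABLE_READ</attribute>"
        + "<attribute name='LockParentForChildInsertRemove'>false</attribute>"
        + "<attribute name='CacheMode'>REPL_ASYNC</attribute>"
        + "<region name='/captcha'><attribute name='maxNodes'>5000</attribute>"
        + "<attribute name='timeToLiveSeconds'>0</attribute>"
        + "<attribute name='maxAgeSeconds'>900</attribute></region></config>";

    // Collects name -> text for every <attribute> element below the given scope.
    static Map<String, String> attrs(Element scope) {
        Map<String, String> m = new HashMap<>();
        NodeList n = scope.getElementsByTagName("attribute");
        for (int i = 0; i < n.getLength(); i++)
            m.put(((Element) n.item(i)).getAttribute("name"), n.item(i).getTextContent().trim());
        return m;
    }

    static List<String> check(String xml, int minDelay, int maxStoreSize, int loadBeforeGc) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        Element root = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Map<String, String> cache = attrs(root), region = new HashMap<>();
        NodeList r = root.getElementsByTagName("region");
        for (int i = 0; i < r.getLength(); i++) // only the /captcha region counts, other regions are ignored
            if ("/captcha".equals(((Element) r.item(i)).getAttribute("name"))) region = attrs((Element) r.item(i));
        List<String> bad = new ArrayList<>();
        Map.of("NodeLockingScheme", "PESSIMISTIC", "IsolationLevel", "REPEATABLE_READ",
               "LockParentForChildInsertRemove", "false", "CacheMode", "REPL_SYNC")
           .forEach((k, v) -> { if (!v.equals(cache.get(k))) bad.add(k + " must be " + v); });
        if (!"0".equals(region.get("timeToLiveSeconds"))) bad.add("/captcha timeToLiveSeconds must be 0");
        if (Integer.parseInt(region.getOrDefault("maxAgeSeconds", "600")) >= 600) // missing counts as a violation
            bad.add("/captcha maxAgeSeconds must be under 600 (ten minutes)");
        if (maxStoreSize != 0) bad.add("maxCaptchaStoreSize must be 0");
        if (minDelay != 0) bad.add("minGuarantedStorageDelayInSeconds must be 0");
        if (loadBeforeGc <= Integer.parseInt(region.getOrDefault("maxNodes", "2147483647")))
            bad.add("captchaStoreLoadBeforeGarbageCollection must exceed /captcha maxNodes");
        return bad;
    }

    public static void main(String[] args) throws Exception {
        check(SAMPLE, 180, 180000, 180000).forEach(System.out::println);
    }
}
```

Run with Java 9 or later; an empty result means the cache file and the constructor arguments satisfy every rule in the list.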

Andrew
February 3, 2010, 8:14 PM

Has a memcached-based integration been considered for this?

Fixed

Assignee

AntoineV

Reporter

JesusJ

Labels

None

Components

Fix versions

Affects versions

Priority

Blocker