How to Integrate NetIQ Access Manager with reCaptcha for login form failures without NAM code change



By: cstumula

January 17, 2014 11:29 am


Introduction

reCAPTCHA is a free CAPTCHA service that helps to digitize books, newspapers and old time radio shows.

A CAPTCHA is a program that can tell whether its user is a human or a computer. You’ve probably seen them – colorful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from “bots,” or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs.

reCAPTCHA is a free CAPTCHA service that protects your site against spam, malicious registrations and other forms of attack in which computers try to pass themselves off as humans. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. reCAPTCHA comes in the form of a widget that you can easily add to your blog, forum, registration form, etc.

http://www.google.com/recaptcha/learnmore

API Keys

To use reCAPTCHA, you need to sign up for API keys for your site. Unless you select the “global key” option, the keys are unique to your domain and sub-domains. (By default, all keys work on “localhost” (or “127.0.0.1”), so you can always develop and test on your local machine.)

https://developers.google.com/recaptcha/?csw=1

Integration

Once you’ve signed up for API keys, adding reCAPTCHA to your site consists of two steps and optionally a third step where you customize the widget:

  1. Client Side: Displaying the reCAPTCHA Widget (Required)
  2. Server Side: Verifying the solution (Required)
  3. Customizations (Optional)

In most Web forms, you usually have two files: the form itself with the fields, and the file with the script/servlet/servlet-filter to process the inputs to the form. These two files correspond to steps 1 and 2 above. Therefore, in most cases you will have to modify two different files.

For step 3 above, refer to the reCAPTCHA website:

https://developers.google.com/recaptcha/intro

Download recaptcha.zip

Follow the steps below to enable the captcha on the existing name/password login page without modifying the NAM IDP (nidp) code.

  1. Back up login.jsp on the IDP by copying it from /opt/novell/nam/idp/webapps/nidp/jsp to a backup folder (/tmp).
  2. Edit the login.jsp file in the /opt/novell/nam/idp/webapps/nidp/jsp/ folder on the IDP.
  3. Modify the following lines in login.jsp:

    Text to be replaced:

    <tr>
    		<td align=right colspan=2 style="white-space: nowrap">
    			<input alt="<%=handler.getResource(JSPResDesc.LOGIN)%>" border="0" name="loginButton2" src="<%= handler.getImage("btnlogin.gif",true)%>" type="image" value="Login" onClick="return imageSubmit()">
    		</td>							
    	</tr>
    </table>
    	</td>
    </tr>
    <%
        String err = (String) request.getAttribute(NIDPConstants.ATTR_LOGIN_ERROR);
        if (err != null)
        {
    %>
    			  		<td style="padding: 10px">
    						<div class="instructions"><%=err%></div>
    			  		</td>
                    		</tr>
    <%  } %>

     

    Replace with:

    <%
        // ReCaptcha, ReCaptchaFactory and ReCaptchaImpl must be imported by a page import
        // directive at the top of login.jsp (net.tanesha.recaptcha.* if the bundled jar is
        // recaptcha4j, which is an assumption).
        String err = (String) request.getAttribute(NIDPConstants.ATTR_LOGIN_ERROR);
        int failCount = 0;
        HttpSession s = request.getSession();
        // The failure count is kept in the HTTP session as a string
        if (s.getAttribute("loginFailCount") != null)
            failCount = Integer.parseInt((String) s.getAttribute("loginFailCount"));
        // Once a failure has been seen, every further display of the form is counted
        if (err != null || failCount > 0)
        {
            failCount++;
            s.setAttribute("loginFailCount", "" + failCount);
        }
        // Increase this number to the required number of login failures before the captcha is shown
        if (failCount > 2)
        {
            try {
                s.setAttribute("loginURL", request.getRequestURL() + "?" + request.getQueryString());
            } catch (Exception e) {}
            // Attribute name spelling kept as in the original
            request.setAttribute("capatchaEnabled", "true");
            // Replace <public key> and <private key> with the reCAPTCHA public and private keys
            ReCaptcha c = ReCaptchaFactory.newSecureReCaptcha("<public key>", "<private key>", false);
            ((ReCaptchaImpl) c).setRecaptchaServer("https://www.google.com/recaptcha/api");
            // Writes the captcha widget
            out.print(c.createRecaptchaHtml(null, null));
        }
    %>
        <tr>
            <td align=right colspan=2 style="white-space: nowrap">
                <input alt="<%=handler.getResource(JSPResDesc.LOGIN)%>" border="0" name="loginButton2" src="<%= handler.getImage("btnlogin.gif",true)%>" type="image" value="Login" onClick="return imageSubmit()">
            </td>
        </tr>
    </table>
        </td>
    </tr>
    <%
        if (err != null)
        {
    %>
    <tr>
        <td style="padding: 10px" align=center>
            <div class="instructions"><%=err%></div>
        </td>
    </tr>
    <% } %>
  4. Set the number of login failures after which the captcha is shown by changing the value in the line if(failCount >2) in login.jsp.
  5. After registering with reCAPTCHA, note down the public and private keys.
  6. Replace the placeholders in the following line of login.jsp with your public and private keys:
    ReCaptcha c = ReCaptchaFactory.newSecureReCaptcha("<public key>", "<private key>", false);
  7. Copy the jar from the dist folder of the extracted archive to /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib
  8. Modify the file /opt/novell/nam/idp/webapps/nidp/WEB-INF/web.xml
     

    Copy the following:

    <filter>
        <filter-name>recaptchaFilter</filter-name>
        <filter-class>
            com.netiq.recaptcha.RecaptchaFilter
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>recaptchaFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

    Just above the:

    <filter-mapping>
            <filter-name>nidpJspFilter</filter-name>
            <url-pattern>/jsp/*</url-pattern>
        </filter-mapping>
  9. Restart the IDP by executing “/etc/init.d/novell-idp restart”.
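
The JSP above keeps loginFailCount in the HTTP session, so the count starts again at zero whenever a client arrives without its session cookie. As an added example (not part of the original article or of recaptcha.zip), the following stand-alone Java class sketches a server-side counter keyed by account name with the same `failCount > 2` threshold; the class name, the 15-minute window and the sample account names are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not NetIQ code: a server-side failure counter keyed by account.
public class CaptchaThreshold {
    static final int MAX_FAILURES = 2;               // same threshold as failCount > 2 in the JSP
    static final long WINDOW_MS = 15 * 60 * 1000L;   // assumed window after which failures expire

    private static final class Entry { int count; long firstFailure; }
    private final Map<String, Entry> failures = new HashMap<>();

    // Record one failed login for the key (for example the submitted user name).
    public synchronized void recordFailure(String key, long now) {
        Entry e = failures.get(key);
        if (e == null || now - e.firstFailure > WINDOW_MS) {
            e = new Entry();
            e.firstFailure = now;
            failures.put(key, e);
        }
        e.count++;
    }

    // A successful login clears the counter for that key.
    public synchronized void recordSuccess(String key) { failures.remove(key); }

    // True when the next login form served for this key must include the captcha.
    public synchronized boolean captchaRequired(String key, long now) {
        Entry e = failures.get(key);
        if (e == null) return false;
        if (now - e.firstFailure > WINDOW_MS) { failures.remove(key); return false; }
        return e.count > MAX_FAILURES;
    }

    public static void main(String[] args) {
        CaptchaThreshold t = new CaptchaThreshold();
        long now = 0L;   // constructed timestamps in milliseconds
        // Three failures for a constructed account, each arriving in a new session;
        // a counter stored in the session would read 0 on every one of them.
        for (int i = 0; i < 3; i++) t.recordFailure("alice", now += 1000);
        System.out.println("alice: " + t.captchaRequired("alice", now));
        System.out.println("bob:   " + t.captchaRequired("bob", now));
        now += WINDOW_MS + 1;   // move past the expiry window
        System.out.println("alice after window: " + t.captchaRequired("alice", now));
    }
}
```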


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
