Why do we need to do a server-side check for Google reCAPTCHA?

In my new project, I am going to enable Google reCAPTCHA. My question is quite simple: even if we perform a client-side check that the user is not a robot, it is still suggested to perform a server-side check. I want to know why it is necessary to perform a server-side check for Google reCAPTCHA. Is it to add an extra layer of security? But how does that work?

+5
2 answers

Server-side validation is a MUST!! reCAPTCHA is designed in such a way that the client side simply generates a "g-recaptcha-response", which, together with the secret key (stored on the server side), is sent to https://www.google.com/recaptcha/api/siteverify for verification. The response is JSON indicating whether success is true or false, and it is then passed back to the client side. Validation only on the client side is technically possible, but it defeats the purpose. Moreover, you can get a CORS (Cross-Origin Resource Sharing) policy error in the console if you only perform client-side validation. I can share the steps for a simple Java-based check on the server side in a servlet. Let me know if you need it.

+1

The steps:

  1. userResponse = request.getParameter("recaptchaResponse") receives the value of 'g-recaptcha-response', the hidden field that the reCAPTCHA widget fills in on the client. In JavaScript, read 'g-recaptcha-response' and send it to the servlet, where it is read with request.getParameter. For example:

     // Called from the form's onsubmit handler; returns true only if the servlet
     // confirmed the token with Google. The hidden textarea 'g-recaptcha-response'
     // is filled in by the reCAPTCHA widget once the user passes the challenge.
     function verifyRecaptcha() {
       var recaptchaResponse = document.getElementById("g-recaptcha-response").value;
       if (recaptchaResponse.length > 0) {
         var xmlhttp1;
         if (window.XMLHttpRequest) {
           xmlhttp1 = new XMLHttpRequest();
         } else {
           xmlhttp1 = new ActiveXObject("Microsoft.XMLHTTP"); // old IE only
         }
         // Synchronous request (third argument false) so onsubmit can wait for the
         // answer; the servlet reads the token with request.getParameter("recaptchaResponse")
         var query1 = "?recaptchaResponse=" + encodeURIComponent(recaptchaResponse);
         xmlhttp1.open("POST", "captchaVerificationServlet" + query1, false);
         xmlhttp1.send(null);
         var resp1 = xmlhttp1.responseText;
         if (resp1 == 'matched') {
           return true;
         } else {
           alert("resp1 did not match");
           return false;
         }
       } else {
         alert("error: recaptcha response is blank");
         return false;
       }
     }
    
  2. Google replies with JSON containing "success": true or false. Parse the JSON and check success and the error-codes. JsonReader can parse the JSON, e.g.: JsonReader rdr = Json.createReader(your_inputstream); JsonObject jsonObject = rdr.readObject();
  3. The servlet itself:

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.SocketAddress;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CaptchaVerificationServlet extends HttpServlet {
    // Secret key from the reCAPTCHA admin console; it must only ever live on the server
    private static final String SECRET = "YOUR_SECRET_KEY";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Token the widget placed in 'g-recaptcha-response', forwarded by the page's JavaScript
        String userResponse = request.getParameter("recaptchaResponse");
        response.setCharacterEncoding("UTF-8");
        String ipAddress = request.getRemoteAddr(); // client IP, passed to Google as remoteip
        try {
            String s = validateCaptcha(SECRET, userResponse, ipAddress);
            // Quick string check on Google's pretty-printed reply; parsing the JSON
            // (step 2 above) is the robust way to read success and error-codes
            boolean success = s.contains("\"success\": true");
            if (success) {
                response.getWriter().write("matched");
            }
        } catch (Exception e) {
            // Log server-side only; never write the stack trace into the HTTP response
            e.printStackTrace();
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "captcha verification failed");
        }
    }

    private String validateCaptcha(String secret, String response, String remoteip) throws IOException {
        // Outbound proxy, if your network needs one (confirm host and port with your
        // sysadmin, generally 80 or 443); use Proxy.NO_PROXY for a direct connection
        String proxyHost = "YOUR_PROXY_NAME";
        int proxyPort = 80;
        SocketAddress addr = new InetSocketAddress(proxyHost, proxyPort);
        Proxy httpProxy = new Proxy(Proxy.Type.HTTP, addr);

        // Trust store holding the CA chain for www.google.com. The JRE's default cacerts
        // already contains it, so this is only needed when the JVM defaults were changed;
        // note that setting system properties per request is global and not thread-safe
        String filename = (System.getProperty("java.home") + "/lib/security/cacerts")
                .replace('/', File.separatorChar);
        String password = "changeit";
        System.setProperty("javax.net.ssl.trustStore", filename);
        System.setProperty("javax.net.ssl.trustStorePassword", password);

        String charset = StandardCharsets.UTF_8.name();
        String url = "https://www.google.com/recaptcha/api/siteverify";
        String query = String.format("secret=%s&response=%s&remoteip=%s",
                URLEncoder.encode(secret, charset),
                URLEncoder.encode(response, charset),
                URLEncoder.encode(remoteip, charset));

        // Send the parameters as a POST body rather than in the query string, so the
        // secret does not end up in proxy or access logs
        URLConnection connection = new URL(url).openConnection(httpProxy);
        connection.setDoOutput(true); // makes HttpURLConnection issue a POST
        connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream os = connection.getOutputStream()) {
            os.write(query.getBytes(StandardCharsets.UTF_8));
        }

        // Read Google's JSON reply line by line into one string
        StringBuilder output = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(connection.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                output.append(line);
            }
        }
        return output.toString();
    }
}
+1
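Both answers describe the same exchange: the widget fills in g-recaptcha-response, the server forwards that token together with the secret to siteverify, and only Google's JSON verdict decides. The Python below is an added example, not code from either answer or from Google. It implements that server-side check and goes a little beyond the answers by also checking the hostname and challenge_ts fields of the reply and by failing closed when siteverify cannot be reached. The FakeSiteverify class, the secret "SECRET", the tokens "tok-...", the hostname example.com and the address 203.0.113.7 are constructed so the flow runs offline; pass http_post_form as the transport to talk to the real endpoint.

```python
"""Server-side reCAPTCHA v2 verification with an offline stand-in for Google's endpoint."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
MAX_TOKEN_AGE = timedelta(minutes=2)   # Google: a response token is valid for two minutes


def http_post_form(url, fields):
    """Real transport: POST application/x-www-form-urlencoded and return the body.
    The secret travels in the body, not the query string, so it stays out of proxy logs."""
    data = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def parse_challenge_ts(text):
    """siteverify returns challenge_ts as ISO 8601 UTC, e.g. 2017-03-02T12:00:00Z."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def verify_recaptcha(secret, token, remoteip, expected_hostname,
                     transport=http_post_form, now=None):
    """Return (accepted, reason). Nothing the browser says is trusted; only the
    siteverify reply decides, and every failure path rejects (fail closed)."""
    if not token:
        return False, "missing-input-response"      # widget never ran: skip the round trip
    try:
        body = transport(SITEVERIFY_URL,
                         {"secret": secret, "response": token, "remoteip": remoteip})
        result = json.loads(body.decode("utf-8"))
    except (OSError, ValueError) as exc:
        return False, "siteverify-unreachable: %s" % exc
    if result.get("success") is not True:
        return False, "rejected: " + ",".join(result.get("error-codes", ["unknown"]))
    if result.get("hostname") != expected_hostname:   # token was solved on some other site
        return False, "hostname-mismatch: %s" % result.get("hostname")
    try:
        issued = parse_challenge_ts(result.get("challenge_ts", ""))
    except ValueError:
        return False, "bad-challenge-ts"
    now = now or datetime.now(timezone.utc)
    if not timedelta(0) <= now - issued <= MAX_TOKEN_AGE:
        return False, "stale-token"
    return True, "ok"


def handle_signup(form, secret, remoteip, transport=http_post_form, now=None):
    """Form handler. The only field consulted is g-recaptcha-response; a client-supplied
    captcha_passed=true is ignored because anything the browser sends can be forged."""
    token = form.get("g-recaptcha-response", "")
    ok, reason = verify_recaptcha(secret, token, remoteip, "example.com", transport, now)
    return "201 created" if ok else "400 captcha failed (%s)" % reason


class FakeSiteverify:
    """Constructed stand-in for Google's endpoint (sample tokens, not real ones). It keeps
    the two properties the server relies on: a token is accepted only if it was issued for
    this secret, and only once; a reused or unknown token gets timeout-or-duplicate."""

    def __init__(self, secret, hostname, tokens):
        self.secret, self.hostname = secret, hostname
        self.unused = dict(tokens)              # token -> challenge_ts it was issued at

    def __call__(self, url, fields):
        if fields.get("secret") != self.secret:
            reply = {"success": False, "error-codes": ["invalid-input-secret"]}
        elif fields.get("response") not in self.unused:
            reply = {"success": False, "error-codes": ["timeout-or-duplicate"]}
        else:
            reply = {"success": True, "hostname": self.hostname,
                     "challenge_ts": self.unused.pop(fields["response"])}
        return json.dumps(reply).encode("utf-8")


if __name__ == "__main__":
    now = parse_challenge_ts("2017-03-02T12:00:30Z")
    google = FakeSiteverify("SECRET", "example.com",
                            {"tok-fresh": "2017-03-02T12:00:00Z",
                             "tok-old": "2017-03-02T11:00:00Z"})
    ip = "203.0.113.7"
    print(handle_signup({"g-recaptcha-response": "tok-fresh"}, "SECRET", ip, google, now))  # 201 created
    print(handle_signup({"g-recaptcha-response": "tok-fresh"}, "SECRET", ip, google, now))  # replay -> 400
    print(handle_signup({"captcha_passed": "true"}, "SECRET", ip, google, now))             # forged flag -> 400
    print(handle_signup({"g-recaptcha-response": "tok-old"}, "SECRET", ip, google, now))    # outside 2 min -> 400
```

The third call in the __main__ block is the answer to the question: a client that never ran the widget can still POST the form with any fields it likes, so the server treats a client-declared "passed" flag as noise and asks Google about the token instead. The replay and stale-token cases show why the check cannot be moved to the browser either: only the party holding the secret can learn whether a token is genuine, unused and fresh.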

Source: https://habr.com/ru/post/1676356/

