PermaLink Implementing a CAPTCHA with IBM Lotus Domino05/03/2008 11:12 PM
I am currently having some problems with form SPAM. Although the form is save and does not allow cross site scripting or even the execution of injected JavaScript it is still a pain in the as to have to delete SPAM from whatever web based database (guestbook , feedback, trouble-ticket, ...).

I have seen CAPTCHA solutions for other platforms but not for Domino so I started developing my own implementation...

The CAPTCHA article on WIKIPEDIA links to reCAPTCHA which is a CAPTCH generating engine. The good thing is that you do not have to implement your own code to transform a dictionary into images. All you have to do is to implement ready to use HTML code on your form. The user will see an embedded CAPTCHA challenge, when saving the form the users answer will be saved in a field in the new document. The tricky part is to check if the answer is correct by connecting to the reCAPTCHA server using a server based WebQuerySave agent.
There is already a JAVA implementation so I am using this one instead of trying to reinvent the wheel or making big efforts to try this in LotusScript.

As this is just a proof of concept I used the journal database which ships with Domino 8.x.

Step 1:
On your form, add three hidden fields:
- recaptcha_challenge_field, text, editable
- recaptcha_response_field, text, editable
- Remote_Addr, text, computed for display
Add the HTML code that will display the CAPTCHA challenge, make sure to use your public key to call the API. Only display the HTML code for web clients.

Step 2:
Configure your form to use a WebQuerySave agent.

@Command([ToolsRunMacro]; "(WQS)")

Step 3:
Download the reCAPTCHA JAVA code ZIP file. Extract all files from the ZIP.

Step 4:
Create your WebQuerySave agent by creating a new JAVA agent, click "edit Project" to continue.

Navigate to the directory you used to extract the JAVA code from the downloaded ZIP.

Highlight the directory "java" and click "Add/Replace File(s)" to add the java code to your agent.

The Domino Designer does a great job on importing all the JAVA into the new agent.

Now add some code directly after the "// (Your code goes here)" comment.

 // (Your code goes here)
 system.err.println("Starting WQS HTTP agent");
 Document doc = agentContext.getDocumentContext();
 String challenge = "";
 if (doc.hasItem("recaptcha_challenge_field")) {
 System.out.println("Good, item challenge in document");
 challenge = doc.getItemValueString("recaptcha_challenge_field");
 System.out.println("No item challenge in document");
 challenge = "";
 String response = "";
 if (doc.hasItem("recaptcha_response_field")) {
  System.out.println("Good, item recaptcha_response_field in document");
  response = doc.getItemValueString("recaptcha_response_field");
  System.out.println("No item recaptcha_response_field in document");
  response = "";
 String remoteAddr = "";
 if (doc.hasItem("Remote_Addr")) {
  System.out.println("Good, item Remote_Addr in document");
  remoteAddr = doc.getItemValueString("Remote_Addr");
  System.out.println("No item Remote_Addr in document");
 ReCaptchaImpl reCaptcha = new ReCaptchaImpl();
 // make sure to enter your private key before testing
 reCaptcha.setPrivateKey("<your private key>");
 ReCaptchaResponse reCaptchaResponse = reCaptcha.checkAnswer(remoteAddr, challenge, response);
 if (!reCaptchaResponse.isValid()) {
  System.err.println("Captcha IS NOT valid");
  System.err.println("Captcha IS valid");
 System.err.println("Exiting WQS HTTP agent");
// the rest of the agent remains unchanged.

Step 5:
Save the agent and configure security and target.
Tip: The compiler will give you a warning that some code is deprecated but as it is only a warning compilation is successfull and the agent gets saved.

As the agent connects to reCAPTCHA you have to allow restricted operations.

You are now done and ready to test.

The proof of concept implementation adds a field "Captcha" to every document with a value of either "valid" or "invalid".

Update: If you want to see the database in action, here is the captcha enabled form:

You can download a copy of the sample database.

This page has been accessed 8367 times. .
The weblog represent my personal views and comments and does not represent the views of my current or previous employers or customers.

About me
By Category
The BlogRoll
Christians sites
other Bloggers
Travel related
RSS News Feed OpenNTF
Monthly Archive