Create an anonymous authentication module

Use a CAPTCHA-based authentication module for J2EE Web applications

Page 3 of 3


To build and test the application, we need Tomcat Web container version 5.0 or higher and the Ant build environment version 1.5 or higher. These can be downloaded and installed from Apache. Once we have all the prerequisite components in place, we can build and deploy the application by following the steps outlined below.

Installation and testing

  • Download and unzip the file to a directory (e.g., d:\captcha). The unzipped archive will have folders for the source code, dependent libraries, Web application, and the build scripts.
  • Navigate to the exploded directory (d:\captcha) and edit the file setAntEnv.cmd. As the name suggests, this file contains variables needed by the build environment to start up. Edit the values of the ANT_HOME and JAVA_HOME variables to point to the correct locations. All the other properties are derived from these two variables and hence can be left untouched.
  • Navigate to the exploded directory (d:\captcha) and edit the build properties file. This file contains properties that influence the way the application is built. Most of the properties in the file have meaningful default values. You will need to set appropriate values only for the properties build.home and server.home.
  • Now open a command shell (cmd), navigate to the exploded directory (d:\captcha), and execute the setAntEnv.cmd batch script.
  • Build and deploy the application by typing ant compile jar deploy. The Ant script first creates the required directories, then compiles and JARs the security module code, and finally deploys it.
  • Start the application server by typing ant start. Tomcat should start and spawn a separate window.
  • Open a browser and test the application by pointing it to http://localhost:8080/clogin (clogin is the value of the application.name property configured in the properties file).
  • After testing, you can stop the server by closing the Tomcat server window.

Whenever you change any property in the properties file, do a clean build. This ensures that all properties are correctly propagated. For example, if you use the out-of-the-box configuration, the token servlet will use the simple token factory. You can also test the more sophisticated CAPTCHA implementation by changing the value of captcha.token.factory to jw.token.factory.JCaptchaTokenFactory in the properties file. Run ant clean-all deploy to propagate the changes, then start the application server and test the application.
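The property switch described above (and the deploy-then-test steps before it) works because the token servlet never names a factory class in code; it reads captcha.token.factory from the properties file and instantiates whatever class is configured. The following Java program is an added example written for this article, not the article's own source: the TokenFactory interface, the SimpleTokenFactory class, the Token class, the TokenVerifier helper and the in-memory Properties are all assumptions standing in for the real module, and only the property name captcha.token.factory and the class name jw.token.factory.JCaptchaTokenFactory come from the text.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Properties;

/** A challenge shown to the user, paired with the answer the server expects (assumed shape). */
final class Token {
    final String challenge;   // what is rendered to the user (text here; an image for a real CAPTCHA)
    final String expected;    // the answer the login module compares against
    Token(String challenge, String expected) { this.challenge = challenge; this.expected = expected; }
}

/** Hypothetical factory contract; the article's own interface is not shown on this page. */
interface TokenFactory {
    Token createToken();
}

/** Plain-text factory: the challenge is the expected answer itself, with no image distortion. */
final class SimpleTokenFactory implements TokenFactory {
    // Alphabet omits 0/O and 1/I so that users do not fail on look-alike characters.
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private final SecureRandom rng = new SecureRandom();

    public Token createToken() {
        StringBuilder sb = new StringBuilder(6);
        for (int i = 0; i < 6; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        String s = sb.toString();
        return new Token(s, s);
    }
}

/** Reads captcha.token.factory from a Properties object and instantiates that class reflectively. */
final class TokenFactoryLoader {
    static final String PROPERTY = "captcha.token.factory";
    static final String DEFAULT_FACTORY = SimpleTokenFactory.class.getName();

    static TokenFactory load(Properties props) throws ReflectiveOperationException {
        String className = props.getProperty(PROPERTY, DEFAULT_FACTORY).trim();
        Class<?> c = Class.forName(className);
        // asSubclass rejects any configured class that does not implement TokenFactory
        // before it is instantiated, so a typo in the properties file fails fast and loudly.
        return c.asSubclass(TokenFactory.class).getDeclaredConstructor().newInstance();
    }

    static TokenFactory load(String propertiesPath) throws IOException, ReflectiveOperationException {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(propertiesPath)) {
            props.load(in);
        }
        return load(props);
    }
}

/** Compares the submitted answer with the expected one without an early exit on the first mismatch. */
final class TokenVerifier {
    static boolean matches(String submitted, String expected) {
        if (submitted == null || expected == null) return false;
        byte[] a = submitted.getBytes(StandardCharsets.UTF_8);
        byte[] b = expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }
}

public class TokenFactoryDemo {
    public static void main(String[] args) throws Exception {
        // Constructed in-memory configuration standing in for the build's properties file.
        Properties defaults = new Properties();
        TokenFactory f = TokenFactoryLoader.load(defaults);
        Token t = f.createToken();
        System.out.println("factory=" + f.getClass().getName() + " challenge=" + t.challenge);
        System.out.println("correct answer accepted: " + TokenVerifier.matches(t.challenge, t.expected));
        System.out.println("wrong answer rejected:   " + !TokenVerifier.matches("------", t.expected));

        // Switching implementations is a configuration change only; nothing is recompiled.
        Properties overridden = new Properties();
        overridden.setProperty(TokenFactoryLoader.PROPERTY, "jw.token.factory.JCaptchaTokenFactory");
        try {
            TokenFactoryLoader.load(overridden);
        } catch (ClassNotFoundException e) {
            // Expected in this stand-alone example: the article's JCaptcha factory is not on the classpath.
            System.out.println("would load " + e.getMessage() + " once its JAR is deployed");
        }
    }
}
```

Run it with javac and java on a single file; the first part exercises the default factory, the second shows that pointing the property at the JCaptcha class changes which class is loaded without touching the code, which is exactly why a clean build is needed after editing the properties file. The verifier uses MessageDigest.isEqual rather than String.equals so that the comparison time does not reveal how many leading characters of a guess were correct.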


Depending on your environment, the application may fail to launch properly. The build scripts have deployed a log4j configuration file that configures Tomcat's logging. You can look at trace- and debug-level messages by opening the file <TOMCAT_HOME>/logs/jaasModule.log or <TOMCAT_HOME>/logs/tomcat.log. jaasModule.log contains debug information specific to the login module and the Web application; tomcat.log catches all the log messages originating from the container and the deployed code. Open these files to look for clues.


In this article, we explored the J2EE Web application declarative security model and ways to extend it using JAAS login modules. We extended Tomcat's J2EE security infrastructure to support a custom authentication mechanism. The authentication mechanism was implemented as a JAAS login module and used CAPTCHAs to weakly authenticate users. To a certain extent, it also guaranteed that the remote user is human. By using the container's declarative security support, we easily secured an application without any modification to the codebase.

It is important to note that CAPTCHAs can create usability issues for people with disabilities. Web application developers should be aware of these issues when choosing their authentication technologies.

Anand Raman works for Sapient out of its Delhi office as a senior associate, technology. He has been working on Java- and J2EE-related technologies for the past five years. Tackling J2EE complexity is a matter close to his heart.
