Since I’m going to need some form of spam prevention for Source.zone, I opted to forego user registration and authentication and use CAPTCHA instead to verify that submissions come from human beings and not robots. Hope this keeps spam down to a reasonable level while lowering the entry barrier for would-be contributors.
My first approach consisted in looking at jcaptcha to see if there was some code to reuse. Unfortunately, jcaptcha has several drawbacks:
- The website is the usual Maven-generated load of crap. Why there’s no link to a comprehensive tutorial on the home page or the navigation menu? Beats me.
- It’s LGPL, which means I wouldn’t be allowed to commit anything I did into Cocoon’s repository.
- It’s probably too complex for what I need.
Don’t get me wrong, jcaptcha is probably a nice piece of software, but it’s just not the right solution at the moment.
Back to the drawing board. I remembered reading on Cocoon’s developers’ mailing list something about image-based authentication and indeed I could find a sample contributed by Tony Collen and tucked away inside Cocoon’s scratchpad that, among other things, generated a blurred image of a text string. The nice thing is that doing this doesn’t need any coding at all, since it’s just an SVG file rasterized using components that are already included in Cocoon. “Internet Glue” indeed.
Next, I decided that this feature would be useful in many instances, so I decided to write a Cocoon Forms validator. Cocoon Forms has this nice, pluggable architecture that makes it easy to expand it with new widgets, datatypes, convertors and validators.
Well, “easy” is a bit of an exaggeration, as the plot started to thicken after a while. First, I came upon an apparent bug in Cocoon Forms and tried to ask for guidance on the mailing list. Unfortunately, Apache’s mailing list aren’t working too well today. Maybe it’s all that fscking nazi spam that’s been circulating lately that’s giving the servers a hard time.
Anyway, after an hour or so of debugging, I devised a quick fix, but I’ll wait for some comments from some developer that is more confident with Forms internals before committing.
The other hurdle I came upon is the fact that it’s not enough to return false from your validator in order to trigger a validation error. You also need to set a validation error, otherwise validation of the whole form will succeed without even a warning.
After working around these problems, I got it working quite nicely. Adding CAPTCHA validation to your Cocoon forms is as simple as:
<fd:captcha id='f1' required='true'>
<fd:datatype base='string'/>
<fd:validation>
<fd:captcha>
</fd:validation>
</fd:captcha>
It would be nice to have a pluggable strategy for generating random strings, as the current one is fixed, but I’m waiting for someone else to have this particular itch to scratch.
I’m not quite ready to commit, however. I’d rather have some feedback on my proposed fix before risking breakage somewhere else.
Update: the ASF mail server is still struggling under the load but I’ve managed to get feedback from Sylvain, so I went ahead and committed. CAPTCHA validation is now available in SVN (2.1 branch only for now).
My (belated) congratulations to all the new 
This is one of those things that you hear happening to others, from time to time, but somehow you think it will never happen to you, because you’re too small to be seen on anyone’s radar and after all you’re not doing anything against the rules.
It seems now clear to me that James Gosling,
