The background
In Singapore, where I have been working, most customers engage auditors to audit their PeopleSoft implementations and upgrades. One of the common findings of late is the vulnerability of the application to coordinated attacks using scripts, bots, etc. (especially in the case of internet-facing applications such as Candidate Gateway).
The favourite remedy to this apparent drawback has been to think of implementing Captcha. It is my personal opinion that Captcha in itself does not offer a comprehensive solution to the problem. There are several blogs and articles on the net that have shown that Captcha can be broken (e.g. Using AI to beat CAPTCHA and post comment spam).
At best it is a preventive measure that can give Organizations more time to react to an attack on the Web/IT infrastructure before the damage is extensive. This is akin to a moat surrounding the castle in ancient times which acted as a barrier to slow down an approaching army, giving the castle inhabitants time to react before the wall was breached. Nevertheless, until a better solution is found we will settle for a Captcha solution.
Options
With this as the background, I set out to do a Google search to see if anyone has attempted and/or succeeded in this endeavor. However, the search yielded very few links. The Oracle support site also has no solutions on this topic (as of this writing). The most common and easiest to implement solution is the reCAPTCHA API from Google. This is good enough for internet web pages, blogs, etc. There are a few blogs (implementing-captcha-using-recaptcha-in.html) that discuss how to achieve this.

The drawback of using reCAPTCHA is that the validation of the response to the captcha challenge is done by Google, not within the PeopleSoft application. The captcha challenge is served by Google, and so is the validation of the user response. This forces us to open the web/app tier to outbound internet traffic so that it can reach Google's servers to obtain the captcha validation result. This is virtually a no-no for organizations that keep their application servers secure and out of reach by putting them behind firewalls, DMZs and what not.
Thus the only viable option was to have a home-grown (so to speak) solution that generates a captcha challenge from PeopleSoft and performs the validation within PeopleSoft. I found this blog (captcha-implementation-of-peoplesoft.html) that succeeded in doing that.
The chosen one
However rather than reinvent the wheel from scratch, I was looking for something I could re-use and implement. Thus I discovered the JCaptcha Open source API and decided to test the waters with this one. The sourceforge page has the JCaptcha version 1.0 API that produces a very basic captcha image (in black and white) as-is unless of course you decide to modify the source code.
Then I discovered the JCaptcha Version 2.0 alpha API here that produced a more colourful Captcha image. The wiki also has a nice write up on testing their API.
Test Drive
The steps to manually deploy the JCaptcha sample application onto a PeopleSoft web server are described below:
- Download the war file (jcaptcha-integration-simple-servlet-sample.war) to a local folder on your PC/server.
- Copy the war file to this location:

 <%PS_HOME%>\webserv\<domain>\applications\peoplesoft

 In my case I have a Windows VM, so the location is
 C:\psoft\pt85302\webserv\hcm92dmo\applications\peoplesoft
- Modify the application.xml by adding the code below. I chose the name "Tungabhadra" for the context-root. You can name it anything you like.

 <module>
  <web>
   <web-uri>jcaptcha-integration-simple-servlet-sample.war</web-uri>
   <context-root>/tungabhadra</context-root>
  </web>
 </module>

 The application.xml can be found at
 <%PS_HOME%>\webserv\<domain>\applications\peoplesoft\META-INF

 For me the location is
 C:\psoft\pt85302\webserv\hcm92dmo\applications\peoplesoft\META-INF
- Restart the webserver.
- Access the sample captcha page that we just deployed onto the PeopleSoft webserver at the URL:

 http://<webserver_host_name>:<web_http_listener_port>/tungabhadra/index.jsp

 Note: This is the same listener port that your PeopleSoft application listens on.
- The version 2.0 captcha page as seen on the browser -
Verdict
The JCaptcha v2.0 Open Source API is easy to use and implement within PeopleSoft, and it does a pretty good job of producing a nice, modern-looking random captcha image even with the basic DefaultGimpyEngine and word generation classes. The nice thing about this solution is that the image is created on the fly (using word-to-image Java classes) and streamed directly to the HTTP output, where it is rendered by the client browser. The captcha validation classes are deployed within the PeopleSoft application hosted in your own infrastructure, which is exactly what I set out looking for.
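To make the in-house flow concrete, here is an added example (my own illustration, not the code shipped in the sample war): a single servlet that renders the challenge on GET, keyed by the HTTP session id, and validates the posted answer on POST, entirely in-process on the web tier. It assumes the JCaptcha 1.0-style ImageCaptchaService API (DefaultManageableImageCaptchaService, getImageChallengeForID, validateResponseForID) and the servlet API on the classpath; the form field name captchaAnswer is hypothetical.

```java
import java.awt.image.BufferedImage;
import java.io.IOException;
import javax.imageio.ImageIO;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.octo.captcha.service.CaptchaServiceException;
import com.octo.captcha.service.image.DefaultManageableImageCaptchaService;
import com.octo.captcha.service.image.ImageCaptchaService;

// Added example, not the sample war's own code. One shared service keeps the
// challenge store in memory on the app server, so neither generation nor
// validation ever needs a connection outside your own infrastructure.
public class CaptchaServlet extends HttpServlet {
    private static final ImageCaptchaService SERVICE = new DefaultManageableImageCaptchaService();

    // GET: render a fresh challenge image bound to this session id.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String captchaId = req.getSession(true).getId();
        BufferedImage challenge = SERVICE.getImageChallengeForID(captchaId, req.getLocale());
        // Forbid caching so a browser or proxy cannot serve the same puzzle twice.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
        resp.setContentType("image/jpeg");
        ImageIO.write(challenge, "jpeg", resp.getOutputStream());
    }

    // POST: check the answer in-process; the challenge is consumed on validation,
    // so a correct answer cannot be replayed and a wrong one forces a new image.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String captchaId = req.getSession(true).getId();
        String answer = req.getParameter("captchaAnswer"); // hypothetical field name
        boolean ok;
        try {
            ok = Boolean.TRUE.equals(SERVICE.validateResponseForID(captchaId, answer));
        } catch (CaptchaServiceException e) {
            ok = false; // no challenge stored for this session (expired or never requested)
        }
        if (!ok) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Captcha failed");
            return;
        }
        // Captcha passed: continue with the protected action (e.g. the sign-in flow).
    }
}
```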
Having tested the waters now it is time to do an actual implementation on the PeopleSoft application (I will be attempting this on the signin page). I will post the solution once I have it ready.