How To Add BotDetect CAPTCHA Protection to JSF Forms

Protecting your JSF forms with BotDetect Java Captcha slightly differs from JavaServer Pages protection but is still straightforward whether you use standard or Facelets presentation technology.

You can also see how BotDetect Captcha protection has been added to various kinds of JSF forms and projects by running the BotDetect Captcha JSF integration code examples coming with the BotDetect installation. You can also reuse the code example source code that fits your requirements.

First Time Here?

Check the BotDetect JSP Captcha Quickstart for key integration steps.

Here we will discuss only integration steps which differ from JavaServer Pages integration steps since including botdetect.jar and registering CaptchaServlet steps are the same regardless of framework.

Include BotDetect Library in the Classpath

BotDetect Captcha can simply be included in classpath by copying botdetect.jar from the BotDetect Java download package.

To protect specific application with BotDetect Captcha copy botdetect.jar into WEB-INF/lib directory of your application.

Copy botdetect.jar into lib directory of your web container or application server's domain in order to share BotDetect Captcha among multiple applications.

[back to the top of the page]

Register CaptchaServlet

Update your application configuration (web.xml) file. 

<servlet-name>BotDetect Captcha</servlet-name>
    <servlet-class>botdetect.web.http.CaptchaServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>BotDetect Captcha</servlet-name>
    <url-pattern>/botdetectcaptcha</url-pattern>
</servlet-mapping>

[back to the top of the page]

BotDetect CAPTCHA JavaServer Faces Tag

To protect your JSF form use dedicated jsfCaptcha tag.
Adding jsfCaptcha tag to JSF form is pretty straightforward but there are some differences between standard JSF (.jsp) and Facelets (.xhtml) presentation techologies:

Standard JSF

  • declare taglib at the begining of the .jsp file:
    • <%@taglib prefix="botDetect" uri="botDetect"%>
  • add attribute prependId="false" to <h:form> opening tag
    this is not mandatory but enables some added functionality to jsfCaptcha tag
  • within the form insert:
    • <h:outputLabel for="captchaCodeTextBox" 
    value="Retype the code from the picture:"/>
<botDetect:jsfCaptcha id="exampleCaptcha" 
    binding="#{captchaExampleBean.captcha}"/>
<h:inputText id="captchaCodeTextBox" 
    value="#{captchaExampleBean.captchaCode}"/>

[back]

Facelets

  • add xmlns attribute to the page's <html> opening tag: 
    xmlns:botDetect="botDetectFacelets"
  • add attribute prependId="false" to <h:form> opening tag
    this is not mandatory but enables some added functionality to jsfCaptcha tag
  • within the form insert:
    • <h:outputLabel for="captchaCodeTextBox" 
    value="Retype the code from the picture:"/>
<botDetect:jsfCaptcha id="exampleCaptcha" 
    binding="#{captchaExampleBean.captcha}"/>
<h:inputText id="captchaCodeTextBox" 
    value="#{captchaExampleBean.captchaCode}"/>

[back]

When you open your form in a browser, the above declarations should render as:

BotDetect CAPTCHA added to an JSP page

If you are adding Captcha protection to multiple JSF forms in the same website, you should take care to give each one a unique name (e.g. "RegistrationCaptcha", "CommentCaptcha", ...) in the Captcha object constructor.

In order to perform CAPTCHA validation jsfCaptcha tag must be bound with the corresponding property of the backing bean. This backing bean property should be of the JsfCaptcha type, and include both getter and setter access:

import botdetect.web.jsf.JsfCaptcha;
    [...]
private JsfCaptcha captcha;
    [...]
public JsfCaptcha getCaptcha() {
  return captcha;
  }

public void setCaptcha(JsfCaptcha captcha) {
  this.captcha = captcha;
}

[back to the top of the page]

Check is the Visitor a Human on Form PostBack

Once the Captcha challenge is displayed on your form, the code processing form submissions can check if the Captcha was solved successfully and deny access to bots.

Add CAPTCHA Validation Logic to Backing Bean

When the form is submitted, the Captcha validation result must be checked and the protected action (user registration, comment posting, email sending, ...) only performed if the Captcha test was passed. For example, this code should be part of or invoked from backing bean method declared in <form> action attribute:

boolean isHuman = captcha.validate(captchaCode);
if(isHuman){
  correctLabelVisible = true;
  incorrectLabelVisible = false;
} else {
  correctLabelVisible = false;
  incorrectLabelVisible = true;
}

[back to the top of the page]

Please Note

BotDetect Java Captcha Library v4.0.Beta3.7 is an in-progress port of BotDetect 4 Captcha, and we need you to guide our efforts towards a polished product. Please let us know if you encounter any bugs, implementation issues, or a usage scenario you would like to discuss.

© Captcha, Inc. 2004-2025. All rights reserved.

BotDetect, BotDetect CAPTCHA, Lanap, Lanap CAPTCHA, Lanap BotDetect, Lanap BotDetect CAPTCHA, Lanapsoft, Lanapsoft CAPTCHA, Lanapsoft BotDetect, Lanapsoft BotDetect CAPTCHA, and Lanap Software are trademarks of Captcha, Inc. All other product, brand, and company names are mentioned for identification purposes only and are trademarks or registered trademarks of their respective owners.

Captcha, Inc. -- formerly: Lanapsoft, Inc. / Lanap, Inc.