Tuesday 8 January 2013

Captcha Implementation on PeopleSoft Sign On Page



Implementation of Captcha in PeopleSoft Sign-in Page


What is Captcha?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

A CAPTCHA is a program that can generate and grade tests that humans can pass but current computer programs cannot. For example, humans can read distorted text such as the one shown below, but current computer programs can't:




Applications
CAPTCHAs are used to prevent automated software from performing actions which degrade the quality of service of a given system, whether due to abuse or resource expenditure. CAPTCHAs can be deployed to protect systems vulnerable to e-mail spam, such as the webmail services of Gmail, Hotmail, and Yahoo! Mail. CAPTCHAs are also used on Wikipedia for anonymous or new users who attempt to add links.

CAPTCHAs have found active use in stopping automated posting to blogs, forums and wikis, whether as a result of commercial promotion, or harassment and vandalism. CAPTCHAs also serve an important function in rate limiting, as automated usage of a service might be desirable until such usage is done in excess, and to the detriment of human users. In such a case, a CAPTCHA can enforce automated usage policies as set by the administrator when certain usage metrics exceed a given threshold. The article rating systems used by many news web sites are another example of an online facility vulnerable to manipulation by automated software.

Current PeopleSoft Authentication Process
- User logs in by giving user ID and password.
- Sign on PeopleCode fires on clicking the sign in button.
- LDAP authentication takes place.
- Accordingly, the user gets logged in or gets the error message.




Proposed
- The sign on page will be modified to generate a Captcha image (through JSP).
- The user will log on to the system by giving user ID, password and Captcha text.
- On clicking the sign in button, the Captcha text entered by the user is validated first (done by JSP).
- Only if the Captcha validation is successful will the sign on PeopleCode fire (LDAP authentication); otherwise it will not.
This protects our PeopleSoft application from bogus users and automated scripts. LDAP is hit only when a human being logs in to the system, since the Captcha text is readable only by a human being and not by an automated script or software.



Technology Used – JSP (Java Server Pages)
JSP (JavaServer Pages) is used to generate the Captcha image and validate the text entered by the user.
What is JSP - JavaServer Pages (JSP) is a Java technology that allows software developers to create dynamically-generated web sites, with HTML, XML, or other document types, in response to a Web client request. The technology allows Java code and certain pre-defined actions to be embedded into static content.
The JSP syntax adds additional XML-like tags, called JSP actions, to be used to invoke built-in functionality. Additionally, the technology allows for the creation of JSP tag libraries that act as extensions to the standard HTML or XML tags. Tag libraries provide a platform independent way of extending the capabilities of a Web server.
JSPs are compiled into Java Servlets by a JSP compiler. A JSP compiler may generate a servlet in Java code that is then compiled by the Java compiler, or it may generate byte code for the servlet directly. JSPs can also be interpreted on-the-fly, reducing the time taken to reload changes.



Code for Generating Captcha Image
Generatecaptcha.jsp




Logic Implemented
- A random text is generated.
- This text is stored in a session.
- A blank image is generated.
- The random text generated is written on the blank image.


Code for Validating the Captcha Text Entered by User
validate.jsp



Logic Implemented

- The text stored in the current session is retrieved.
- The text entered by the user is retrieved.
- The two retrieved texts are compared.
- If they are equal, the request is forwarded to the PeopleSoft servlet (psp); this servlet then hits the sign on PeopleCode for LDAP authentication.
- If not, the user is directed back to the sign-in page.

In the <jsp:forward page="..."> tag you can place any path (e.g. the home page or a default page).
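The generation and validation logic listed above, as an added example in plain Java (it is not the post's Generatecaptcha.jsp or validate.jsp). It also removes the stored text on every validation attempt, so a challenge cannot be answered twice. Assumptions: a Map stands in for the HttpSession, and the attribute name captchaText, the alphabet and the image size are hypothetical.

```java
import java.awt.*;
import java.awt.image.BufferedImage;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

public class CaptchaSketch {
    static final String KEY = "captchaText"; // hypothetical session attribute name
    static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no 0/O, 1/I
    static final SecureRandom RNG = new SecureRandom();

    // Generate a random text and store it in the session (a Map stands in for HttpSession).
    static String issue(Map<String, Object> session, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        session.put(KEY, sb.toString());
        return sb.toString();
    }

    // Create a blank image and write the text on it (no distortion applied in this sketch).
    static BufferedImage render(String text) {
        BufferedImage img = new BufferedImage(160, 50, BufferedImage.TYPE_INT_RGB);
        Graphics2D g = img.createGraphics();
        g.setColor(Color.WHITE);
        g.fillRect(0, 0, 160, 50);
        g.setColor(Color.DARK_GRAY);
        g.setFont(new Font(Font.MONOSPACED, Font.BOLD, 28));
        g.drawString(text, 15, 35);
        g.dispose();
        return img;
    }

    // Remove the stored text before comparing: one attempt per challenge,
    // so a wrong or replayed answer needs a freshly generated image.
    static boolean validate(Map<String, Object> session, String userInput) {
        Object expected = session.remove(KEY);
        if (!(expected instanceof String) || userInput == null) return false;
        return MessageDigest.isEqual(
            ((String) expected).getBytes(StandardCharsets.UTF_8),
            userInput.trim().getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String text = issue(session, 6);
        System.out.println("image width: " + render(text).getWidth());
        System.out.println(validate(session, text) + " then " + validate(session, text));
    }
}
```

In a JSP, the Map operations correspond to session.setAttribute, session.getAttribute and session.removeAttribute, and the image can be sent with ImageIO.write to the response output stream.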



Changes to be made in signin.html

NOTE:
Please take a backup of signin.html before making any changes to it, i.e. save the signin.html file under another name. In case of any issue or problem, just rename the backup back to signin.html.
Navigate to
<PS_HOME>\webserv\<DOMAIN NAME>\applications\peoplesoft\PORTAL\WEB-INF\psftdocs\ps\

Three changes have to be made in signin.html

  1. Add code to time out the session if the sign-in page stays open for more than 5 minutes (this time can be changed, but it should not be too large; ideally it should be 3-6 minutes). This step is mandatory: because the Captcha string is stored in a session, the session must be disconnected after some time, otherwise the functionality won't work properly.
Here, we have set the session timeout to 5 minutes, i.e. 300 seconds.



For this purpose we will transfer the user to a page (transfer.html; this file should also be placed under <PS_HOME>/webserv/<DOMAIN NAME>/applications/peoplesoft/PORTAL/<DOMAIN NAME>/ps/) which shows the user the session timeout information. It also has a link back to the sign-in page, so that a fresh session is created.



Code for transfer.html (please change it as per your look-and-feel requirements)


2. Add one text box in which the user will enter the Captcha text, and one row which will hold the image. The source of the image will be generatecaptcha.jsp.


3. Change the <form action=> tag to transfer the user to validate.jsp, which will perform the validation.


Final Step

Once all the above changes have been made, reboot the web server.


7 comments:

  1. Hi Deepak,

    After completing the above steps, I am not able to see the generated captcha image on the signin.html page.
    Here I am only able to see an image background without any image value, and when I try to save it, it comes up as the JSP file name.

    Please help me solve this.
    Thanks.

  2. Are you doing this in peoplesoft environment?

  3. Hi Deepak, I hope the above method is applicable to the PeopleSoft environment?

  4. Hello Deepak, I'm very interested to see your projects....

    Provide the project

    migrate the data from one PeopleSoft environment system to another PeopleSoft system....

  5. We are waiting for your new PeopleSoft project thoughts in 2016

  6. The same captcha code is not working in PT 8.59, any solution?
