
This is a custom reCAPTCHA Spring Boot Starter to easliy integrate Google's reCAPTCHA service in any Spring Boot web project

Primary LanguageJavaMIT LicenseMIT

Spring Boot Rest reCAPTCHA Starter

Maven Central
License: MIT

Easy integration for Rest/Web API spring boot projects with Google's reCaptcha service.


  • reCAPTCHA secret key. To get it go to the reCAPTCHA Home Page and set up your reCAPTCHA.
  • The spring-boot-starter-aop dependency present on the classpath.
  • The project runs in a web environment e.g.: via a simple spring web starter.



How To Use

Simple usage

If you do not want to customize the reCAPTCHA validation behaviour just use the @RequiresCaptcha annotation on top of the protected endpoint,
And add your configuretion from application properties.

At the moment the following properties can be configured:

Global Properties

Name Description Default Value
recaptcha.enabled Disable/Enable the auto configuration true

Service Properties

Prefix - recaptcha.service

Service Properties Description Default Value
secret The secret key obtained from Google's reCAPTCHA null
verify-url Google's reCAPTCHA verify endpoint "https://www.google.com/recaptcha/api/siteverify"
connection-request-timeout The http client request time out 2000
connection-timeout The http client connection time out 2000
socket-timeout The http client socket time out 2000

Aspect Properties

Prefix - recaptcha.aspect

Name Description Default Value
header-name The header name in which the client needs to send his ReCaptcha response "g-recaptcha-response"
proxy-real-ip-header-name The header of the real client IP (e.g.: X-Forwarded-For) null, By default the request.getRemoteAddr() will be used.
proxy-real-ip-header-delimiter Delimiter for multi value real client IP header (e.g.: , ) null
verified-ips List of verified IPs (',' delimited) that will pass automatically without captcha validation ( useful if you want to exclude dev/test machines ) null


Place the following lines into your application.properties


Protected Endpoint

public class RestReCaptchaController {  
 public boolean captchaProtectedPath() { return true; }

Catch Exceptions and decide how to react. Exceptions:

  • MissingReCaptchaException - Bad Request.
  • ClientReCaptchaException   - reCAPTCHA Client Error.
  • ServerReCaptchaException   - reCAPTCHA Server Error
public class RestExceptionHandler {  
   protected ResponseEntity<Object> ReCaptchaException(ReCaptchaException ex, WebRequest request) {  
       HttpStatus status = HttpStatus.FORBIDDEN;  
       String message = ex.getMessage();  
       if(ex instanceof ServerReCaptchaException){  
           status = HttpStatus.INTERNAL_SERVER_ERROR;  
       }else if (ex instanceof MissingReCaptchaException){  
           status = HttpStatus.BAD_REQUEST;  
       return new ResponseEntity<>(message, status);  

That's all, you're good to go now, try to reach your protected endpoints.

Customize Error Handlers

If you want custom error handlers for different scenarios, just define your own handler beans. At the moment the following callback handlers are supported:

  • SuccessResponseHandler: this handler will be invoked after a valid reCAPTCHA value has been sent.
  • ErrorResponseHandler: this handler will be invoked after an invalid reCAPTCHA value has been sent.


public class CustomHandlersConfiguration {  
    ErrorResponseHandler customErrorResponseHandler() {  
        return new ErrorResponseHandler(){  
            AuditLogger auditLogger = ....
            public void handle(ProceedingJoinPoint joinPoint, ReCaptchaResponse response, HttpServletRequest request) throws ReCaptchaException {
                ReCaptchaResponse.ErrorCode[] errorCodes = response.getErrorCodes();  
                String errorMessage = getFirstErrorMessage(errorCodes);
                get invkoed method, ip etc..
                auditLogger.write(event, method, ip, response, errorMessage...);
                    throw new ServerReCaptchaException(errorMessage);  
                }else if(response.hasClientError()){  
                    throw new ClientReCaptchaException(errorMessage);
    SuccessResponseHandler customSuccessResponseHandler() {  
        return new SuccessResponseHandler() {
            AuditLogger auditLogger = ....  
            public void handle(ProceedingJoinPoint joinPoint, ReCaptchaResponse response, HttpServletRequest request) throws ReCaptchaException {  
            get invoked method, ip etc.. 
            auditLogger.write(event, method, ip, response...); 

Fully reCAPTCHA service custom behaviour

If you want totally different behavior, Set recaptcha.enabled to false, Implement ReCaptchaService interface and then define a bean with type ReCaptchaService.



recaptcha.enabled = false;
public class CustomReCaptchaServiceImpl implements ReCaptchaService {  
    private YourHttpClient httpClient;  
    private YourServiceProps serviceProps;  
    public ReCaptchaServiceImpl(YourHttpClient httpClient, YourServiceProps serviceProps) {  
        this.httpClient= httpClient;  
        this.serviceProps= serviceProps;  
    public ReCaptchaResponse validate(String reCaptchaResponse, String remoteIp) throws ReCaptchaException {  
        Your awesome implementation...  
