Add Google reCaptcha to Java Spring

Preventing bots from submitting forms on a website or web app is an absolute must, especially when you're receiving hundreds of emails about highheel specials in Russia 🙂 For some reason I don't particularly like spelling out reCaptcha the whole time, so I've just gone with GoogleService etc. instead of RecaptchaService.

Step 1

The first step to adding reCaptcha is to create an object in which the response from Google will be kept.


import com.fasterxml.jackson.annotation.JsonProperty;
import org.springframework.stereotype.Service;

import java.util.Collection;

public class GoogleResponse implements Serializable {
    private boolean success;

    private Collection<String> errorCodes;

    public boolean isSuccess() {
        return success;

    public void setSuccess(boolean success) {
        this.success = success;

    public Collection<String> getErrorCodes() {
        return errorCodes;

    public void setErrorCodes(Collection<String> errorCodes) {
        this.errorCodes = errorCodes;

Step 2

The next step is to create the GoogleService interface and implementation which will house the method for actually validating whether the client entered the correct reCaptcha.



public interface GoogleService {

    boolean validateReCaptcha(String remoteIp, String reCaptchaResponse);



import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

public class GoogleServiceImpl implements GoogleService {

    private final String recaptchaUrl = "";
    private final String recaptchaSecretKey = "YOUR-SECRET-KEY-HERE";

    private RestTemplate restTemplate;

    public RecaptchaServiceImpl(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;

    public boolean validateReCaptcha(String remoteIp, String reCaptchaResponse) {
        GoogleResponse googleResponse;
        try {
            googleResponse = restTemplate
                    .postForEntity(recaptchaUrl, createBody(recaptchaSecretKey, remoteIp, reCaptchaResponse), GoogleResponse.class)

        } catch (RestClientException e) {
            throw new RuntimeException();

        return googleResponse.isSuccess();

    private MultiValueMap<String, String> createBody(String secret, String remoteIp, String response) {

        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("secret", secret);
        form.add("remoteip", remoteIp);
        form.add("response", response);

        return form;

Step 3

The next step is to pass the g-recaptcha-response from the controller to the service and perform the validation

Autowire the GoogleService

@RequestMapping ("/misc")
public class SomeController {
    private GoogleService googleService;

Add HttpServletRequest as a parameter in the method handling the form submission. This method should also contain the logic determining whether or not the validation was successful.

    @RequestMapping (value = "/referAFriend", method= RequestMethod.POST)
    public String referAFriend (ReferAFriend referAFriend, BindingResult result,RedirectAttributes attributes, HttpServletRequest request) throws MessagingException {

String reCaptchaResponse = request.getParameter("g-recaptcha-response");

        boolean isValid;

        try {
            isValid = recaptchaService.validateReCaptcha(getRemoteIp(request), reCaptchaResponse);
        } catch (Exception e) {
            attributes.addFlashAttribute("errorMessage","reCaptcha error, please try again");
            return "redirect:/";

        if(!isValid) {
            attributes.addFlashAttribute("errorMessage", "The Captcha is missing or wrong");
            return "redirect:/";

Step 4

The final step is to include the necessary HTML and Javascript on the frontend.

Add the following line before the closing head tag:

<script src='' async="async" defer="defer"></script>

Add the following line in your HTML where you would like the reCaptcha box to be displayed:

<div class="g-recaptcha" data-sitekey="YOUR-SITE-KEY"></div>

Please note that this is your site key and NOT your secret key.

Add the following line in your HTML where you would like the reCaptcha error message to be displayed if any:

<div  th_if="${errorMessage}" th_text="${errorMessage}" class="alert alert-danger" role="alert"></div>

This is of course how information is obtained from the model using Thymeleaf.