Spam has become one of the biggest menaces on the Web. Many community-based applications force authentication only to distinguish a valid user from an automated spam-bot, which can be overkill in some cases. CAPTCHAs help in differentiating between real users and automated bots. In this article, Anand Raman uses CAPTCHAs as weak authentication mechanisms for J2EE Web applications. He begins with a quick introduction to both the J2EE Web application security model and CAPTCHAs. He then builds on these concepts to implement a JAAS (Java Authentication and Authorization Service) login module using CAPTCHAs and integrates it with an application server’s existing security infrastructure. The artifacts are based on standard J2EE security mechanisms. Hence, the module can be reused on any J2EE application or across different application servers with some minor modifications.