Robert Leland wrote:

David Graham wrote:

The validation rules are only exposed if you use Struts' <html:javascript>


Not true, they are exposed by server side validation also. The error messages clearly state the min/max
values.

But even that is only exposed if you use the validator framework's minLength checks. If I didn't want to expose the fact that I cared about such things, I'd use two different validation mechanisms:


* On the login screen, I'd use nothing except (perhaps) a "required" validation.

* On the admin screen that lets me change my own password, I'd write a custom validator
method + appropriate JavaScript -- or, more likely, implement this as a server side check
that approved a proposed password (minimum length, appropriate mixture of letters and
digits, not in a dictionary, ...) without exposing *anything* about why a password might
get rejected.


Of course, there's a usability issue here, too ... if you impose particular rules for passwords in the code but don't tell your users about what the rules are, you're bound to frustrate them when they try to set their own passwords to a new value, but don't know why you're not allowing the proposed value.

Anyone who objects to exposing a "minimum password length" rule to the general public shouldn't be employing such a validation rule on their login screens in the first place.



I'm still -1 on this last commit for the reasons stated. Please revert this change to not validate password fields in the javascript.



+1, will do it tomorrow.


Craig
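
An added example, not part of the original message and not Struts or Validator framework code: a server-side check of the kind described above, where every rule failure yields the same user-facing message and the specific reason is written only to the server log. The class name `PasswordPolicy`, the minimum length, and the word list are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical class for illustration; not part of Struts or commons-validator.
public class PasswordPolicy {
    private static final Logger LOG = Logger.getLogger(PasswordPolicy.class.getName());

    // Assumed policy value; the thread does not specify one.
    private static final int MIN_LENGTH = 8;
    // Constructed sample word list; a real deployment would load a dictionary.
    private static final Set<String> DICTIONARY = Set.of("password", "letmein1", "welcome1");

    // The only text a user ever sees, whichever rule failed.
    public static final String GENERIC_ERROR = "The proposed password was not accepted.";

    private enum Reason { OK, TOO_SHORT, NO_LETTER, NO_DIGIT, IN_DICTIONARY }

    private static Reason evaluate(String candidate) {
        if (candidate == null || candidate.length() < MIN_LENGTH) return Reason.TOO_SHORT;
        boolean letter = false, digit = false;
        for (char c : candidate.toCharArray()) {
            if (Character.isLetter(c)) letter = true;
            if (Character.isDigit(c)) digit = true;
        }
        if (!letter) return Reason.NO_LETTER;
        if (!digit) return Reason.NO_DIGIT;
        if (DICTIONARY.contains(candidate.toLowerCase(Locale.ROOT))) return Reason.IN_DICTIONARY;
        return Reason.OK;
    }

    /** Returns null on success, or the single generic message on any failure. */
    public static String check(String accountId, String candidate) {
        Reason r = evaluate(candidate);
        if (r == Reason.OK) return null;
        // accountId is assumed to come from the authenticated session, not request input.
        // The reason goes to the server log only; the candidate itself is never logged.
        LOG.info("password change rejected for " + accountId + ": " + r);
        return GENERIC_ERROR;
    }

    public static void main(String[] args) {
        // Constructed inputs: one per rejection reason, then an acceptable value.
        String[] samples = {"abc", "abcdefgh", "12345678", "letmein1", "tr4ins-at-dawn"};
        for (String p : samples) {
            System.out.println(check("demo", p) == null ? "accepted" : GENERIC_ERROR);
        }
    }
}
```

The first four sample inputs fail different rules yet produce identical output, which is the property the message asks for; the usability cost it also mentions is visible in the same output.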


