What we really need is an algorithm for determining if a username (or in 2.0 a webloghandle) is safe to use in a URL. Any pointers?

- Dave


On Aug 16, 2005, at 1:34 PM, Kolano, Kenneth M. wrote:

Wouldn't the string of allowed characters be gigantic?

There are 95,156 characters in Unicode 3.2, though I'm unsure how many would be needed on an "allowed" characters list. Perhaps for limited situations,
like (A-Z,-,@), this might work.

Kenneth M. Kolano
Technology Architecture & Innovation
908-423-4241
WS1B-51B


-----Original Message-----
From: Elias Torres [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:19 PM
To: [email protected]
Subject: Re: Safe UserName characters


Sounds good to me. If the route will be to allow characters on a
configurable basis then I think it makes more sense to place the
config option in the ApplicationResources.properties.

Thanks!

Elias

On 8/16/05, Lance Lavandowska <[EMAIL PROTECTED]> wrote:
How about using ApplicationResources.properties to store the string of
allowed characters?  This will allow you to customize as you wish for
the moment (your suggested string should not pose a problem) and will
allow languages other than English to specify any additional
characters they like.

I don't know how this will interact with the I18N/authentication
problem Anil mentions, but wouldn't this allow those with expertise in
a particular language (and how it interacts with Http/Tomcat)
make the decision?

Lance

On 8/16/05, Elias Torres <[EMAIL PROTECTED]> wrote:
Any decision on this need I have regarding safe characters? Did you
decide whether you would include the ability to specify allowed
characters (snippet included by me) or to remove the restriction on
some characters because of your i18n work on Roller?

We are trying to decide if we use Roller again inside for IBM weblogs,
but I would not like to fork the code again and instead be using the
latest releases from SVN. The more flexible you are with us, the
easier our decision will be and fewer changes we'll have to maintain
separate from the main repository.

I'll definitely have more requests coming if we decide to go with
Roller.

Elias

On 8/9/05, Anil Gangolli <[EMAIL PROTECTED]> wrote:

A bit of caution, oddly related to the authentication mechanism topic.
One of the stopping points has been problems in the form authentication
chain, currently used by Roller.  Tomcat forces ISO-8859-1 for this.

(There's a bug filed about it but I can't quote the number because I
can't seem to get to our Jira site right now. The bug says something
about character corruption when going through login; it's high on the
"importance list," assigned to Dave with lots of comments from me while
I went through analyzing it.)

We may be able to address it for Tomcat with a Valve, but not sure how
other containers will behave.

--a.

Elias Torres wrote:

On 8/8/05, Lance Lavandowska <[EMAIL PROTECTED]> wrote:


I think alphanumeric was chosen because it is known "websafe" but
there are obviously other characters that can safely be put in a URL,
such as the ones you list below.

Since we are now encoding our URLs more thoroughly (for I18N support)
perhaps we can drop this requirement?  I haven't looked thoroughly to
support this question/claim.

Lance



That would be even better!

Thanks Lance.

Elias



On 8/8/05, Elias Torres <[EMAIL PROTECTED]> wrote:


Is there/should there be an option to allow other than alphanumeric
characters in usernames other than commenting a few lines in
UserBaseAction? At IBM we use email addresses as Roller IDs (because
usernames are not globally unique, except at the country level).

I've written a piece of code to make this work if you are
interested.
It uses commons-lang CharSetUtils.

roller.properties
[EMAIL PROTECTED]

UserBaseAction.java

protected static String DEFAULT_ALLOWED_CHARS = "A-Za-z0-9";

UserBaseAction#validate()

String allowed = RollerConfig.getProperty("username.allowedChars");
if(allowed == null || allowed.trim().length() == 0) {
       allowed = DEFAULT_ALLOWED_CHARS;
}

String safe = CharSetUtils.keep(form.getUserName(), allowed);

Regards,

Elias
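
An added example, not code from this thread or from Roller: one way to check a username against a configurable allowed-characters string for use in a URL path. It rejects a name instead of stripping characters from it, and intersects the configured set with the characters RFC 3986 permits unescaped in a path segment. The class name, the simplified range syntax (not CharSetUtils' own), the property value and the sample inputs are assumptions made for the example; non-ASCII names, which would need percent-encoding, are not covered.

```java
import java.util.BitSet;

/** Added example: allow-list check for usernames that appear in URL paths. */
public class UsernameCheck {
    // Characters RFC 3986 permits unescaped in a path segment (pchar without pct-encoded).
    private static final String PATH_SAFE =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~!$&'()*+,;=:@";

    /** Parse a spec such as "A-Za-z0-9@._-": "x-y" is a range, anything else a literal. */
    static BitSet parse(String spec) {
        BitSet set = new BitSet(128);
        for (int i = 0; i < spec.length(); i++) {
            char lo = spec.charAt(i);
            if (i + 2 < spec.length() && spec.charAt(i + 1) == '-') {
                char hi = spec.charAt(i + 2);
                if (lo <= hi) set.set(lo, hi + 1);
                i += 2;                      // skip the '-' and the range end
            } else {
                set.set(lo);
            }
        }
        // Drop anything not path-safe, so a bad config cannot admit '/', '?', '#' or '%'.
        BitSet pathSafe = new BitSet(128);
        for (char c : PATH_SAFE.toCharArray()) pathSafe.set(c);
        set.and(pathSafe);
        return set;
    }

    /** Returns null if the name is acceptable, otherwise the reason for rejecting it. */
    static String reject(String name, BitSet allowed) {
        if (name == null || name.isEmpty()) return "empty username";
        // "." and ".." use only safe characters but are removed by URL path normalization.
        if (name.equals(".") || name.equals("..")) return "dot segment";
        for (int i = 0; i < name.length(); i++) {
            if (!allowed.get(name.charAt(i))) return "character not allowed at index " + i;
        }
        return null;
    }

    public static void main(String[] args) {
        // Assumed value for the username.allowedChars property (constructed for this example).
        BitSet allowed = parse("A-Za-z0-9@._-");
        // Constructed sample inputs.
        String[] samples = { "jdoe", "j.doe@example.com", "j.doe@example.com/", "a?b", "..", "" };
        for (String s : samples) {
            String why = reject(s, allowed);
            System.out.println("[" + s + "] " + (why == null ? "accepted" : "rejected: " + why));
        }
    }
}
```

Rejecting matters because stripping would turn "j.doe@example.com/" into "j.doe@example.com", so two different inputs would end up as the same username.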
















