It looks like the min/max length JavaScript functions do NOT work on HTML "password" fields. We just verified this. I totally agree with "Hajratwala". Struts should not impose this limitation on the developers. It is the developers responsibility to control the amount of security-related information returned to a user, not Struts. I go to websites all the time where I get a message specifying the size limits for a password. Does anyone know where the logic is implemented for ignoring the max/min check on a password? Do others agree that Struts is outside it boundaries by doing this? If so, maybe my team can submit a patch.
John Hohlen (and Viplava Nekkaplapudi) -----Original Message----- From: Hajratwala, Nayan (N.) [mailto:nhajratw@;ford.com] Sent: Thursday, October 24, 2002 3:15 PM To: 'Struts Users Mailing List' Subject: RE: JavaScript Validation: MinLength & MaxLength Functions Don't Work interesting ... sorry if this has been discussed to death already. If so, i'll shut up. =) Shouldn't the decision of displaying the validation be up to the application developer? For example, when changing a password, you would have a spot to enter old & new passwords, but would likely want to put some validation around the new one (min 6 characters, etc). What would be wrong with displaying that info to the user? --- - Nayan Hajratwala - Chikli Consulting LLC - http://www.chikli.com -----Original Message----- From: Dave Derry [mailto:dderry@;acm.org] Sent: Thursday, October 24, 2002 4:14 PM To: Struts Users Mailing List Subject: Re: JavaScript Validation: MinLength & MaxLength Functions Don't Work This has been explained before. I think it was by Ted. The reason has to do with security. Specifying bouinds on the length of a password limits the universe of potential passwords that a cracker would need to test. And of course if he/she saw a message saying "Password must be between 6 and 30 characters in length" that would provide that information. Dave Derry ----- Original Message ----- From: "bachan s" <[EMAIL PROTECTED]> > > Can you try removing the required from the depends for password and give minlength and maxlength. Since minLength is mentioned required is not necesary. > Try it and let ue know. > this may be considered as a bug in struts too. > Thanks ! > Bachan > > "Nekkalapudi, Viplava" <[EMAIL PROTECTED]> wrote: My team can't get the Struts client-side (i.e. JavaScript) validation > framework to work. We want to ensure that a password is between 6 and 30 > characters. Has anyone been able to get these checks to work? The "required" > field check works, but the "minlength" and "maxlength" do not. Here's what > our validation.xml file contains: > > > depends="required"> > > > depends="required,minlength,maxlength"> > > > > > > minlength > 6 > > > maxlength > 30 > > > > > Thanks, > > JOHN > -- To unsubscribe, e-mail: <mailto:struts-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:struts-user-help@;jakarta.apache.org> -- To unsubscribe, e-mail: <mailto:struts-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:struts-user-help@;jakarta.apache.org> -- To unsubscribe, e-mail: <mailto:struts-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:struts-user-help@;jakarta.apache.org>
