[ http://issues.apache.org/jira/browse/VALIDATOR-151?page=all ]
Niall Pemberton resolved VALIDATOR-151.
---------------------------------------
Resolution: Won't Fix
I think the simplest solution would be for someone to configure alternative
"password" validators that don't have associated JavaScript validators. For
example, a "minimum length" password validator could be configured in Struts as
follows:
<validator name="passwordMinlength"
           classname="org.apache.struts.validator.FieldChecks"
           method="validateMinLength"
           methodParams="java.lang.Object,
                         org.apache.commons.validator.ValidatorAction,
                         org.apache.commons.validator.Field,
                         org.apache.struts.action.ActionMessages,
                         org.apache.commons.validator.Validator,
                         javax.servlet.http.HttpServletRequest"
           depends=""
           msg="errors.minlength"/>
Since this "passwordMinlength" validator doesn't have an associated
"jsFunction" specified - no script will be generated for the field and
therefore no sensitive information revealed.
The alternative would be for people to implement their own "custom" password
validators.
Closing as WONT FIX
> [validator] Password validation revealed in javascript
> ------------------------------------------------------
>
> Key: VALIDATOR-151
> URL: http://issues.apache.org/jira/browse/VALIDATOR-151
> Project: Commons Validator
> Issue Type: Improvement
> Components: JavaScript
> Affects Versions: 1.1.1 (alpha)
> Environment: Operating System: other
> Platform: Other
> Reporter: David Graham
> Priority: Minor
>
> The javascript does not validate password fields for security reasons; however,
> any rules defined on a password field still show up in the javascript (they're
> just not used). The min/max length and mask properties reveal sensitive
> information about the server-side password validation structure. The best
> solution at this time is to not use validator to check password fields at all
> but we need a better solution in the long run.
> See bug# 12473 for other details.
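A configuration audit for the exposure this ticket describes, added here as an example; it is not code from Commons Validator or from anyone in this thread. It assumes the usual validator-rules.xml / validation.xml layout, treats a validator as client-side whenever it carries a jsFunction attribute or a <javascript> element, and works on two constructed, abbreviated XML samples (classname attributes omitted) in which loginForm attaches the JS-backed "minlength" rule to its password field while changePasswordForm uses the script-less "passwordMinlength" alternative from the comment above.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated validator-rules.xml (classname omitted): "required" and "minlength"
# carry a <javascript> body, so the generator emits them; "passwordMinlength" has none.
RULES_XML = """<form-validation><global>
  <validator name="required" method="validateRequired" msg="errors.required">
    <javascript>function validateRequired(form) { return true; }</javascript></validator>
  <validator name="minlength" method="validateMinLength" depends="required" msg="errors.minlength">
    <javascript>function validateMinLength(form) { return true; }</javascript></validator>
  <validator name="passwordMinlength" method="validateMinLength" depends="" msg="errors.minlength"/>
</global></form-validation>"""

# Constructed validation.xml: loginForm uses the JS-backed rule, changePasswordForm the script-less one.
FORMS_XML = """<form-validation><formset>
  <form name="loginForm"><field property="password" depends="minlength">
    <var><var-name>minlength</var-name><var-value>8</var-value></var></field></form>
  <form name="changePasswordForm"><field property="password" depends="passwordMinlength">
    <var><var-name>minlength</var-name><var-value>8</var-value></var></field></form>
</formset></form-validation>"""

def load_rules(rules_xml):
    """validator name -> (emits client-side script?, validators it depends on)."""
    rules = {}
    for v in ET.fromstring(rules_xml).iter("validator"):
        has_js = v.get("jsFunction") is not None or v.find("javascript") is not None
        rules[v.get("name")] = (has_js, [d.strip() for d in (v.get("depends") or "").split(",") if d.strip()])
    return rules

def expand_depends(names, rules):
    """Resolve a field's depends list transitively (a rule's own depends are run as well)."""
    seen, queue = [], list(names)
    while queue:
        n = queue.pop(0)
        if n in rules and n not in seen:
            seen.append(n)
            queue.extend(rules[n][1])
    return seen

def exposed_password_rules(rules_xml, forms_xml, password_props):
    """Each (form, field, validator, vars) the generated JavaScript would carry for a password property."""
    rules, findings = load_rules(rules_xml), []
    for form in ET.fromstring(forms_xml).iter("form"):
        for field in form.findall("field"):
            if field.get("property") not in password_props:
                continue
            var = {x.findtext("var-name"): x.findtext("var-value") for x in field.findall("var")}
            for name in expand_depends([d.strip() for d in (field.get("depends") or "").split(",") if d.strip()], rules):
                if rules[name][0]:  # this rule (and its min/max/mask vars) is written to the page
                    findings.append({"form": form.get("name"), "field": field.get("property"),
                                     "validator": name, "vars": var})
    return findings
```

Run it over the real validator-rules.xml and validation.xml of a deployment and every finding is a server-side password constraint that the generated script would disclose to the browser; an empty result means password fields only use script-less validators.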
--
This message is automatically generated by JIRA.