Re: Safe UserName characters

2005-08-23 Thread Dave Johnson

Yes, this is still an open issue in 2.0. It's on my list.

Do we have a proposed solution?

- Dave


On Aug 21, 2005, at 10:25 PM, Elias Torres wrote:


BTW, I don't think I have double-checked this, but handle in create
weblog form does not seem to restrict any characters (as found in
Roller_2.0 branch). Therefore, I guess we need to resolve this so we
are not being inconsistent. Sorry for being such a pest on this.

Elias

On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:
Due to Jaap's <http://rollerweblogger.org/wiki/Wiki.jsp?page=JaapVanDerMolen>
work <http://rollerweblogger.org/wiki/Wiki.jsp?page=InstallationGuide#ref-InstallationGuide-6>
websafe shouldn't be necessary.  But Anil indicated there were some
issues with Tomcat not supporting non-ISO-8859-1 usernames.

Lance

On 8/16/05, Dave Johnson [EMAIL PROTECTED] wrote:


What we really need is an algorithm for determining if a username (or in
2.0 a webloghandle) is safe to use in a URL. Any pointers?

- Dave








Re: Safe UserName characters

2005-08-23 Thread Allen Gilliland
I know Elias had proposed adding a config property which is essentially a regex
that would be used to determine if a username is okay.  Then site admins can
alter that property as desired if they want to.

Personally, I have mixed emotions about the prospect of letting app owners 
alter the username and password restrictions.  I can see that it would be a 
nice feature, but at the same time it really shouldn't be all that necessary as 
long as we pick a good standard.

Anyone know of any open standards for username character restrictions?  Elias 
is correct that we should at least open up the username restrictions to allow 
for '@' and '.' characters so that email addresses are valid.

-- Allen


On Tue, 2005-08-23 at 06:31, Dave Johnson wrote:
 Yes, this is still an open issue in 2.0. It's on my list.
 
 Do we have a proposed solution?
 
 - Dave
 
 
 On Aug 21, 2005, at 10:25 PM, Elias Torres wrote:
 
  BTW, I don't think I have double-checked this, but handle in create
  weblog form does not seem to restrict any characters (as found in
  Roller_2.0 branch). Therefore, I guess we need to resolve this so we
  are not being inconsistent. Sorry for being such a pest on this.
 
  Elias
 
  On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:
  Due to Jaap's <http://rollerweblogger.org/wiki/Wiki.jsp?page=JaapVanDerMolen>
  work <http://rollerweblogger.org/wiki/Wiki.jsp?page=InstallationGuide#ref-InstallationGuide-6>
  websafe shouldn't be necessary.  But Anil indicated there were some
  issues with Tomcat not supporting non-ISO-8859-1 usernames.
 
  Lance
 
  On 8/16/05, Dave Johnson [EMAIL PROTECTED] wrote:
 
  What we really need is an algorithm for determining if a username (or in
  2.0 a webloghandle) is safe to use in a URL. Any pointers?
 
  - Dave
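
Added example, not part of the thread and not Roller's code: one way to combine the ideas discussed here, namely a configurable allow-list regex, a check for URL dot-segments, and a check that the name survives the ISO-8859-1 form-login path reported for Tomcat. The class name, method name, default pattern and length limit are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added illustration: class, method and default pattern are hypothetical, not Roller code.
public class UserNameCheck {
    // Assumed default: ASCII letters and digits plus '@', '.', '_' and '-',
    // so e-mail addresses pass. A site-supplied regex replaces it when set.
    static final String DEFAULT_ALLOWED = "[A-Za-z0-9@._-]{1,64}";

    /** Returns null when the name is acceptable, otherwise the reason it is rejected. */
    static String reject(String name, String configuredRegex) {
        String regex = (configuredRegex == null || configuredRegex.trim().isEmpty())
                ? DEFAULT_ALLOWED : configuredRegex.trim();
        // Reject instead of silently stripping, so two different inputs
        // can never collapse to the same stored name.
        if (name == null || !Pattern.matches(regex, name)) {
            return "characters outside the allowed set";
        }
        // "." and ".." are dot-segments that URL resolution removes (RFC 3986, 5.2.4).
        if (name.equals(".") || name.equals("..")) {
            return "relative path segment";
        }
        // The thread reports that Tomcat forces ISO-8859-1 in the form login
        // chain, so a name outside that charset would be corrupted there.
        if (!StandardCharsets.ISO_8859_1.newEncoder().canEncode(name)) {
            return "not representable in ISO-8859-1";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample names; the wider pattern stands in for a site override.
        String[] samples = {"elias@example.com", "dave", "..", "a/b", "x?y=1",
                            "jos\u00e9", "\u65e5\u672c"};
        String wider = "[\\p{L}\\p{N}@._-]{1,64}";
        for (String s : samples) {
            String d = reject(s, null);
            String w = reject(s, wider);
            System.out.printf("%-18s default: %-36s wider: %s%n",
                    s, d == null ? "ok" : d, w == null ? "ok" : w);
        }
    }
}
```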
 
 
 



Re: Safe UserName characters

2005-08-23 Thread Matt Raible
On 8/23/05, Allen Gilliland [EMAIL PROTECTED] wrote:
 I know Elias had proposed adding a config property which is essentially a
 regex that would be used to determine if a username is okay.  Then site
 admins can alter that property as desired if they want to.
 
 Personally, I have mixed emotions about the prospect of letting app owners 
 alter the username and password restrictions.  I can see that it would be a 
 nice feature, but at the same time it really shouldn't be all that necessary 
 as long as we pick a good standard.
 
 Anyone know of any open standards for username character restrictions?  Elias 
 is correct that we should at least open up the username restrictions to allow 
 for '@' and '.' characters so that email addresses are valid.

I don't know if these characters are currently prevented, unless it
was recently added.  When we first installed Roller at SourceBeat, we
used e-mail addresses for usernames.

Matt

 
 -- Allen
 
 
 On Tue, 2005-08-23 at 06:31, Dave Johnson wrote:
  Yes, this is still an open issue in 2.0. It's on my list.
 
  Do we have a proposed solution?
 
  - Dave
 
 
  On Aug 21, 2005, at 10:25 PM, Elias Torres wrote:
 
   BTW, I don't think I have double-checked this, but handle in create
   weblog form does not seem to restrict any characters (as found in
   Roller_2.0 branch). Therefore, I guess we need to resolve this so we
   are not being inconsistent. Sorry for being such a pest on this.
  
   Elias
  
   On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:
   Due to Jaap's <http://rollerweblogger.org/wiki/Wiki.jsp?page=JaapVanDerMolen>
   work <http://rollerweblogger.org/wiki/Wiki.jsp?page=InstallationGuide#ref-InstallationGuide-6>
   websafe shouldn't be necessary.  But Anil indicated there were some
   issues with Tomcat not supporting non-ISO-8859-1 usernames.
  
   Lance
  
   On 8/16/05, Dave Johnson [EMAIL PROTECTED] wrote:
  
   What we really need is an algorithm for determining if a username (or in
   2.0 a webloghandle) is safe to use in a URL. Any pointers?
  
   - Dave
  
  
 
 



RE: Safe UserName characters

2005-08-16 Thread Kolano, Kenneth M.
Wouldn't the string of allowed characters be gigantic?

There are 95,156 characters in Unicode 3.2, though I'm unsure how many would
be needed on an allowed characters list. Perhaps for limited situations,
like (A-Z,-,@), this might work.

Kenneth M. Kolano
Technology Architecture  Innovation
908-423-4241
WS1B-51B


-Original Message-
From: Elias Torres [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 16, 2005 1:19 PM
To: roller-dev@incubator.apache.org
Subject: Re: Safe UserName characters


Sounds good to me. If the route will be to allow characters on a
configurable basis then I think it makes more sense to place the
config option in the ApplicationResources.properties.

Thanks!

Elias

On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:
 How about using ApplicationResources.properties to store the string of
 allowed characters?  This will allow you to customize as you wish for
 the moment (your suggested string should not pose a problem) and will
 allow languages other than English to specify any additional
 characters they like.
 
 I don't know how this will interact with the I18N/authentication
 problem Anil mentions, but wouldn't this allow those with expertise in
 their particular language (and how it interacts with Http/Tomcat)
 make the decision?
 
 Lance
 
 On 8/16/05, Elias Torres [EMAIL PROTECTED] wrote:
  Any decision on this need I have regarding safe characters? Did you
  decide whether you would include the ability to specify allowed
  characters (snippet included by me) or to remove the restriction on
  some characters because of your i18n work on Roller?
 
  We are trying to decide if we use Roller again inside for IBM weblogs,
  but I would not like to fork the code again and instead be using the
  latest releases from SVN. The more flexible you are with us, the
  easier our decision will be and less changes we'll have to maintain
  separate from the main repository.
 
  I'll definitely have more requests coming if we decide to go with Roller.
 
  Elias
 
  On 8/9/05, Anil Gangolli [EMAIL PROTECTED] wrote:
  
   A bit of caution, oddly related to the authentication mechanism topic.
   One of the stopping points has been problems in the form authentication
   chain, currently used by Roller.  Tomcat forces ISO-8859-1 for this.
  
   (There's a bug filed about it but I can't quote the number because I
   can't seem to get to our Jira site right now.  The bug says something
   about character corruption when going through login; it's high on the
   importance list, assigned to Dave with lots of comments from me while
   I went through analyzing it.)
  
   We may be able to address it for Tomcat with a Valve, but not sure how
   other containers will behave.
  
   --a.
  
   Elias Torres wrote:
  
   On 8/8/05, Lance Lavandowska [EMAIL PROTECTED] wrote:
   
   
   I think alphanumeric was chosen because it is known websafe but
   there are obviously other characters that can safely be put in a URL,
   such as the ones you list below.
   
   Since we are now encoding our URLs more thoroughly (for I18N support)
   perhaps we can drop this requirement?  I haven't looked thoroughly to
   support this question/claim.
   
   Lance
   
   
   
   That would be even better!
   
   Thanks Lance.
   
   Elias
   
   
   
   On 8/8/05, Elias Torres [EMAIL PROTECTED] wrote:
   
   
   Is there/should there be an option to allow other than alphanumeric
   characters in usernames other than commenting a few lines in
   UserBaseAction. At IBM we use email addresses as Roller IDs (because
   usernames are not globally unique, except at the country level).
   
   I've written a piece of code to make this work if you are interested.
   It uses commons-lang CharSetUtils.
   
   roller.properties
   [EMAIL PROTECTED]
   
   UserBaseAction.java
   
   protected static String DEFAULT_ALLOWED_CHARS = "A-Za-z0-9";
   
   UserBaseAction#validate()
   
   // Fall back to the default set when the property is missing or blank.
   String allowed = RollerConfig.getProperty("username.allowedChars");
   if (allowed == null || allowed.trim().length() == 0) {
       allowed = DEFAULT_ALLOWED_CHARS;
   }
   
   // keep() drops every character that is not in the allowed set.
   String safe = CharSetUtils.keep(form.getUserName(), allowed);
   
   Regards,
   
   Elias
   
   
   
   
   
   
   
  
  
  
 






--
Notice:  This e-mail message, together with any attachments, contains 
information of Merck  Co., Inc. (One Merck Drive, Whitehouse Station, New 
Jersey, USA 08889), and/or its affiliates (which may be known outside the 
United States as Merck Frosst, Merck Sharp  Dohme or MSD and in Japan, as 
Banyu) that may be confidential, proprietary copyrighted and/or legally 
privileged. It is intended solely for the use of the individual or entity named 
on this message.  If you are not the intended recipient, and have received this 
message in error, please notify us immediately by reply e-mail and then delete 
it from your system.
--


Re: Safe UserName characters

2005-08-16 Thread Dave Johnson


What we really need is an algorithm for determining if a username (or in
2.0 a webloghandle) is safe to use in a URL. Any pointers?


- Dave


On Aug 16, 2005, at 1:34 PM, Kolano, Kenneth M. wrote:


Wouldn't the string of allowed characters be gigantic?

There are 95,156 characters in Unicode 3.2, though I'm unsure how many would
be needed on an allowed characters list. Perhaps for limited situations,
like (A-Z,-,@), this might work.

Kenneth M. Kolano
Technology Architecture  Innovation
908-423-4241
WS1B-51B


-Original Message-
From: Elias Torres [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:19 PM
To: roller-dev@incubator.apache.org
Subject: Re: Safe UserName characters


Sounds good to me. If the route will be to allow characters on a
configurable basis then I think it makes more sense to place the
config option in the ApplicationResources.properties.

Thanks!

Elias

On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:

How about using ApplicationResources.properties to store the string of
allowed characters?  This will allow you to customize as you wish for
the moment (your suggested string should not pose a problem) and will
allow languages other than English to specify any additional
characters they like.

I don't know how this will interact with the I18N/authentication
problem Anil mentions, but wouldn't this allow those with expertise in
their particular language (and how it interacts with Http/Tomcat)
make the decision?

Lance

On 8/16/05, Elias Torres [EMAIL PROTECTED] wrote:

Any decision on this need I have regarding safe characters? Did you
decide whether you would include the ability to specify allowed
characters (snippet included by me) or to remove the restriction on
some characters because of your i18n work on Roller?

We are trying to decide if we use Roller again inside for IBM weblogs,
but I would not like to fork the code again and instead be using the
latest releases from SVN. The more flexible you are with us, the
easier our decision will be and less changes we'll have to maintain
separate from the main repository.

I'll definitely have more requests coming if we decide to go with Roller.


Elias

On 8/9/05, Anil Gangolli [EMAIL PROTECTED] wrote:


A bit of caution, oddly related to the authentication mechanism topic.
One of the stopping points has been problems in the form authentication
chain, currently used by Roller.  Tomcat forces ISO-8859-1 for this.

(There's a bug filed about it but I can't quote the number because I
can't seem to get to our Jira site right now.  The bug says something
about character corruption when going through login; it's high on the
importance list, assigned to Dave with lots of comments from me while
I went through analyzing it.)

We may be able to address it for Tomcat with a Valve, but not sure how
other containers will behave.

--a.

Elias Torres wrote:


On 8/8/05, Lance Lavandowska [EMAIL PROTECTED] wrote:



I think alphanumeric was chosen because it is known websafe but
there are obviously other characters that can safely be put in a URL,
such as the ones you list below.

Since we are now encoding our URLs more thoroughly (for I18N support)
perhaps we can drop this requirement?  I haven't looked thoroughly to
support this question/claim.

Lance




That would be even better!

Thanks Lance.

Elias




On 8/8/05, Elias Torres [EMAIL PROTECTED] wrote:


Is there/should there be an option to allow other than alphanumeric
characters in usernames other than commenting a few lines in
UserBaseAction. At IBM we use email addresses as Roller IDs (because
usernames are not globally unique, except at the country level).

I've written a piece of code to make this work if you are interested.
It uses commons-lang CharSetUtils.

roller.properties
[EMAIL PROTECTED]

UserBaseAction.java

protected static String DEFAULT_ALLOWED_CHARS = "A-Za-z0-9";

UserBaseAction#validate()

// Fall back to the default set when the property is missing or blank.
String allowed = RollerConfig.getProperty("username.allowedChars");
if (allowed == null || allowed.trim().length() == 0) {
    allowed = DEFAULT_ALLOWED_CHARS;
}

// keep() drops every character that is not in the allowed set.
String safe = CharSetUtils.keep(form.getUserName(), allowed);

Regards,

Elias





















