Re: Safe UserName characters
Yes, this is still an open issue in 2.0. It's on my list. Do we have a proposed solution?

- Dave

On Aug 21, 2005, at 10:25 PM, Elias Torres wrote:

BTW, I don't think I have double-checked this, but handle in create weblog form does not seem to restrict any characters (as found in Roller_2.0 branch). Therefore, I guess we need to resolve this so we are not being inconsistent. Sorry for being such a pest on this.

Elias

On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:

Due to Jaap's http://rollerweblogger.org/wiki/Wiki.jsp?page=JaapVanDerMolen work http://rollerweblogger.org/wiki/Wiki.jsp?page=InstallationGuide#ref-InstallationGuide-6 websafe shouldn't be necessary. But Anil indicated there were some issues with Tomcat not supporting non-ISO-8859-1 usernames.

Lance

On 8/16/05, Dave Johnson [EMAIL PROTECTED] wrote:

What we really need is an algorithm for determining if a username (or in 2.0 a webloghandle) is safe to use in a URL. Any pointers?

- Dave
Re: Safe UserName characters
I know Elias had proposed adding a config property which is essentially a regex that would be used to determine if a username is okay. Then site admins can alter that property as desired if they want to.

Personally, I have mixed emotions about the prospect of letting app owners alter the username and password restrictions. I can see that it would be a nice feature, but at the same time it really shouldn't be all that necessary as long as we pick a good standard. Anyone know of any open standards for username character restrictions?

Elias is correct that we should at least open up the username restrictions to allow for '@' and '.' characters so that email addresses are valid.

-- Allen

On Tue, 2005-08-23 at 06:31, Dave Johnson wrote:

Yes, this is still an open issue in 2.0. It's on my list. Do we have a proposed solution?

- Dave

On Aug 21, 2005, at 10:25 PM, Elias Torres wrote:

BTW, I don't think I have double-checked this, but handle in create weblog form does not seem to restrict any characters (as found in Roller_2.0 branch). Therefore, I guess we need to resolve this so we are not being inconsistent. Sorry for being such a pest on this.

Elias

On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:

Due to Jaap's http://rollerweblogger.org/wiki/Wiki.jsp?page=JaapVanDerMolen work http://rollerweblogger.org/wiki/Wiki.jsp?page=InstallationGuide#ref-InstallationGuide-6 websafe shouldn't be necessary. But Anil indicated there were some issues with Tomcat not supporting non-ISO-8859-1 usernames.

Lance

On 8/16/05, Dave Johnson [EMAIL PROTECTED] wrote:

What we really need is an algorithm for determining if a username (or in 2.0 a webloghandle) is safe to use in a URL. Any pointers?

- Dave
Re: Safe UserName characters
On 8/23/05, Allen Gilliland [EMAIL PROTECTED] wrote:

I know Elias had proposed adding a config property which is essentially a regex that would be used to determine if a username is okay. Then site admins can alter that property as desired if they want to.

Personally, I have mixed emotions about the prospect of letting app owners alter the username and password restrictions. I can see that it would be a nice feature, but at the same time it really shouldn't be all that necessary as long as we pick a good standard. Anyone know of any open standards for username character restrictions?

Elias is correct that we should at least open up the username restrictions to allow for '@' and '.' characters so that email addresses are valid.

I don't know if these characters are currently prevented, unless it was recently added. When we first installed Roller at SourceBeat, we used e-mail addresses for usernames.

Matt

-- Allen

On Tue, 2005-08-23 at 06:31, Dave Johnson wrote:

Yes, this is still an open issue in 2.0. It's on my list. Do we have a proposed solution?

- Dave

On Aug 21, 2005, at 10:25 PM, Elias Torres wrote:

BTW, I don't think I have double-checked this, but handle in create weblog form does not seem to restrict any characters (as found in Roller_2.0 branch). Therefore, I guess we need to resolve this so we are not being inconsistent. Sorry for being such a pest on this.

Elias

On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:

Due to Jaap's http://rollerweblogger.org/wiki/Wiki.jsp?page=JaapVanDerMolen work http://rollerweblogger.org/wiki/Wiki.jsp?page=InstallationGuide#ref-InstallationGuide-6 websafe shouldn't be necessary. But Anil indicated there were some issues with Tomcat not supporting non-ISO-8859-1 usernames.

Lance

On 8/16/05, Dave Johnson [EMAIL PROTECTED] wrote:

What we really need is an algorithm for determining if a username (or in 2.0 a webloghandle) is safe to use in a URL. Any pointers?

- Dave
RE: Safe UserName characters
Wouldn't the string of allowed characters be gigantic? There are 95,156 characters in Unicode 3.2, though I'm unsure how many would be needed on an allowed characters list. Perhaps for limited situations, like (A-Z,-,@), this might work.

Kenneth M. Kolano Technology Architecture Innovation 908-423-4241 WS1B-51B

-----Original Message-----
From: Elias Torres [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:19 PM
To: roller-dev@incubator.apache.org
Subject: Re: Safe UserName characters

Sounds good to me. If the route will be to allow characters on a configurable basis then I think it makes more sense to place the config option in the ApplicationResources.properties. Thanks!

Elias

On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:

How about using ApplicationResources.properties to store the string of allowed characters? This will allow you to customize as you wish for the moment (your suggested string should not pose a problem) and will allow languages other than English to specify any additional characters they like. I don't know how this will interact with the I18N/authentication problem Anil mentions, but wouldn't this allow those with expertise in their particular language (and how it interacts with Http/Tomcat) to make the decision?

Lance

On 8/16/05, Elias Torres [EMAIL PROTECTED] wrote:

Any decision on this need I have regarding safe characters? Did you decide whether you would include the ability to specify allowed characters (snippet included by me) or to remove the restriction on some characters because of your i18n work on Roller? We are trying to decide if we use Roller again inside for IBM weblogs, but I would not like to fork the code again and instead be using the latest releases from SVN. The more flexible you are with us, the easier our decision will be and fewer changes we'll have to maintain separate from the main repository. I'll definitely have more requests coming if we decide to go with Roller.

Elias

On 8/9/05, Anil Gangolli [EMAIL PROTECTED] wrote:

A bit of caution, oddly related to the authentication mechanism topic. One of the stopping points has been problems in the form authentication chain, currently used by Roller. Tomcat forces ISO-8859-1 for this. (There's a bug filed about it but I can't quote the number because I can't seem to get to our Jira site right now. The bug says something about character corruption when going through login; it's high on the importance list, assigned to Dave with lots of comments from me while I went through analyzing it.) We may be able to address it for Tomcat with a Valve, but not sure how other containers will behave.

--a.

Elias Torres wrote:

On 8/8/05, Lance Lavandowska [EMAIL PROTECTED] wrote:

I think alphanumeric was chosen because it is known websafe but there are obviously other characters that can safely be put in a URL, such as the ones you list below. Since we are now encoding our URLs more thoroughly (for I18N support) perhaps we can drop this requirement? I haven't looked thoroughly to support this question/claim.

Lance

That would be even better! Thanks Lance.

Elias

On 8/8/05, Elias Torres [EMAIL PROTECTED] wrote:

Is there/should there be an option to allow other than alphanumeric characters in usernames other than commenting a few lines in UserBaseAction? At IBM we use email addresses as Roller IDs (because usernames are not globally unique, except at the country level). I've written a piece of code to make this work if you are interested. It uses commons-lang CharSetUtils.

roller.properties

    [EMAIL PROTECTED]

UserBaseAction.java

    protected static String DEFAULT_ALLOWED_CHARS = "A-Za-z0-9";

UserBaseAction#validate()

    String allowed = RollerConfig.getProperty("username.allowedChars");
    // fall back to the default set when the property is unset or blank
    if (allowed == null || allowed.trim().length() == 0) {
        allowed = DEFAULT_ALLOWED_CHARS;
    }
    // keep only the characters that are in the allowed set
    String safe = CharSetUtils.keep(form.getUserName(), allowed);

Regards,
Elias

--
Notice: This e-mail message, together with any attachments, contains information of Merck Co., Inc. (One Merck Drive, Whitehouse Station, New Jersey, USA 08889), and/or its affiliates (which may be known outside the United States as Merck Frosst, Merck Sharp Dohme or MSD and in Japan, as Banyu) that may be confidential, proprietary copyrighted and/or legally privileged. It is intended solely for the use of the individual or entity named on this message. If you are not the intended recipient, and have received this message in error, please notify us immediately by reply e-mail and then delete it from your system.
--
Re: Safe UserName characters
What we really need is an algorithm for determining if a username (or in 2.0 a webloghandle) is safe to use in a URL. Any pointers?

- Dave

On Aug 16, 2005, at 1:34 PM, Kolano, Kenneth M. wrote:

Wouldn't the string of allowed characters be gigantic? There are 95,156 characters in Unicode 3.2, though I'm unsure how many would be needed on an allowed characters list. Perhaps for limited situations, like (A-Z,-,@), this might work.

Kenneth M. Kolano Technology Architecture Innovation 908-423-4241 WS1B-51B

-----Original Message-----
From: Elias Torres [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:19 PM
To: roller-dev@incubator.apache.org
Subject: Re: Safe UserName characters

Sounds good to me. If the route will be to allow characters on a configurable basis then I think it makes more sense to place the config option in the ApplicationResources.properties. Thanks!

Elias

On 8/16/05, Lance Lavandowska [EMAIL PROTECTED] wrote:

How about using ApplicationResources.properties to store the string of allowed characters? This will allow you to customize as you wish for the moment (your suggested string should not pose a problem) and will allow languages other than English to specify any additional characters they like. I don't know how this will interact with the I18N/authentication problem Anil mentions, but wouldn't this allow those with expertise in their particular language (and how it interacts with Http/Tomcat) to make the decision?

Lance

On 8/16/05, Elias Torres [EMAIL PROTECTED] wrote:

Any decision on this need I have regarding safe characters? Did you decide whether you would include the ability to specify allowed characters (snippet included by me) or to remove the restriction on some characters because of your i18n work on Roller? We are trying to decide if we use Roller again inside for IBM weblogs, but I would not like to fork the code again and instead be using the latest releases from SVN. The more flexible you are with us, the easier our decision will be and fewer changes we'll have to maintain separate from the main repository. I'll definitely have more requests coming if we decide to go with Roller.

Elias

On 8/9/05, Anil Gangolli [EMAIL PROTECTED] wrote:

A bit of caution, oddly related to the authentication mechanism topic. One of the stopping points has been problems in the form authentication chain, currently used by Roller. Tomcat forces ISO-8859-1 for this. (There's a bug filed about it but I can't quote the number because I can't seem to get to our Jira site right now. The bug says something about character corruption when going through login; it's high on the importance list, assigned to Dave with lots of comments from me while I went through analyzing it.) We may be able to address it for Tomcat with a Valve, but not sure how other containers will behave.

--a.

Elias Torres wrote:

On 8/8/05, Lance Lavandowska [EMAIL PROTECTED] wrote:

I think alphanumeric was chosen because it is known websafe but there are obviously other characters that can safely be put in a URL, such as the ones you list below. Since we are now encoding our URLs more thoroughly (for I18N support) perhaps we can drop this requirement? I haven't looked thoroughly to support this question/claim.

Lance

That would be even better! Thanks Lance.

Elias

On 8/8/05, Elias Torres [EMAIL PROTECTED] wrote:

Is there/should there be an option to allow other than alphanumeric characters in usernames other than commenting a few lines in UserBaseAction? At IBM we use email addresses as Roller IDs (because usernames are not globally unique, except at the country level). I've written a piece of code to make this work if you are interested. It uses commons-lang CharSetUtils.

roller.properties

    [EMAIL PROTECTED]

UserBaseAction.java

    protected static String DEFAULT_ALLOWED_CHARS = "A-Za-z0-9";

UserBaseAction#validate()

    String allowed = RollerConfig.getProperty("username.allowedChars");
    // fall back to the default set when the property is unset or blank
    if (allowed == null || allowed.trim().length() == 0) {
        allowed = DEFAULT_ALLOWED_CHARS;
    }
    // keep only the characters that are in the allowed set
    String safe = CharSetUtils.keep(form.getUserName(), allowed);

Regards,
Elias
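
An added example, not code from the thread or from Roller: one way to approach the question of whether a username or weblog handle is safe to use in a URL, using the regex config property idea mentioned in the thread. The class name `HandleCheck`, the pattern strings and the sample names are assumptions; it rejects a name that falls outside the allowlist rather than stripping characters (stripping would turn `a/b` into `ab` and collide with a different name), and it percent-encodes as UTF-8 for a single path segment.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class HandleCheck {
    // Assumed default, mirroring DEFAULT_ALLOWED_CHARS ("A-Za-z0-9") from the thread.
    static final String DEFAULT_PATTERN = "[A-Za-z0-9]+";

    private final Pattern allowed;

    // configured: value of a hypothetical site property; null or blank selects the default.
    HandleCheck(String configured) {
        String p = (configured == null || configured.trim().isEmpty())
                ? DEFAULT_PATTERN : configured.trim();
        this.allowed = Pattern.compile(p);
    }

    // Accept only when the WHOLE name matches the allowlist; never strip and continue.
    boolean isAcceptable(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        // "." and ".." are dot-segments in a URL path and must not become handles,
        // even when '.' itself is allowed for e-mail style names.
        if (name.equals(".") || name.equals("..")) {
            return false;
        }
        return allowed.matcher(name).matches();
    }

    // Percent-encode as UTF-8 for use as one path segment (URLEncoder is form-oriented,
    // so its '+' for space is rewritten to %20).
    static String toPathSegment(String name) {
        return URLEncoder.encode(name, StandardCharsets.UTF_8).replace("+", "%20");
    }

    public static void main(String[] args) {
        HandleCheck strict = new HandleCheck(null);              // alphanumeric only
        HandleCheck email = new HandleCheck("[A-Za-z0-9@._-]+"); // assumed e-mail style set
        // Constructed sample names, not taken from the thread.
        String[] samples = { "elias", "elias@example.com", "a/b", "..", "jos\u00e9", "" };
        for (String s : samples) {
            boolean ok = email.isAcceptable(s);
            System.out.printf("%-22s default=%-5b email=%-5b segment=%s%n",
                    "\"" + s + "\"", strict.isAcceptable(s), ok, ok ? toPathSegment(s) : "-");
        }
    }
}
```

`URLEncoder.encode(String, Charset)` requires Java 10 or later; on older runtimes the `encode(String, "UTF-8")` overload does the same job.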