#70 Authentication Failures


There is a user on Citizen Sky who is experiencing authentication failures. He states that he has a space in his username; my suspicion is that this is causing the issues. The attached patch attempts to fix it. I'm not sure about the regex in Java, but this would need review.


  • Adam

    Adam - 2009-11-17

    Hopefully modifications to the auth pattern to allow space in username.

  • Adam

    Adam - 2009-11-17
    • labels: --> Infrastructure
    • milestone: --> Defect
    • assigned_to: nobody --> adamweber
    • status: open --> open-accepted
  • David Benn

    David Benn - 2009-11-18

    Nice catch Adam! I came to the same conclusion just before seeing this entry. LoginDialog:


    is the only class from which this error message arises, so it's definitely the culprit.

    Your patch is almost right. The regex needs only to have a single whitespace character added: \\s vs \\s+ since the trailing {2,40} says: any of the foregoing characters may appear n times where 2 <= n <= 40. The addition of \\s was my first thought also. Upon reflection, I suspect that a space character (ASCII 32) is sufficient since tabs seem implausible in a username/password, and newline is, AFAIK, impossible, unless it is first quoted. Nevertheless, it is prudent to permit any whitespace.

    All of this raises the question: what, if anything, with respect to username/password *should* be validated by LoginDialog? I am, as usual, probably being too cautious. Perhaps nothing except length should be checked in these fields, i.e. do the entered values consist of non-whitespace characters of non-zero length? It may pay to ask Kate Davis what is permitted by the back-end CS login subsystem.

    In the meantime, I will apply a slightly modified version of your patch, along the lines of what has been described above.

  • Adam

    Adam - 2009-11-18

    I was thinking along the same lines, that maybe this should be a list of what is explicitly excluded.

    "punctuation is not allowed except for periods, hyphens, and underscores." is what's claimed on the citizensky page, but I know that "@" is in the valid set as well, because for a while I was using my email as a username.

    It's a tough call, really: if we exclude, then things can slip through, causing increased bogus auth traffic on the Citizen Sky side. I don't know how much, though; I think we can safely assume at this point that users are reasonable actors for the most part.
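The regex discussion in the two comments above, as an added, stand-alone example (not VStar's LoginDialog code): the ticket never shows the actual character class, so the `BEFORE` and `AFTER` patterns below are assumptions built from the characters the thread mentions (word characters, period, hyphen, underscore, "@") and the `{2,40}` bound. It demonstrates David's point that inside a bracketed class the quantifier already repeats every member, so `\s` rather than `\s+` is the right addition, and it puts the "length only" alternative beside the pattern checks so the trade-off can be seen on real input. The class name, the `lengthOnlyCheck` helper and the sample usernames are all made up for this example.

```java
import java.util.regex.Pattern;

/**
 * Added example, not VStar's own code. Compares an assumed pre-patch
 * username pattern with the corrected one and with a length-only check.
 */
public class UsernamePatternDemo {

    // Assumed "before" pattern: no whitespace permitted anywhere in the name.
    // (Hypothetical reconstruction; VStar's real class is not in the ticket.)
    static final Pattern BEFORE = Pattern.compile("[\\w.@-]{2,40}");

    // Corrected pattern: \s added to the class. The trailing {2,40} already
    // applies to every member of the class, so \s (not \s+) is sufficient.
    static final Pattern AFTER = Pattern.compile("[\\w.@\\s-]{2,40}");

    // Looser alternative raised in the thread: require only non-zero length
    // and some non-whitespace content, leaving the vocabulary to the server.
    static boolean lengthOnlyCheck(String value) {
        return value != null && !value.trim().isEmpty() && value.length() <= 40;
    }

    // matches() anchors the pattern to the whole string, which is what a
    // validation check wants; find() would accept a partial match.
    static boolean matches(Pattern p, String value) {
        return value != null && p.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain name, the reported space case,
        // the punctuation the thread lists, a one-character name, and a
        // name consisting only of spaces.
        String[] samples = {"adam", "john smith", "a.b-c_d@example.org", "x", "  "};
        for (String s : samples) {
            System.out.printf("%-22s before=%-5s after=%-5s lengthOnly=%s%n",
                    "\"" + s + "\"",
                    matches(BEFORE, s), matches(AFTER, s), lengthOnlyCheck(s));
        }
    }
}
```

Running `main` shows the reported case ("john smith") rejected by `BEFORE` and accepted by `AFTER`. It also shows the caveat of simply adding `\s` to the class: a name made entirely of spaces satisfies `AFTER` because every character is now a permitted member, whereas the length-only check (which trims first) rejects it. Either way the client-side check only filters obviously malformed input before it reaches the login request; the back-end CS login subsystem remains the authority on what a valid username is.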

  • mikeu

    mikeu - 2009-12-10

    This one looks fixed to me.

  • Adam

    Adam - 2009-12-11

    Marking as such.

  • Adam

    Adam - 2009-12-11
    • status: open-accepted --> closed-fixed
