
At the moment we are implementing a WSO2 Identity Server and I am checking the configs. My goal was to enable spaces in usernames. Those are not allowed by default and protected by some regexes. I do not understand why there is a difference in the regexes for Frontend and Backend.

Here is the snippet taken from repository/conf/user-mgt.xml:

<Property name="UsernameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._\-|//]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>

First thing is that I do not get why those regexes for username/rolename are different for frontend/backend, while the ones for the passwords are equal. Shouldn't they all use the same regexes for backend/frontend? The current examples and documentation are a little strange. For example, the frontend accepts a username containing a ":" while the backend doesn't accept it?

Second thing is I am not sure if I am breaking up things by just allowing an empty space as part of those regexes (bad practice?).

[a-zA-Z0-9._\-|//]{3,30}$    ==>    [a-zA-Z0-9 ._\-|//]{3,30}$
^[\S]{3,30}$                 ==>    ^[\S ]{3,30}$

Is there some kind of OWASP best practice for username validation? I have not found anything so far...

Any help or information is welcome.

Marco
Note that empty spaces get counted as literal space characters - it's not "breaking things up". – CertainPerformance May 09 '18 at 09:06

This sounds good for me. OWASP also does not deny usage of spaces in any way so I am going to use it. Thanks! I still hope someone has an explanation for the first part of my question. – Marco May 09 '18 at 09:28


Yes, you are right. They should be identical if you don't want to waste users' time on filling forms, or it doesn't matter, since one regex is putting a limit on another one and sometimes people don't bother to validate again when they are sure about incoming data. But in your case one is used in the front-end, which can be modified, so the one used in the back-end should be precise.

It seems the regex used in Java allows special characters like pipe | and slash / in a username. Regarding this inconsistent usage of regular expressions, you should confirm it as a need or requirement.

Regardless of which method is being used, this regex [a-zA-Z0-9._\-|//]{3,30}$ alone allows usernames more than 30 characters long, following any type of characters, since no beginning-of-string anchor ^ is defined (which you may need).

Is there some kind of OWASP best practice...

Yes, there is. Just don't validate weird characters i.e. \x00

As a side note, you are limiting passwords to a certain length which you shouldn't.

revo
Awesome - Thank you very much for clarification! I was also wondering why we should limit the password length but I am still at the beginning of this identity server setup and clearing up things. I got the feeling I should not trust every config and example I find in their docs. – Marco May 09 '18 at 11:22
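The following is an added example, not code from the question, the answer, or WSO2. It takes the two username patterns quoted from user-mgt.xml (plus the space-permitting variants proposed in the question) and runs a small set of constructed names through both, once with search semantics (JavaScript's `RegExp.prototype.test()`, Java's `Matcher.find()`: a match anywhere in the input is enough) and once with full-match semantics (Java's `String.matches()`: the whole input must match, so both ends are implicitly anchored). The point of doing both is that the consequence of the missing `^` anchor the answer mentions depends on how the server applies the pattern, and that is a property of the validating code, not of the pattern; the example takes no position on what WSO2 does internally. The helper names (`fullMatch`, `searchMatch`, `checkUsername`, `findMismatches`, `report`) and the sample names are assumptions made for this illustration.

```javascript
// Added example, not code from the question or from WSO2. Compares the
// frontend (JavaScript) and backend (Java) username patterns under two ways
// a regex can be applied, because the effect of the missing '^' depends on it:
//   - search semantics: RegExp.prototype.test() / Java Matcher.find()
//   - full-match semantics: Java String.matches(); whole input must match

const PATTERNS = {
  // Patterns copied verbatim from the question's user-mgt.xml snippet
  original: {
    backend: String.raw`[a-zA-Z0-9._\-|//]{3,30}$`, // UsernameJavaRegEx: no '^'
    frontend: String.raw`^[\S]{3,30}$`,             // UsernameJavaScriptRegEx
  },
  // The space-permitting variants proposed in the question
  withSpace: {
    backend: String.raw`[a-zA-Z0-9 ._\-|//]{3,30}$`,
    frontend: String.raw`^[\S ]{3,30}$`,
  },
};

// Search semantics: a match anywhere in the input suffices.
function searchMatch(pattern, input) {
  return new RegExp(pattern).test(input);
}

// Full-match semantics, emulating Java's String.matches(): the whole input
// must match, so the pattern is wrapped in its own ^ ... $ anchors.
function fullMatch(pattern, input) {
  return new RegExp(`^(?:${pattern})$`).test(input);
}

// Run one candidate name through a frontend/backend pair with the given matcher.
function checkUsername(name, pair, matcher) {
  const frontend = matcher(pair.frontend, name);
  const backend = matcher(pair.backend, name);
  return { name, frontend, backend, consistent: frontend === backend };
}

// Consistency check: names the client accepts but the server rejects (a wasted
// form round-trip), or that the server accepts but the client would have
// rejected (the client check is advisory only and can be bypassed).
function findMismatches(names, pair, matcher) {
  return names.map((n) => checkUsername(n, pair, matcher)).filter((r) => !r.consistent);
}

// Constructed sample inputs chosen to probe the edge cases discussed above.
const SAMPLES = [
  "alice",                // plain name, accepted everywhere
  "ab",                   // too short, rejected everywhere
  "alice:bob",            // ':' satisfies \S but is not in the backend class
  "john doe",             // the space the question wants to allow
  "\u00e9lodie",          // non-ASCII letter: \S accepts it, the backend class does not
  "!!!" + "a".repeat(30), // 33 chars; the unanchored backend pattern still finds 'a' x 30 at the end
];

// Summarise mismatches for both pattern sets under both matching semantics.
function report() {
  const names = (rows) => rows.map((r) => r.name);
  return {
    originalFullMatch: names(findMismatches(SAMPLES, PATTERNS.original, fullMatch)),
    originalSearch: names(findMismatches(SAMPLES, PATTERNS.original, searchMatch)),
    withSpaceFullMatch: names(findMismatches(SAMPLES, PATTERNS.withSpace, fullMatch)),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Under full-match semantics the two original patterns disagree on "alice:bob" and on the non-ASCII name (frontend accepts, backend rejects), which is the mismatch the question observed; adding the space to both patterns makes "john doe" pass consistently but leaves those two disagreements in place. Under search semantics the missing `^` shows up instead: the backend pattern accepts "john doe" (it finds "doe" before the end) and the 33-character name (it finds the trailing 30 letters) even though the frontend rejects both. Whichever semantics the server uses, the server-side pattern is the one that has to be authoritative, since the client-side check can be removed by the user.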