[hibernate-issues] [Hibernate-JIRA] Commented: (HV-406) URL Validator not effective

[Gunnar Morling (JIRA)]

    [ http://opensource.atlassian.com/projects/hibernate/browse/HV-406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=40054#action_40054 ] 

Gunnar Morling commented on HV-406:
-----------------------------------

I think this is similar to @Email - from a specification point of view much more values are valid than one typically finds in the wild. 

Restricting @URL values to "real" internet addresses seems a bit too strict IMO, though. For instance "http://localhost" as an URL value seems not that uncommon, so this should not be considered as invalid by HV (btw. the domain part can be longer than three characters: *.info, *.name or even *.museum).

Generally I think the requirements for validating URLs just depend too much on the context of the use case at hand, so it's really hard to provide a generic solution for this. For instance according to [WP|http://en.wikipedia.org/wiki/Uniform_Resource_Locator] URLs also could contain parts such a username or a password: http://username:password@domain:port/ In one use case this might be valid, in others not.

Personally I feel we should stick with using java.net.URL for validation as this ensures correctness according to what Java can process technically as URL. If in a certain scenario a more restrictive validation is needed, using @Pattern in addition to @URL might help.

> URL Validator not effective
> ---------------------------
>
>                 Key: HV-406
>                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-406
>             Project: Hibernate Validator
>          Issue Type: Bug
>          Components: validators
>    Affects Versions: 4.1.0.Final
>            Reporter: Marc Schipperheyn
>            Priority: Minor
>             Fix For: 4.2.0.CR1
>
>
> The supplied URL Validator basically doesn't work. Or at least not as expected.
> It creates a URL against the URL class and if it fails this, it returns false. There are multiple problems with this:
> * A URL like http://bljdlfghjdlgjlfd is perfectly valid according to the URL class (intranet domains can be anything)
> * It's not the most efficient way to test this (generating an error etc)
> In order to retain backward compatibility I would suggest adding an "internet" attribute, which would force the validator to really check for minimally one dot, maximum 3 characters in the domain extension, etc. Because that is what you would normally want from a validator like this.
> Also, I would not use the URL class, but use a regular expression. A more elegant way to check this. 
> The URL class approach could be retained for when the "internet" attribute is false

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira