Monday, November 5, 2012

Liferay 6.1.1 GA2 Application Security

1. Web server type and version disclosure.
Risk Impact

Being able to determine precise software versions might aid an attacker in mounting tailored attacks on the server.

Recommendation
It is recommended to remove software versions from service banners.

Solution
Add the below property in portal-ext.properties (it controls only the Liferay-Portal response header, not the servlet container's own Server header):
##
## HTTP Header Response
##

    #
    # Set the level of verbosity to use for the Liferay-Portal field in the HTTP
    # header response. Valid values are "full", which gives all of the version
    # information (e.g. Liferay Portal Community Edition 6.1.0 CE etc.) or
    # "partial", which gives only the name portion (e.g. Liferay Portal
    # Community Edition).
    #
    http.header.version.verbosity=partial

2.  Auto complete is enabled

 Risk Impact
 Leaving the 'autocomplete' attribute unset on the login form lets the browser store the credentials, so an attacker with access to a public computer or a shared account can recover valid credentials of previously logged-in users.

 Recommendation
 It is recommended to set auto complete functionality to “off” for sensitive input fields.

 Solution
 Add the below properties in portal-ext.properties

    #
    # Set this to true to allow users to autocomplete the login form based on
    # their previously entered values.
    #
    company.security.login.form.autocomplete=false

    #
    # Set this to true to allow users to ask the portal to send them their
    # password.
    #
    company.security.send.password=false

 3. Missing HttpOnly Attribute in Session Cookie

 Risk Impact
 Without the HttpOnly attribute on the Set-Cookie header, script running in the page (for example, script injected through a cross-site scripting flaw) can read the session cookie and use it to hijack or tamper with the user's session.

 Recommendation
 It is recommended to enable the HttpOnly flag for session cookies.
   
 Solution
 Set useHttpOnly="true" on the root <Context> element of the Tomcat {TOMCAT_HOME}\conf\context.xml file, leaving its existing child elements in place:
<Context useHttpOnly="true">
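As an added check for the three findings above (this script is not from the original post and is not Liferay code), the block below parses a raw HTTP response offline and reports a Liferay-Portal or Server header that carries a version number, a JSESSIONID cookie set without HttpOnly, and a form with a password field that carries no autocomplete="off". The two sample responses are constructed to resemble a Liferay 6.1 / Tomcat reply before and after the properties above are applied; they are not captured from a real server, and the login form markup (portlet id 58, input names) is an assumption. Tomcat's default Server header is left in both samples on purpose: none of the three settings changes it, so it is still reported after hardening.

```python
"""Offline audit of a raw HTTP response for the three Liferay 6.1 findings above."""
import re
from typing import List, Tuple

# Constructed samples (not captured from a real server). The first mimics a
# default Liferay 6.1 / Tomcat reply; the second is the same reply after
# http.header.version.verbosity=partial, company.security.login.form.autocomplete=false
# and useHttpOnly="true" are in place. Tomcat's default Server header is left
# untouched in both, because none of the three settings changes it.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Liferay-Portal: Liferay Portal Community Edition 6.1.1 CE GA2 (Paton / Build 6101 / July 31, 2012)\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>\r\n"
    '<form action="/c/portal/login" method="post" name="_58_fm">\r\n'
    '<input name="_58_login" type="text" />\r\n'
    '<input name="_58_password" type="password" />\r\n'
    "</form></body></html>\r\n"
)

SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Liferay-Portal: Liferay Portal Community Edition\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body>\r\n"
    '<form action="/c/portal/login" method="post" name="_58_fm" autocomplete="off">\r\n'
    '<input name="_58_login" type="text" />\r\n'
    '<input name="_58_password" type="password" />\r\n'
    "</form></body></html>\r\n"
)

VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")
FORM_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
PASSWORD_RE = re.compile(r'<input\b[^>]*type="password"[^>]*>', re.IGNORECASE)
AUTOCOMPLETE_OFF_RE = re.compile(r'\bautocomplete="off"', re.IGNORECASE)


def parse_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw response into lower-cased (name, value) headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def check_version_disclosure(headers) -> List[str]:
    """Finding 1: a Liferay-Portal or Server header that contains a version number."""
    return [
        f"{name} header discloses a version: {value}"
        for name, value in headers
        if name in ("liferay-portal", "server") and VERSION_RE.search(value)
    ]


def check_session_cookie(headers) -> List[str]:
    """Finding 3: a JSESSIONID cookie set without the HttpOnly attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if cookie_name.upper() == "JSESSIONID" and "httponly" not in attrs:
            findings.append("JSESSIONID cookie is set without HttpOnly")
    return findings


def check_login_autocomplete(body: str) -> List[str]:
    """Finding 2: a form with a password field where neither the form tag nor
    the password input carries autocomplete="off"."""
    findings = []
    for form in FORM_RE.finditer(body):
        inner = body[form.end():].split("</form>", 1)[0]
        pw = PASSWORD_RE.search(inner)
        if pw is None:
            continue  # no password field, so not a login form
        if AUTOCOMPLETE_OFF_RE.search(form.group(0)) or AUTOCOMPLETE_OFF_RE.search(pw.group(0)):
            continue
        findings.append(f'login form without autocomplete="off": {form.group(0)}')
    return findings


def audit(raw: str) -> List[str]:
    """Run all three checks over one raw HTTP response and return the findings."""
    headers, body = parse_response(raw)
    return (
        check_version_disclosure(headers)
        + check_session_cookie(headers)
        + check_login_autocomplete(body)
    )


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for finding in audit(sample) or ["no findings"]:
            print(" -", finding)
```

Run it against a response you captured yourself (for example the output of `curl -si` on the login page) by passing the raw text to `audit()`; the header checks stay valid for any page, and the autocomplete check only reacts to forms that actually contain a password field.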

Tuesday, October 16, 2012

Liferay 6.1.1 : Disable simultaneous login from different sessions

Add the below properties in portal-ext.properties

     ##
     ## Live Users
     ##

    #
    # Set this to true to enable tracking via Live Users.
    #
    live.users.enabled=true

    #
    # Set the following to true if users are allowed to have simultaneous logins
    # from different sessions. This property is not used unless the property
    # "live.users.enabled" is set to true.
    #
    auth.simultaneous.logins=false

Monday, October 15, 2012

Disable "Request processed successfully" Message

1. To turn the automatic message off for every action of the portlet, add this init parameter to the portlet's entry in portlet.xml:

<init-param>
    <name>add-process-action-success-action</name>
    <value>false</value>
</init-param>

2. If you want to change the message for a particular action rather than for all actions, add it yourself at the end of that action method. The "request_processed" key is the one Liferay's default success message uses, so the standard success box is shown with your text:

// imports needed in YourPortletClass.java
import java.io.IOException;

import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.PortletException;

import com.liferay.portal.kernel.servlet.SessionMessages;

public void addBook(ActionRequest actionRequest, ActionResponse actionResponse)
    throws IOException, PortletException {

    // ... add the book ...

    // Queue a custom success message for this action only.
    String successMsg = "Book added Successfully!";

    SessionMessages.add(actionRequest, "request_processed", successMsg);
}

AUI Form Validation for Alpha and AlphaNumeric


<aui:input name="field1">

    <!-- Only allow alphabetical characters -->
    <aui:validator name="alpha" />

</aui:input>

<aui:input name="field2">

    <!-- Only allow alphanumeric characters/digits -->
    <aui:validator name="alphanum" />

</aui:input>

AUI Form Validation For file uploads with extension

<aui:input type="file" name="field2">

    <!--
    For use with input type="file".
    Only allow file uploads with these extensions.
    Specify multiple values either comma delimited 'jpg, png',
    whitespace delimited 'jpg png', or pipe delimited 'jpg|png'.
    Do not include the period before the extension.
    -->
    <aui:validator name="acceptFiles">
        'jpg, png'
    </aui:validator>

</aui:input>

AUI Form Validator Taglib

<aui:input name="field1">
    <!-- Example with multiple validators -->

    <!-- Make the field required. If the field is empty, the form will not submit -->
    <aui:validator name="required" />

    <!-- Only allow digits in the field -->
    <aui:validator name="digits" />

    <!-- Make sure the numeric value is between 1 and 100 (use rangeLength to limit the length instead) -->
    <aui:validator name="range">
    [1,100]
    </aui:validator>

</aui:input>

These validators run in the browser only. They improve usability, but a request built outside the form skips them entirely, and acceptFiles looks only at the file name, so the same rules (and the real content of uploaded files) must be checked again in the action method on the server.

Wednesday, July 25, 2012

liferay-ui:discussion with custom portlet (MVCPortlet / Liferay 6.1)

Add the below code in view.jsp. renderRequest, renderResponse, resourceRequest and resourceResponse are provided by <portlet:defineObjects />, and currentURL is the value to pass as the redirect attribute of the <liferay-ui:discussion> tag so the comment form returns to the current page:

<%@ taglib uri="http://java.sun.com/portlet_2_0" prefix="portlet" %>
<%@ taglib uri="http://liferay.com/tld/ui" prefix="liferay-ui" %>

<%@ page import="com.liferay.portlet.PortletURLUtil" %>
<%@ page import="javax.portlet.PortletMode" %>
<%@ page import="javax.portlet.PortletURL" %>
<%@ page import="javax.portlet.WindowState" %>

<portlet:defineObjects />

<%
// Work out the URL of the current request, whether the JSP is being
// rendered or served as a resource, so the discussion form can redirect back to it.
WindowState windowState = null;
PortletMode portletMode = null;
PortletURL currentURLObj = null;

if (renderRequest != null) {
    windowState = renderRequest.getWindowState();
    portletMode = renderRequest.getPortletMode();
    currentURLObj = PortletURLUtil.getCurrent(renderRequest, renderResponse);
}
else if (resourceRequest != null) {
    windowState = resourceRequest.getWindowState();
    portletMode = resourceRequest.getPortletMode();
    currentURLObj = PortletURLUtil.getCurrent(resourceRequest, resourceResponse);
}

String currentURL = currentURLObj.toString();
%>


Add the below invokeTaglibDiscussion method to YourPortletClass.java. The form rendered by liferay-ui:discussion submits with the action name invokeTaglibDiscussion, and MVCPortlet dispatches an action to the method of the same name, so the method name must match exactly:

import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.PortletConfig;

import com.liferay.portal.kernel.util.PortalClassInvoker;

/**
 * Hands the comment form submission over to the Message Boards
 * EditDiscussionAction, which adds, updates and deletes discussion messages.
 */
public void invokeTaglibDiscussion(ActionRequest actionRequest, ActionResponse actionResponse)
    throws Exception {

    PortletConfig portletConfig = getPortletConfig();

    // The Struts ActionMapping and ActionForm arguments are not needed here, so
    // null is passed for both; the action only uses the portlet objects.
    PortalClassInvoker.invoke(
        true, "com.liferay.portlet.messageboards.action.EditDiscussionAction",
        "processAction",
        new String[] {
            "org.apache.struts.action.ActionMapping",
            "org.apache.struts.action.ActionForm",
            PortletConfig.class.getName(),
            ActionRequest.class.getName(),
            ActionResponse.class.getName()
        },
        null, null, portletConfig, actionRequest, actionResponse);
}