Sunday, August 30, 2020
Thursday, August 27, 2020
Wednesday, June 24, 2015
Liferay Connected Services
Liferay Connected Services is a new online platform that offers a set of tools and services that will help our customers succeed on their Liferay projects. Read more: https://www.liferay.com/products/liferay-connected-services
Labels: LCS, liferay, Liferay Connected Services
Monday, November 5, 2012
Liferay 6.1.1 GA2 Application Security
1. Web server type and version disclosure.
Risk Impact
Being able to determine precise software versions might aid an attacker in mounting tailored attacks on the server.
Recommendation
It is recommended to remove the software versions in use from service banners.
Solution
Add the below property in portal-ext.properties
##
## HTTP Header Response
##
#
# Set the level of verbosity to use for the Liferay-Portal field in the HTTP
# header response. Valid values are "full", which gives all of the version
# information (e.g. Liferay Portal Community Edition 6.1.0 CE etc.) or
# "partial", which gives only the name portion (e.g. Liferay Portal
# Community Edition).
#
http.header.version.verbosity=partial
2. Auto complete is enabled
Risk Impact
Not setting the ‘AutoComplete’ attribute can allow attackers to extract valid credentials of previously logged-in users from public computers or multi-user environments.
Recommendation
It is recommended to set auto complete functionality to “off” for sensitive input fields.
Solution
Add the below property in portal-ext.properties
#
# Set this to true to allow users to autocomplete the login form based on
# their previously entered values.
#
company.security.login.form.autocomplete=false
#
# Set this to true to allow users to ask the portal to send them their
# password.
#
company.security.send.password=false
3. Missing HttpOnly Attribute in Session Cookie
Risk Impact
In the absence of the HttpOnly attribute in the Set-Cookie header, an attacker can exploit this vulnerability to gain information stored in the cookie, or can launch a theft or modification attack by using malicious.
Recommendation
It is recommended to enable the HttpOnly feature for session cookies.
Solution
Add the below configuration to Tomcat's {TOMCAT_HOME}\conf\context.xml file.
<Context useHttpOnly="true">
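A way to confirm that the three settings above took effect, as an added example that is not part of the original post: it inspects response headers and login-form HTML for each finding. The sample headers and HTML are constructed, the function names are hypothetical, and checking the Server header alongside Liferay-Portal is an assumption that goes beyond the property shown here.

```python
import re
from html.parser import HTMLParser

# Constructed sample data (not captured from a real server).
SAMPLE_HEADERS = [
    ("Liferay-Portal", "Liferay Portal Community Edition 6.1.0 CE"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/"),
    ("Set-Cookie", "GUEST_LANGUAGE_ID=en_US; Path=/"),
]
SAMPLE_LOGIN_HTML = ('<form id="fm"><input name="login">'
                     '<input type="password" name="password"></form>')

def check_headers(headers, session_cookie="JSESSIONID"):
    """Return findings 1 and 3 for a list of (name, value) response headers."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        # Finding 1: a dotted version number in a banner header.
        if lname in ("liferay-portal", "server") and re.search(r"\d+\.\d+", value):
            findings.append("version-disclosure:" + lname)
        # Finding 3: session cookie set without the HttpOnly attribute.
        elif lname == "set-cookie" and value.split("=", 1)[0].strip() == session_cookie:
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append("session-cookie-missing-httponly:" + session_cookie)
    return findings

class _FormAudit(HTMLParser):
    """Collects password inputs that are not covered by autocomplete="off"."""
    def __init__(self):
        super().__init__()
        self.form_off, self.exposed = False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        off = (a.get("autocomplete") or "").lower() == "off"
        if tag == "form":
            self.form_off = off
        elif tag == "input" and (a.get("type") or "text").lower() == "password":
            if not (off or self.form_off):
                self.exposed.append(a.get("name") or "?")
    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def check_login_form(html):
    """Return finding 2 for each password field that allows autocomplete."""
    audit = _FormAudit()
    audit.feed(html)
    return ["autocomplete-enabled:" + n for n in audit.exposed]
```

Feed it the headers and login page body fetched from the portal after restarting with the new settings; an empty list from both functions means none of the three findings is present.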
Tuesday, October 16, 2012
Liferay 6.1.1 : Disable simultaneous login from different sessions
Add the below properties in portal-ext.properties
##
## Live Users
##
#
# Set this to true to enable tracking via Live Users.
#
live.users.enabled=true
#
# Set the following to true if users are allowed to have simultaneous logins
# from different sessions. This property is not used unless the property
# "live.users.enabled" is set to true.
#
auth.simultaneous.logins=false
Labels: liferay simultaneous login
Monday, October 15, 2012
Disable "Request processed successfully" Message
1. Add this init-param to the portlet definition in portlet.xml:
<init-param>
    <name>add-process-action-success-action</name>
    <value>false</value>
</init-param>
2. To change the message for a particular action rather than for all actions:
public void addBook(ActionRequest actionRequest,
        ActionResponse actionResponse)
    throws IOException, PortletException {

    // ...

    // Replace the default success message for this action only.
    String successMsg = "Book added Successfully!";
    SessionMessages.add(actionRequest, "request_processed", successMsg);
}
Labels: liferay, Request processed successfully
AUI Form Validation for Alpha and AlphaNumeric
<aui:input name="field1">
    <!-- Only allow alphabetical characters -->
    <aui:validator name="alpha" />
</aui:input>
<aui:input name="field2">
    <!-- Only allow alphanumeric characters/digits -->
    <aui:validator name="alphanum" />
</aui:input>
AUI Form Validation For file uploads with extension
<aui:input type="file" name="field2">
    <!--
    For use with input type="file"
    Only allow file uploads with this extension.
    Specify multiple values either comma delimited 'jpg, png',
    whitespace delimited 'jpg png', or pipe delimited 'jpg|png'.
    Do not include the period before the extension
    -->
    <aui:validator name="acceptFiles">
        'jpg, png'
    </aui:validator>
</aui:input>
AUI Form Validator Taglib
<aui:input name="field1">
    <!-- Example with multiple validators -->
    <!-- Make the field required. If the field is empty, form will not submit -->
    <aui:validator name="required" />
    <!-- Only allow digits in the field -->
    <aui:validator name="digits" />
    <!-- Make sure the field value is a number between 1 and 100 -->
    <aui:validator name="range">
        [1,100]
    </aui:validator>
</aui:input>
Labels: Alloy UI, AUI Form Validation, Liferay form validation
Wednesday, July 25, 2012
liferay-ui:discussion with custom portlet (MVCPortlet)
liferay-ui:discussion with custom portlet(MVCPortlet / Liferay 6.1)
Add the below code in view.jsp
<%
WindowState windowState = null;
PortletMode portletMode = null;
PortletURL currentURLObj = null;

if (renderRequest != null) {
    windowState = renderRequest.getWindowState();
    portletMode = renderRequest.getPortletMode();
    currentURLObj = PortletURLUtil.getCurrent(renderRequest, renderResponse);
} else if (resourceRequest != null) {
    windowState = resourceRequest.getWindowState();
    portletMode = resourceRequest.getPortletMode();
    currentURLObj = PortletURLUtil.getCurrent(resourceRequest, resourceResponse);
}

String currentURL = currentURLObj.toString();
%>
Add the below invokeTaglibDiscussion method in YourPortletClass.java
public void invokeTaglibDiscussion(ActionRequest actionRequest, ActionResponse actionResponse) throws Exception {
    PortletConfig portletConfig = getPortletConfig();

    // Delegate to the portal's own discussion action through the portal class loader.
    PortalClassInvoker.invoke(true, "com.liferay.portlet.messageboards.action.EditDiscussionAction",
        "processAction", new String[] {
            "org.apache.struts.action.ActionMapping",
            "org.apache.struts.action.ActionForm",
            PortletConfig.class.getName(),
            ActionRequest.class.getName(),
            ActionResponse.class.getName()
        }, null, null, portletConfig, actionRequest, actionResponse);
}
Labels: liferay-taglib, liferay-ui:discussion, mvc-portlet