Securing Liferay

Liferay is built with security in mind. This includes mitigation of common security vulnerabilities and exploits like those described by the OWASP Top 10 and the CWE/SANS Top 25.

There are several aspects of securing a Liferay installation—including, but not limited to, following the best security practices for your hosting environment, database, search provider, application server, and Liferay itself.

Here you’ll learn the basic elements to secure Liferay. This includes configuring how users authenticate to your Liferay installation, authorizing users with permissions, configuring secure access to Liferay web services, and fine-tuning security features on an as-needed basis.

Authentication

Liferay authentication is flexible. By default, users log into Liferay by using the Sign In widget, which uses the database to authenticate the user. By default, guests can use the Sign In widget to create accounts with default permissions. Nearly every element of the default authentication experience can be changed by an administrator. For example,

• You can configure Multi-Factor authentication.
• You can use an SSO to manage authentication.
• Liferay can also be integrated with LDAP to validate users instead of using the portal database.
• Guest account creation can be turned off.

To learn more, see Authentication Basics.

Permissions

Liferay has a robust role-based access control (RBAC) system. Users can be assigned to sites, teams, user groups, or organizations. Custom Roles can be created, permissions can be assigned to these roles, and those roles can be assigned to users. Roles are scoped to apply only in a specific context, such as a site, organization, or globally. See Roles and Permissions for more information.

Securing Web Services

Liferay web services have a multi-layered and configurable approach to security and authorization:

• Service Access Policies control access to remote APIs.
• Authentication Verifiers verify provided credentials.
• Cross-Origin Resource Sharing configuration can enable retrieving resources from trusted sources only.

See Introduction to Securing Web Services to learn more.

Security Headers not Added by Liferay

Liferay does not add certain security headers in the HTTP request and response.

• X-XSS-Protection: This header has been deprecated starting from Liferay DXP 7.4 and above. See the recommendations from OWASP and Mozilla.
• Strict-Transport-Security: You must configure this in your application server and not on Liferay.
• Cross-origin resource sharing (CORS): Starting from Liferay 7.2 and above, you can set up CORS within Liferay. See Setting up CORS for more information.
• Public-Key-Pins: You must configure this in your web server.
• Content-Security-Policy: This is available as a beta feature and appears in the request if configured. See Configuring Content Security Policy Headers for more information.

Fine-Tuning Security

There are many ways to fine-tune or disable additional security features:

• Configure Liferay’s HTTPS web server address.
• Configure the list of allowed servers to which users can be redirected.
• Configure the list of portlets that can be accessed from any page.
• Configure the file types allowed to be uploaded and downloaded.

These features can be configured using portal properties.

Related Topics

For more information about securing a Liferay installation, please see our security statement, the community security team, and the resources listed on those pages.

There are additional security plugins available from Liferay Marketplace.

Next Steps

• Configuring Sign-In
• Introduction to Securing Web Services