Authentication Basics
By default, Liferay DXP uses the Sign In widget to authenticate users.
The Sign In widget appears on the default home page at http[s]://[server-name:port]/web/guest/home
. If the Sign In widget is unavailable on any page, it can be accessed directly via its URL: http[s]://[server-name:port]/c/portal/login
.
You can configure other methods of authenticating users and/or applications:
Authentication Verifiers can manage authentication for remote applications, and Authentication Pipelines define the ways users are validated by one or several systems.
Sign In Widget Configuration
To access the configuration menu for the sign in widget,
-
Open the page that contains the sign in widget in edit mode and click Actions () → Configuration.
-
You can configure several options here.
- Authentication Type: See Authentication Types for more information.
- Email From: Set the name and email address for the sender of system-generated emails (includes the password reset notification email).
- Password Reset Notification: Set the subject and contents of the password reset notification email.
-
Click Save to apply a new configuration.
Starting from Liferay DXP 2024.Q3/GA125, the Email From and Password Reset Notification settings were removed from the sign in widget through a beta feature flag. They are now available at the instance level. To access these settings, open the Global Menu () and go to Control Panel → Instance Settings → Email. You can find the Email Sender and Password Reset Notification settings here.
Authentication Types
Users can be configured to log in using one of three authentication types:
Authentication Type | Description | Used by Default? |
---|---|---|
Screen Name | Determined by administrator or user at account creation | No |
Email Address | Determined by administrator or user at account creation | Yes |
User ID | Automatically generated when the account is created | No |
Only one authentication type can be used at a time.
Regardless of the authentication type, users must always enter a password. You can create Password Policies to define password length, password format, expiration periods, and more.
Authentication Type can be configured through the Control Panel or a properties file.
Configuring Authentication Type Through the Control Panel
-
Navigate to the Control Panel.
-
Click Configuration → Instance Settings → Platform → User Authentication.
-
Choose an option under the How do users authenticate? selector.
Configuring Authentication Type Using Properties
To use the portal-ext.properties
file, paste in the below properties and uncomment the desired authentication type:
company.security.auth.type=emailAddress
#company.security.auth.type=screenName
#company.security.auth.type=userId
Using and Configuring the Sign In Widget
The Sign In widget calls the various mechanisms (the portal database, an LDAP server, a SAML identity provider, or any of the ways users can authenticate) that authenticate users. Its behavior can be configured and customized in several ways.
Disabling Guest Account Creation
-
Navigate to the Control Panel → Configuration → Instance Settings → Platform → User Authentication.
-
Uncheck Allow strangers to create accounts?.
-
Click Save.
Preventing Password Resets
If users should not be able to reset their own passwords, you can configure this from the same screen:
-
Navigate to the Control Panel → Configuration → Instance Settings → Platform → User Authentication.
-
Uncheck Allow users to request password reset links?.
-
Click Save.
Disabling the Password Section During Account Creation
Liferay DXP 2023.Q4+/Portal 7.4 GA92+
If the Allow Custom Password at Account Creation field is unchecked, the password fields are unavailable at the time of account creation from the Sign In widget. This also applies to users invited by email for account creation.
Configuring CAPTCHA or reCAPTCHA
Prevent bots from creating and logging into accounts by enabling CAPTCHA or reCAPTCHA:
-
Navigate to the Control Panel → Configuration → System Settings → Security Tools → CAPTCHA.
NoteBy default, Create Account CAPTCHA and Send Password CAPTCHA are enabled. If necessary, enable Message Boards CAPTCHA.
-
Choose a CAPTCHA engine. By default, Simple CAPTCHA is enabled. You can also select Google’s reCAPTCHA, which requires you configure the external service separately. If you select reCAPTCHA, supply your public and private key from Google.
- For Simple CAPTCHA, you can configure the captcha’s height and width. You can also configure Background Producers, Gimpy Renderers, Noise Producers, Text Producers], and Word Renderers.
-
Click Save when finished.
The DictionaryWordTextProducer
was removed from the Simple CAPTCHA Text Producers configuration as it has a higher probability of producing offensive words than completely randomized letter sequences.
Since Liferay DXP 2024.Q1.8/Portal 7.4 GA120, the Gogo shell and server administration pages (for a site admin) enforce captchas, even if the Maximum Challenges field is set to a negative number. These pages are not available without selecting a captcha engine.
To disable captchas for these pages, add captcha.enforce.disabled=true
to your portal-ext.properties
file. You should only do this for testing with Continuous Integration (CI).