Published Jun. 30, 2025

Login URL Parameters Reported as Security Threat

Written by Balázs Létai

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.


Issue

  • Vulnerability Assessment and Penetration Testing (VAPT) reports the parameters passed in the login request as a security threat.
  • How can these parameters be removed or mitigated?

Environment

  • Liferay DXP 7.4+

Resolution

Liferay DXP uses specific URL parameters for the LoginPortlet to manage different aspects of the login process. These parameters, including p_p_id, p_p_lifecycle, p_p_state, p_p_mode, and _com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName, are essential for identifying the portlet, handling its lifecycle and state, and determining the MVC render command. The saveLastPath parameter configures whether the last path is saved; it is optional and affects only that functionality.

The following files within the login-web module handle different aspects of the login URL parameters, from setting them up to processing them during login actions:

  1. LoginUtil.java: This utility class has methods related to handling login operations, such as getLoginURL, which sets parameters like saveLastPath and mvcRenderCommandName.
  2. LoginMVCActionCommand.java: This class processes login actions and directs the parameters accordingly.
  3. LoginPortlet.java: The main portlet class for handling the login portlet.

While there is no out-of-the-box way to completely remove these parameters, you can implement the following workarounds to mitigate the security concerns:

  1. Custom Login Page with URL Rewrite:

    1. Create a custom login page.
    2. Add the Liferay Sign-In portlet to your custom login page.
    3. Set the auth.login.url property in your portal-ext.properties file to point to your custom login page. This redirects users from the default login URL /c/portal/login to your custom page, effectively hiding the default URL parameters.
    4. Configure rewrite rules in your web server (e.g., Nginx, Apache) to redirect any requests to /c/portal/login (with or without parameters) to your custom login page. This ensures that even if someone manually enters the default login URL with parameters, they are redirected to your custom login page.

  2. Servlet Filter: Implement a servlet filter to intercept and modify login requests. The filter can remove or rewrite the parameters before the request reaches Liferay's login portlet.
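As an added example of the servlet-filter workaround (not code from the article or from Liferay), the OSGi-registered filter below wraps the login request so that a configurable set of parameters is no longer visible to downstream code. It assumes Liferay's servlet-filter registration properties (servlet-filter-name, url-pattern) and drops only the optional saveLastPath parameter, since the others are required by the portlet container.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.osgi.service.component.annotations.Component;

// Registered through Liferay's servlet-filter OSGi properties (assumed here;
// the filter name is illustrative, the url-pattern is the default login URL).
@Component(
    property = {
        "servlet-context-name=",
        "servlet-filter-name=Login Parameter Filter",
        "url-pattern=/c/portal/login"
    },
    service = Filter.class
)
public class LoginParameterFilter implements Filter {

    // Only the optional parameter is dropped: p_p_id, p_p_lifecycle, p_p_state,
    // p_p_mode and *_mvcRenderCommandName are needed by the portlet container.
    private static final Set<String> DROPPED = Set.of("saveLastPath");
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Everything downstream sees the wrapper, so dropped parameters vanish.
        chain.doFilter(new StrippedRequest((HttpServletRequest) request), response);
    }

    // Read-only view of the request with the unwanted parameters removed.
    static final class StrippedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;

        StrippedRequest(HttpServletRequest request) {
            super(request);
            Map<String, String[]> copy = new LinkedHashMap<>(request.getParameterMap());
            copy.keySet().removeAll(DROPPED);
            params = Collections.unmodifiableMap(copy);
        }

        @Override public Map<String, String[]> getParameterMap() { return params; }
        @Override public Enumeration<String> getParameterNames() {
            return Collections.enumeration(params.keySet());
        }
        @Override public String[] getParameterValues(String name) { return params.get(name); }
        @Override public String getParameter(String name) {
            String[] values = params.get(name);
            return (values == null || values.length == 0) ? null : values[0];
        }
    }
}
```

Code that reads the raw query string via getQueryString() bypasses the wrapper, so override that method too if the parameters must disappear from there as well. A filter cannot change the URL shown in the browser; that is what the web-server rewrite in workaround 1 addresses.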

Additional Information

