Search Results

Issue After setting up the SAML process, the user tries to log in receiving the warning below and not being logged in. Environment Liferay 2023.Q4.0 Resolution If users are setting up an identity provider as Liferay and a service provider as Liferay In IDP and SP, users set the below...

Issue The following SAML errors appear in the Liferay logs: ERROR [http-nio-8080-exec-5][BaseSamlStrutsAction:53] org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the HTTP POST method com.liferay.saml.runtime.SamlException:...

Issue When navigating through the portal with SAML disabled, there are a few SAML-related filters that are still being processed, leading to database calls and causing slower performance. at...

Issue If the user allows any origin (Access-Control-Allow-Origin: *) to access the resource, the CORS request fails. Steps to reproduce: 1. Start Liferay DXP 7.4 U90 2. Navigate to Control Panel > Instance Settings > Security Tools > CORS > Edit. 3. Access-Control-Allow-Origin as * 4....

Issue The LIFERAY.HEADLESS.DELIVERY scope is missing or delayed in appearing when creating or managing OAuth 2 applications. The issue can occur intermittently, with the scope sometimes appearing after a delay of several hours. Reindexing, restarting the application server, or creating...

Issue Both SAML and OpenID Connect(OIDC) can be configured on the same Liferay instance. However, the option to authenticate using OIDC is missing whenever SAML is enabled. Is it possible for a user to select either SSO methods to log in?  Environment DXP 7.4 Resolution The missing...

Issue When using using the Audit Export Feature, filters for date and time are not applied accurately in the resulting CSV file. The exported file may not include entries explicitly requested by the filter. For example: When filtering the audit events over several days, only the current...

Issue We want to bypass the client selection screen because there is only one OpenID Client to choose.   Environment Quarterly Releases   Resolution There is a Feature Request opened for this which is currently under development. Please refer to: LPD-19197 Please note that the new...

Issue Vulnerabilities remain unresolved in spring-web and spring-core, even after a fix was applied to spring-context. For spring-web: Vulnerable component: org.springframework:spring-web:5.3.39 For spring-core: Vulnerable component : org.springframework:spring-core:5.3.39   Environment...

Issue Is it possible an attacker could predict the JSESSIONID and gain unauthorized access, referencing an example from a 'Session Prediction' article? Explanation of Issue Using the "Catalog" Page in Postman: If a user uses the "owner cookie" to access the "Catalog" page via Postman,...

Issue I would like to configure and enable SAML login while also having Liferay's default login available to users so that they can have two options for logging in. Environment DXP 7.4+ Quarterly Release Resolution This is the expected behavior for now. Liferay will abdicate to SAML...

Issue When making calls to a REST API service created with RestBuilder that includes the Authorization Bearer token header, the responses often return a 401 Unauthorized status. However, when the same service is tested using Swagger within a Liferay session, it responds with a 200 OK....

Issue I would like to know if Liferay is vulnerable to CVE-2023-45960?  Is Liferay affected by CVE-2023-45960? Environment Quarterly Release 2024.Q1.7 Resolution The NIST listing for CVE-2023-45960 has been withdrawn and has the following description:  Current Description Rejected...

Issue We would like to enable real-time antivirus scanning for uploaded files but disable asynchronous background scanning of the document library. The issue arises because: Enabling dl.store.antivirus.enabled=true triggers both real-time scanning and background scanning of the document...

Issue The environment starts using a large amount of CPU and also memory. Reviewing thread dumps taking during that time, there are many threads associated to PBKDF2PasswordEncryptor.encrypt, such as: "https-jsse-nio-8443-exec-5" #115 daemon prio=5 os_prio=0 cpu=274186.74ms...

Issue When we try to embed a video using <iframe> tags, during the creation the video displays, however after publishing the content and editing it again, the video is not displayed anymore and the source is updated with a sandbox attribute. Environment DXP 7.4 Quarterly release...

Issue After upgrading to Quarterly Release 2023.Q3.4 from DXP 7.3, we've found that OpenID Connect is no longer working. The button is no longer populating within the UI even after enabling it using this article: Configuring Liferay Authentication with Okta using OpenID Connect....

Issue Liferay throws a ClassCastException after upgrading, the upgrade logs show no errors.  Liferay throws an error after non-graceful shutdown ERROR [http-nio-8080-exec-8][AutoLoginFilter:247] Current URL /home generates exception:...

Issue I'm unable to use the PUT API to update users as linked to the SCIM Client. I'm not able to add new users and then update them using the PUT API linking them to the SCIM client. Environment 2024.Q1+ Resolution Important This feature is currently behind a beta feature flag. To add...

Issue Is Liferay DXP affected by CVE-2024-38286? CVE-2024-38286 is an Apache Tomcat vulnerability wherein Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. This vulnerability only impacts...