Search Results

Sensitive Information disclosed via Application Status 400 Error
Issue Application Server errors at times may identify software, software versioning and hint at how user input is processed. This sample trace was triggered by having invalid characters (namely a set of square brackets '[ ]') in a given URL. Tomcat considers the address...
Commerce modules fail to deploy following license expiration
Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue There has been a documented case where Commerce modules fail to deploy following license expiration and redeployment WARN...
After performing a security configuration, our users can no longer add Categories in Web Content
Issue After applying the workaround indicated in this Security Advisory LSV-545: Unauthenticated Remote code execution via JSONWS (CVE-2020-7961), every client-side web service call to the JSONWS-API is failing: json.web.service.enabled=false This does not allow users to set Tags,...
Disable Email Verification in DXP 7.3
Issue In DXP 7.3, new users have to verify their email address on their initial login. I want to disable this verification requirement. Environment DXP 7.3 Resolution In DXP 7.3, the default value for company.security.strangers.verify= has been changed to true. Set it back to...
Got the error "saml-hook.war does not support this version of Liferay" after deploying the Liferay Connector to SAML 2.0 lpkg
Issue Got the error saml-hook.war does not support this version of Liferay in log after deploying the SAML 2.0 lpkg (version 6.0.0) on DXP 7.1 fix pack dxp-18 Environment Liferay DXP 7.1 Resolution The root cause for this error is that the incorrect SAML 2.0 lpkg version was deployed. To...
SAML Authentication Issue: Message context was not authenticated
Issue After enabling SAML, when a user tries to log in, authentication fails with the following message. ERROR [http-nio-8080-exec-36][BaseSamlStrutsAction:59] org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated Caused by:...
DNSName components must begin with a letter error while starting LDAP server in Apache DS
Issue During the configuration of Apache DS I encountered an issue that resulted in an IOException that interfered with starting the LDAP server: ERROR [org.apache.directory.server.wrapper.ApacheDsTanukiWrapper] - Failed to start the service....
Landing page redirection is not working after SAML configuration
Issue Once SAML is configured, the Landing Page redirection does not redirect to the desired page. Environment Liferay DXP 7.1 Resolution The pre and post-login actions (like DefaultLandingPage actions) are not compatible with AutoLogin solutions (like SAML). These pre and post-login...
How to resolve a "Failed to define class from Service Module Loader" error
Issue Upon installation of security-hotfix-lsv-45 in Liferay Portal bundled with JBoss, a "Failed to define class" error is generated in the Liferay logs. Failed to define class com.liferay.portal.security.xml.SecureXMLFactoryProviderImpl in Module "deployment.ROOT.war:main" from Service...
Couldn't retrieve remote JWK set: Server returned HTTP response code: 401 error occurs when using OpenID Connect authentication with Oracle Identity Cloud Service
Environment Liferay DXP 7.0-7.3 Oracle Identity Cloud Service OpenID Connect authentication enabled Symptom When OpenID Connect authentication is enabled in Liferay DXP and Oracle Identity Cloud Service (IDCS) is the configured provider, the following error may occur and users are not...
HTTP 400 response code shows sensitive data
Issue Sensitive system information may be seen in HTTP 400 - Bad Response status Environment DXP 7.0, DXP 7.1, DXP 7.2 Resolution The HyperText Transfer Protocol (HTTP) 400 Bad Request response status code indicates that the server cannot or will not process the request due to...
LDAP Performance Issues after upgrading from 6.2 to 7.2
Issue Seeing some slowness authenticating with LDAP after upgrading from 6.2 to 7.2. Environment DXP 7.2 [Upgraded from 6.2] Resolution Install Fix Pack 9 or a hotfix that includes LPS-122832 and run the upgrade process again. LPS-122832 reports and fixes the behavior that several...
How to prevent user enumeration attacks through the Forgot Password functionality
Issue Insecure default configuration may allow remote attackers to enumerate users' email addresses via the forgot password functionality. This can be a risk in the case of public-facing deployments. Environment Liferay DXP 6.2 EE Liferay DXP 7.0-7.2 Resolution It is recommended to set...
SAML changes post upgrade from DXP 7.0 to higher version
Issue SAML authentication is being used in DXP 7.0. After upgrading DXP 7.0 to any higher version, how is SAML configured in the upgraded environment? Environment Liferay DXP 7.1 Liferay DXP 7.2 Resolution Post upgrade, the respective SAML tables will be carried from source version to...
Session Timeout value is overridden during fix pack upgrade
Issue During installation of a fix pack, the value of <session-timeout> is reset to default within web.xml. Can the value of session timeout be changed 'permanently'? Environment DXP 7.2 Resolution Currently, there is no out-of-the-box option to achieve this on DXP - the web.xml is...
Add custom certificate in SAML configuration
Issue As part of the SAML configuration, it is possible to generate a Certificate and a Private Key. This generates both a self-signed key and a container storekey (in $LIFERAY_HOME/data/keystore.jks by default). How to use a different key instead of the default one? Environment Liferay...
SAML no longer working after upgrading Liferay
Issue After upgrading Liferay from Liferay DXP 7.0 to Liferay DXP 7.2, SAML is no longer working and users are no longer able to authenticate using SAML. It is possible that the following error will also appear in the logs in the Identity Provider as well as the Service Provider,...
Denied resolving class [...] error is shown in custom FreeMarker/Velocity templates (LSV-658)
Issue Custom FreeMarker and Velocity templates generate the following error after installing a fix pack: Denied resolving class [...] by org.apache Environment Liferay DXP 7.0 FP92+ Liferay DXP 7.1 FP18+/SP5+ Liferay DXP 7.2 FP6+/SP2+ Resolution The behavior originates from an...
Why is the p_p_auth token exposed in the URL? Could it be a security risk?
Issue On Liferay Portal 6.2, the p_p_auth token is exposed in the URL. It might be considered a security risk. Environment Liferay Portal 6.2 Resolution No attacker or other user can use p_p_auth token, only a legitimate user is able to apply it. Therefore, leaking the token has no value...
SAML logout when session expires
Issue Single sign-on and Single logout work fine when the user manually logs out, but no Single logout happens on portal session expiry. Environment Liferay 7.0 as IdP Resolution Service Providers (SP) only receive a maximum validity date contained in the SAML...
How to configure validation directives in AntiSamy
Issue When trying to import content between sites, i.e. knowledge base, a validation error arises: An unexpected error occurred with the publication process. Please check your portal and publishing configuration. com.liferay.portal.kernel.exception.SystemException:...
How to review User Permissions on Freemarker and Velocity templates
Issue After applying the fix for LSV-658, how can I see which users have permissions for (which) Freemarker/Velocity templates, i.e. via the user interface or by a database query? The Mitigation Notes of LSV-658 suggests that we review the owners of existing templates as they have full...
The Forget Password page is vulnerable to CSRF attack
Issue The Forget Password form can be re-submitted with different cookies, which leads to a CSRF issue. Environment Liferay DXP 7.2 Resolution This is considered a False Positive, as the user is not logged into Liferay when accessing the Forget password page. CSRF is meant to protect...
Page version control information is accessible in sitemap.xml
Issue Page version control information is accessible in sitemap.xml - such information shall not be exposed for security reasons. Reproduction: 1) Start up bundle 2) Access sitemap (e.g. http://localhost:8080/sitemap.xml) 3) From the site map, open one of the URLs within <loc>...
Changing password forces users to log in again
Issue Changing password invalidates current sessions and the users have to log in again. 2020-02-07 13:08:37.558 ERROR [http-nio-8080-exec-2][PortletServlet:112] javax.portlet.PortletException: java.lang.IllegalStateException: getAttribute: Session already invalidated Environment Liferay...
Session Hijacking issue with https connection
Issue By replacing the sessionId of a logged-in user, the user's session from another browser is replicated. Steps to reproduce Create 2 users like u1, u2 Assign the role for the u1 as "Power user", u2 as "Portal Content Reviewer" Create 2 pages like Page1, Page2 Click on the permission...
Integration of SiteMinder SSO
Issue How to integrate SiteMinder SSO with Liferay Environment Liferay DXP 7.0 Resolution By default, token-based authentication is disabled in Liferay. To manage it, refer to the document Token-based Single Sign-On Authentication, which describes the Token SSO...
Using Active Directory, after changing the user password, the user is still able to log in using the old password
Issue Using Active Directory, after changing the user password, a user is still able to log in using the old password Environment Liferay portal 6.2 Resolution Under Control Panel -> Portal Settings -> Authentication -> LDAP, if the "required" checkbox is not selected then the expected...
404 error when downloading module "com.liferay.saml.opensaml.integration" from Release Notes page
Issue Getting a 404 error when downloading module "com.liferay.saml.opensaml.integration" from Release Notes page. Environment Liferay DXP 7.2 Resolution The module for "com.liferay.saml.opensaml.integration" can be found on Marketplace. Please download SAML 2.0 from Liferay Marketplace...
The /dtd/ folder of the war with sensitive information is exposed when deploying a portal on Weblogic 12c R2
Liferay Support does not recommend or endorse specific third-party products over others. The information provided about products not created by Liferay is for reference purposes only, and any implementation of these principles will be at your team's discretion. Issue After the creation...
Module download link cannot be opened on Liferay DXP Release Notes page with 404 error
Issue When trying to download modules like "com.liferay.saml.opensaml.integration" from the Liferay DXP Release Notes page, the download link cannot be opened and returns a 404 error. Environment Liferay DXP 7.2 Resolution Modules like "com.liferay.saml.opensaml.integration" are included...
Is Liferay Product affected by OpenSSL security issue CVE-2020-1967?
Issue Is Liferay Product affected by OpenSSL security issue CVE-2020-1967? Environment Liferay DXP 7.1 Resolution Since Liferay products do not come with OpenSSL built-in, Liferay is not affected by CVE-2020-1967 out of the box. If you have implemented OpenSSL into your project, your...
No administrative options can be accessed when an F5 load balancer is in front of Liferay forcing a secure protocol
Issue When an F5 load balancer is in front of Liferay and is forcing a secure protocol, no administrative options can be selected and accessed. On Liferay the following options are configured in portal-ext.properties: web.server.https.port = 443 web.server.host = [A host is specified...
Liferay redirects to iframe source URL upon logging in
Issue After adding an Iframe to a Liferay page and setting the Source URL of that Iframe to e.g. /web/guest/page2, Liferay will redirect to /web/guest/page2 when logging in through the Welcome homepage. Environment Liferay Portal 6.2 Liferay DXP 7.0+ Resolution The above has to be considered...
When authorizing OAuth2 applications HTTP is used instead of HTTPS
Issue If there's a web server in front of Liferay, when clicking on the Authorize button to authorize OAuth2 applications HTTP is used instead of HTTPS and the following WARNs are displayed in the log. 2019-11-08 09:37:05.000 WARN [http-nio-8080-exec-63][AbstractOAuthService:88] Unsecure...
Is it possible to set different Authentication methods for different sites in the same portal instance
Issue Is it possible to set different Authentication methods for different sites in the same portal instance? Environment Liferay DXP 7.2 Resolution Currently, it is not possible to use different authentication methods for different Sites in one Portal Instance on Liferay DXP 7.2. The...
LDAP server is unreachable when "Required" option is enabled
Issue For any virtual instances apart from a default instance, if the "Required" option in LDAP is enabled, only LDAP users can log in to the portal. When the LDAP server is down/unreachable, none of the users are able to log in. In that case, how to log in to the portal to make the changes...
Why the error "Failed to bind to the LDAP server with userDN" is thrown in the logs
Issue What is the reason behind the following error which is thrown in the logs? [LDAPAuth:198] Failed to bind to the LDAP server with userDN CN=VERMA BRIJESH KUMAR (MR.),OU=USERS,OU=RND,DC=DS,DC=INDIANOIL,DC=IN and password Me4Sharom@15012020 javax.naming.AuthenticationException: [LDAP:...
Why can't I see the name of the resource in the Audit app?
Issue I am an Administrator in Liferay DXP Someone deleted an asset (for example an Organization) I check the events in the Audit app (Control Panel > Configuration > Audit) I open the delete event I can only see the Resource ID of the Organization but not its name Since it was removed...
Impact of Google Chrome 80 and changes in the default behavior of the SameSite cookie setting on SAML
Issue Updated (May 31, 2021): The behavior is enabled by default since Chrome 84. Updated (April 3, 2020): Chrome is Temporarily rolling back SameSite Cookie Changes Updated (June 12, 2020): Added information about the fixed versions of the SAML 2.0 connector. With the release of Chrome...

Results: 401 - 440 of 627