Search Results

The fix on LPS-55208 modifies LDAPUserExporterImpl (PortalLDAPExporterImpl in Portal 6.2 EE) in a way that the user is only exported to LDAP when the user's modifiedDate field changed. When you change the password for a user only, then the call stack is a bit different and the user...

In some environments it may be desirable to import a user's contact information from an LDAP server. This article explains how to import custom mappings as well as contact mappings from a Microsoft Active Directory LDAP server using the following properties: ldap.contact.mappings.0=...

When a user first logs in to the Liferay Portal 6.1 EE, they are immediately prompted to change their password. Resolution While this request is the default setting, the setting can be changed via the control panel. Navigate to Control Panel > Password Policies In the Default Password...

The following article gives a basic use case for Liferay's Virtual LDAP Server Plugin. Liferay's EE Virtual LDAP plugin turns Liferay portal into a virtual LDAP server that can be accessed by external LDAP explorer programs or, as in the case of this article, another instance of Liferay...

This article documents a known issue where users cannot log in to the Sync Client if both SAML and OAuth are enabled. As a result, authentication fails with a blank screen on Sync client. Repeated warning messages will print out in the server console: Relay state exceeds 80 bytes, some...

Recently, a security vulnerability was filed in Mitre under CVE-2018-10795 reporting an issue in FCKEditor and Liferay Portal 6.x versions. Resolution Liferay disputed this issue because file upload is an expected feature, subject to Role-Based Access Control checks where only...

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. The intended behavior of the Liferay Portal is to automatically reindex when any user is updated or created....

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. SAML (Security Assertion Markup Language) is an XML-based open standard data format for exchanging authentication...

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. After successfully configuring Liferay with NTLM, a user can authenticate simply by clicking "Sign In" within...

This article describes several cases in which a user can receive a password policy. Resolution Here are several use-cases outlining how password policies are applied in Liferay Portal. Case 1 When a user and all organizations that the user is a member of don't have a password policy,...

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. As many Liferay subscribers use Lightweight Directory Access Protocol (LDAP) to manage their users, this article...

In compliance to the European Union Cookie Directive, please see the following articles in reference to cookies that Liferay has set upon at login. Resolution How HTTP Cookies are being used in Liferay DXP 7.0 and above How HTTP Cookies are being used in Liferay Portal 6.2 Additional...

Liferay Support does not recommend or endorse specific third-party products over others. Liferay is not responsible for any instructions herein or referenced regarding these products. Any implementation of these principles is the responsibility of the subscriber. This article will...

NTLM (NT Lan Manager) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. When Liferay Portal is successfully integrated with NTLM, Active Directory users who are logged in will be able to seamlessly log into Liferay Portal....

The details of this article may also be covered in Configuring Liferay's LDAP Settings to Import Users. This article provides a comprehensive walkthrough for integrating an Active Directory Server with Liferay Portal. By integrating Active Directory with Liferay Portal, you will be able...

What is OAuth? It is a utility that authorizes third party applications to interact with the Liferay platform. The OAuth example from our official documentation is worth repeating here; users can make Twitter or Facebook available on Liferay Portal or DXP. Instead of entering your...

This advisory comes in response to the recent public announcement of a potential Server-Side Request Forgery (SSRF) vulnerability in Liferay Portal 7.0.4. The report talks about a perceived vulnerability for the pingback functionality in the blogs feature of the product. You can find a...

This article is intended for legacy versions of Liferay Portal CAPTCHA is an industry standard security measure that requires users to enter what they see a small window as part of the validation process when creating an account. Only human users are able to see the contents. Liferay has...

QUESTION: How are Liferay Digital Enterprise 7.0 and Liferay Portal affected by the Spring Framework Vulnerabilities: CVE-2018-1270, CVE-2018-1271, and CVE-2018-1272? Resolution Impact to Liferay CVE-2018-1270: Liferay Portal 6.2 and Digital Enterprise 7.0 are not affected because they...

By default, the Liferay platform always uses its own authentication system that checks and validates the user password in its own database. Even if you enable LDAP settings and set it as required, the Liferay platform will always check and validate the user password in its own database...

By default, Liferay encrypts the passwords that go into the database. The default algorithm is SHA-1 in 6.0 and 6.1 versions, which changed to PBKDF2WithHmacSHA1/160/128000 in version 6.2. The encryption algorithm can be changed and even turned off via the portal-ext.properties. Because...

CVE-2018-3831 reports that, "Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such...

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. In older versions of Liferay Portal (e.g. 5.1.x, 5.2 EE SP3), by default, Liferay will import all user groups a...

The following Common Vulnerabilities and Exposures (CVE) have been reported for Apache Struts 2: CVE-2017-9805 CVE-2017-12611 CVE-2018-1327 - REST XStream FreeMarker CVE-2018-11776 How are Liferay DXP (both 7.0 and 7.1) and Liferay Portal affected by the Apache Struts 2 Vulnerability?...

This article documents Liferay's position regarding the Session Identifier (JSESSIONID), including how and why a new JSESSIONID is generated.  Resolution Customers doing their own security scan of the Liferay platform might have noticed that a new JSESSIONID may have been generated....

This article documents a known issue where refreshing the CAPTCHA image causes a Java NullPointerException (NPE) to be triggered. Please note that the CAPTCHA image will still be refreshed. Steps to Reproduce Start the Liferay Digital Enterprise 7.0 platform. Click the Sign In link at...

Liferay Support does not recommend or endorse specific third-party products over others. Liferay is not responsible for any instructions herein or referenced regarding these products. Any implementation of these principles is the responsibility of the subscriber. This article contains a...

When deploying Liferay DXP 7.0 Fix Pack 24, 25, 26 or 27, the WeDeploy Auth Admin portlet will appear in the Control Panel. WeDeploy is currently a beta product. The addition of this portlet will have no impact or security risk.  Installing an affected fix pack will result in the...

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. Security-hotfix-11-6012, which is available for Liferay Portal 6.0 EE SP2, is preventing embedded portlets from...

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. When a session of Liferay times-out, an Invalid Authentication error is displayed. When the error is displayed, it...

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable. When trying to apply Security Update 2012-05-25 the following error message occurs: "security-hotfix-5-6012 ::...

This is a comprehensive article that documents the steps for how to set up SAML on Liferay Portal 6.2 EE. In addition, this article covers the different ways that SAML can be implemented and utilized. SAML (Security Assertion Markup Language) is an XML-based open standard data format for...

This article documents the basic steps users need to execute in order to set up their instance of Liferay DXP as SP, and OKTA as IdP. Resolution OKTA Configuration Log in to OKTA and navigate to Admin > Add Application (Shortcuts in the right menu) > Create New App. Select SAML 2.0....

This article explains why users from specific domains are not imported through LDAP due to the email address validator in the Liferay platform, and provides a solution to resolve this if a specific domain is required for your business needs. For example, domains that use two hyphens (for...

What is OAuth? It is a utility that authorizes third party applications to interact with the Liferay platform. The example from our official documentation is worth repeating here; users can make Twitter or Facebook available on Liferay Portal or DXP. To gain access to Facebook or...

This article describes the two uses of the data migration tool in the system administration section of Liferay Portal. The Data Migration Tool is fully supported for Liferay Portal 6.2 and below. It has been deprecated in DXP 7.0. Note: The tool migrates only Liferay data; that is, data...

This article describes how to generate Liferay SAML metadata from a web browser. SAML metadata in an XML file is configuration data required to automatically negotiate agreements between system entities, comprising identifiers, binding support and endpoints, certificates, keys,...

Very often a Liferay Portal or Liferay DXP instance resides inside a private network and—due to a company's security policy—while it can serve content to the public Internet, it cannot access the Internet by default. In such cases, cloud-based services—like Marketplace App Activation and...

This article documents how to set up Liferay DXP 7.0 as SP and WSO2 as IdP. Resolution WSO2 configuration 1. Download wso2is-5.3.0.zip from the WSO2 site and extract the file to a dedicated directory. 2. Go to wso2is-5.3.0/bin and run command $sh wso2server.sh to start wso2 server if you...

This article documents how to set up Clam Antivirus with the Liferay platform on Windows for testing purposes. The goal is to scan documents for viruses when they are being uploaded. Resolution Download ClamWin for Windows. You can update to a more recent version after installation. For...