Search Results

User did not provide a valid CSRF token Error
Issue Portlet Action requests intermittently returning a 403 error code. In the logs the following error message regarding invalid CSRF token gets printed whenever the 403 error is thrown. "User [user_id] did not provide...
Email Address Validation for Forgot Password
Issue The Forgot Password option does not validate if the user enters a correct email address. You can enter anything and the field will accept it. Two types of validation are expected: Email format validation (to...
Login URL Parameters Reported as Security Threat
Issue Vulnerability Assessment and Penetration Testing (VAPT) reports the parameters passed in the login request as a security threat. How can these parameters be removed or mitigated? Environment Liferay DXP 7.4+...
User profile is visible when accessing the /web/test
Issue When accessing localhost:8080/web/test, the user profile is visible to guest users. The concern is that the user data being accessible to guest users poses a security threat. Environment Liferay DXP 7.4...
Password syntax checking error does not appear when configuring with Minimum Lowercase 1 when creating a new account
Issue I have an issue with checking the password syntax. When they configure the password syntax with Minimum Lowercase 1, Minimum Symbols 1, and Minimum Uppercase 1, try to create an account for a guest user, type a...
How to allow unauthenticated (guest user) requests for GraphQL
Issue I implemented a ReactJS widget that relies on GraphQL requests for custom object values, with the widget exposing object entries to the public. However, unauthenticated GraphQL requests are disabled by default and...
Can Liferay pass User Roles to the Service Provider?
Issue In a SAML configuration where Liferay acts as the Identity Provider, is Liferay able to pass its User Roles to the Service Provider?   Environment Liferay 7.4   Resolution Yes, it is possible. Liferay will send...
XSS Vulnerability present when using Web Content Article's source code
Issue We've observed an XSS vulnerability present when using the Web Content Article's source code. This vulnerability appears to be present when involving the deployment of a payload via the source code. Steps to...
SAML - Can you end the Identity Provider's session when the Service Provider's session times out?
Issue We have Liferay configured as a SAML Service Provider (SP), and we use third-party software as the Identity Provider (IdP). Our IdP is used for multiple applications, so its session timeout is set for a...
Is integration of mTLS possible in Liferay?
Issue We are required to use mTLS (Mutual Transport Layer Security) for certain requests. Is it possible to integrate mTLS with Liferay? Environment DXP 7.4 Quarterly Releases Resolution Yes, it is possible to...
Setting up Liferay as both IDP and SP (SAML)
Issue This article outlines how to configure two Liferay DXP bundles for SAML authentication with one functioning as the Service Provider (SP) and the second as the Identity Provider (IdP). Environment DXP...
Updating React dependencies to later version
Issue As part of the security audit, the old version of React might be vulnerable to attacks. Is there a way to hide the React version that Liferay displays? Environment Liferay DXP 7.3 Resolution At this...
Will a curl vulnerability impact Liferay DXP?
Issue There have been security announcements that are deemed to be a high-risk vulnerability that is caused by curl 8.4.0.   Environment DXP 7.3 Resolution Liferay DXP does not use the libcurl library. In conclusion,...
Is Liferay vulnerable to the Log4j Vulnerability CVE-2019-17571?
Issue After searching in the following folder: /tomcat/webapps/ROOT/WEB-INF/lib/log4j-extras.jar, we noticed that log4j is available as part of the product. Is Liferay vulnerable through this library? Environment All...
Nested Azure AD Groups are not assigned to Liferay groups
Issue You want to assign Liferay user groups via dynamic Azure AD groups when logging in with SAML. For this, certain rules of Azure AD groups are in place based on your needs. There might be an issue where nested...
Vulnerability in CKEditor 4.18.0
Issue In Liferay, a vulnerable version of CKEditor 4.18.0 is being used. The vulnerability CVE-2023-28439 is present in the CKEditor versions less than 4.21.0. Environment Liferay DXP 7.0+ Resolution The observed...
Differentiate between multiple Identity Providers when clicking the Sign-in button
Issue How can a user log in to a specific IdP when multiple IdPs are configured on the portal? Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution While using...
How to enable cookies and the banner, consent panel
Issue How to enable cookie preference handling as well as the configuration options for both the banner and the consent panel. Environment Liferay DXP 7.4 Resolution This feature was introduced in the Liferay...
Setting sameSite attribute in Cookie for header response on JBoss EAP 7.2
Issue How to add the sameSite attribute as 'Strict' on the cookies JSESSIONID, COOKIE_SUPPORT, and GUEST_LANGUAGE_ID on JBoss EAP 7.2. Environment Liferay DXP 7.4 JBoss EAP 7.2 Resolution In JBoss, navigate...
p_auth token missing from GET request
Issue After enabling CSRF Tokens, a p_auth token is appended to URLs, as expected. However, we noticed that if we manually remove this from the end of a URL and hit enter, we are still able to access the page,...
After enabling LDAP authentication, administrator users who do not exist in LDAP can log in
Issue We have enabled LDAP authentication, checked it as required, and unchecked Ignore User Search Filter for Authentication. With this configuration applied, administrator users can log in even if...
SAML Sessions remain Active despite Logout in Liferay
Issue We have integrated SAML with our Liferay configuration. We have noticed that after a User logs out, their session remains active in Liferay. Environment Liferay DXP 7.3 Resolution This issue may occur if the...
Requests to Liferay with an invalid HOST request HTTP header returns the default site
Note: please note that Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue Requests to Liferay with an invalid HOST request...
Are URLs that display/download Liferay JS information a vulnerability?
Issue Some monitoring tools may identify certain URLs that are accessible during routine scans that should not have allowed access. Among the URLs that are typically detected are URLs that can download Liferay's JS...
Service Organization Control (SOC) -1 Type 2 report
Issue Service Organization Control (SOC) -1 Type 2 report for auditing purposes. Environment Liferay DXP Resolution The SOC-1 report focuses on financial controls and their evaluation and this reporting is not...
How to Disable CAPTCHA on Server Admin Pages
Issue How do you disable CAPTCHA on pages? Site Administration pages like the Gogo Shell now have a CAPTCHA verification. How do you disable CAPTCHA on pages? Adding “-1” (Never Check), doesn’t work....
Microsoft Azure Key Vault with Liferay DB
Issue Can we use Azure Key Vault for the DB setup configuration in Liferay instead of having it in plain text in the properties file? Is there any way to configure the DB in Liferay using Azure Key Vault? How can we use...
Tomcat Vulnerability Impact (CVE-2023-28708)
Please be aware that the page you are viewing has been machine translated from Japanese into English and may contain some translation errors. If you observe any issues with the translation, please contact us. Issue...
What is the user password algorithm and format of the stored passwords?
Issue We would like to understand the formatting of passwords as they're saved in Liferay. What algorithm, salt, and hash format is being used to store passwords?  Environment DXP 7.1 Resolution Example Password:...
When trying to access a user's private page, a "404 Page Not Found" populates instead of the Login prompt
Issue When trying to access a user's private page, we are transferred to a "404 Page Not Found" error page instead of the Login page that we were expecting.  Environment DXP 7.4 Quarterly Release Resolution Not being...
A blank SAML redirect screen is seen even with redirect message disabled
Issue A blank intermediary page (showing "Please select your identity provider" title and /portal/c/portal/login?redirect=%2Fportal%2F&refererPlid=[sanitized]&p_l_id=[sanitized] URL) is being seen even with the hotfix...
'Authentication Search Filter' for Users in LDAP
Issue At the moment, we are using an LDAP server connection to authenticate our users. Our question is: at which moment is the query to authenticate users executed? More exactly, when the field 'Authentication Search...
Web Server keeps asking for basic authentication when using a Client Extension that makes a request via OAuth to Liferay API
Issue A Web Server before the Liferay environment is configured with Basic Auth. Liferay uses a Client Extension (CX) that makes a request to a Liferay API using OAuth. When the page using the CX is loaded, the Web...
'Email Account Activity: New Sign-In detected for your account' received which is an unwanted email
Issue Receiving unwanted email notifications like "Your email account abc@xyz.org.in was signed into from a new location, device, browser, or application" from GoDaddy. Below are the details received:   From:...
Liferay's OpenID Connect implementation does not account for language variations for ui_locales
Issue Liferay's OpenID Connect implementation does not account for language variations for ui_locales. For example, Selecting English (United States) on Liferay sets ui_locales to en. Selecting Chinese (either Traditional...
LDAP import PermissionChecker not initialized
Issue When importing users by Groups and enabling ‘Creating Roles on Import’, the roles and groups will be created/imported, but the users are not imported. Error reads PermissionChecker not initialized...
Security Issue: CVE-2024-28752 - Apache CXF
Issue Security vulnerability CVE-2024-28752 details an SSRF vulnerability with the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3, and 3.5.8, which would allow an attacker to perform SSRF style attacks...
How long does the content remain in the CDN cache?
Note: please note that Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue What is the policy for cleaning and updating content...
Is there a way to identify when a user was deactivated and by whom?
Issue Is there a possible way to find out the exact date on which a Liferay user was deactivated and by whom? Environment Liferay DXP 7.3 Liferay DXP 7.4 Resolution Please run the attached Groovy script to get a...
How can I access OpenIdConnectProvider classes in 7.4 U34+?
Issue The Liferay classes com.liferay.portal.security.sso.openid.connect.OpenIdConnectProvider; and com.liferay.portal.security.sso.openid.connect.OpenIdConnectProviderRegistry; were removed in U34+...
Security Issue Concerning Google Guava Versions 1.0 to 32
Issue There is a present vulnerability with Google Guava that affects the versions from 1.0 to 31.1. Liferay is currently bundled with Guava. It has been reported that...
User enumeration attack via response time
Issue It is possible to determine if an email address is valid or not (i.e., user enumeration) by comparing the request's response time. This can be done by checking the browser's network tab and comparing...
How do we toggle the requirement for strangers to verify their email address?
Issue How do we toggle the requirement for strangers to verify their email address? Environment DXP 7.4 Resolution This setting can be toggled by going to: Instance Settings > User Authentication. From here, you can...
Checking for vulnerability to CVE-2022-42889
Issue Is our Liferay instance vulnerable to CVE-2022-42889?  Environment DXP 7.4, DXP 7.3, DXP 7.2, DXP 7.1, DXP 7.0  Resolution Look for commons-text in ${liferay.home}/license/versions.html, if you do not find it, you...
How to test for vulnerability to CVE-2020-7961
Issue We would like to determine if we are vulnerable to CVE-2020-7961. Environment DXP 7.3, DXP 7.2,  DXP 7.1, DXP 7.0 Resolution The steps to test for vulnerability to CVE-2020-7961 are as follows:   1. Start your...
How to set up a Mail Server with DXP to receive email notifications?
Issue This article outlines how to set up a Mail Server and SMTP in Liferay DXP to receive emails. Environment Liferay DXP 7.3 Resolution Liferay DXP uses a mail server and SMTP to get email notifications. Liferay...
NTLM and NTLMv2 in Liferay Portal 6.2
Issue The question is whether Liferay Portal 6.2 supports NTLM and NTLMv2. Environment Liferay Portal 6.2 Resolution The library used in Liferay Portal 6.2 supports both NTLM and NTLMv2. There is a property that can...
Session Management in Liferay
Issue How are sessions managed in Liferay, and what are the different ways to configure them? Also, do Liferay sessions work in browsers with JavaScript disabled? Environment Liferay DXP...
How can we get a complete picture of a user's activity history?
Issue Is there a way to find out how and by whom a user was created? Environment Liferay DXP 7.2 Resolution The steps below can be used to track user activity. Log in as the 'Test' user (Admin User). Create a new user...
Forgot Password does not show an error when providing an email address that doesn't exist in the DB
Issue In the 'Forgot Password' option, when providing an email address that doesn't exist in the database, the user can proceed to answer the security question, whereas an error should be shown saying the user's...
Is functionality impacted when upgrading to Bootstrap 5 in Portal 6.2? Is it supported?
Issue The requirement is to upgrade the Bootstrap library. Is functionality impacted when upgrading to Bootstrap 5 in Portal 6.2? Is Liferay Portal 6.2 compatible with Bootstrap 5? Is it supported? Environment...
Is there a way to allow uppercase letters in a screen name?
Issue Is there any way to ensure that a user's screen name maintains the same capitalization that is present in the AD (Active Directory) when the user is imported into Liferay? Environment Liferay DXP 7.2...
Can any user who has not securely logged out have their session terminated?
Issue Terminating the session of any user who has not properly logged out, for example, who has unexpectedly closed the browser window, etc. This user should not have to wait for the default time-out to be...
Password verification needed at time of changing user screen name & email address
Issue Password verification is required whenever a user needs to update their screen name or email address. Environment Liferay DXP 7.3 Resolution A feature request has already been created in order to add a toggle for...
When Setting Okta up as an SSO for Liferay PaaS, how can I generate IdP metadata in Okta without first having SP metadata?
Note: please note that Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue The documentation for setting up an SSO with Liferay PaaS...
Does the Encryption Key that is generated per company id for the Liferay Installation ever change?
Issue Does the Encryption Key that is generated per company id for the Liferay Installation ever change? Environment Liferay 7.2 Resolution The following portal properties will alter the encryption key for a Liferay...
How to create a custom attribute in MS Active Directory and configure it in Liferay
Issue Is there any way to map a custom attribute created in MS Active Directory into Liferay? Environment Liferay Portal 6.2 Resolution Liferay provides an OOTB option to achieve the custom attribute...
Externalize Session Management
Issue The session details should be stored in a centralized server so that it is shared with all the available nodes. Environment Liferay Portal 6.2 Resolution This is a specific business requirement that falls beyond...
Disable Admin password reset email notifications
Issue The user should not receive the email notification for the password change. Environment Liferay DXP 7.0 Resolution The requirement is not available out of the box in Liferay. If you want to achieve this...
SSO at site level
Issue Is there any OOTB option to configure SAML for two sites on the same instance? Would creating a new instance for a site help to configure SAML? Environment Liferay DXP 7.2 Liferay DXP 7.3...