Securing Sign-In

The Sign-In widget calls the various mechanisms (the portal database, an LDAP server, a SAML identity provider, or any of the ways users can authenticate) that authenticate users. Its behavior can be configured and customized in several ways.

Disabling Guest Account Creation

  1. Navigate to the Control Panel → ConfigurationInstance SettingsPlatformUser Authentication.

  2. Uncheck Allow strangers to create accounts?.

  3. Click Save.

    Guests can't create accounts if this box is unchecked.

Preventing Password Resets

If users should not be able to reset their own passwords, you can configure this from the same screen:

  1. Navigate to the Control Panel → ConfigurationInstance SettingsPlatformUser Authentication.

  2. Uncheck Allow users to request password reset links?.

  3. Click Save.

Disabling the Password Section During Account Creation

Liferay DXP 2023.Q4+/Portal GA92+

If the Allow Custom Password at Account Creation field is unchecked, the password fields are unavailable at the time of account creation from the Sign-In widget. This also applies to users invited by email for account creation.

Configuring CAPTCHA or reCAPTCHA

Prevent bots from creating and logging into accounts by enabling CAPTCHA or reCAPTCHA:

  1. Navigate to the Control Panel → ConfigurationInstance SettingsSecurity ToolsCAPTCHA.

    CAPTCHA is enabled by default.

    Note

    By default, Create Account CAPTCHA and Send Password CAPTCHA are enabled. If necessary, enable Message Boards CAPTCHA.

  2. Choose a CAPTCHA engine. By default, Simple CAPTCHA is enabled. You can also select Google’s reCAPTCHA, which requires you configure the external service separately. If you select reCAPTCHA, supply your public and private key from Google.

    1. For Simple CAPTCHA, you can configure the captcha’s height and width. You can also configure Background Producers, Gimpy Renderers, Noise Producers, Text Producers, and Word Renderers.
  3. Click Save when finished.

Note

The DictionaryWordTextProducer was removed from the Simple CAPTCHA Text Producers configuration as it has a higher probability of producing offensive words than completely randomized letter sequences.

Important

Since Liferay DXP 2024.Q1.8/Portal GA120, the Gogo shell and server administration pages (for a site admin) enforce captchas, even if the Maximum Challenges field is set to a negative number. These pages are not available without selecting a captcha engine.

To disable captchas for these pages, add captcha.enforce.disabled=true to your portal-ext.properties file. You should only do this for testing with Continuous Integration (CI).

Capabilities

Product

Education

Contact Us

Connect

Powered by Liferay
© 2024 Liferay Inc. All Rights Reserved • Privacy Policy