Search Results

All Results 433
ソート
Resource Type
Applicable Versions
Deployment Approach
Capability
Feature
Liferay as SAML SP fails after switching the URL of the virtual instance
legacy Troubleshooting
Issue SAML configuration hasn't been working since the virtual host of the portal instance changed. Caused by: org.opensaml.ws.security.SecurityPolicyException: Request was required to be secured but was not...
How to prevent an AD user from logging into Liferay using the old password if LDAP authentication cannot set to be required
legacy Troubleshooting
Issue After the user changes the password in Microsoft Active Directory (AD), the user can still log into Liferay using the old password. If enabling "Required" option, the issue can be resolved. But users created manually...
How can the p_auth authorization token be generated?
legacy
Issue Liferay protects itself against CSRF attacks by generating the p_auth authorization token. How can this token be created? Environment DXP 7.0, 7.1, 7.2, 7.3 Resolution When "auth.token.check.enabled=true" is set in...
Automated process to remove users from Liferay that are no longer in LDAP?
legacy How To
Issue Is there a way to automatically remove users from Liferay who are no longer in LDAP? Environment Liferay DXP 7.1 Resolution There's no automated process to do this out of the box. However, a feature request...
Cross Site Scripting Vulnerability report on refererPlid or other parameters
legacy
Issue During a penetration test, a Cross Site Scripting Vulnerability may be reported, indicating that you can inject a script into the refererPlid parameter or into the...
When resetting a password, duplicate error messages appear
legacy Troubleshooting
Issue Duplicate error messages show up when resetting the password Steps to reproduce: 1. Start and set up Liferay DXP 7.3 SP1 using the setup wizard. The email can be set as test@liferay.com and the password as a...
The behavior of bypassing SAML SSO has changed
legacy Troubleshooting
Issue There is a use case in which a subset of users are meant to bypass SAML SSO and login directly to the Liferay SP. On Liferay 7.2 dxp-8, users successfully used the following URL to achieve this:...
Enabling both Liferay's default login and SAML login so that users can use either option
legacy How To
Issue I would like to configure and enable SAML login while also having Liferay's default login available to users so that they can have two options for logging in. Environment DXP 7.4+ Quarterly Release Resolution...
Is Liferay Vulnerable to CVE-2023-45960?
legacy
Issue I would like to know if Liferay is vulnerable to CVE-2023-45960?  Is Liferay affected by CVE-2023-45960? Environment Quarterly Release 2024.Q1.7 Resolution The NIST listing for CVE-2023-45960 has been withdrawn and...
High CPU and memory use with stacktraces associated to password encryption
legacy Troubleshooting
Issue The environment starts using a large amount of CPU and also memory. Reviewing thread dumps taking during that time, there are many threads associated to PBKDF2PasswordEncryptor.encrypt, such as:...
I want to skip OpenID Connect provider selector at sign in if there is only one provider
legacy Troubleshooting
Issue We want to bypass the client selection screen because there is only one OpenID Client to choose.   Environment Quarterly Releases   Resolution There is a Feature Request opened for this which is currently under...
Vulnerabilities for spring-web and spring-core
legacy
Issue Vulnerabilities remain unresolved in spring-web and spring-core, even after a fix was applied to spring-context. For spring-web: Vulnerable component: org.springframework:spring-web:5.3.39 For spring-core:...
Enabling real-time antivirus scanning without asynchronous background scans
legacy How To
Issue We would like to enable real-time antivirus scanning for uploaded files but disable asynchronous background scanning of the document library. The issue arises because: Enabling...
Audit Events filtered by date/time are not being exported accurately
legacy Troubleshooting
Issue When using using the Audit Export Feature, filters for date and time are not applied accurately in the resulting CSV file. The exported file may not include entries explicitly requested by the filter. For...
Resolving 401 Errors When Using Authorization Bearer Tokens in RestBuilder APIs
legacy Troubleshooting
Issue When making calls to a REST API service created with RestBuilder that includes the Authorization Bearer token header, the responses often return a 401 Unauthorized status. However, when the same service is...
Is Session Prediction Possible in Liferay
legacy
Issue Is it possible an attacker could predict the JSESSIONID and gain unauthorized access, referencing an example from a 'Session Prediction' article? Explanation of Issue Using the "Catalog" Page in Postman: If a...
How to implement a token system instead of using credentials to access remote services
legacy How To
Issue Trying to write a custom remote service using Liferay (ServiceImpl file), so which method may be used to authenticate using a token rather than credentials? Environment Liferay DXP 7.4 Resolution Liferay has...
Is There A Way To Verify ClamAV Integration With Liferay?
legacy Troubleshooting
Issue We followed the instructions below to enable document virus scanning, but we do not see any way to confirm the ClamAV integration was successful or that file scans are occurring when new files are uploaded to...
AntiSamy sanitizer cleans some of the HTML tags and styles, how can we solve that?
legacy Troubleshooting
Issue We turned on AntiSamy but it removes certain HTML code and CSS styles from our Web Content articles. Environment DXP 7.0+ Resolution Usage of HTML and CSS in Web Content article HTML fields Web content articles...
ORA-12899 because OpenID access token is too large
legacy
Issue We store several things in our OpenID access token and when a user tries to log in, it fails because the token size exceeds the 3000-character limit specified in the ACCESSTOKEN column of the...
How is AntiSamy configured?
legacy
Issue We configured AntiSamy to santize Web Content articles. We would like to understand how AntiSamy works and what parts are expected to be removed in Web Content articles. Environment DXP 7.0+ Resolution In the...
Can Liferay Support SP and IDP initiated SAML Simultaneously?
legacy
Issue Our team is the design phase for authentication and we want to know if Liferay supports IDP and SP initiated SAML logins at the same time?  Environment DXP 7.4 Resolution No, a single instance should not be both...
Force Authentication in SAML requiring reauthentication in SP
legacy How To
Issue With SAML and Force Authentication enabled, I am required to reauthenticate requests from the SP Environment DXP 7.3, 7.4 Resolution This behavior is intended, but to avoid manual reauthentication in this...
Captcha authentication via Headless API
legacy
Issue We have developed a Liferay fragment to collect user input via a custom-designed HTML form. This fragment interacts with custom Liferay objects through a Headless API using JS We have created a new role with the...
CVE-2020-28885 and CVE-2020-28884
legacy
Issue We would like to know about Liferay's vulnerability to CVE-2020-28885 and CVE-2020-28884. The CVE's claim that it is a vulnerability for an Administrator User to be able to inject commands through the Gogo Shell...
How to reduce difficulty on captcha for Liferay DXP 7.2
legacy Troubleshooting
Issue The captcha generated in the login is unreadable, even for humans. Environment Liferay DXP 7.2 Resolution Go to System Settings > Security Tools. Find and delete the following properties: ...
Relay state exceeds 80 bytes
legacy Troubleshooting
Issue After configuring SAML, I see Relay state exceeds 80 bytes WARN messages in the logs. How can I prevent the transmission of relay states larger than 80 bytes? Environment DXP 7.X Resolution This issue was...
CVE-2023-33950
legacy Troubleshooting
Issue We would like to determine whether Liferay is vulnerable to CVE-2023-33950 The CVE claims that Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allow regular...
SQL injection Sleepy user agent attack
legacy
Issue Liferay does not restrict a URL that has a 'sleepy user agent' query appended to it like: https://domain/page?1%2b(select*from(select(sleep(x)))a)%2b=1 Environment Liferay DXP 7.4 Resolution Sleepy user agent...
SAML Download Certificate button is broken, with Redirect URL errors seen
legacy Troubleshooting
Issue The Download Certificate button doesn't work in the SAML Admin. When I click on the Download Certificate button, nothing happens. Redirect URL errors are seen in Liferay logs, such as:...
SAML Admin - "Metadata XML is null" error
legacy Troubleshooting
Issue When attempting to create a new Identity Provider under SAML Admin, having entered the required information, when ‘Save’ is clicked the UI displays: "Error: Please enter a valid identity provider entity ID."...
Disabling jQuery in Control Panel
legacy How To
Issue I've found vulnerabilities in our current jQuery version. Since I can't find jQuery used anywhere, I would like to disable it. Environment Liferay DXP 7.2 Resolution Go to Control Panel --> System Settings -->...
Blank screen is seen after password reset
legacy Troubleshooting
Issue A blank screen (with url http://localhost:8080/c) is seen after user password is reset. The expected behavior after password reset is for users to A) be successfully redirected to Liferay home page and B) remain...
InvalidNameIDPolicy errors
legacy Troubleshooting
Issue The following error occurs while configuring Liferay as SP and ADFS as Idp. At Liferay
Signed SAML response
legacy How To
Issue How can the signed response, which is required by ADFS to complete authentication at the Liferay end, be clarified? Environment Liferay DXP 7.0 Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Resolution...
Impact of Spring4Shell and Spring Cloud Security Advisory on other libraries related to Spring
legacy
Issue There previously was a Security Advisory regarding a vulnerability for the Spring4Shell and Spring Cloud libraries. These vulnerabilities are detailed in this article here:  Spring4Shell and Spring Cloud Security...
Plain text can still be seen despite SSL
legacy
Issue Even if SSL (or TLS) is enabled, the login credentials are in plain text while intercepting requests with Burp Suite. Environment Liferay DXP 7.3 Resolution If a user utilizes the burp suite as a proxy, they...
Error "Invalid domain for site key" when using reCAPTCHA
legacy Troubleshooting
Issue When using Google's reCAPTCHA, the CAPTCHA option won't show, instead the message "Invalid domain for site key" is displayed where the CAPTCHA should be. Environment Any Liferay DXP version with...
After changing the password, site members are not redirected to a page where they don't have the guest view permission
legacy Troubleshooting
Issue After changing the password, site members are not redirected to a page Steps to reproduce: 1) Start the server, login as Admin 2) Create a new page e.g. /testpage and remove the VIEW permission for the Guest...
Is there a REST API method to revoke the OAuth2 tokens?
legacy How To
Issue We want to provide a public REST API method to revoke the OAuth2 tokens following the RFC 7009 specification https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 Does Liferay provide this functionality?...