Search Results

All Results 437
Resource Type
Applicable Versions
Deployment Approach
Capability
Feature
SAML Logout Issues: Multiple Login Entries and Optimistic Locking Exceptions
legacy Troubleshooting
Issue When a user logs out after authenticating via SAML, multiple login entries might be recorded in the audit logs. This can lead to HibernateOptimisticLockingException errors, particularly during...
In SAML setup user is not getting login in the SP and receiving warning on the UI
legacy Troubleshooting
Issue After setting up the SAML process, the user tries to log in receiving the warning below and not being logged in. Environment Liferay 2023.Q4.0 Resolution If users are setting up an identity provider as...
SAML Authentication Error: "This message decoder only supports the HTTP POST method
legacy Troubleshooting
Issue The following SAML errors appear in the Liferay logs: ERROR [http-nio-8080-exec-5][BaseSamlStrutsAction:53] org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the...
Unexpected SAML calls: com.liferay.saml.internal.servlet.filter.SpSessionTerminationSamlPortalFilter.doProcessFilter
legacy Troubleshooting
Issue When navigating through the portal with SAML disabled, there are a few SAML-related filters that are still being processed, leading to database calls and causing slower performance. at...
CORS request is failing
legacy Troubleshooting
Issue If the user allows any origin (Access-Control-Allow-Origin: *) to access the resource, the CORS request fails. Steps to reproduce: 1. Start Liferay DXP 7.4 U90 2. Navigate to Control Panel > Instance...
LIFERAY.HEADLESS.DELIVERY scope missing or delayed in OAuth 2 applications
legacy Troubleshooting
Issue The LIFERAY.HEADLESS.DELIVERY scope is missing or delayed in appearing when creating or managing OAuth 2 applications. The issue can occur intermittently, with the scope sometimes appearing after a delay of...
Is it possible to offer both SAML and OIDC as SSO options?
legacy How To
Issue Both SAML and OpenID Connect(OIDC) can be configured on the same Liferay instance. However, the option to authenticate using OIDC is missing whenever SAML is enabled. Is it possible for a user to select either SSO...
Audit Events filtered by date/time are not being exported accurately
legacy Troubleshooting
Issue When using using the Audit Export Feature, filters for date and time are not applied accurately in the resulting CSV file. The exported file may not include entries explicitly requested by the filter. For...
I want to skip OpenID Connect provider selector at sign in if there is only one provider
legacy Troubleshooting
Issue We want to bypass the client selection screen because there is only one OpenID Client to choose.   Environment Quarterly Releases   Resolution There is a Feature Request opened for this which is currently under...
Vulnerabilities for spring-web and spring-core
legacy
Issue Vulnerabilities remain unresolved in spring-web and spring-core, even after a fix was applied to spring-context. For spring-web: Vulnerable component: org.springframework:spring-web:5.3.39 For spring-core:...
Is Session Prediction Possible in Liferay
legacy
Issue Is it possible an attacker could predict the JSESSIONID and gain unauthorized access, referencing an example from a 'Session Prediction' article? Explanation of Issue Using the "Catalog" Page in Postman: If a...
Enabling both Liferay's default login and SAML login so that users can use either option
legacy How To
Issue I would like to configure and enable SAML login while also having Liferay's default login available to users so that they can have two options for logging in. Environment DXP 7.4+ Quarterly Release Resolution...
Resolving 401 Errors When Using Authorization Bearer Tokens in RestBuilder APIs
legacy Troubleshooting
Issue When making calls to a REST API service created with RestBuilder that includes the Authorization Bearer token header, the responses often return a 401 Unauthorized status. However, when the same service is...
Is Liferay Vulnerable to CVE-2023-45960?
legacy
Issue I would like to know if Liferay is vulnerable to CVE-2023-45960?  Is Liferay affected by CVE-2023-45960? Environment Quarterly Release 2024.Q1.7 Resolution The NIST listing for CVE-2023-45960 has been withdrawn and...
Enabling real-time antivirus scanning without asynchronous background scans
legacy How To
Issue We would like to enable real-time antivirus scanning for uploaded files but disable asynchronous background scanning of the document library. The issue arises because: Enabling...
High CPU and memory use with stacktraces associated to password encryption
legacy Troubleshooting
Issue The environment starts using a large amount of CPU and also memory. Reviewing thread dumps taking during that time, there are many threads associated to PBKDF2PasswordEncryptor.encrypt, such as:...
Embedding videos using basic web content
legacy Troubleshooting
Issue When we try to embed a video using <iframe> tags, during the creation the video displays, however after publishing the content and editing it again, the video is not displayed anymore and the source is updated...
Unable to get OpenID Connect's link to work after upgrading to a Quarterly Release
legacy Troubleshooting
Issue After upgrading to Quarterly Release 2023.Q3.4 from DXP 7.3, we've found that OpenID Connect is no longer working. The button is no longer populating within the UI even after enabling it using this article:...
Liferay Throws java.lang.ClassCastException: class org.apache.xerces.parsers on Login
legacy Troubleshooting
Issue Liferay throws a ClassCastException after upgrading, the upgrade logs show no errors.  Liferay throws an error after non-graceful shutdown ERROR [http-nio-8080-exec-8][AutoLoginFilter:247] Current URL...
SCIM API is not working as expected to link existing users to SCIM Client
legacy
Issue I'm unable to use the PUT API to update users as linked to the SCIM Client. I'm not able to add new users and then update them using the PUT API linking them to the SCIM client. Environment 2024.Q1+ Resolution...
Is Liferay DXP affected by CVE-2024-38286?
legacy Troubleshooting
Issue Is Liferay DXP affected by CVE-2024-38286? CVE-2024-38286 is an Apache Tomcat vulnerability wherein Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by...
Password for LDAP and Liferay users should not expire
legacy Troubleshooting
Issue After integrating Liferay with the LDAP server for users, the passwords for the users are expiring after some time and are required to be reset again. Is there any way for the passwords to never...
Multi-Factor Authentication via SMS
legacy
Issue We want to set up MFA via SMS without using any external Apps. Is this possible with Liferay out-of-the-box? Environment Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4 Resolution MFA by SMS is not...
CVE-2022-22950
legacy Troubleshooting
Issue We would like to determine whether Liferay is vulnerable to CVE-2022-22950. The CVE claims that in Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a...
[T003] Open redirect in /c/document_library/find_folder with DNS rebinding vulnerability
legacy Troubleshooting
Issue Medium threat found during the performance testing: [T003] Open redirect in /c/document_library/find_folder with DNS rebinding Environment Liferay Quarterly release Resolution The reported concern has been...
Enabling SSO for our Liferay Console prevents logging in with email and password
legacy
Issue After enabling SSO for our Liferay Console, we are no longer able to log in with email and password.  Environment DXP 7.4 Resolution This is expected behavior, as per the Official documentation for SSO: "The first...
CVE-2023-52428
legacy Troubleshooting
Issue We would like to determine whether Liferay is vulnerable to CVE-2023-52428. Environment DXP 7.4, 2023.Q4 Resolution Contact Customer Support to request a hotfix containing LPE-18064. Additional Information...
Vulnerability: Robots.txt file must not be accessed and should be blocked
legacy Troubleshooting
Issue Encountered a vulnerability issue with the robots.txt file and the vulnerability test suggests preventing the robots.txt file from being accessed. Environment Liferay DXP 7.3 Liferay DXP 7.4...
GitHub Token Leak Exposure
legacy
Issue GitHub Personal Access Token has been leaked in a public Docker container hosted on Docker Hub. Some of the malicious packages like testbrojct2, proxyfullscraper, proxyalhttp and proxyfullscrapers work...
HTTP Strict-Transport-Security Header in Liferay
legacy
Issue Is HTTP Strict-Transport-Security Header enabled in Liferay? Environment Liferay DXP 7.4 Resolution Liferay enables HTTP security headers such as 'http.header.secure.x.content.type.options',...
Unable to Cancel Shutdown Event
legacy Troubleshooting
Issue After scheduling a shutdown event, and trying to cancel it, you see an error: "Error:Text verification failed."   When trying to cancel a shutdown event, I'm prompted to input a CAPTCHA, but there is...
A simple example and key factors to check when testing custom OAuth 2.0 applications
legacy How To
Issue You have created an OAuth 2.0 application and would like to set up the minimum configuration to be able to test it. This article provides a simple example that could be adapted to your needs....
OpenID Connect Client Secret field must be filled
legacy Troubleshooting
Issue I configured an OpenID Connect Provider Connection. When I try to login using the OpenID  Connect Client Name, I get an internal server error. In logs, a java exception is thrown: WARN [http...
Residual risk after limiting the usage of unsafe-eval and unsafe-inline
legacy
Issue Can the derivatives unsafe-eval and unsafe-inline be exploited? If yes, how it is done? What is the residual risk associated with this? Can Content Security Policy (CSP) be resolved by adding a reverse...
Remove extend_session for Guest users
legacy
Issue Guest users should not be able to see the extend_session message in the browser once the session has expired. Environment Liferay DXP [7.1-7.4, Quarterly Releases] Resolution Post observing the time...
Access revoked after task assignment to another user
legacy How To
Issue Once the user assigns the task to another user, then the previous user loses access to that task and is unable to see that in the 'Assigned to my roles' tab of 'My workflow Tasks'. Steps to reproduce: 1....
CVE-2013-3587- enable of HTTP compression
legacy Troubleshooting
Issue Security vulnerability CVE-2013-3587 details a breach attack that is possible with the enable of HTTP compression and Deflate. Steps to see the behvaior: Navigate to any of the pages on the Liferay server....
Provide other permissions to Guest user beside just view permission
legacy
Issue Can users give permission to the guest users to use the headless API to create, update, delete, etc. for documents & media, besides just the VIEW permission? Environment Liferay DXP 7.4 Resolution These...
Can you add a theme or fragments to action pages?
legacy Troubleshooting
Issue How do I add fragments to action pages like /c/portal/update_password and /c/portal/update_reminder_query? Our theme reverts on utility/action pages /c/ When a user is taken to the...
Polyfill.io Vulnerability: Is Liferay affected?
legacy
Issue An attribute polyfill:true is observed in the source code of the website. Does it have anything to do with the domain 'https://polyfill.io'? Is Liferay affected by the Polyfill.js vulnerability? ...