Forums

Home » Liferay Portal » English » 3. Development

Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Security Issue : Liferay Name and Version in Response Header Manish Kumar Jaiswal March 3, 2011 10:17 PM
RE: Security Issue : Liferay Name and Version in Response Header Shagul Khajamohideen March 4, 2011 8:34 AM
RE: Security Issue : Liferay Name and Version in Response Header David H Nebinger March 4, 2011 8:51 AM
RE: Security Issue : Liferay Name and Version in Response Header David H Nebinger March 10, 2011 11:22 AM
RE: Security Issue : Liferay Name and Version in Response Header Manish Kumar Jaiswal March 11, 2011 4:45 AM
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta January 19, 2013 12:08 AM
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus January 19, 2013 2:45 AM
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta January 19, 2013 3:02 AM
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus January 19, 2013 3:18 AM
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta January 19, 2013 3:22 AM
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus January 19, 2013 11:47 AM
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta January 20, 2013 8:54 AM
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus January 20, 2013 12:28 PM
RE: Security Issue : Liferay Name and Version in Response Header Hitoshi Ozawa January 20, 2013 1:03 PM
RE: Security Issue : Liferay Name and Version in Response Header satyam kaushik November 1, 2013 3:59 AM
Manish Kumar Jaiswal
Security Issue : Liferay Name and Version in Response Header
March 3, 2011 10:17 PM
Answer

Manish Kumar Jaiswal

Rank: Regular Member

Posts: 133

Join Date: November 25, 2008

Recent Posts

Liferay Leaks out the in its Resonse headers its Name and Version . How Can I restrict it , What Exact modification will make it hide (I hope something into Tomcat ...mine is Liferay 6.0.5 + tomcat-6.0.26)...?
Shagul Khajamohideen
RE: Security Issue : Liferay Name and Version in Response Header
March 4, 2011 8:34 AM
Answer

Shagul Khajamohideen

Rank: Liferay Master

Posts: 759

Join Date: September 27, 2007

Recent Posts

Manish Kumar Jaiswal:
Liferay Leaks out the in its Resonse headers its Name and Version . How Can I restrict it , What Exact modification will make it hide (I hope something into Tomcat ...mine is Liferay 6.0.5 + tomcat-6.0.26)...?



I think the response headers are intentional and not a mistake. I do not see any configurations to change the behavior.

If there is no configurable way to do that, I see two options
1) Customize/extend the code behind that to no set those response headers
2) Use some kind of modify header options in apache or any web server (based on what they support) to remove those headers.

http://httpd.apache.org/docs/2.0/mod/mod_headers.html
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
March 4, 2011 8:51 AM
Answer

David H Nebinger

Community Moderator

Rank: Liferay Legend

Posts: 9441

Join Date: September 1, 2006

Recent Posts

Sure they're intentional (as they are purposely returning it), but I can't see what value it would have.

It is strange that www.liferay.com returns the header:

1Liferay-Portal:Liferay Portal Enterprise Edition 5.2 EE SP6 (Augustine / Build 5210 / February 14, 2011)


With 6.0 out for awhile now, you'd think they would push their own folks to use the latest release.

It begs the question, what is so wrong with 6.0 that you need to stay on 5.2? If you're staying on 5.2, then perhaps we should too...
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
March 10, 2011 11:22 AM
Answer

David H Nebinger

Community Moderator

Rank: Liferay Legend

Posts: 9441

Join Date: September 1, 2006

Recent Posts

I've just submitted a patch in LPS-2748 for the 6.0.6 CE edition that adds a new boolean property, response.header.liferay.version, defaults to true but controls the addition of the header. This would allow for it to overridden in portal-ext.properties to disable the header addition.

I think it cannot be done as an extension plugin since it is a change to the portal's MainServlet class (and other key classes) and would probably need to be applied directly to the 6.0.6 code base and built manually...

Boy, I sure miss the extension environment (where such a change would have been a breeze to incorporate).
Manish Kumar Jaiswal
RE: Security Issue : Liferay Name and Version in Response Header
March 11, 2011 4:45 AM
Answer

Manish Kumar Jaiswal

Rank: Regular Member

Posts: 133

Join Date: November 25, 2008

Recent Posts

Nice David !!!!!!!!!!!!
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 12:08 AM
Answer

Amit Kumar Gupta

Rank: New Member

Posts: 24

Join Date: November 25, 2010

Recent Posts

Manish Kumar Jaiswal:
Nice David !!!!!!!!!!!!



Dear .Manish Kumar Jaiswal

How are you?

We have also hide the liferay verion from our portal.
How can we achieve?

i have set response.header.liferay.version=false in portal-ext.properties but it is not working....


its urgent.....
mail me solution
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 2:45 AM
Answer

Jelmer Kuperus

Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

Recent Posts

The property that was added is not response.header.liferay.version but this one :

#
# Set the level of verbosity to use for the Liferay-Portal field in the HTTP
# header response. Valid values are "full", which gives all of the version
# information (e.g. Liferay Portal Community Edition 6.1.0 CE etc.) or
# "partial", which gives only the name portion (e.g. Liferay Portal
# Community Edition).
#
http.header.version.verbosity=full


What does not seem to be documented is that you can change this setting for the community edition to

http.header.version.verbosity=Liferay Portal Community Edition


or for the enterprise edition to (probably)

http.header.version.verbosity=Liferay Portal Enterprise Edition


To get rid of the header completely
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 3:02 AM
Answer

Amit Kumar Gupta

Rank: New Member

Posts: 24

Join Date: November 25, 2010

Recent Posts

I have tried below
http.header.version.verbosity=Liferay Portal Community Edition
and
http.header.version.verbosity=partial
one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.

Plz help me
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 3:18 AM
Answer

Jelmer Kuperus

Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

Recent Posts

what version of liferay are you using ?
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 3:22 AM
Answer

Amit Kumar Gupta

Rank: New Member

Posts: 24

Join Date: November 25, 2010

Recent Posts

Liferay CE 6.0.6
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 11:47 AM
Answer

Jelmer Kuperus

Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

Recent Posts

That property is only supported on

liferay ce >= 6.1.0
liferay ee >= 6.0.12

You could (if you are not already doing this) run apache httpd in front of Liferay (using mod_proxy or mod_jk)
You can then use mod_rewrite to remove this header eg :

RequestHeader unset Liferay-Portal
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
January 20, 2013 8:54 AM
Answer

Amit Kumar Gupta

Rank: New Member

Posts: 24

Join Date: November 25, 2010

Recent Posts

Thanks for Reply

Can you please suggest me the exact Apache configuration of mod_rewrite?

In fact we are using Apache as front server (and liferay CE 6.0.6 behind it).
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
January 20, 2013 12:28 PM
Answer

Jelmer Kuperus

Rank: Liferay Legend

Posts: 1192

Join Date: March 10, 2010

Recent Posts

sure, would you like me to hold your hand while you type it in too?
Hitoshi Ozawa
RE: Security Issue : Liferay Name and Version in Response Header
January 20, 2013 1:03 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7949

Join Date: March 23, 2010

Recent Posts

one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.


This won't help you solve your problem on hand but the file name should be "portal-ext.properties".


BTW, I'm willing to help. Where can I send you my bills?
satyam kaushik
RE: Security Issue : Liferay Name and Version in Response Header
November 1, 2013 3:59 AM
Answer

satyam kaushik

Rank: New Member

Posts: 4

Join Date: June 1, 2013

Recent Posts

Is it possible to display blank or remove the Liferay-Portal header in the request header.I already use partial and it works fine.But I don't want to display server information at all in the request header.

My another doubt is when I tried to call setHeader(" Liferay-Portal"," ") on the reference of HttpServletResponse but it didn't work.Why?