Secure Deployment

The following are best practices that should be used when deploying Liferay to production.

Upgrade Liferay Portal #

Upgrade to the latest available version of Liferay Portal. Each release contains the latest security fixes and improvements.

Security Patches #

Deploy all available security patches. Security patches are published by the Community Security Team for the latest version of Liferay Portal.

For EE users, security patches are available in the Downloads section of the Customer Portal.

AntiSamy #

Deploy the AntiSamy hook. The AntiSamy hook filters user-submitted content (usually HTML or JavaScript) so that it does not contain malicious JavaScript code or inappropriate words.

XSL Portlet #

Do not give untrusted users permission to add the XSL Portlet to a page (alternatively, disable the portlet altogether). Due to the nature of XSL transformation, a stylesheet can be used to access the underlying system.

portal-ext.properties #

  • Set "json.web.service.enabled" to "false" if you are not using JSON web services.
  • Set "omniadmin.users" so that users with the Administrator role do not automatically have the Omniadmin role. Omniadmin users have access to the portal's core functionality (gc, shutdown, etc.).
  • Do not set "redirect.url.domains.allowed" and "redirect.url.ips.allowed" to blank. Setting these properties to blank allows a phisher to redirect users to a different site.
  • Do not set "session.enable.phishing.protection" to "false".
  • Do not set "session.store.password" to "true"; doing so makes passwords visible in heap dumps.
  • Set "request.header.auth.import.from.ldap" to "true" only if you have a proper identity management (IDM) system that removes the header from client requests.
  • Setting "ldap.import.user.password.enabled" to "false" and "ldap.auth.required" to "false" gives users access without a password.
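As an added example (not part of this page or of Liferay's own code), a small Python audit that parses a portal-ext.properties fragment and flags the settings this list warns about. The sample file content is constructed, and keys not present in the file inherit portal.properties defaults that the script does not inspect.

```python
import re

SAMPLE = """\
# constructed portal-ext.properties (not a real deployment)
json.web.service.enabled=true
redirect.url.domains.allowed=
redirect.url.ips.allowed=
session.enable.phishing.protection=false
session.store.password = true
ldap.import.user.password.enabled=false
ldap.auth.required=false
"""

def parse_properties(text):
    """Minimal .properties parser: 'key=value', 'key:value' or 'key value'; '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(props):
    """Return (property, reason) findings for the weak settings listed above.
    Keys absent from the file inherit portal.properties defaults; check those separately."""
    val = lambda key: props.get(key, "").strip().lower()
    findings = []
    if "omniadmin.users" not in props:
        findings.append(("omniadmin.users", "not set: Administrator-role users are automatically Omniadmin"))
    for key in ("redirect.url.domains.allowed", "redirect.url.ips.allowed"):
        if key in props and props[key] == "":
            findings.append((key, "blank: allows redirecting users to an arbitrary site"))
    if val("session.enable.phishing.protection") == "false":
        findings.append(("session.enable.phishing.protection", "disabled"))
    if val("session.store.password") == "true":
        findings.append(("session.store.password", "passwords retained in session; visible in heap dumps"))
    if val("request.header.auth.import.from.ldap") == "true":
        findings.append(("request.header.auth.import.from.ldap", "enabled: confirm an IDM strips the header from client requests"))
    if val("ldap.import.user.password.enabled") == "false" and val("ldap.auth.required") == "false":
        findings.append(("ldap.auth.required", "password import off and LDAP auth not required: login without password"))
    if val("json.web.service.enabled") == "true":
        findings.append(("json.web.service.enabled", "enabled: set to false unless JSON web services are used"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(parse_properties(SAMPLE)):
        print(f"{key}: {reason}")
```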