Vishal Kumar
Security Guidelines
31 December 2012 5:43
Rank: Regular Member
Posts: 197
Join Date: 11 December 2012

Hi,
What sort of security guidelines are Liferay CE and EE following?
And how can a developer achieve this?
Hitoshi Ozawa
RE: Security Guidelines
31 December 2012 5:46
Rank: Liferay Legend
Posts: 7949
Join Date: 23 March 2010

There really isn't any good design/development guideline. You'll have to create it yourself as I have. The last time I asked, they only showed me a coding style guideline.
Sandeep Nair
RE: Security Guidelines
31 December 2012 22:20
Rank: Liferay Legend
Posts: 1693
Join Date: 5 November 2008

This is a difficult one. I have noticed the following:

1) If you are using Liferay tags for form fields and display, then they do an HTML escape, which should prevent XSS.
2) I guess from Liferay 6, by default every request sends a token to validate the request being made, so that no one can copy-paste the URL from the browser and make something work.
3) They can claim that since they are using Hibernate, SQL injection is not easily possible, though maybe this will not always be true.

In my previous firm, we used OWASP security guidelines in Liferay to prevent possible security attacks.
This we mainly achieved at the server side using Filters and request/response wrappers to check request attributes/parameters for HTML tags or SQL statements.
Other things we handled were cookie tampering, handling exceptions properly so that the end user doesn't see the complete stack trace, etc.

Regards,
Sandeep Nair
Vishal Kumar
RE: Security Guidelines
1 January 2013 6:34
Rank: Regular Member
Posts: 197
Join Date: 11 December 2012

Thanks, everybody.
If Liferay is following OWASP guidelines, then how can I achieve this?
Will it be achieved automatically?
Sandeep Nair
RE: Security Guidelines
2 January 2013 1:11
Rank: Liferay Legend
Posts: 1693
Join Date: 5 November 2008

Hi Vishal,

I did not say Liferay follows OWASP guidelines... I said in my previous firm we followed OWASP guidelines to make our site secure. You can get more information about what to do in Java so that your code is OWASP compliant from this link... https://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#J2EE_Security_for_Developers
Vishal Kumar
RE: Security Guidelines
2 January 2013 1:36
Rank: Regular Member
Posts: 197
Join Date: 11 December 2012

Sandeep Nair:
Hi Vishal,

I did not say Liferay follows OWASP guidelines... I said in my previous firm we followed OWASP guidelines to make our site secure. You can get more information about what to do in Java so that your code is OWASP compliant from this link... https://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#J2EE_Security_for_Developers


Hi Sandeep,
thanks for the quick reply.
I know Liferay EE is following OWASP guidelines (http://www.liferay.com/products/liferay-portal/ee/overview), but I
don't know how to achieve this, or whether it will be achieved automatically by only using the Liferay EE edition.

Regards
Vishal Kumar
Hitoshi Ozawa
RE: Security Guidelines
6 January 2013 15:18
Rank: Liferay Legend
Posts: 7949
Join Date: 23 March 2010

For browser-level security, Liferay Portal EE implements the Top 10 recommended best practices published by the OWASP organization.


Liferay is only trying to implement the top 10 recommendations. It's trying because Liferay still does provide security patches, because some security flaws are still found.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Just using Liferay EE and developing your portlet will not make your portlet secure.
If you are a developer, you should be able to understand what the OWASP page means. If you can't, you should first study Java.

FYI, Liferay has the HtmlUtil utility class to handle browser-level security issues.
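Where the filter approach earlier in the thread escapes input on the way in, the HtmlUtil class Hitoshi points to is used on the way out, at render time, and it matters that the encoding matches the context the value lands in. The portlet below is an added example, not code from the thread or from Liferay's own code base; it assumes the Liferay 6.x HtmlUtil methods escape, escapeAttribute and escapeJS and ParamUtil.getString, and the portlet class name and the "name" parameter are hypothetical.

```java
// Added example (hypothetical portlet): the same untrusted "name" parameter is written
// into three different output contexts, each with the Liferay 6.x HtmlUtil encoder for
// that context. Using only escape() for all three would leave the attribute and script
// contexts incorrectly encoded.
import java.io.IOException;
import java.io.PrintWriter;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import com.liferay.portal.kernel.util.HtmlUtil;
import com.liferay.portal.kernel.util.ParamUtil;

public class GreetingPortlet extends GenericPortlet {

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        // User-controlled value; defaults to "guest" when the parameter is absent.
        String name = ParamUtil.getString(request, "name", "guest");
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.print(render(name, response.getNamespace()));
    }

    /** Builds the HTML fragment; every use of the untrusted value is encoded for its own context. */
    static String render(String name, String namespace) {
        StringBuilder sb = new StringBuilder();

        // 1. HTML text context: escape < > & " ' so the value cannot open a tag.
        sb.append("<p>Hello, ").append(HtmlUtil.escape(name)).append("</p>\n");

        // 2. HTML attribute context: the value sits inside a quoted attribute.
        sb.append("<input type=\"text\" name=\"").append(namespace).append("name\" value=\"")
          .append(HtmlUtil.escapeAttribute(name)).append("\" />\n");

        // 3. JavaScript string-literal context: quotes and line breaks must be escaped
        //    for JS, not HTML, or the value can terminate the string and the script.
        sb.append("<script>var visitor = '").append(HtmlUtil.escapeJS(name)).append("';</script>\n");

        return sb.toString();
    }
}
```

The Liferay tag libraries Sandeep mentions do this escaping for the fields they render; the encoder calls above are what a developer needs when writing raw output in a portlet or JSP, which is the part that "just using Liferay EE" does not cover.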
Vishal Kumar
RE: Security Guidelines
7 January 2013 21:28
Rank: Regular Member
Posts: 197
Join Date: 11 December 2012

Thanks "Hitoshi", Thanks a lot.