The Learning Curve, Chapter 5 - Community Resources

Company Blogs 2014/11/23 投稿者 Olaf Kock Staff

Are you new to Liferay? Found Liferay and want to know what it can do for you? Or are you with Liferay and still remember the time when you were new and unexperienced? Where did you come from and what was the biggest problem you faced? Can you ever learn enough? And how do you keep up with the current trends and new features?

A platform as big as Liferay spans several technologies and areas of best practices that are beneficial to know of. Nobody can know everything - there's always a learning curve. At the beginning, it's quite steep. Some argue that it's flattening the more you know. Some argue that it gets steeper: The more you know, the more you know what you don't know.

This is chapter 5 in a series of blog articles. See below this article for links to the other chapters.

Top 10 resources, lazy linking

Back in August, when I published chapter 4 of this series, I announced chapter 5 to be about Community Resources. In the meantime (actually, also quite a while ago), James has done a great job putting exactly this together, so I won't repeat him, just point you to his article Top 10 ways to keep up with the Liferay Community. Follow all his links and suggestions, then come back here.

11: But wait, there's more

One more resource though, which has been released (in beta) since James wrote his article: Our new documentation home on dev.liferay.com went live and you can find a lot of relevant information there. This site is meant to replace most of the documentation that you currently find on www.liferay.com - most specifically the Wiki, which got a bit outdated.

Note that you can see a lot of "Edit on github" links on dev.liferay.com: You can contribute and send pull requests without ever installing git or understanding the details of distributed version systems. Just click the link, edit and send in your suggestions.

12: Meet & Greet

Another additional item, directly from the current symposium season: Meeting the community is awesome. I've been lucky to have the opportunity to ruin my voice in several locations around the world (it's typically been really noisy) and all the conversations were extremely inspiring. I've learnt a lot, got lots of ideas and met interesting people - and I got the same feedback from many others. As I've said multiple times, I'm quite lucky to be able to say that events like those are actually work. From personal experience I can tell you that it's even more awesome once you made yourself known to the community, e.g. in the forums or here in the blogs. Having some reputation (and a recognizable portrait photo) and being recognized for your contributions over the time is an even better conversation starter than distributing free drink vouchers ;)

I tell you that to tell you this: Don't miss next year's event season. It's a great way to get and share ideas, knowledge, experience and feedback.

That's it?

Of course not. You'll find several personal blogs, Google+ and other resources about Liferay. Typically linked from all over, so it shouldn't be too hard to find them.

Learning is a personal experience. We have resources for the reader, the listener, the in-person-education-learner and the watcher. Some even in multiple flavors. Whatever your preferred way of learning is, you'll be able to find it. Whatever way you want to do to gain reputation or increase your knowledge: Do it. Whatever I've been missing: Add pointers in the comments. I might continue or update the series in future - for now I'll put it on hold.

And thanks again for all the inspiring conversations during the many events this year. Keep it up.

Radio Liferay Episode 41: The 37000ft overview of staging with Máté Thurzó

Company Blogs 2014/11/17 投稿者 Olaf Kock Staff

  Another first: This week's guest Máté Thurzó presents a brief 37000ft overview over Staging. Yes, this is literally 37000ft - we both were lucky to be invited to the North America Symposium 2014 and had the same flight back. Yes, this episode has been recorded 11277m over the atlantic ocean on the flight from Boston to Frankfurt, and it's also a first time that you see me use imperial units voluntarily.

We talked about

  • The problem that staging solves
    • "Workflow" for a whole site
  • What's new in staging in Liferay 6.2?
  • Staging in custom portlets
  • How LAR import/export relates to staging
  • Local vs. Remote Staging
  • The new staging UI: Visible Progress, Background processing
  • Performance rule of thumbs: "it depends" - I don't give the numbers here. Listen to the conversation to find out what it depends on.
  • Staging through multiple stages
  • The future of staging (in 7.0, available in the current milestone)
  • The effect of customer feedback on the future of staging. Hopefully you gave your feedback at Devcon, where Máté was attending to get more feedback. This episode should have been out by then; sorry, postprocessing took a while longer than anticipated.

Follow @RadioLiferay, @matethurzo and @olafk on twitter

Again, shoutout and big thank you to Auphonic for postproduction help. This time I really made them work. If you want to compare the result to the actual recording - let me know and you'll get a snippet of the raw file which they de-noised!

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to  http://feeds.feedburner.com/RadioLiferay. You can also subscribe on itunes.: Just search for "Radio Liferay" or just "Liferay" in the podcast directory. If you like this, make sure to write a review for the podcast directory of your choice - or leave your feedback on www.liferay.com/radio.

Or just download the MP3 here:

download audio file

Securing Liferay Chapter 4: More lockdown

Company Blogs 2014/11/13 投稿者 Olaf Kock Staff

You probably know the basic installation instructions for Liferay Bundles: „unzip and run startup.sh“ - with this you get to a working Liferay installation in a minute. It will run with all defaults - which might not be what you want in production.

This is part 4 of a series. Start with part 1 for "Introduction, Basics and Operating System Level", continue with part 2, "Liferay's configuration", part 3, "Port issues and http/https" and come back here. You might also want to check if more chapters are already available.

What to have in production

Browsing around the web, I see recommendations for tomcat's "manager" application all over. Yes, it's convenient. It also opens you up to attacks if that's available from the web. Whatever administrative UI you have installed on your production server, you might want to uninstall - or at least firewall to be available from specific networks only. This not only includes tomcat's manager (or related interfaces) but also phpmyadmin or whatever you use to maintain your database. I'd expect that this is not necessary to mention, but sadly it is.

If you rely on these components to be available, at least protect them with Apache (see chapter 3) and block access unless it's coming from trusted networks.

File access

In chapter 1 we set up Tomcat and changed the owner and permissions on the various files. You can extend this and look at the "soften" and "harden" options of the service starter script. As long as you don't expect any new deployments, it's good practice to have nothing but tomcat's temp, log and work directory writable by tomcat. Keep in mind that some of Liferay's "data" folder also needs to be writable, if you didn't change the locations of document library or lucene search index.

In addition, you might want to run your server within a java sandbox. For the server this will be really hard to achieve. As far as I know there's no policy file template that you could use as a starting point. However, there's help: You can run Liferay with a security manager, so that it runs plugins within a security manager. The plugins will have to be prepared for this, but you can mandate it for the applications that run on your server. See the Marketplace Developer Guides for more information on enabling security manager in plugins, called PACL.

Updates to tomcat

Patrick Wolf commented on chapter 1: Why not use your Linux distribution version of tomcat and install Liferay as a WAR archive on top of it? This will give you all updates to the appserver, while you have to maintain Liferay on your own. It will also solve logrotate issues, run as an unprivileged user by default etc. - And he's right. I've documented how to use the bundle just because it looks like everybody is using it and thought that these instructions are understood as "relevant" for this situation. The proper way to do it is what he suggests. You'll get your distribution's updates to tomcat with this. And as a side effect, Logrotation typically has also been implemented. Keeping your filesystems from overflowing is somewhat security related.

For EE customers, there's also an option to get a supported version of Tomcat. For users of other application servers: Keep an eye on your product. As this is outside of Liferay, we kindly ask you to keep overview over your platform yourself.

The installation of a WAR distribution of Liferay is well documented in the User's Guide (here for tomcat)

Updates to Liferay

if you're on Liferay EE, Liferay Cloud Services has some nice UI to keep you informed about updates that you can install. This way you're not missing out on any available fix - general improvement or security issue. Administering a web application should always mandate to keep it up to date. On EE you will get security advisories automatically. On CE you should subscribe to the Community Security Updates.

SSO & LDAP

You might wonder why I'm listing SSO under security, not under general installation tipps. Well, there's one really neat aspect on a system composed from SSO, LDAP and Liferay: The user's passwords are never known by Liferay, thus they can't get lost in case any appserver or Liferay security issue would allow access to the underlying hash values.

Network and beyond-scope

I think IDS (Intrusion Detection Systems) and similar firewalls are out of scope for this blog series. You'll know if you need them - and then it's typically not because of Liferay but because of your overall security policy. I'll not cover all aspects of your security - still: pay attention to who has physical access to your server

Future Plans

Will there be more? The more input I get, the more I can add and update this series. Security isn't a state, it's a process. Potentially there's no limit to how long this can go. Watch out for future Radio Liferay episodes on DevOps and other related topics.

Securing Liferay Chapter 3: Port issues and HTTP/HTTPS

Company Blogs 2014/11/07 投稿者 Olaf Kock Staff

You probably know the basic installation instructions for Liferay Bundles: „unzip and run startup.sh“ - with this you get to a working Liferay installation in a minute. It will run with all defaults - which might not be what you want in production.

This is part 3 of a series. Start with part 1 for "Introduction, Basics and Operating System Level", continue with part 2, "Liferay's configuration" and come back here. You might also want to check if more chapters are already available.

8080? I want 80!

In Chapter 1 we kept tomcat running on port 8080 and I promised that this will be mitigated later. Now is the time. Apart from port 80 we'll also cover port 443 for https access, but let's go step by step:

In order to bind to a port below 1024, an application on Unix must run as root or gain those privileges in some other way. I've already commented that this is a very bad idea for a process that is connected to the internet. In case there's any security issue that can be exploited remotely, you're toast as it's trivial to gain root access on your computer.

For this reason (and some others) I like to run a proper webserver in front of tomcat. Let's take Apache httpd for this chapter. Substitute with the one you are most familiar with. I'll abbreviate it as "Apache" for the rest of this chapter.

Apache drops the root permissions after binding to ports 80 and 443, so effectively it will not run as root. This is a trick that is easy if you run native on the operating system, but hard for a JVM process. Win: We're answering requests on port 80 without running as root. Fail: Now Apache serves our content, not tomcat - they'll need to be connected. Several options are available for this purpose

HTTP vs AJP

Apache offers mod_proxy and mod_jk (among others). They differ in the protocol that is spoken between it and tomcat. mod_proxy (to be exact: mod_proxy_http) communicates through http, while mod_jk (also to be complete: and mod_proxy_ajp) communicate with a binary protocol, named AJP.

I'm a big proponent of AJP, as it covers all of the default expectations that you have for this purpose. Assuming that you're using your distribution's Apache and you've installed mod_jk, here's what you do:

Configure some workers.properties that are pointing to your tomcat's AJP-connector. Where's that? Check your conf/server.xml file in tomcat. The default is port 8009. For the purpose of this documentation, I'm assuming that Apache is running on www.example.com, while tomcat is running on tomcat.example.com.

workers.properties:

for me, this file is /etc/apache2/workers.properties, as the next snippet refers to it.

ps=/ 
worker.list=tomcat1 
worker.tomcat1.port=8009 
worker.tomcat1.host=tomcat.example.com 
worker.tomcat1.type=ajp13 
worker.tomcat1.lbfactor=1

Now, how does this get into Apache?

You'll most likely have some VirtualHost configuration in Apache anyway for the server that you're building. Here's some pseudocode for general Apache configuration, as well as for the virtual hosts. On Ubuntu the next snippet might go into /etc/apache2/conf/liferay-settings.

ServerSignature Off
ServerTokens ProductOnly
TraceEnable Off
FileETag None
Options -Indexes
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel error
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories +ForwardURICompatUnparsed
NameVirtualHost your-ip-address:80
NameVirtualHost *:80
NameVirtualHost your-ip-address:443
NameVirtualHost *:443

and a snippet from /etc/apache2/sites-available/default

<VirtualHost _default_:80>
        ServerAdmin webmaster@example.com
        ServerName www.example.com
        DocumentRoot /srv/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        Options +MultiViews
        JkMount /* tomcat1
        JkMount /  tomcat1
	JkUnmount /static/*
</VirtualHost>

What does this do? Every request that gets to Apache's default virtual host will be forwarded to tomcat. The only exception is that requests to www.example.com/static/* will still be handled by Apache (see the JkUnmount line).

Achievement unlocked: We're answering on port 80 but still run as the unprivileged user that we've been used in chapter 1.

https anyone?

What about https? Well, not much to change. Configure Apache like you would for https anyway, add the same JkMount instructions to the virtual host. With AJP you're set: Tomcat/Liferay knows that you're communicating on https, knows the ports, host names etc.

I don't go too much into the setup of a proper https server - a lot of recommendations have changed with the issues that surfaced lately. Just so much: You might want to check your setup for the recent issues. ssllabs.com is one of the sites that offer free instant testing.

Keep your private key under tight control, get a certificate for your key, set up the virtual host and you're set: https is ready.

Should I force https?

If your site contains data (or uses passwords) that should be protected, and you offer https anyway, I believe that it's a good idea to force https on anybody. Won't this generate significant overhead on the webserver? Measure!

With the setup that we have so far, you could easily add a https-terminator into the game, or have https completely handled by your Apache. You'll need to figure out by yourself what fits your environment and load profile.

If you want to force https, just implement unconditional redirect on the VirtualHost for port 80 to the https VirtualHost, like this:

<VirtualHost _default_:80>
        ServerAdmin webmaster@example.com
        ServerName www.example.com
        DocumentRoot /srv/www/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

And if you know HSTS, you might want to add one line to your VirtualHost on port 443:

<VirtualHost _default_:443>
        ServerAdmin webmaster@example.com
        ServerName www.example.com
        SSLEngine On
        # further https options omitted
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        JkMount /* tomcat1
        JkMount /  tomcat1
	JkUnmount /static/*
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

Naturally, this requires the required modules to be installed: Header and Rewrite* are not in the Apache core, but readily available.

What about http/https mixed mode?

This is quite a popular question. Why not use http for users that are not logged in, but use https as soon as they log in. Until recently I publicly stated that This! Does! Not! Work!. The main reason is that you'll definitely miss some setup and, sooner or later, leak some data, cookie or other information.

HSTS app iconRecently I found a neat workaround that limits the amount of configuration errors. As soon as the next Internet Explorer is available and adopted, it might even be a viable option (all other browsers support it). You can conditionally enable HSTS just when a user logs in to Liferay. More information in the Liferay HSTS app that yours truly has published on marketplace. With this, the case for mixed mode turns a bit towards a mixed mode that I don't totally reject.

Check the description in the app for the options that it opens. Note that you'll still make your life easier with the single line I give above. But if you drive up the download numbers and give reviews for that plugin, that is very welcome ;)

Other options: mod_proxy_http

Another quite popular configuration is to communicate http to tomcat. This has some drawback, e.g. all requests to tomcat will originate on Apache, tomcat will have no idea where in the world they came from. Also, tomcat will believe that its hostname is tomcat.example.com - this is true, but in a properly firewalled network, this address will not be available from the outside. We'll need to hack this with a few more options:

If you prefer proxying through http, look up ProxyPreserveHost On, which will make the original hostname, www.example.com, available to tomcat. Also, you want to configure Liferay's portal-ext.properties to have the proper ports. Check this in the original portal.properties that you already read during the previous chapter:

#
# Set the HTTP and HTTPs ports when running the portal in a J2EE server that
# is sitting behind another web server like Apache. Set the values to -1 if
# the portal is not running behind another web server like Apache.
#
web.server.http.port=-1
web.server.https.port=-1

(you probably want to set these ports to 80 and 443)

All of this is not necessary with AJP - everything is readily communicated to tomcat.

https and mod_proxy_http

With mod_proxy_http you'll need more work to let tomcat know that you're communicating https. You'll typically terminate the https connection on Apache and just forward to tomcat through http. For this reason tomcat doesn't know about the encryption - it never sees any encrypted connection.

A neat hack that you can use here is: Introduce another HTTP connector on tomcat that you'll purely use for proxy requests from your https virtual host. Add the secure="true" attribute to let tomcat know that the original requests on this connector have been encrypted. The relevant part of your server.xml might look like this:

    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8" />

    <Connector executor="tomcatThreadPool"
               port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" URIEncoding="UTF-8"
               secure="true"/>

Now you only need to make sure that nobody but the encrypted VirtualHost on Apache does connect to 8081 and tomcat assumes that requests coming in on 8081 have indeed been encrypted - but doesn't need to handle any encryption itself.

Future chapters

...coming soon...

Remember: This is not the only - and not the complete - truth. Please add your experience (and disagreements) in the comments

Securing Liferay Chapter 2: Liferay's configuration

Company Blogs 2014/10/31 投稿者 Olaf Kock Staff

You probably know the basic installation instructions for Liferay Bundles: „unzip and run startup.sh“ - with this you get to a working Liferay installation in a minute. It will run with all defaults - which might not be what you want in production.

This is part 2 of a series. Start with part 1 for "Introduction, Basics and Operating System Level", then continue here and check if more chapters are already available.

What Configuration?

As we've covered the Operating System Basics and the appserver with Liferay is running as an unprivileged user, let's check Liferay's configuration. Some of Liferay's configuration is done on the UI layer and gets persisted to the database. As the UI options naturally are spread all over the administrative UI, let's put this to the side for now. There's another resource that provides quicker ROI:

portal.properties

First of all: As a motivated System Administrator, you should have access to portal.properties already. It's well packaged (so that you don't accidentally change it) in Liferay's WEB-INF/lib/portal-impl.jar. Go ahead, extract it and keep it around. Then read it - yes: I actually recommend to read it. It's roughly 10.000 lines of configuration options, commented optional configuration as well as a lot of documentation for the individual configuration options.

You can also get hold of a HTML rendering of this file on the documentation server if you don't like the formatting of portal.properties. It might be easier for the eye to read.

Do you need to read it line-by-line? No. There are large sections, that you can easily "page-down" through. But if you have a broad idea of the content, you'll get a lot of ideas about Liferay's configurability. In fact, you might find features that you never knew to be in Liferay. I have learnt a lot about Liferay's features this way. And I have found some convenience options, that I'll add to every instance that I maintain.

(If you read it now and come back once you're done: I promise that I'll be still here when you come back)

...

...

...

...

...

...

No, really. Go read it.

...

...

...

...

...

...

...

What now?

Wasn't that an amazing read? What did you learn that you didn't know of?

Now that you've been through the file at least once, you might want to go through it again - now searching for specific values. Try the following search terms (and again, some of the places you can page-down through). Note, by design some are only partial words (e.g. in order to search for "security" or "secure", just search "secur")

  • password
  • encrypt
  • hash
  • restrict
  • secur
  • auth
  • timeout
  • servlet.filter
  • deploy
  • register
  • https

And when you're done with this, you probably want me to name the settings that you must set in order to get the "secure" certification for your configuration. Right?

Well, unfortunately I won't and I can't: What adds security for one ruins a feature for somebody else. You're totally required to do your homework - I can just point you to the options that you have. I think I forgot to mention earlier that security is hard work, but you probably knew this. This is part of the work. (oh, and please suggest your favorite settings that you keep an eye on)

If you don't like to do this work by yourself: My colleagues and I are available for rent ;). We'll still ask a lot of uncomfortable questions though. Ok, pun aside, I'll give you a few places to start:

Starting places

Yes, I'll give you a few. You'll have to promise though, that you'll view these as starting points. Everybody's system is different and I don't claim these to be complete (in fact, I'm keeping some options back, giving you the opportunity to shine in the comments;) )

jdbc.default.password: Do you like cleartext passwords to be available on disk, for anybody opening that file? Probably not. Liferay's default configuration uses the manual database configuration with driver, URL, name and password. However, you can also utilize JNDI and just replace the four classic configuration lines with a single entry on jdbc.default.jndi.name. Look it up, now you'll need to configure your application server to make the JNDI connection available to Liferay, and Liferay doesn't have a chance to know the connection password. On Tomcat this AFAIK still means that you have a configuration file with the password in clear text, but that's in tomcat's realm, no longer with Liferay. (Correct me if I'm wrong)

company.security.strangers.*: If you are running an intranet portal, you probably don't want random users to generate new accounts on your portal - by default they can. And if your content administrators just protect content for logged-in users, this can poke some holes.

portal.security.manager.strategy: If you're running 3rd party plugins from marketplace or other developers. If you mandate that plugins have security manager (PACL) enabled - you might want to enforce these settings.

ldap.*: It's easier to move your LDAP configuration around and configure different servers, if it's just a bunch of lines in portal-ext.properties. This might rather be convenience than security, but nailing the login process makes sure that only the right people can log in (and you can test the setup, move it around without typos etc)

*.auth.enabled: Determine the kinds of login that you allow on your system. Do you want to allow OpenID? Enable Facebook?

passwords.encryption.algorithm: On 6.2 Liferay uses a pretty good default. If you're running an older version and keep the hashed passwords in Liferay's database (as opposed to LDAP), you might want to know other options. Should your user database ever get loose, you don't want the hashes to be easy to brute-force.

default.admin.*: I don't like default user accounts, in any system. Even though Liferay comes with its own setup wizard where you can configure the admin user, you shouldn't timeout the session - otherwise you'll find that the default password has been taken from here (ever had a phone ringing while you did administration work? Or worse, a twitter notification or a squirrel in front of your office?)

com.liferay.portal.servlet.filters.*: Various filters that are active by default. If they refer to a product name that you don't know, most likely they can be disabled (e.g. for the SSO options that Liferay supports, you can disable either all or all but the one that you're using)

Take these settings as your starting point. Go further through the file and check what's around these settings. If you have your own favorite configurations that must not miss in this list (hint: it's not complete), consider adding them to the comments on this article. This way everybody gains that knowledge.

User Permissions

New users in Liferay, by default, are members of the roles "User" and "Power User". You can remove the "Power User" association, but should keep "User" as this is a sign that they're authenticated. However, this role comes with quite a lot of permissions. If they match your requirements - I don't know. You should inspect the list of features that they enable. Decide if your users should be able to maintain their own personal sites: This might open you up to malice behaviour if they can add custom administrative portlets to their sites. Liferay's portlets are typically safe and can't be added to personal sites, but you might have more than just the stock portlets.

Not to mention that your helpdesk might be thankful if they don't have to repair your user's personal sites every now and then when they deleted important portlets from their pages.

Do you <script>trust();</script> your content authors?

AntiSamy LogoIf you get what the headline implies: Answer the question. If you do trust them, continue on the next chapter. If you don't get the headline or don't trust your authors: Install AntiSamy (CE or EE) which will "make them trustable" by applying the OWASP rules to their content and eliminating potentially dangerous (scripting) content. You can also implement this functionality yourself by implementing com.liferay.portal.kernel.sanitizer.Sanitizer and configure sanitizer.impl in portal-ext.properties. When you implement this yourself, you can allow certain content that otherwise would be blocked (like embedding content from whitelisted external sites - like youtube - etc)

Portlets

You can disable quite a lot of portlets that Liferay delivers out-of-the-box if you don't need them. In the unlikely event of a loss in cabin pressure (e.g. in case one of them has security-related issues), you don't even have them available. When you choose a product like Liferay, you want it to have as many features as possible. If you want to lock down the installation, you want as few of the unused features being exploitable as possible. Careful: This might annoy your business users that expect to have the full feature set of Liferay available to them.

Portal Instances

I've seen a neat use of portal instances once. While instances are positioned for multi-tenancy, I personally don't really like all of the tenants to be sharing one portal/appserver. However, there's a nice aspect that rarely gets exploited: Only the default instance has access to the server level administration - e.g. only there you can install new portlets, trigger reindexing or garbage collection. When you use your default instance purely for administration and one extra instance for all content, none of your content administrators (not even those with portal-wide administrator roles) will be able to access these features and install server side code through Liferay's UI.

Future chapters

  • Fixing the port 8080 issues (and more HTTP-level issues, like https)
  • more Tomcat lockdown
  • a new episode of Radio Liferay on Security

...coming soon...

Looking forward to see some of you next week at Devcon. Remember to sign up for the community meetup.

Community Meetup at Devcon Darmstadt, 4 November

Company Blogs 2014/10/30 投稿者 Olaf Kock Staff

Greetings Earthlings that come to Darmstadt for Devcon, the Unconference or LPSF Germany

As last year, we'll have a community meetup. This year we'll be right outside Darmstadt Hauptbahnhof (main station) in a brewery. We'll meet Tuesday, 4 November at 19:30 in Braustüb'l, Goebelstrasse 7.

If you've been there in the previous years, you know the drill: Register for free beer. We have vouchers for you if you are on the list. And you get on the list here. You're welcome to come unregistered - you're just risking to pay for your own beer.

Securing Liferay Chapter 1: Introduction, Basics and Operating System Level

Company Blogs 2014/10/23 投稿者 Olaf Kock Staff

You probably know the basic installation instructions for Liferay Bundles: „unzip and run startup.sh“ - with this you get to a working Liferay installation in a minute.

While this is great for a quick demo, you might want to do more in case of production setups. This is a part 1 of summary of a workshop held at Liferay's North America Symposium 2014 in Boston. Like in the workshop, it won't give prescriptive information – e.g. you won't be able to hit the „secure“ checkbox – but will have to judge the settings you find for yourself. Also, this guide is not complete: Security is well depending on the general setup, requirements and policies. What works for one is not enough for somebody else. And vice versa. This summarizes things that work for me and that I see working for others. I encourage you to comment on this article if there are aspects that aren't covered but should be taken into account when securing the setup.

The sample setup we'll do (if you want to follow along) uses „Tomcat on Linux with MySql“ as platform. However, I intend to discuss or demonstrate the underlying problems, so that you can still get quite some information out of this series if your platform differs.

Operating System Level

For the purpose of you following along, I'm assuming that the bundle has been deployed to /opt/liferay already. If you want to keep the directory names as they're contained in the zip file, you can achieve this with (pseudocode)

   sudo unzip /path/to/your/liferay-portal-tomcat-6.2-ee-sp8-*.zip /opt/
   sudo ln -s /opt/liferay-portal-tomcat* /opt/liferay
   sudo ln -s /opt/liferay/tomcat-7.0* /opt/liferay/tomcat
   sudo mkdir /opt/liferay/deploy

As you can see, I prefer to have easy pathnames and I've omitted some of the timestamps and version indicators to make the directory structure more readable. If you have multiple versions, the wildcard might do more than you expect.

Typically Production Liferay Systems should listen to port 80 and 443. The easiest way to achieve this is by changing port 8080 to 80 in tomcat's conf/server.xml and then run

   sudo /opt/liferay/tomcat/bin/startup.sh

e.g. run tomcat as root. If you're frightened by this, read on. If you're not frightened by this line, you should: This is the first mistake to avoid. You simply don't want any internet-connected software to be running as root. So the first change is a no-change: Keep tomcat's standard ports (8080) for now – we'll take care of the port issue later – as a first step, we just don't want to run as root.

(Editorial question: Does this statement mislead the quick reader to actually run as root? Should I rephrase this part of the article?)

User Account

To begin, create or identify a specific user account for tomcat. Adjust the actual permissions on the system to minimize access and match your policy. Simplified:

   adduser –system liferay

So, in case I mislead you above: It's really vital that you never run an internet connected process as root. Please don't ever do this. We're using an account that is not allowed to log in to the server, e.g. has no shell (-system). Use what's appropriate on your platform.

Database driver

Before actually starting up tomcat and Liferay, let's make sure the database driver is available. For the purpose of this article, I'm using ubuntu and its bundled mysql, along with the JDBC-Driver (sudo apt-get install libmysql-java). This ensures that I do get operating system level upgrades. Naturally this differs for a different database - especially for commercial ones, you still have to take care of driver updates.

   sudo ln -s /usr/share/java/mysql.jar /opt/liferay/tomcat/lib/ext/

(mnemonic trick to remember the order of parameters for ln: they're following the same semantics as cp – Duh. I felt stupid when sb told me this. Not that I want you to feel this way as well...)

Starting a Daemon & fixing file permissions

Now you might be tempted to already start up our server (sudo -u liferay /opt/liferay/tomcat/bin/startup.sh) but it would still signal several issues when writing temporary- and work files: You probably have unzipped the bundle as a different user, so that “liferay” can't write the temp files. As we want to run tomcat as a daemon anyway, we'll create a script to achieve this and have it do the work of preparing the proper permissions. Here's one that works for me – I don't claim particular shellscript-elegance. Use your favorite editor to create /etc/init.d/liferay and make it executable:

# Liferay NAS Symposium Boston 2014 auto-start
#
### BEGIN INIT INFO
# Provides:          liferay
# Required-Start:    $apache2 $mysql
# Required-Stop:     $apache2
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop tomcat server bundled with liferay
### END INIT INFO

export JAVA_HOME=/usr/lib/jvm/default-java

# If Liferay has ever been started (or unzipped) with a different user 
# account than what it's running as, we need to correct permissions.
#
# cd /opt/liferay
# chown -R liferay data deploy
# cd tomcat
# chown -R liferay webapps conf temp logs work
# cd /opt/liferay/tomcat

# run on hardened permissions by default
# chown -R root webapps conf ../deploy

cd /opt/liferay

case $1 in
start)
        # run on softened permissions by default: might need to deploy hooks etc. on startup
        chown -R liferay tomcat/temp tomcat/logs tomcat/work tomcat/webapps tomcat/conf deploy
        sudo -u liferay /opt/liferay/tomcat/bin/startup.sh
        ;;
stop)  
        sudo -u liferay /opt/liferay/tomcat/bin/shutdown.sh
        ;;
soften)
        # can and should be run when the server is running.
        chown -R liferay webapps conf ../deploy
        ;;
harden)
        # can and should be run while the server is running.
        chown -R root tomcat/webapps tomcat/conf deploy
        ;;
restart)
        sudo -u liferay /opt/liferay/tomcat/bin/shutdown.sh
        sleep 5
        sudo -u liferay /opt/liferay/tomcat/bin/startup.sh
        ;;
esac   
exit 0

Note the nonstandard options “soften” and “harden” - we're discussing them later, but maybe it already gives you an idea of what to do with them. (want to contribute to the elegance of this works-for-me script? You might want to add checks to make sure that the directories are actually existing.

Once you have this script (remember to chown root, chmod u+x, chmod go-rwx it)

    sudo service liferay start

With this, we've covered most of the OS side of configuration and the appserver side of Liferay has advanced quite some way. An additional issue that I've not yet taken into account is to run with a Security Manager. Also, we'll leave the port issue (we're still running on port 8080) for later.

Note that an even easier way to cover the OS side is to rely on your operating system's methods to update tomcat - e.g. just install Liferay's WAR distribution and dependencies on top of ubuntu's tomcat (in our example). This would be easier, but it would demonstrate less principles of the installation. But it would come with some nice and fancy daemon script.

Remember: This does not claim to be the absolute truth - please add your own recommendations and different policies/practices. Security never has the absolute truth: If I'd show you how to absolutely nail the implementation you'd complain that nothing works any more. Security is a matter of policy, as much as it is a matter of experience, absence of stupid mistakes and some things more.

Future chapters

  • Securing Liferay's configuration
  • Fixing the port 8080 issues
  • more Tomcat lockdown

...coming soon...

Also, another Radio Liferay episode on security is in the can - scheduled to be published very soon.

Ridiculously Simple Plugins on dev.life

Technical Blogs 2014/08/26 投稿者 Olaf Kock Staff

This article accompanies the dev.life session "Ridiculously simple plugins" hosted today (26. Aug, 16:00 CEST, 14:00 UTC) by me. The session is broadcasted on youtube and recording will be available (and linked here) after the session.


The purpose of this session is to demonstrate that - given the proper architecture - you can extend Portal Applications within minutes. Well - the story is: Your developer estimates an hour (to do it properly), which means that you might want to round up to the next unit, e.g. 1 day - and this includes documentation, deployment, administration etc.

It's most likely harder to get your system administrator to update the production system yet again than to implement new functionality - given a proper architecture.

Quick start if you want to follow along:

Everything you need is available on www.olafkock.de/liferay/rsp/ and if you don't want to read through everything when we start, pick the instructions with the yellow markers below:

Customers project

During the session we're going to create 3 simple plugins. Two of them are extending a business layer that is generated with XMLPortletFactory. If you'd like, you can download & execute xmlportletfactory yourself with the customer&invoice definition file, but you can also use the shortcut and download this portlet project, unzip it in the portlets directory of your plugins sdk (yes, I'm using Ant, sorry Maveners) and open it in your development environment. For the session I'll use Liferay Developer Studio, but you're free to use whatever you'd like.

What does this project do? It's just what xmlportletfactory generates from the customer.xml script. Actually, I've cheated. It also contains a custom portlet as well that will provide some random data for you. However, it doesn't compile: Consider it to be just the xmlportletfactory output. To make it usable, you'll need to run Liferay's ServiceBuilder.

We'll explore the resulting code during this dev.life session. In short: Add all portlets from the new "Customer" section to a page, create a few customers and invoices and click the icon left of a customer to see the invoices updated.

If you examine the default xmlportletfactory-generated UI, it's not too obvious, which customer is currently selected. You can see it when the icon in a customer's row changes from a square to an arrow. Let's make the current customer more visible by hooking into the already established mechanism of Inter Portlet Communication. The first portlet we create is a CustomerDetailPortlet, showing the name and location of a customer. If we had more business data, we'd probably show more data in the details. (Solution to be linked after the session)

For the next portlet, assume you're using this system, with thousands of customers in the database. Whenever somebody calls, you'll have to search for them again. But when they're calling, they typically call multiple times, delivering more details for their issues. That's why we want to keep track of the latest 5 callers and we'll create a MostRecentlyUsedCustomerPortlet (MRU): This will make it easy to just click on their name, rather than searching for the record again. (Solution to be linked after the session)

What does this teach us? In a portlet environment you can easily compose your application from many different building blocks. If you introduce yet another portlet that interacts with the existing ones, it doesn't need to be big to add value. And it doesn't need to be high-risk to update the site: If your new portlet has a bug - just remove it again. The others will still continue to work, unaffected.

Here's the screenshot of what can be achieved within minutes: (Customer and Invoices Portlets are what xmlportletfactory generated)

Customizing Core Portlets vs. Adding ridiculously Simple Portlets

Time permitting, we'll have one more plugin that demonstrates how to simplify Liferay's UI through a ridiculously simple portlet. If you add WebContent, you'll find that the UI for adding a single article has quite a complex UI. You can translate, tag, expire, categorize your content, provide abstracts etc.

What if your authors are untrained, infrequent users of Liferay? Do you want to train them on the generic UI? They'll probably be annoyed because it's so complex and they don't need all of the features. So why not simplify the UI?

In the forums, this typically comes along as "How do I change the WebContent Editor (or other plugins) to use my defaults?". I'd like to suggest a different approach: Create your own, ridiculously simple plugin. It doesn't mess with Liferay's portlets, is easy to maintain and quick to write. And if the API that you use changes in the next version, you can easily identify the spot to upgrade. In fact, that's exactly what I did - I stole some code from James' 7cogs article and made it work on Liferay 6.2 because the API changed slightly.

So, we're creating a SimplifiedArticlePortlet, which takes an article's title, as well as english and german text through a really simple UI. Point your inexperienced authors to this portlet to add their new articles and you'll be able to take them from there (and you can edit them with the full-featured WebContent editor). Here's a screenshot of the result:

If you follow along (e.g. develop the portlets) during the session, this one is a bit harder to follow - after all it involves an API call with 39 parameters. That's why I've prepared the portlet for you to copy/paste portions as you like: http://www.olafkock.de/liferay/rsp/SimplifiedArticlePortlet.java and http://www.olafkock.de/liferay/rsp/SimplifiedArticlePortlet-view.jsp

What's more?

Given your own applications: Consider to make the best out of the portal environment and compose your big application from many small building blocks. The reward is an easy maintenance of each single component and easy extension of the whole system.

Liferay's API is easy to use (even given occasional 39-parameter methods) and sometimes it's a great option to just hardcode your own logic to a ridiculously simple plugin than to extend and tweak one of Liferay's very generic out-of-the-box portlets. There's a place for generic features, just as there's a place for specialized, narror, behaviour. Choose what makes sense to you and don't fear to write throwaway code: If it's well compartmented (e.g. in a single plugin) there's nothing bad in it.

Update

During the broadcast I didn't finish the MRUCustomerPortlet - here's what needs to be done. The code changes are marked in the solution download that will come up soon - portlet.xml is just updated as required, not marked:

  • Decorate the <li> content on view.jsp with a hyperlink that executes an action
  • Create an action handler in the portlet class, triggering the customerId event
  • Declare that our MRUCustomer portlet does also publish this event in portlet.xml
  • Declare that xmlportletfactory's CustomerPortlet now also processes this event in portlet.xml
  • Implement the eventhandler in CustomerPortlet to highlight the selected row.

And you're done. The full "solution" is now uploaded to customer-portlet-solution.zip.

Note that I do not consider the solution code (or the code presented in the presentation) "good style": When I refer to a "ridiculously simple" plugin, I am stating 1 hour of effort. With the plugins presented here, I took slightly more than 1 hour for 3 plugins. Naturally this means I'll need a few shortcuts that shouldn't actually go into production code. But you get the point.

Radio Liferay Episode 40: Our Upcoming Events. Hack 'em!

Company Blogs 2014/08/19 投稿者 Olaf Kock Staff

  Radio Liferay is back with a repeat guest, James Falkner, Liferay's Community Manager. Like last year, symposium season is about to start (even though we already had some events earlier this year...). And there's something new, for the nerds and software craftsmen among you.

We talked about

  • The upcoming events, how to tell them apart and the target audience. In short: LPSF (Liferay Portal Solutions Forum) is targetted to business users, DevCon is targetted to Developers and technically interested people. Symposium has tracks for both groups.
  • You'll find almost all of the upcoming events on Liferay's Events overview - filter for "Conferences". As of publication of this episode, the first brazil symposium is not yet on that list.
  • Check if the event you want to go to still has an open Call For Paper. Some are still open the day that this episode is released.
  • Final reminder: Unconference seats will be limited. Register early to make sure you get your seat.
  • This year, we're going to provide access to the (anonymous) data that backs the events, and hope that you'll create an awesome mashup with this data. Refer to James' blog article "DIY: Liferay Events Hacks: Part 1" for details of the API and let us know if you need more help
  • iBeacons and what to do with them at events. (Watch out for a part 2 of James' blog article)
  • ...and other topics - but listen yourself... if you listen close enough, you might even hear a secret

Follow @RadioLiferay (James) or @olafk (me) on twitter

Again, shoutout and big thank you to Auphonic for postproduction help. This is a fantastic service!

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to  http://feeds.feedburner.com/RadioLiferay. You can also subscribe on itunes.: Just search for "Radio Liferay" or just "Liferay" in the podcast directory. If you like this, make sure to write a review for the podcast directory of your choice - or leave your feedback on www.liferay.com/radio.

Or just download the MP3 here:

download audio file

Radio Liferay Episode 39: Liferay Cloud Services

Company Blogs 2014/08/14 投稿者 Olaf Kock Staff

 \o/ Radio Liferay is back. A while ago I talked with Juan Fernandez and Ivica Čardić about an exciting project they're collaborating on: Liferay Cloud Services. "What's this?" you ask? Well, good that you're asking, because here's the explanation. It's all about helping you monitor the health of your Liferay Installation, keeping an eye on the installed fixpacks (if you're using EE) or showing you some monitoring information that the server provides and you'd otherwise risk not to see.

(The episode is prefixed with a PSA for all Radio Liferay Listeners: The CfP for Devcon2014 is still open until 22. Aug 2014) and if you intend to come to the unconference on 4. Nov., make sure to register early: We have limited space and already predict that we'll sell out the unconference - there are enough seats available for the regular DevCon)

Juan is a project manager on this very project, working in Spain. Ivica is Senior Software Engineer, implementing LCS with the engineering team (Marko Čikoš and Igor Bešlić) in Croatia. I delayed publishing this episode to wait for the end of the private beta (you couldn't join anyway) until the public beta is just about to start.

We talked about

  • How LCS got started and what problems it solves (this is work in progress, designed for constantly added functionality)
  • (among the current information shown are things like: Performance metrics on JVM- and portal/portlet level, Fixpack information (EE only) and -installation.
  • The public beta is just around the corner (estimated in September). Test results from the private beta are in and lots of feature requests implemented (I can certify on that - some of them are mine)
  • Intended new features, to be added over time
  • New target audiences (currently it's largely system administrators, but content managers, e.g. for content targetting statistics, could be a possible future extension)
  • For the nerds, we talked about how LCS is implemented under the hood, and the mechanics of targetting Liferay 6.1 and 6.2 at the same time.
  • ...and others - but listen yourself...

Follow @RadioLiferay or @olafk (me) on twitter

Again, shoutout and big thank you to Auphonic for postproduction help. This is a fantastic service!

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to  http://feeds.feedburner.com/RadioLiferay. You can also subscribe on itunes.: Just search for "Radio Liferay" or just "Liferay" in the podcast directory.

Or just download the MP3 here:

download audio file

DevCon 2014 Call For Paper and Registration open. Unconference coming again

Company Blogs 2014/08/08 投稿者 Olaf Kock Staff

It's public - Registration for DevCon 2014 (Wed-Thu, 5.-6. Nov) is open. And we're looking for your participation to make it an even bigger success. This year we're going to Darmstadt, just south of Frankfurt. The venue "Darmstadtium" is named after a chemical element that was named in honor of the city where it's first been created - it's one of those very heavy elements (atomic number 110) and predicted to behave like Platinum.

Platinum or at least Gold is what we'd like to see in your submissions: Check the Devcon homepage's Call For Papers for topics that we're looking for - but do submit even if your interesting topic doen't fit our list. (closing 22. Aug). Yes, it's short notice, so get up and submit quickly.

You'll notice that the Unconference (Tuesday, 4. Nov) will be held again. Like last year, space is limited, and it's expected to sell out quickly (the venue limits us - there's no way we can open up more space). If you want to be at the unconference it's wise to register early. The unconference is a spontaneously structured day where we focus on technical aspects of Liferay and you'll be able to bring in your topics.

If you're not lucky enough to get a seat at the unconference - or if you're more interested in the business aspects anyway - you might be interested in Liferay Portal Solutions Forum, which also takes place on Tuesday, 4. November, parallel to the unconference. Note that LPSF will be in german language. The two are distinctly different events and can't be interchanged at will (due to the space limitations)

Next, if you ever wanted to get highly condensed knowledge about Liferay, we're holding a "Mastering Liferay Fundamentals Express" Training on Monday, 3. Nov. This teaches the same topics as the original 2-day version of that training, with less exercises and higher density.

Find the combination that fits your needs best and book your event package. If you want to make sure to get a seat at the unconference: Register as soon as you can as space is limited - you have been warned.

We also will have another community meeting on 4. November. Stay tuned for more updates on that event. Note that - like last year - we'll require registration to hand out coupons for drinks (and to have an idea of how many of you will show up)

The Learning Curve, Chapter 4, Well hidden documentation

General Blogs 2014/08/04 投稿者 Olaf Kock Staff

Are you new to Liferay? Found Liferay and want to know what it can do for you? Or are you with Liferay and still remember the time when you were new and unexperienced? Where did you come from and what was the biggest problem you faced? Can you ever learn enough? And how do you keep up with the current trends and new features?

A platform as big as Liferay spans several technologies and areas of best practices that are beneficial to know of. Nobody can know everything - there's always a learning curve. At the beginning, it's quite steep. Some argue that it's flattening the more you know. Some argue that it gets steeper: The more you know, the more you know what you don't know.

I'd like to give you pointers to resources that are available to you, in order to learn about Liferay, resources that help you avoid steep detours, when there are flatter direct connections. This is meant to be (eventually) comprehensive but I'm sure that it will never be complete. It's just what I remember while I write this article and the follow ups (yes, there are more, already drafted)

Today's Target Audience: mostly Developers, but some generic pointers for everybody.

After last week's call to read the official documentation, here's the documentation that you may easily miss

Javadoc (sic!)

Javadoc has not been Liferay's strength for a long time. The explanation for this is available in the end of Radio Liferay, Episode 21, but since then, a lot of Javadoc has been added to Liferay. It's available at docs.liferay.com, and growing. If you're wondering why some commonly used class is not documented there, you might also want to follow the master branch on github, as this gets all the latest and greatest javadoc (speaking of well hidden documentation). The API might not be 100% identical (this is the next version, after all) but as we add new features there, you'll find javadoc there first.

portal.properties

Did you ever extract Liferay's original portal.properties file? Or inspected it in the source code? This file has well over 10.000 lines in 6.2, and it's a wealth of information about Liferay. I do wholeheartly recommend to browse through it at least once. I personally have gotten a lot of ideas from this file about Liferay's extension points. There are some extension points that I only learned of because I've read that file. "Properties" you say, "what kind of reading enjoyment will that be?" Well: Look at it. Huge portions of that file are comments, describing the options you find, the preconditions as well as the features that you can configure here. Note: Some features are available only in portal.properties (or your overriding file portal-ext.properties) while others are available on the UI as well.

DTD and XSD

Have you developed plugins for Liferay and wondered about the possible configurations that you can add in the various xml files? Have you ever looked at the headers of those xml files? They do refer to a DTD or XSD file. Hands up if you know the peculiarities of DTD and XSD! ...

(I don't see any hands)

Well, try Liferay's definitions: Similar to portal.properties, you'll find a wealth of documentation right where you need it. I predict that you are able to make reasonable sense of most of Liferay's DTDs and XSDs, if only of the human readable comments. Your xml editor will help you make sense of the machine readable parts.

Care for some examples?

Or even more generic: Try http://docs.liferay.com/portal/6.2/. If you're on older versions, go further to the root directory (It's worth exploring that site)

Presentations

You might know that Liferay hosts quite a lot of events around the world. Even though it's impossible to attend every single event, you should keep an eye on them and on the presentations that are available there. For one, they might spark your ideas, when you just look at the presentations. If you've been there, you might remember everything, when you read the slides again. And for some events there are even recorded presentations. E.g. here is DevCon 2013.

Which brings me to point to a presentation that never aired on Radio Liferay (despite being scheduled as such) because the pure audio recording didn't come out and the video had a bit too much room noise to extract the audio IMHO. I'll refer to it as "the hidden Radio Liferay Episode" from now on, here it is for your viewing pleasure. It's short, less than 18 minutes.

And if you're not yet on Liferay 6.2, you might be interested in the literal "Well Hidden Features" episode

Speaking of which: Devcon 2014 registration just opened, including the Call For Papers. You can be part of this year's event and add to this chapter. Events like this (depending on where you are: North American Symposium and various others around the world - there are rumors for more to come) really give you a lot of insider information and insight.

(more about Devcon in another upcoming blog post)

Even better hidden?

When I woke up this morning, I was thinking of a great resource - but forgot which one it was. Obviously it's quite well hidden. If it comes back, I'll make a note and add it to one of the next posts. Unfortunately, that's the nature of these well hidden items. If you have your own favorite hidden documentation: Please add it in the comments. Oh, and: There's another well hidden place that is so well hidden, that I'll better not yet speak about it. Keep your eyes open and subscribe to the blogs - you'll probably get it here first.

Also, let me sneak something in, which is clearly linked on this site, but not as documentation: If you rather learn hands-on, you might want to consider one of the certified Liferay Trainings - There's a course for almost any role that you can have in Liferay: Content Provider, Developer, System Administrator, Business Owner - you name it, we have it. Not only do you get a lot of structured knowledge, you'll also have the chance to get your questions answered by an experienced Trainer.

While Training is not documentation, it can definitely help to flatten the learning curve.

Next up?

Stay tuned for Chapter 5: Community Resources (please let me know your favorite recommendations)

The Learning Curve, Chapter 3 - Documentation (sic!)

General Blogs 2014/07/28 投稿者 Olaf Kock Staff

Are you new to Liferay? Found Liferay and want to know what it can do for you? Or are you with Liferay and still remember the time when you were new and unexperienced? Where did you come from and what was the biggest problem you faced? Can you ever learn enough? And how do you keep up with the current trends and new features?

A platform as big as Liferay spans several technologies and areas of best practices that are beneficial to know of. Nobody can know everything - there's always a learning curve. At the beginning, it's quite steep. Some argue that it's flattening the more you know. Some argue that it gets steeper: The more you know, the more you know what you don't know.

I'd like to give you pointers to resources that are available to you, in order to learn about Liferay, resources that help you avoid steep detours, when there are flatter direct connections. This is meant to be (eventually) comprehensive but I'm sure that it will never be complete. It's just what I remember while I write this article and the follow ups (yes, there are more, already drafted)

Today's Target Audience: All (unless more specifically indicated in the individual paragraphs below)

There's a good argument that this chapter should have been the first. However, just saying "RTFM" is guaranteed to give the least amount of attention possible. So I postponed the obvious until chapter 5. Is it really obvious? Let's check.

User Guide

Have you ever read Liferay's User Guide? Whatever you answer, my prediction is that you don't know what's in there today - if only because it's constantly updated. As a regular user of Liferay, no matter what your role is, you probably need to know several of the chapters outlined in that guide. It's covering anything from Content- and User-Management, Installation, Dealing with Plugins etc.

It's worth checking it out, even if you have some experience developing with Liferay. After all: When you know about a feature being available in Liferay, you can just use it instead of implementing it yourself. Every built in feature that you use, you don't have to write & maintain yourself. Remember that story from chapter 1 - the training participants that only took Mastering Liferay fundamentals training years after their project started? Same reasons here.

If you're missing content or want to suggest/provide improvements, you can do so on Jira. If you're technically savvy, you might want to follow the evolution of this guide on github or contribute.

Developer's Guide

Next to the User Guide you'll find the Developer Guide. Similar to the User Guide, this document is a living one and gets updated from time to time. If you have read it already, you might want to check back if it has been extended since that time. Even if you believe that you should know it by now: There are many gems that you might have missed the first time you read it. (I am constantly learning new tricks in Liferay, especially when going through well known material again)

Of course, you can also follow the Developer's Guide evolution on github and contribute through pull requests or issues, just like with the User Guide.

Books

I'll have to admit, it's been a while since I last read books about Liferay. Among the ones that I read, there were some that I liked and some that didn't really match my expectations... As it's been a while (a few versions ago), only one recommendation is left: Liferay in Action, though based on version 6.0, still contains very relevant content.

Sorry to not be able to point you to new books. If you want to recommend in the comments, please do so. Also indicate any relationship to the author or why you particularly liked the book - please don't just mention that there is a book.

Wiki

I'd like to mention our Wiki here. For one, you might find it as search results in case you're looking for information. It has quite good information, but you'll have to be aware that it's sometimes severely outdated. Double check the history of the articles: If it hasn't been touched for a few years or mentions Liferay versions 4.x, use it with a grain of salt - more to this in a later chapter about community resources.

Next up?

Stay tuned for Chapter 4 - Next week: Well hidden documentation (for developers), covering documentation that is available, but arguably harder to find than clicking on the "Documentation" link or searching for "Liferay" on Amazon.

Call For Feedback and Suggestions

For chapter 5 or 6 I'm planning to cover Community Resources. You might have your favorite go-to place that I haven't found yet. If you want to make sure that your favourite resource gets mentioned: Give me a hint.

The Learning Curve, Chapter 2 - Infrastructure

General Blogs 2014/07/21 投稿者 Olaf Kock Staff

Are you new to Liferay? Found Liferay and want to know what it can do for you? Or are you with Liferay and still remember the time when you were new and unexperienced? Where did you come from and what was the biggest problem you faced? Can you ever learn enough? And how do you keep up with the current trends and new features?

A platform as big as Liferay spans several technologies and areas of best practices that are beneficial to know of. Nobody can know everything - there's always a learning curve. At the beginning, it's quite steep. Some argue that it's flattening the more you know. Some argue that it gets steeper: The more you know, the more you know what you don't know.

I'd like to give you pointers to resources that are available to you, in order to learn about Liferay, resources that help you avoid steep detours, when there are flatter direct connections. This is meant to be (eventually) comprehensive but I'm sure that it will never be complete. It's just what I remember while I write this article and the follow ups (yes, there are more, already drafted)

Today's Target Audience: Technical (Sysadmins and Developers), unless indicated otherwise:

Basic Understanding

Liferay is always running in some kind of environment. It requires a database to store its data. It requires an application server to run on. And there are a lot more component that you can operate in combination with Liferay: Single-Sign-On, LDAP, Search Appliances, Monitoring Systems etc. Let's look at the most common ones and keep the other ones for later:

Liferay's User Guide has several chapters on Administration and Installation. While this gives you the necessary step-by-step instructions to get started on any (supported) platform, the more experience you have on a platform, the more you can get your own policy or opinion into the game.

Application Server

Liferay is an application that requires a container to run in. This can be a simple servlet container or a full blown application server. Naturally, quite a bit of configuration for Liferay depends on the container that you're running on. And, as technical staff, you should know a bit about your container of choice and about Java Web applications in general. For the purpose of this blog post, I'm summarizing all these containers as "Application Servers" even if they might be more simple than you'd expect from such a component.

Among the things that you should know (or learn) about your application server of choice are

  • Proper setup for production, including hardening, protecting default management interfaces from public access
  • Update procedures. Even (or especially) if you're running Liferay from a bundle: The maintenance of the appserver is in your realm.
  • Backup and (Disaster) Recovery.

Where do you find that information and experience? The vendor (or supporting website) of your appserver vendor should have it, alternatively somebody in your team or on the market: Having a good system administrator or developers with good understanding of the platform they're developing on is gold. There's trainings for the server of your choice, books, and the internet is full of Q&A. If you wonder why there's no link here: Liferay supports various versions of the following application servers, and I'm familiar with only few of them:

  • Glassfish
  • JBoss
  • Tcat
  • tcServer
  • Tomcat
  • Weblogic
  • WebSphere
  • Resin

Speaking about your Application server of choice: Which one should you choose? The bulletpoints above might already answer this question: Choose the one that you feel most familiar with. If I give my recommendation (the one I'm most familiar with), this doesn't help you: you might not have a clue about hardening, maintenance, backup and recovery of that platform. So check your team's experience with and make your own choice. Ask your team about the best way to learn about their preferred platform. Mentor each other. Find local usergroups, online resources and meetups/conferences for the platform of your choice. (this exercise is left for the reader. If you have outstanding, specific preferred resources, feel free to add them as comment)

Database

The same goes for your database: Liferay supports many of the databases available on the market. While it will be happy to store its data in your DB, the setup, backup, maintenance and tuning of that database is totally outside the realm of Liferay. Where do you get the experience? With the vendor or platform of your choice. Here we have the same recommendation as with appserver: Choose the one platform that you can maintain best. It's not worth choosing my favourite one just because it's 5% faster when you have no clue about its backup strategy or disaster recovery.

Again - where do you find this information? With the database vendor of your choice. From Q&A sites. From training and from experienced admins that you're working with. (and again: Feel free to add outstanding resources as comments)

For databases, just like for application servers, you'll have to make your own choice: Here are the databases that Liferay supports (in various versions)

  • DB2
  • MySQL
  • Oracle
  • Postgresql
  • SQL Server
  • Sybase ASE

Installation/Maintenance Training

Naturally, with Liferay's Training offerings, "there's a course for that": In Administering Liferay Systems, we spend 3 full days to set up, maintain and tune Liferay within the infrastructure. While this course concentrates on the open source appservers and databases (because that's what we can legally distribute for the class), you're free to bring your own appservers and databases and try out the principles that you learn in this class.

Target Audience for this class, naturally: System Administrators and DevOps.

As always, this course is available in public trainings, scheduled around the world, as well as onsite, with a trainer coming to your organization.

Links?

So much for the infrastructure. Granted, due to the nature of these recommendations there are not a lot of clickable links here. Help me fix this and add your recommendations for the environment of your choice in the comments. And stay tuned for Chapter 3: Documentation (sic!).

People that liked this article, also liked The Learning Curve Chapter 1 - a basic overview.
People that like to learn more about what happens behind the scenes, also like to listen to Radio Liferay. ;)

The Learning Curve, Chapter 1 - A basic overview

General Blogs 2014/07/15 投稿者 Olaf Kock Staff

Are you new to Liferay? Found Liferay and want to know what it can do for you? Or are you with Liferay and still remember the time when you were new and unexperienced? Where did you come from and what was the biggest problem you faced? Can you ever learn enough? And how do you keep up with the current trends and new features?

A platform as big as Liferay spans several technologies and areas of best practices that are beneficial to know of. Nobody can know everything - there's always a learning curve. At the beginning, it's quite steep. Some argue that it's flattening the more you know. Some argue that it gets steeper: The more you know, the more you know what you don't know.

I'd like to give you pointers to resources that are available to you, in order to learn about Liferay, resources that help you avoid steep detours, when there are flatter direct connections. This is meant to be (eventually) comprehensive but I'm sure that it will never be complete. It's just what I remember while I write this article and the follow ups (yes, there are more, already drafted)

Today's Target Audience: All, this is providing an overview and basic information

Quick reads

A very quick overview over the aspects of the Liferay Platform are the Whitepapers found in the "Business Whitepapers" section. I recommend them even for technically oriented folks, as they show off some aspects that you otherwise wouldn't necessary get in contact with, and they're really quick to read.

Continuing on the quick reads, you might be interested in case studies, e.g. matching your industry, your usecase or your location. All of them are easy to filter.

Events





To get in contact with people that are actually using Liferay, a good opportunity is to visit the events that are happening all over the world. Starting with half-day roadshows that are conducted in cooperation with our service partners. These typically feature some customer case study and - most important - bring you face to face with experienced Liferay-, Partner- and Customer-Staff. You'll get real experience & answers to the questions that you bring.

On with other events: All over the world, you'll find either "Symposiums" or "Liferay Portal Solutions Forum" or LPSF. These are typically single- or two-day events. Some are in the language local to the country they take place in, others are in english, or mixed. About the content, LPSF is focussing on the business aspect of Liferay. You'll typically find customer case studies, insights into Liferay's Roadmap and our "Speed consulting", where an experienced Consultant answers as many questions as you can ask during your appointed time slot. In contrast, Symposiums add the technical crowd to the mix. The different target audiences are organized in different tracks, but there's some overlap and you can choose from session to session. Purely technical people are the target audience for DevCon

Trainings

Mastering Liferay FundamentalsLiferay offers different certified courses for all target audiences - how about getting you or your project team kickstarted with Mastering Liferay Fundamentals? This course gives you a comprehensive overview over Liferay Features. After having taken this course, you have a solid impression of Liferay's feature set, the configurability and how to adapt this great platform for your own site(s). Our trainers are well experienced, so you'll be able to get your own questions answered during class, in addition to the curriculum.

For the managers and business owners: You'll learn what Liferay can do for you.

For the developers and technical people: You'll learn that Liferay has many features that you just need to enable or tweak, rather than implementing them yourself, from ground up.

A customer once stated to me that they'd have saved months of implementation if their developers only had taken this class at the beginning of their implementation, rather than a few years in.

Trainings are offered on-site (a good deal for 5 and more participants from your organization: Have the trainer come to your place) or as public trainings, open for anybody to sign up. "Mastering Liferay Fundamentals" is also available online. For all Liferay trainings, you can get a certification of participation as well as a badge on your liferay.com profile (check out mine)

So much for the basic overview, stay tuned for Chapter 2: The infrastructure Liferay is running in, and what you should know about it.

Community Meeting: Wien, 15. Mai

General Blogs 2014/05/09 投稿者 Olaf Kock Staff

(english summary below)

Liferay öffnet am 15. Mai offiziell sein österreichisches Büro - ein schöner Anlass, am Abend zum Community-Meeting einzuladen:

15. Mai 2014, 19:30 (Achtung: Neue Zeit!)
Eatalico
Praterstraße 31
1020 Wien

Auf der Agenda steht: Zwangloser Gedankenaustausch, Treffen mit anderen Liferay-Nutzern und ich (sowie andere) werde bereitstehen, Fragen zu beantworten.

Wie immer bitte ich um Bestätigung, damit wir einschätzen können, was für einen Tisch wir reservieren müssen. An-/Rückmeldung per Kommentar hier, via Twitter oder per Mail (olaf punkt kock ät liferay punkt com).


What better reason to have a community meeting than Liferay opening its austrian office. You're welcome to join even if you don't speak german. Please let us know if you're planning to come - via comment here, tweet to @olafk or mail to me, olaf (dot) kock at liferay.com.

Community Meeting: Zurich, 7. Mai

General Blogs 2014/04/22 投稿者 Olaf Kock Staff

Location Update:
Zunfthaus zur Haue, Limmatquai 52, 8001 Zürich
Mittwoch, 7. Mai 2014, 19:00
Ich bitte um Rückmeldung, um ausreichend Tische zu reservieren!

(english summary below)

Und wieder bin ich auf Reisen, dieses Mal zu den Trainings "Mastering Liferay Fundamentals" und "Developing for the Liferay Platform 1" in Zürich/Schweiz. (Hint: Es gibt noch freie Plätze).

Aus diesem Anlass - und weil es immer wieder nett ist, einen Abend mit Gleichgesinnten zu verbringen, rufe ich mal wieder zum Community-Meeting auf für Mittwoch, 7. Mai, 19:00. Wie gewohnt wird der exakte Ort kurzfristig bekannt gegeben - es wird in der Nähe des Hauptbahnhofs sein und ich nehme gern Empfehlungen an. Um eine Tischreservierung vornehmen zu können, bitte ich um An-/Rückmeldung per Kommentar hier, via Twitter-Mention oder per Mail (olaf punkt kock ät liferay punkt com).

Wer sich nicht anmeldet und dadurch keinen Sitzplatz mehr bekommt, sitzt zwischen den Stühlen ;)


Again, calling for a community meeting. This time in Zürich/Switzerland (note: seats in trainings are still available). This post will be updated with the exact location a day before the event. It will be Wednesday, 7. May, at 19:00 (7pm), close to the main station. Please register by commenting here or through a twitter mention to make sure the table has enough room (and beer) for everyone.

Community Meeting: Stuttgart (15. April 2014)

General Blogs 2014/04/07 投稿者 Olaf Kock Staff

(english summary below)

Hallo zusammen,

ich bin mal wieder auf Reisen - genauer gesagt beim Training "Administering Liferay Systems" in Stuttgart (Hint: es gibt noch freie Plätze) und habe am Dienstag, 15. April, abend noch nichts vor. Korrektur: Jetzt habe ich etwas vor!

Ich rufe kurzfristig zum Community-Meeting im Café Kaiserbau am Marienplatz in Stuttgart auf, zum freundlichen Gespräch und Austausch bei Bier, Wein oder einem anderen Getränk. Um einen groben Überblick zu haben und einen passenden Tisch zu reservieren, bitte ich um kurze Rückmeldung per Kommentar hier, auf twitter oder per Mail (olaf punkt kock ät liferay punkt com)

Keine Agenda, keine Vorträge (sofern sich nicht jemand aufdrängt), nur nette Unterhaltung. Start: 18:30 Uhr, die genaue Location gebe ich spätestens am Tag vorher hier bekannt (Vorschläge von Ortskundigen sind gern genommen) steht jetzt oben: Cafe Kaiserbau. Ich habe einen Tisch bestellt - bitte probiert entweder "Liferay" oder meinen Namen, wenn ich noch nicht da bin.


the promised english summary

As I'll be in Stuttgart for the upcoming training "Administering Liferay Systems" (which you still can register for), I'm calling for a community meeting. The location will be close to Marienplatz, Time is Tuesday, 15. April 2014, 18:30 (6:30 pm). To ensure we have enough seats, please register by commenting here, on twitter or through mail (olaf dot kock fancy-symbol liferay dot com, go figure). There's no agenda or presentation (unless someone volunteers), just conversation (and some drinks). Location: Cafe Kaiserbau, there's a table for "Liferay" or on my name.

Radio Liferay Episode 38: Alberto Chaparro on the Migration tool for Portlets Version 6.1 to 6.2

General Blogs 2014/02/05 投稿者 Olaf Kock Staff

 I talked with Alberto Chaparro. Alberto works for Liferay as a support engineer on the spanish team. This conversation follows up on something that Iliyan mentioned in episode 37: The migration tool that will help you upgrade your portlet from 6.1 to 6.2. We're talking during the end of the symposium, so the background noise that you hear are people that are starting to break down the staff room.

We talked about

  • Alberto has helped Iliyan working on the upgrade tool that we spoke about in episode 37
  • The tool helps upgrading AlloyUI JS, CSS and some JSP code from Liferay 6.1 to 6.2
  • Alberto presented this tool at the spanish symposium
  • The tool is available for Windows, Mac and Linux, Installation instructions are available in the tool / github repository
  • It's been used on 100+ portlet plugins already, providing good service in the upgrade process. Sorry, this is the only plugin type that it's good for.

Follow RadioLiferay or me on twitter

Again, shoutout and big thank you to Auphonic for postproduction help. This is a fantastic service!

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to  http://feeds.feedburner.com/RadioLiferay. You can also subscribe on itunes.: Just search for "Radio Liferay" or just "Liferay" in the podcast directory.

Or just download the MP3 here:

download audio file

Radio Liferay Episode 37: Iliyan Peychev on Frontend and AlloyUI

General Blogs 2014/01/09 投稿者 Olaf Kock Staff

 I talked with Iliyan Peychev, Software Developer from Madrid. We met during Liferay's spanish symposium (so it's about time to publish the episode - sorry for the delay). We're back on Liferay's frontend, so I'm getting my scoop on how to approach Javascript work, new tools, new infrastructure. Also - as you'll discover - I got a glimpse of developer-paradise

We talked about

  • where Iliyan's non-spanish accent comes from
  • Iliyan is a long time user and contributor to YUI (since YUI 2.x) and came on board when Liferay was looking for an Ajax Developer after having seen many of the AlloyUI components.
  • Liferay's currently open positions (changed since we recorded, but still a lot & interesting positions)
  • How to approach AlloyUI, what tools to use
  • as 6.2 uses Bootstrap for themes, we talk about the migration of existing themes and the way we work with css. (the episode has been recorded just before the actual release of 6.2)
  • The Liferay AUI upgrade tool will cover a lot of the upgrade work you need to do to migrate your existing 6.1 plugins to 6.2 - covering various API upgrades etc. (see https://github.com/liferay/liferay-aui-upgrade-tool#what-it-does - doesn't it sound like paradise?)
  • AlloyUI now has a testing infrastructure - automatically running a on a huge number of browsers to make sure nobody introduces regressions with a change to AlloyUI
  • Roadmap for AlloyUI past 2.0
  • Just like all Open Source projects, AlloyUI lives and improves on feedback - please help and get involved, get your impression heard. (and the same goes to podcasts. Please let me know which episodes you like, what to change, topic requests. You have blog comments to this episode on liferay.com, itunes comments and ratings and other platforms - whereever you get this podcast from)
  • The AlloyUI team hangs out on Forums, IRC, stackoverflow, twitter, github, jira - use whatever suits you best.
  • An alternative to Bootstrap that has been considered
  • Though symposium season is over now, you, dear listener, might consider to come to one of the 2014 Symposiums, Portal Solution Forums, Roadshows or DevCon.
  • AlloyUI is available through CDN

Follow Iliyan, RadioLiferay or me on twitter

Again, shoutout and big thank you to Auphonic for postproduction help. This is a fantastic service!

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to  http://feeds.feedburner.com/RadioLiferay. You can also subscribe on itunes.: Just search for "Radio Liferay" or just "Liferay" in the podcast directory.

Or just download the MP3 here:

download audio file

該当件数: 85 件中 1 - 20
ページごとのアイテム数 20
/ 5