Manish Kumar Jaiswal
Security Issue : Liferay Name and Version in Response Header
March 3, 2011 10:17 PM

Rank: Regular Member
Posts: 133
Join Date: November 25, 2008

Liferay leaks its name and version in its response headers. How can I restrict it? What exact modification will hide it (I hope something in Tomcat... mine is Liferay 6.0.5 + tomcat-6.0.26)?
Shagul Khajamohideen
RE: Security Issue : Liferay Name and Version in Response Header
March 4, 2011 8:34 AM

Rank: Liferay Master
Posts: 759
Join Date: September 27, 2007

Manish Kumar Jaiswal:
Liferay leaks its name and version in its response headers. How can I restrict it? What exact modification will hide it (I hope something in Tomcat... mine is Liferay 6.0.5 + tomcat-6.0.26)?



I think the response headers are intentional and not a mistake. I do not see any configurations to change the behavior.

If there is no configurable way to do that, I see two options:
1) Customize/extend the code behind that to not set those response headers
2) Use some kind of modify header options in apache or any web server (based on what they support) to remove those headers.

http://httpd.apache.org/docs/2.0/mod/mod_headers.html
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
March 4, 2011 8:51 AM

Rank: Liferay Legend
Posts: 7250
Join Date: September 1, 2006

Sure they're intentional (as they are purposely returning it), but I can't see what value it would have.

It is strange that www.liferay.com returns the header:

Liferay-Portal: Liferay Portal Enterprise Edition 5.2 EE SP6 (Augustine / Build 5210 / February 14, 2011)


With 6.0 out for a while now, you'd think they would push their own folks to use the latest release.

It begs the question, what is so wrong with 6.0 that you need to stay on 5.2? If you're staying on 5.2, then perhaps we should too...
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
March 10, 2011 11:22 AM

Rank: Liferay Legend
Posts: 7250
Join Date: September 1, 2006

I've just submitted a patch in LPS-2748 for the 6.0.6 CE edition that adds a new boolean property, response.header.liferay.version, which defaults to true but controls the addition of the header. This would allow it to be overridden in portal-ext.properties to disable the header addition.

I think it cannot be done as an extension plugin since it is a change to the portal's MainServlet class (and other key classes) and would probably need to be applied directly to the 6.0.6 code base and built manually...

Boy, I sure miss the extension environment (where such a change would have been a breeze to incorporate).
Manish Kumar Jaiswal
RE: Security Issue : Liferay Name and Version in Response Header
March 11, 2011 4:45 AM

Rank: Regular Member
Posts: 133
Join Date: November 25, 2008

Nice David !!!!!!!!!!!!
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 12:08 AM

Rank: New Member
Posts: 24
Join Date: November 25, 2010

Manish Kumar Jaiswal:
Nice David !!!!!!!!!!!!



Dear Manish Kumar Jaiswal,

How are you?

We also have to hide the Liferay version from our portal.
How can we achieve this?

I have set response.header.liferay.version=false in portal-ext.properties but it is not working....


It's urgent.....
Mail me the solution.
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 2:45 AM

Rank: Liferay Legend
Posts: 1192
Join Date: March 10, 2010

The property that was added is not response.header.liferay.version but this one:

#
# Set the level of verbosity to use for the Liferay-Portal field in the HTTP
# header response. Valid values are "full", which gives all of the version
# information (e.g. Liferay Portal Community Edition 6.1.0 CE etc.) or
# "partial", which gives only the name portion (e.g. Liferay Portal
# Community Edition).
#
http.header.version.verbosity=full


What does not seem to be documented is that you can change this setting for the community edition to

http.header.version.verbosity=Liferay Portal Community Edition


or for the enterprise edition to (probably)

http.header.version.verbosity=Liferay Portal Enterprise Edition


To get rid of the header completely
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 3:02 AM

Rank: New Member
Posts: 24
Join Date: November 25, 2010

I have tried below
http.header.version.verbosity=Liferay Portal Community Edition
and
http.header.version.verbosity=partial
one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.

Plz help me
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 3:18 AM

Rank: Liferay Legend
Posts: 1192
Join Date: March 10, 2010

What version of Liferay are you using?
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 3:22 AM

Rank: New Member
Posts: 24
Join Date: November 25, 2010

Liferay CE 6.0.6
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
January 19, 2013 11:47 AM

Rank: Liferay Legend
Posts: 1192
Join Date: March 10, 2010

That property is only supported on

liferay ce >= 6.1.0
liferay ee >= 6.0.12

You could (if you are not already doing this) run apache httpd in front of Liferay (using mod_proxy or mod_jk)
You can then use mod_rewrite to remove this header eg :

# Header (mod_headers) edits response headers; RequestHeader only changes the request sent to the backend
Header unset Liferay-Portal
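
An added example (not from any poster in this thread, and not Liferay or Apache code): a Python check that reads a captured response head and reports whether the Liferay-Portal header is absent, name-only, or still carries version detail, which is how to confirm that either the property or the proxy change took effect. The sample responses are constructed; only the 5.2 EE value is the one quoted earlier in the thread.

```python
import re

HEADER = "liferay-portal"  # header names are case-insensitive; compare lowercased
# A dotted release number (6.0.6, 5.2) or a "Build NNNN" token marks version detail.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b|\bBuild\s+\d+\b", re.IGNORECASE)

# Constructed sample responses; the first value is the one quoted in the thread.
FULL = ("HTTP/1.1 200 OK\r\n"
        "Liferay-Portal: Liferay Portal Enterprise Edition 5.2 EE SP6 "
        "(Augustine / Build 5210 / February 14, 2011)\r\n"
        "Content-Type: text/html\r\n\r\n")
PARTIAL = ("HTTP/1.1 200 OK\r\n"
           "liferay-portal: Liferay Portal Community Edition\r\n\r\n")
STRIPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Liferay 6.0.6</html>"


def parse_headers(raw):
    """Return (lowercased name, value) pairs from the first response head in raw."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block; the body is ignored
        if line[0] in " \t" and pairs:  # obsolete folded continuation line
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def classify(raw):
    """Return 'absent', 'name-only' or 'versioned' for the Liferay-Portal header."""
    values = [v for n, v in parse_headers(raw) if n == HEADER]
    if not values:
        return "absent"
    if any(VERSION_RE.search(v) for v in values):
        return "versioned"
    return "name-only"


if __name__ == "__main__":
    for label, sample in (("full", FULL), ("partial", PARTIAL), ("stripped", STRIPPED)):
        print(label, "->", classify(sample))
```

Run it on the output of `curl -sI` against the public URL, so the response passes through the front-end web server rather than coming from Tomcat directly.
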
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
January 20, 2013 8:54 AM

Rank: New Member
Posts: 24
Join Date: November 25, 2010

Thanks for the reply.

Can you please suggest the exact Apache configuration of mod_rewrite?

In fact we are using Apache as front server (and liferay CE 6.0.6 behind it).
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
January 20, 2013 12:28 PM

Rank: Liferay Legend
Posts: 1192
Join Date: March 10, 2010

sure, would you like me to hold your hand while you type it in too?
Hitoshi Ozawa
RE: Security Issue : Liferay Name and Version in Response Header
January 20, 2013 1:03 PM

Rank: Liferay Legend
Posts: 7954
Join Date: March 23, 2010

one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.


This won't help you solve your problem on hand but the file name should be "portal-ext.properties".


BTW, I'm willing to help. Where can I send you my bills?
satyam kaushik
RE: Security Issue : Liferay Name and Version in Response Header
November 1, 2013 3:59 AM

Rank: New Member
Posts: 4
Join Date: June 1, 2013

Is it possible to display blank or remove the Liferay-Portal header in the request header? I already use partial and it works fine. But I don't want to display server information at all in the request header.

My other doubt: I tried to call setHeader(" Liferay-Portal"," ") on the reference of HttpServletResponse, but it didn't work. Why?