Securing Liferay Portal

Liferay follows the OWASP Top 10 (2013) and CWE/SANS Top 25 lists to ensure Liferay Portal is as secure as possible. Following these recommendations protects the product against known kinds of attacks and security vulnerabilities. For example, Liferay Portal’s persistence layer is generated and maintained by the Service Builder framework, which uses Hibernate and parameterized queries to prevent SQL injection.

To prevent Cross-Site Scripting (XSS), user-submitted values are escaped on output. To support integration features, Liferay Portal doesn’t encode input: data is stored in the original form the user submitted. Liferay Portal includes built-in protection against CSRF attacks, Local File Inclusion, Open Redirects, uploading and serving files of dangerous types, Content Sniffing, Clickjacking, Path Traversal, and many other common attacks.
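The two principles above (parameterized queries against the database, escaping on output rather than encoding input) are easy to see in plain JDBC. The class below is an added illustration written for this page; it is not Service Builder's generated code or any other Liferay source. The `User_` table and `screenName` column are borrowed only as a familiar shape for the query, and the `Connection` passed to `lookupUserId` is assumed to come from the caller.

```java
// Added illustration (not Liferay code): a parameterized lookup beside the
// string-concatenation pattern it replaces, plus an output-side HTML escaper.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class InputHandlingExample {

    // The pattern the persistence layer is designed to avoid: the submitted value
    // becomes part of the SQL text, so even a legitimate name containing an
    // apostrophe ends the string literal early and changes the statement's structure.
    static String concatenatedLookupSql(String screenName) {
        return "SELECT userId FROM User_ WHERE screenName = '" + screenName + "'";
    }

    // Parameterized query: the SQL text is fixed and the value is bound separately,
    // so the driver never interprets the value as SQL. The Connection is assumed
    // to be supplied by the caller (e.g. from the portal's data source).
    static Long lookupUserId(Connection conn, String screenName) throws SQLException {
        String sql = "SELECT userId FROM User_ WHERE screenName = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, screenName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong("userId") : null;
            }
        }
    }

    // Escape on output: the stored value stays exactly as submitted, and the five
    // characters that matter in HTML text and attribute context are replaced only
    // at render time, so integrations that read the raw value still get it unchanged.
    static String escapeHtml(String raw) {
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a perfectly valid screen name with an apostrophe.
        String screenName = "o'brien";
        // The concatenated form produces SQL with an unbalanced quote; the
        // parameterized lookupUserId(conn, screenName) binds the same value safely.
        System.out.println(concatenatedLookupSql(screenName));

        // Constructed sample comment, stored verbatim and escaped only when rendered.
        String comment = "<b>Hi</b> & welcome, \"friend\"";
        System.out.println(escapeHtml(comment));
    }
}
```

The escaper here is a minimal stand-in for the portal's own output escaping; the point is where it runs (at render time, on the way out), not its exact character table.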

To stay current, Liferay Portal also contains fixes for state-of-the-art attacks and techniques to improve product security. For example, Liferay Portal uses PBKDF2 to hash stored passwords. Liferay Portal also contains mitigations for the Quadratic Blowup XXE attack, the Rosetta Flash vulnerability, Reflected File Download, and other kinds of attacks.

This section of tutorials shows you how to configure various security and login features, such as LDAP, single sign-on, Service Access Policies, and more. What follows is an overview of what’s available.

Authentication Overview

Liferay Portal user authentication can take place using any of a variety of prepared solutions:

  • Form authentication using the Sign In Portlet with extensible adapters for checking and storing credentials (portal database, LDAP)
  • Single-Sign-On (SSO) solutions - NTLM, CAS, SiteMinder, OpenSSO, OpenID, Facebook
  • SAML plugin
  • JAAS integration with application server

Note: Although Liferay’s SSO solutions are incompatible with WebDAV, they can be used with Liferay Sync. See the Publishing Files article for more information on WebDAV and Liferay Sync.

You can authenticate and authorize apps remotely using the AuthVerifier layer:

  • Password based HTTP Basic + Digest authentication
  • Token based OAuth plugin
  • Portal session based solution for JavaScript applications

Both user authentication and remote application authentication are extensible. Developers can create custom Login portlets and plugins, extend the default Login portlet auth.pipeline, create AutoLogin extensions for SSO, or create custom AuthVerifier implementations.

Authorization and Permission Checking

There are several adjustable authorization layers in place to prevent unauthorized or unsecured access to data:

  • Remote IP and HTTPS transport check to limit access to Liferay Portal’s Java servlets
  • Extensible Access Control Policies layer to perform any portal service related authorization check
  • Extensible role-based permission framework for almost any portal entity or data (stored in the portal database or elsewhere)
  • Portlet Container security checks to control portlet access
  • Remote IP check for portal remote API authentication methods
  • Service Access Policies to control access to portal remote API

Additional Security Features

Users can be assigned to sites, teams, user groups, or organizations. Custom roles can be created, permissions can be assigned to those roles, and those roles can be applied to users. Roles are scoped to apply only with a specific context like a site, an organization, or globally. See the Roles and Permissions documentation for more information.

There are additional security plugins available from Liferay Marketplace. For example, you can find an Audit plugin for tracking user actions or an AntiSamy plugin for stripping XSS vectors from user-supplied HTML.

There are many ways to fine-tune or disable various security features. Here are a few examples of these kinds of configuration actions:

  • Disable the Sign In portlet’s Create Account link
  • Configure Liferay Portal’s HTTPS web server address
  • Configure the list of allowed servers to which users can be redirected
  • Configure the list of portlets that can be accessed from any page
  • Configure the file types allowed to be uploaded and downloaded

Secure Configuration and Run Recommendations

Liferay Portal is built with the “secure by default” concept in mind. It’s not recommended to disable built-in protections or to allow all values in security whitelists. Doing so may lead to security misconfiguration and an insecure deployment.
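The "allowed redirect servers" list mentioned above is a good concrete case of a security whitelist, and of why opening it to all values defeats its purpose. The class below is an added illustration of such a check, written for this page; it is not Liferay's own redirect validation (which, to my knowledge, is driven by portal properties such as `redirect.url.security.mode` and `redirect.url.domains.allowed`). The allow list contents and the sample URLs are constructed, and the constructor deliberately refuses a wildcard entry rather than silently allowing everything.

```java
// Added illustration (not Liferay code): an allow-list check for redirect targets
// that keeps portal-relative paths, permits listed hosts, and falls back to a
// portal-local page for everything else.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class RedirectAllowList {

    private final Set<String> allowedHosts;

    // The allow list is a fixed set of host names. A wildcard entry would turn the
    // check into "allow everything", which is the misconfiguration the text warns
    // against, so it is rejected at construction time instead of being honoured.
    RedirectAllowList(Set<String> hosts) {
        Set<String> normalized = new HashSet<>();
        for (String h : hosts) {
            if (h.contains("*")) {
                throw new IllegalArgumentException("wildcard not allowed in redirect allow list: " + h);
            }
            normalized.add(h.toLowerCase(Locale.ROOT));
        }
        this.allowedHosts = Collections.unmodifiableSet(normalized);
    }

    // Returns the requested target when it is safe to follow, otherwise the fallback.
    String resolve(String requested, String fallback) {
        if (requested == null || requested.isEmpty()) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(requested);
        } catch (URISyntaxException e) {
            return fallback; // unparseable input (e.g. backslashes): never guess
        }
        if (uri.getHost() == null) {
            // No authority. A plain path such as "/web/guest/home" stays on this
            // portal; anything carrying a scheme but no host ("javascript:",
            // "mailto:", "data:") is refused.
            boolean localPath = uri.getScheme() == null
                && requested.startsWith("/")
                && !requested.startsWith("//");
            return localPath ? requested : fallback;
        }
        String scheme = uri.getScheme();
        // Scheme-relative URLs ("//host/path") inherit the page's scheme and are
        // judged by host alone; absolute URLs must be http or https.
        if (scheme != null && !scheme.equals("http") && !scheme.equals("https")) {
            return fallback;
        }
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        return allowedHosts.contains(host) ? requested : fallback;
    }

    public static void main(String[] args) {
        Set<String> hosts = new HashSet<>();
        hosts.add("www.example.com"); // constructed sample allow list
        RedirectAllowList check = new RedirectAllowList(hosts);

        String home = "/web/guest/home"; // portal-local fallback
        String[] samples = {            // constructed sample redirect parameters
            "/web/guest/welcome",
            "https://www.example.com/docs",
            "https://partner.example/",
            "//partner.example/x"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + check.resolve(s, home));
        }
    }
}
```

Only the first two samples survive the check; the absolute and scheme-relative URLs to a host not on the list are replaced by the portal-local fallback. Note that parsing with `java.net.URI` before comparing hosts is what makes the scheme-relative case visible; a plain string prefix check on the requested value would not catch it.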

For more information about securing a Liferay Portal installation, please see our security statement, the community security team, and the resources listed on those pages.

Also, customers are advised to deploy security patches as described on the customer portal.

Community and CE deployments stay secure by always using the latest community version, which contains all previous security patches. Until a new version is released, the Community Security Team issues patches for the latest CE version via the community security team page.

Logging into Liferay Portal

One of the primary functions of a security system is to make sure that pages, content, and web applications are accessible only to the appropriate users. A student logging into a university portal should not...

Service Access Policies

Service access policies are an additional layer of web service security that define which services or service methods can be invoked remotely. As such, they affect only remote services, not local...

Authentication Verifiers

The Authentication Verification Layer is a centralized and extensible way to authenticate remote invocations of Liferay Portal’s API. The main responsibilities of the authentication verification...

Token-based Single Sign On Authentication

Token-based SSO authentication was introduced in Liferay Portal 7.0 to standardize support for Shibboleth, SiteMinder, and any other SSO product which works on the basis of propagating a token via...

OpenID Single Sign On Authentication

OpenID is a single sign-on standard implemented by multiple vendors. Users can register for an ID with the vendor they trust. The credential issued by that vendor can be used by all the web sites...

CAS (Central Authentication Service) Single Sign On Authentication

CAS is an authentication system originally created at Yale University. It is a widely used open source single sign-on solution and was the first SSO product to be supported by Liferay Portal....

OpenAM Single Sign On Authentication

OpenAM is an open source single sign-on solution that comes from the code base of Sun’s System Access Manager product. Liferay Portal integrates with OpenAM, allowing you to use OpenAM to integrate...

NTLM Single Sign On Authentication

NTLM (NT LAN Manager) is a suite of Microsoft protocols that provide authentication, integrity, and confidentiality for users. Though Microsoft has adopted Kerberos in modern versions of Windows...

Facebook Connect Single Sign On Authentication

Facebook Connect SSO authentication is an integration with Facebook’s Graph API. It retrieves the user’s Facebook profile information and matches it to existing Liferay Portal users (either by...

LDAP

Liferay Portal fully supports LDAP as a user store. Use the LDAP tab in the Instance Settings’ Authentication page to connect to an LDAP directory. Users can be imported from LDAP or exported to LDAP....

OAuth 2.0

OAuth 2.0 is an industry-standard authorization protocol. Users can seamlessly share select credentials from another website to log into yours. You’ve probably seen this before: any time you see a...
