Tribune

Home » Liferay Portal » English » 3. Development

Vista Combinata Vista Piatta Vista ad Albero
Discussioni [ Precedente | Successivo ]
toggle
Security Issue : Liferay Name and Version in Response Header Manish Kumar Jaiswal 3 marzo 2011 22.17
RE: Security Issue : Liferay Name and Version in Response Header Shagul Khajamohideen 4 marzo 2011 8.34
RE: Security Issue : Liferay Name and Version in Response Header David H Nebinger 4 marzo 2011 8.51
RE: Security Issue : Liferay Name and Version in Response Header David H Nebinger 10 marzo 2011 11.22
RE: Security Issue : Liferay Name and Version in Response Header Manish Kumar Jaiswal 11 marzo 2011 4.45
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19 gennaio 2013 0.08
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19 gennaio 2013 2.45
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19 gennaio 2013 3.02
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19 gennaio 2013 3.18
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19 gennaio 2013 3.22
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19 gennaio 2013 11.47
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 20 gennaio 2013 8.54
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 20 gennaio 2013 12.28
RE: Security Issue : Liferay Name and Version in Response Header Hitoshi Ozawa 20 gennaio 2013 13.03
RE: Security Issue : Liferay Name and Version in Response Header satyam kaushik 1 novembre 2013 3.59
Manish Kumar Jaiswal
Security Issue : Liferay Name and Version in Response Header
3 marzo 2011 22.17
Risposta

Manish Kumar Jaiswal

Punteggio: Regular Member

Messaggi: 133

Data di Iscrizione: 25 novembre 2008

Messaggi recenti

Liferay Leaks out the in its Resonse headers its Name and Version . How Can I restrict it , What Exact modification will make it hide (I hope something into Tomcat ...mine is Liferay 6.0.5 + tomcat-6.0.26)...?
Shagul Khajamohideen
RE: Security Issue : Liferay Name and Version in Response Header
4 marzo 2011 8.34
Risposta

Shagul Khajamohideen

Punteggio: Liferay Master

Messaggi: 759

Data di Iscrizione: 27 settembre 2007

Messaggi recenti

Manish Kumar Jaiswal:
Liferay Leaks out the in its Resonse headers its Name and Version . How Can I restrict it , What Exact modification will make it hide (I hope something into Tomcat ...mine is Liferay 6.0.5 + tomcat-6.0.26)...?



I think the response headers are intentional and not a mistake. I do not see any configurations to change the behavior.

If there is no configurable way to do that, I see two options
1) Customize/extend the code behind that to no set those response headers
2) Use some kind of modify header options in apache or any web server (based on what they support) to remove those headers.

http://httpd.apache.org/docs/2.0/mod/mod_headers.html
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
4 marzo 2011 8.51
Risposta

David H Nebinger

Community Moderator

Punteggio: Liferay Legend

Messaggi: 11101

Data di Iscrizione: 1 settembre 2006

Messaggi recenti

Sure they're intentional (as they are purposely returning it), but I can't see what value it would have.

It is strange that www.liferay.com returns the header:

1Liferay-Portal:Liferay Portal Enterprise Edition 5.2 EE SP6 (Augustine / Build 5210 / February 14, 2011)


With 6.0 out for awhile now, you'd think they would push their own folks to use the latest release.

It begs the question, what is so wrong with 6.0 that you need to stay on 5.2? If you're staying on 5.2, then perhaps we should too...
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
10 marzo 2011 11.22
Risposta

David H Nebinger

Community Moderator

Punteggio: Liferay Legend

Messaggi: 11101

Data di Iscrizione: 1 settembre 2006

Messaggi recenti

I've just submitted a patch in LPS-2748 for the 6.0.6 CE edition that adds a new boolean property, response.header.liferay.version, defaults to true but controls the addition of the header. This would allow for it to overridden in portal-ext.properties to disable the header addition.

I think it cannot be done as an extension plugin since it is a change to the portal's MainServlet class (and other key classes) and would probably need to be applied directly to the 6.0.6 code base and built manually...

Boy, I sure miss the extension environment (where such a change would have been a breeze to incorporate).
Manish Kumar Jaiswal
RE: Security Issue : Liferay Name and Version in Response Header
11 marzo 2011 4.45
Risposta

Manish Kumar Jaiswal

Punteggio: Regular Member

Messaggi: 133

Data di Iscrizione: 25 novembre 2008

Messaggi recenti

Nice David !!!!!!!!!!!!
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19 gennaio 2013 0.08
Risposta

Amit Kumar Gupta

Punteggio: New Member

Messaggi: 24

Data di Iscrizione: 25 novembre 2010

Messaggi recenti

Manish Kumar Jaiswal:
Nice David !!!!!!!!!!!!



Dear .Manish Kumar Jaiswal

How are you?

We have also hide the liferay verion from our portal.
How can we achieve?

i have set response.header.liferay.version=false in portal-ext.properties but it is not working....


its urgent.....
mail me solution
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19 gennaio 2013 2.45
Risposta

Jelmer Kuperus

Punteggio: Liferay Legend

Messaggi: 1192

Data di Iscrizione: 10 marzo 2010

Messaggi recenti

The property that was added is not response.header.liferay.version but this one :

#
# Set the level of verbosity to use for the Liferay-Portal field in the HTTP
# header response. Valid values are "full", which gives all of the version
# information (e.g. Liferay Portal Community Edition 6.1.0 CE etc.) or
# "partial", which gives only the name portion (e.g. Liferay Portal
# Community Edition).
#
http.header.version.verbosity=full


What does not seem to be documented is that you can change this setting for the community edition to

http.header.version.verbosity=Liferay Portal Community Edition


or for the enterprise edition to (probably)

http.header.version.verbosity=Liferay Portal Enterprise Edition


To get rid of the header completely
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19 gennaio 2013 3.02
Risposta

Amit Kumar Gupta

Punteggio: New Member

Messaggi: 24

Data di Iscrizione: 25 novembre 2010

Messaggi recenti

I have tried below
http.header.version.verbosity=Liferay Portal Community Edition
and
http.header.version.verbosity=partial
one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.

Plz help me
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19 gennaio 2013 3.18
Risposta

Jelmer Kuperus

Punteggio: Liferay Legend

Messaggi: 1192

Data di Iscrizione: 10 marzo 2010

Messaggi recenti

what version of liferay are you using ?
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19 gennaio 2013 3.22
Risposta

Amit Kumar Gupta

Punteggio: New Member

Messaggi: 24

Data di Iscrizione: 25 novembre 2010

Messaggi recenti

Liferay CE 6.0.6
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19 gennaio 2013 11.47
Risposta

Jelmer Kuperus

Punteggio: Liferay Legend

Messaggi: 1192

Data di Iscrizione: 10 marzo 2010

Messaggi recenti

That property is only supported on

liferay ce >= 6.1.0
liferay ee >= 6.0.12

You could (if you are not already doing this) run apache httpd in front of Liferay (using mod_proxy or mod_jk)
You can then use mod_rewrite to remove this header eg :

RequestHeader unset Liferay-Portal
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
20 gennaio 2013 8.54
Risposta

Amit Kumar Gupta

Punteggio: New Member

Messaggi: 24

Data di Iscrizione: 25 novembre 2010

Messaggi recenti

Thanks for Reply

Can you please suggest me the exact Apache configuration of mod_rewrite?

In fact we are using Apache as front server (and liferay CE 6.0.6 behind it).
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
20 gennaio 2013 12.28
Risposta

Jelmer Kuperus

Punteggio: Liferay Legend

Messaggi: 1192

Data di Iscrizione: 10 marzo 2010

Messaggi recenti

sure, would you like me to hold your hand while you type it in too?
Hitoshi Ozawa
RE: Security Issue : Liferay Name and Version in Response Header
20 gennaio 2013 13.03
Risposta

Hitoshi Ozawa

Punteggio: Liferay Legend

Messaggi: 7949

Data di Iscrizione: 23 marzo 2010

Messaggi recenti

one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.


This won't help you solve your problem on hand but the file name should be "portal-ext.properties".


BTW, I'm willing to help. Where can I send you my bills?
satyam kaushik
RE: Security Issue : Liferay Name and Version in Response Header
1 novembre 2013 3.59
Risposta

satyam kaushik

Punteggio: New Member

Messaggi: 4

Data di Iscrizione: 1 giugno 2013

Messaggi recenti

Is it possible to display blank or remove the Liferay-Portal header in the request header.I already use partial and it works fine.But I don't want to display server information at all in the request header.

My another doubt is when I tried to call setHeader(" Liferay-Portal"," ") on the reference of HttpServletResponse but it didn't work.Why?