Forum

Critical Security Issues

Rathish R, modified 14 years ago.

Critical Security Issues

Junior Member, Posts: 47, Join Date: 26/02/09
Hi Team,

I have Liferay 5.2 running. My URL pattern is:

http://localhost:8080/web/MYCOMMUNITY1/MYPAGE1
http://localhost:8080/web/MYCOMMUNITY2/MYPAGE2

The problem is that users who are not authenticated are also able to view these pages. Also, I read in the admin guide that:

"For example, if the public pages are mapped to /web and the group or user's friendly URL is set to /guest and the layout's friendly URL is set to /company/community, then the friendly URL for the page will be http://www.liferay.com/web/guest/company/community. Public pages are available to unauthenticated users."

How do I stop this? I want only authenticated users to view my public pages.

I have LDAP-NTLM set up and I am using Microsoft AD.
Arvind Mishra, modified 14 years ago.

RE: Critical Security Issues

Regular Member, Posts: 226, Join Date: 13/02/08
Public pages are available to unauthenticated users.
You need to create Private Pages. Private pages have URLs like http://domain/group/MYCOMM/MYPAGE

To create a private page, go to the respective community -> Manage Pages -> you will see 3 tabs: Public Pages / Private Pages / Settings

You can create private pages inside the Private Pages tab.

Thanks
Arvind
Rathish R, modified 14 years ago.

RE: Critical Security Issues

Junior Member, Posts: 47, Join Date: 26/02/09
Hi,

Thanks for the reply. But I am a little confused. If public pages are available to unauthenticated users, then I don't see any point in having them, because if I have public pages and my application is hosted over the internet, then anybody in the world who could guess my URL would have access to our portal, which I think is a huge security issue.

There should be some workaround for this. Need help.
Aarti Jain, modified 14 years ago.

RE: Critical Security Issues

Regular Member, Posts: 116, Join Date: 02/09/08
Hi Rathish,

If you want guest users not to be able to access your public pages, then you can set the permissions for the public pages:

1) Log in as an admin user
2) Go to the public pages of the community
3) Select 'Manage Pages' from the dock menu
4) Select the page from the tree that you don't want guest users to access
5) Click on the Permissions button.
6) Uncheck the guest View permission and submit.

Hope that helps!

Regards,
Aarti Jain
Impetus Infotech Pvt. Ltd.
Noida
Auditya manikanta Vadrevu, modified 14 years ago.

RE: Critical Security Issues

Liferay Master, Posts: 621, Join Date: 06/05/08
Hi Rathish,

You have public pages and private pages in the portal. Content you want to show only to authenticated members can be kept in private pages, and public pages are the place where you can keep content that can be available to unauthenticated users (guests).

If public pages are available for unauthenticated users, then I don't see any point in having them,

Without public pages (which are visible to guests), how will you log into the portal? Check liferay.com: the /web/... pages are all content that can be visible to guests, and after login the /group/... pages are only for authenticated members.


With Regards,
V.Auditya
Arvind Mishra, modified 14 years ago.

RE: Critical Security Issues

Regular Member, Posts: 226, Join Date: 13/02/08
Rathish R:
Hi,

If public pages are available for unauthenticated users, then I don't see any point in having them,

Let's take an example (it's just an example):

Suppose you go to www.chase.com. You will see all kinds of offers and a login box; this is a kind of public page.
After you log in, you go to your account pages, which are a kind of private page.

You need at least one public page in any kind of site, unless your site is an intranet site or can only be accessed through SSO via another application, isn't it?

Thanks
Arvind
Rathish R, modified 14 years ago.

RE: Critical Security Issues

Junior Member, Posts: 47, Join Date: 26/02/09
Hi All,

Let me explain the scenario. The departments in my company are my communities. Now for each community I have public and private pages. Public pages should be visible to all the employees who are authenticated. Private pages are specific to those individual department members only.

We had LR 4.3 and this is the concept we used; it worked very fine. In 5.2, has the logic changed so that all public pages are accessible to unauthenticated users?

Are you saying that no matter what the configs are, public pages will be accessible to unauthenticated users?

Also, one thing I have noticed is that not all public pages are accessible without authentication.

I am really confused. Please help.

If I modify "layout.friendly.url.public.servlet.mapping=/web" and make it layout.friendly.url.private.servlet.mapping=/web, will that solve the problem?
Rathish R, modified 14 years ago.

RE: Critical Security Issues

Junior Member, Posts: 47, Join Date: 26/02/09
Hi All,

Finally I decided to recreate all my public pages as private pages. Now my URL pattern is http://localhost:8080/group/MYCOMMUNITY/MYPAGE.

After doing this, when I go to the above URL it asks me for a username and password. Once I supply the credentials it takes me to the page.

But when another user types the same URL, he is logged in as me. Is this some cache issue? If so, how do I get rid of it?
Boden Larson, modified 14 years ago.

RE: Critical Security Issues

Regular Member, Posts: 200, Join Date: 10/07/08
How is the other user hitting the site? From your machine or from another machine?
Rathish R, modified 14 years ago.

RE: Critical Security Issues

Junior Member, Posts: 47, Join Date: 26/02/09
Boden Larson:
How is the other user hitting the site? From your machine or from another machine?

From another machine.
Olaf Kock, modified 14 years ago.

RE: Critical Security Issues

Liferay Legend, Posts: 6403, Join Date: 23/09/08
Do they happen to have some ";jsessionid=23dtxxxxxxxxx" part in their URL that might link to your session id? This would enable them to get into your session without having the cookie that you have.

In order to make sure it's not this scenario, please try to:
* have somebody else access the site in a way that makes them appear to be logged in as you
* see if you yourself are still logged in
* log out
* see if the other person is still logged in as you or is also logged out.

It might also be that some proxy server caches content that has been delivered to you and also delivers it to the other person. This should not happen, and the Liferay pages should be marked as not cacheable, but who knows: there might be a bug with this or an over-aggressive proxy cache in action.
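The two causes Olaf describes (a session id carried in the URL, and a shared proxy caching a logged-in user's page) can both be checked from the client side without touching the portal. The script below is an added example, not code from the thread or from Liferay; the URLs and headers it inspects are constructed samples in the shape of the thread's /group/... URLs, and the checks are the ones a defender would run against an actual response.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

SESSION_PARAM = "jsessionid"


def session_id_in_url(url: str) -> bool:
    """True if the URL carries a servlet session id, either as a Tomcat-style
    path parameter (/page;jsessionid=ID) or as a query parameter."""
    parts = urlsplit(url)
    for segment in parts.path.split("/"):
        # Everything after the first ';' in a path segment is a path parameter.
        for param in segment.split(";")[1:]:
            if param.split("=", 1)[0].lower() == SESSION_PARAM:
                return True
    return any(key.lower() == SESSION_PARAM for key in parse_qs(parts.query))


def shared_cache_risk(headers: Dict[str, str]) -> List[str]:
    """Explain why a response served to a logged-in user could be stored by a
    shared proxy cache and replayed to another user. Empty list: no finding."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
    findings = []
    if not cc & {"no-store", "private"}:
        findings.append("Cache-Control has neither no-store nor private")
    if "public" in cc:
        findings.append("Cache-Control: public explicitly permits shared caches")
    for directive in cc:
        name, _, value = directive.partition("=")
        if name in ("max-age", "s-maxage") and value.isdigit() and int(value) > 0:
            if "private" not in cc:
                findings.append(f"{name}={value} lets a shared cache keep the page")
    if "set-cookie" in h and "no-store" not in cc:
        findings.append("Set-Cookie present but response is not marked no-store")
    return findings


# Constructed sample data; not taken from the thread's real deployment.
LEAKY_URL = "http://localhost:8080/group/MYCOMMUNITY/MYPAGE;jsessionid=23DTXXXXXXXXX"
CLEAN_URL = "http://localhost:8080/group/MYCOMMUNITY/MYPAGE"
SAFE_HEADERS = {"Cache-Control": "private, no-cache, no-store, must-revalidate"}
RISKY_HEADERS = {"Cache-Control": "public, max-age=3600",
                 "Set-Cookie": "JSESSIONID=23DTXXXXXXXXX; Path=/"}

if __name__ == "__main__":
    for url in (LEAKY_URL, CLEAN_URL):
        print(url, "-> session id in URL:", session_id_in_url(url))
    for label, hdrs in (("safe", SAFE_HEADERS), ("risky", RISKY_HEADERS)):
        print(label, shared_cache_risk(hdrs))
```

To use it against a live portal, paste the URL the second user typed into session_id_in_url and the response headers of the private page (as seen by that user's browser or through the proxy) into shared_cache_risk.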