Welcome to Radio Liferay, a peek into what is going on in Liferay from the people doing it themselves.
Radio Liferay Episode 60: Performance and Permissions with Preston Crary
An episode on the "Per" things: Performance and Permissions. I spoke to Preston Crary, who amazingly was not mad at me for losing an earlier recording.
- We open with the attention to detail that's required for working on performance tuning and some short conversation about this topic.
- Sadly, there's not often a single silver bullet, but many areas of dust.
- Sometimes the fastest code is not the most optimal
- Continuing with Preston's work on Permissions:
- ResourceBlock is deprecated, and there's an easy migration path
- an example upgrade path for bookmarks
- The use case for Resources, ResourcePermission, and ResourceBlocks (as they're not at all visible in the UI)
- Preston's way through Liferay from Support to working on the topics that he's now working on
- The new API for Permissions - and the documentation is also done already (as of me writing this article it's not yet published, but it's available on GitHub - should be a matter of days or hours)
- Should you implement your own permission system? (and how the answer to this question might change in 7.1)
- Upgrades are being performance tuned. I smell a future episode coming up. Paging the team that is working on this area.
- The remarkable memory savings that refactoring the UserBag introduced
- What happened during login
- Passwords are PBKDF2WithHmacSHA1/160/128000 hashed, a deliberately expensive password hashing algorithm.
- LPS-75747 and an update to my hardball question: Document Library's default.xml is still in core, can't be updated through a module, just through an ext.
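What the password setting named in the login item above means in practice, as an added example that is not from the episode or from Liferay's code: it reads the string as algorithm / derived-key bits / iteration count (an assumption of this example) and uses only the JDK's own PBKDF2 implementation. The class name, sample password and 16-byte salt are constructed for the demo.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class Pbkdf2SpecDemo {
    // Setting as named in the episode notes. Splitting it into
    // algorithm / key bits / rounds is this example's assumption.
    static final String SPEC = "PBKDF2WithHmacSHA1/160/128000";

    // Derive the password hash described by a spec string.
    static byte[] derive(String spec, char[] password, byte[] salt) throws Exception {
        String[] parts = spec.split("/");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected algorithm/bits/rounds: " + spec);
        }
        int keyBits = Integer.parseInt(parts[1]);
        int rounds = Integer.parseInt(parts[2]);
        PBEKeySpec keySpec = new PBEKeySpec(password, salt, rounds, keyBits);
        try {
            return SecretKeyFactory.getInstance(parts[0]).generateSecret(keySpec).getEncoded();
        } finally {
            keySpec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    // Re-derive with the stored salt and compare without an early exit on mismatch.
    static boolean verify(String spec, char[] candidate, byte[] salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(derive(spec, candidate, salt), stored);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];                    // per-user random salt (length is constructed)
        new SecureRandom().nextBytes(salt);
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample

        long start = System.nanoTime();
        byte[] stored = derive(SPEC, password, salt);
        long millis = (System.nanoTime() - start) / 1_000_000;

        System.out.println("hash length in bytes: " + stored.length);
        System.out.println("one derivation took " + millis + " ms");
        System.out.println("right password accepted: " + verify(SPEC, password, salt, stored));
        System.out.println("wrong password accepted: " + verify(SPEC, "guess".toCharArray(), salt, stored));
    }
}
```

The per-derivation time it prints is the cost every login pays once and every offline guess against a leaked hash pays again, which is the point of a deliberately expensive algorithm.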
You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to http://feeds.feedburner.com/RadioLiferay. You can also subscribe on iTunes: just search for "Radio Liferay" or just "Liferay" in the podcast directory. Make sure to write a review for the podcast directory of your choice - or find everything about Radio Liferay on radioliferay.com.
Or just download the MP3 here:
Radio Liferay Episode 22: Samuel Kong on Security
This is another episode recorded at the previous Liferay Retreat. I sat together with Samuel Kong, GM of the Chinese office and member of Liferay's security team.
As I've been carrying this recording around for quite some while, note that there have been some changes during the last year. First and foremost, we have a new community security team, which was not around at the time of the recording. I'm planning to talk to someone from that team soon (consider yourself warned if you're on that team).
Some of the topics you'll find in this episode:
- How to file a security issue - thankfully he is consistent with what Cynthia and Michael have reported: go to issues.liferay.com, file your issue under the component "security", optionally with private visibility. If you've already done so, please check whether your issue is reproducible in the latest available version - your issue might already have been reported and fixed.
- The OWASP (Open Web Application Security Project) site is a good resource for learning about security in web applications in general, independent of Liferay.
- The three tools that Liferay has built-in, helping you to prevent security issues:
  - Redirects: Properties that configure the list of domain names and IPs that Liferay is allowed to redirect to
  - CSRF: Auth-Token
  - XSS: The various escape methods in com.liferay.portal.kernel.util.HtmlUtil - there are so many because the correct escaping depends on the context for which one escapes some HTML text. Also, the AlloyUI taglibs help a lot when you're displaying user content in forms. And also: the "escapedModel" that you can get from ServiceBuilder.
  - Bonus: SQL injection and its prevention through ServiceBuilder.
- When to escape HTML text in order to be most flexible.
- Sidenote: A call to extract and read the full portal.properties: a long, boring and interesting read. Oh, and the DTDs for XML files.
You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to the RSS feed, on iTunes or with your podcatcher of choice - you'll find all the options on www.liferay.com/radio. And if you want to get notified when the next episode is out, follow @RadioLiferay.
And please remember to rate this podcast in your podcast directory of choice and provide feedback here on the episodes as well. Thank you.