Whan any user is hitting url
http://abc.xyz.com/web/12345/home Liferay Welcome page is coming up where user can see options like calender, language, dictionary etc. I am using Liferay 5.2.3. Can anyone suggest me how to disable this URL?
Can the URL be blocked from Apache?
You're probably referring to a user's personal page - this is a public page and you can configure Liferay so that users don't have personal (public) pages. As long as the users have personal and public pages, they are, well, public: If you navigate to them, you'll get to see them. You can make them private pages (thus the URL will change to /group/12345/home) and - at least - require a login. But as long as you have a public page in your portal, it will be shown.
(You can also change permissions on every single page, but that's probably what you also don't want)
Can you block on apache level? Yes. But why change at the entry point when you can also get rid of the root cause - e.g. properly configure the pages and access levels.
Also, Liferay 5.2.3 is quite ancient now. You should really consider to upgrade
Related
What is the best way to password-protect a folder on IIS with a single set of credentials to be shared by a group of users?
Our hosting service offers Plesk, which in turn offers a "password-protected directory" function, but some of our clients have HTTP authorization disabled, so they get an automatic 401.4 error with no prompt for credentials.
I've looked into Forms authentication but this seems cumbersome to set up for the numerous separate domains at issue.
The protected content is not super sensitive, we just don't want it easily accessible to the public. Many of our users do not use the site frequently and we don't want to implement individual credentialing for everyone (we do have that in place for more sensitive sections) just so they can view current project reports or meeting minutes.
On sites I don't control, but am just a user, that do the same things as mine, it is a big pain to have to look up a username and password twice per year just to view a meeting agenda (yes, browser could remember but they also have a 4-month expiration and lots of us are on different devices all the time).
Is Forms authentication the way to go? Took a several hours for me to get it set up and working, with all sorts of settings not well documented in a single place.
(I had previously asked about how to disable Basic Auth on the client side, was told more than once it's not possible - but it is, via client/browser registry keys)
Thanks.
It's perfectly fine to use forms authentication. All you need to do is navigate to the folder or file you want to protect, then go to Authorization Rules. Add a deny rule for anonymous users, when users who are not logged in try to click on any file in that folder, they will be redirected to your login page. You can find a lot of guides on forms authentication in Google, you can refer to the following:
https://learn.microsoft.com/zh-CN/troubleshoot/developer/webapps/aspnet/development/forms-based-authentication
https://learn.microsoft.com/en-us/iis/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline
I want to use an application that checks for broken links. I got to know that, Xenu is one such software. I do not have access to internal aspx/http files on a drive. The Problem I am facing is the Website requires the user to be authenticated. After login I need to crawl the site to determine which links are broken.
As an example, I kick off with mail.google.com. We end up typing the Username and password after which we are served different URLs. If I give the Xenu (or similar programs) the link such as mail.google.com it will not be able to fecth URLs inside the mail.google.com which will be of type - /mail/u/0/?shva=1#inbox/ etc. There lies the problem.
With minimal or least scripting language how can I provide Xenu (or other similar app) capability to Login by providing external URL (mail.google.com) in this example in order to do whatever xenu has to do.
Thanks
Balaji S
Xenu can be used with an authenticated user as long as the cookies are persistent. You will need to enable cookies in Xenu and login once yourself using IE.
From their FAQ:
By default, cookies are disabled, and Xenu rejects all cookies. If you
need cookies because
you have used Internet Explorer to authenticate yourself before
starting a run
to prevent the server from delivering URLs with a
session ID
then you can enable the cookies in the advanced options
dialog. (This has been available since Version 1.2g)
Warning: You
should not use this option if you have links that delete data, e.g. a
database or a shop - you are risking data loss!!!
You can enable cookies in the Options menu. Click Preferences and switch to the Advanced tab.
For single page applications (like gmail) you will also need to configure Xenu to parse Javascript
This is done by modifying the ini file (traditionally at C:\Program Files (x86)\Xenu135\Xenu.ini) and adding a line of code under [Options]
Javascript=[Jj]ava[Ss]cript: *[_a-zA-Z0-9]+ *\( *['"]((/|ftp://|https?://)[^'"]+)['"]
There are several variations provided in their FAQ, but I didn't get them to work perfectly.
Can someone please help me to find a solution to maintaining the session across subdomains.
The site uses fake subdomains for users, eg. (thisuser.mysite.com/). All the fake subdomains map to the main site (mysite.com) so there's a common database for everything.
The subdomains are used only for a couple of components(com_xxx) on the site. for other components the user is redirected to the main site via htaaccess.
The problem is when a user is redirected to mysite.com from thisuser.mysite.com and vice versa. Their session is not maintained. The user has to login back again.
I have tried updating the cookie domain in php.ini to '.mysite.com' but it doesnt seem to help.
Is it possible that the site may have auto-logins across all subdomains and main domain without any core hacks, assuming the solution lies in making cookies readable from all subdomains, irrespective of from where it's being set?
Thanks all, for your time and suggestions !
I'm not sure how you could do this....
Here is just an idea, it would rely on javascript...
WHen a user logs in using your login form... a hidden iframe would exist and javascript would post your login data to the login page of each domaine for your site. chaining them...
i dont feel its a safe thing tho... maybe im wrong...
u could use joomla's mootool framework to send an ajax requests to each domain...
Otherwise might want to check how joomla creates a session row in the database for each user on the site. maybe you can just create them for each domaine with 1 login. im gona check my mysql....
are you using joomla 1.5 or 2.5 ?
Otherwise i found this document for you:
http://docs.joomla.org/Multiple_Domains_and_Web_Sites_in_a_single_Joomla!_installation
okay, this was easy, I was testing on the local machine and it seems if domain doesnt have the dot, then the cookies are not handled well.
Just ensuring taht cookie domain is set to '.mysite.com' gets the job done
1. It is also recommended that you use the same joomla "secret" configuration value in the different websites as it is used to check the data exchanged between the different domains.
2. taht cookie domain is set to '.mysite.com' gets the job done
I am new to liferay 5.1 technology.
I by mistake removed the login portlet and now I am not able to login into the application.
I mean login portlet is no more visible any help would be of great help.
Can you please try hitting the following url?
localhost:8080/c/portal/login
Replace host and port with your host and port number.
If it doesnt work out try doing the following.(Make sure the package is correct as i am not aware of package path in 5.1)
http://www.liferay.com/community/forums/-/message_boards/message/5005621
Actually, with enough persistence, it would be also possible to lock yourself out of access to /c/portal/login (as of Liferay 6.0.6). This can be done by setting community home page to a hidden "redirect" page (as opposed to default "portlet" page), causing /c/portal/login to redirect wherever the home page redirects.
Liferay tries to prevent from doing so by issuing alerts whenever you try to make home page hidden. But you can make some page hidden and then drag&drop it to the first position in site map root level.
The reason behind doing so is to achieve a certain appearance of portal navigation (which would otherwise require some mangling in theme), i.e. make home page redirect to one of it's children.
Going back to the topic, when /c/portal/login fails, there is one another, more reliable (yet more ugly) method of getting to what one would call a login page - append this: ?p_p_id=58&p_p_state=maximized to any non-redirecting Liferay page (and probably drop any other GET parameters if existent). This is also basically what /c/portal/login does - but it appends it to home page, so if home page is a redirect page it fails display login portlet in it's maximized state.
Here is how our Tomcat webserver is currently setup. We are using jsp for the webpages.
/webserverpath/main (all public pages and the login page)
/webserverpath/secure1 (private pages)
/webserverpath/secure2 (private pages)
/webserverpath/secure3 (private pages)
I recently discovered that the authentication is very minimal. For instance once a user is logged in they can bookmark any private page, close the browser, open the browser back up and go to the bookmark and is never asked to sign in again (which turns out to be bad since we recently started disabling users). All of this was setup before I arrived. I'm wondering what can I do to add the proper security? Should I have all the folders under one main folder (ie /webserverpath/main/secure1, etc.) or just leave it alone?
Let me add that I'm newish to the whole website authentication stuff, having multiple websites in different folders like this and JSP itself.
You might start here: Declarative Web Application Security with Servlets and JSP
Generally, you probably want some session-based authentication that kicks people out of the private parts of the site if they aren't authenticated.