Application Security updates

Exporting audit data

 

Instance Administrators can now export audit records to a file for further analysis.
Separate files can also be downloaded per user and per site.

 

Site events are only exportable once they have been persisted. To store them, first take these steps:

  1. Go to “Control Panel > System Settings > Audit > Persistent Message Audit Message Processor”. Check “Enabled” and click Save.

  2. Create a new Object definition and make sure to:

    1. Set its scope to Site

    2. Enable “Show widget”

    3. Enable "Enable Entry History"

  3. Make a note of the “Object ID”.

  4. Add a page to a site and make a note of the “Site ID” (a.k.a. Group ID). You’ll find it under “Site Settings”.

  5. Use the “+” button to add the widget named after the Object to a page on the site.

  6. Use the widget to create a new record.

  7. Go to “Control Panel > Audit” and look for an audit event for a resource named com.liferay.object.model.ObjectDefinition#X, where X is the ID of your Object definition.

  8. Click the audit event to render its full details; among them is the groupId, which is the Site ID noted in step 4.


 

The export is available in the Audit portlet found under “Control Panel > System Settings > Audit”, under the 3-dot menu. If a search is active, only the current search results are exported; without a search, the output is not filtered.
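As an added example (not Liferay's own code, and not part of the original page), the following Python script takes an exported set of audit records, applies a search-style filter, and splits the result into per-user and per-site files for offline analysis. The JSON Lines layout, the AuditMessage field names (eventType, className, classPK, userId, userName, companyId, additionalInfo) and the placement of groupId inside additionalInfo are assumptions of this example; the four sample records are constructed, not real audit data.

```python
import json
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample export (not real data): four records, two users, two sites.
# Treating the export as JSON Lines and reading groupId from additionalInfo are
# assumptions of this example; additionalInfo is shown both as a nested object
# and as a JSON-encoded string, since both forms occur in practice.
SAMPLE_EXPORT = """\
{"eventType": "ADD", "className": "com.liferay.object.model.ObjectDefinition#42", "classPK": "1001", "userId": "20123", "userName": "Alice", "companyId": "20097", "additionalInfo": {"groupId": "30101"}}
{"eventType": "UPDATE", "className": "com.liferay.object.model.ObjectDefinition#42", "classPK": "1001", "userId": "20123", "userName": "Alice", "companyId": "20097", "additionalInfo": "{\\"groupId\\": \\"30101\\"}"}
{"eventType": "ADD", "className": "com.liferay.object.model.ObjectDefinition#42", "classPK": "1002", "userId": "20456", "userName": "Bob", "companyId": "20097", "additionalInfo": {"groupId": "30202"}}
{"eventType": "LOGIN", "className": "com.liferay.portal.kernel.model.User", "classPK": "20456", "userId": "20456", "userName": "Bob", "companyId": "20097", "additionalInfo": {}}
"""


def parse_export(text):
    """Parse a JSON Lines export into a list of dicts, failing loudly on bad lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed audit record") from exc
    return records


def additional_info(record):
    """additionalInfo may be a nested object or a JSON string; return a dict either way."""
    info = record.get("additionalInfo") or {}
    if isinstance(info, str):
        info = json.loads(info) if info.strip() else {}
    return info if isinstance(info, dict) else {}


def matches(record, **criteria):
    """Mimic the portlet's search: every given field must match exactly (None = ignore)."""
    for key, wanted in criteria.items():
        if wanted is not None and str(record.get(key, "")) != str(wanted):
            return False
    return True


def group_records(records, **criteria):
    """Return ({userId: [records]}, {groupId: [records]}) for the matching records.
    Records without a groupId (e.g. logins) land only in the per-user map."""
    per_user = defaultdict(list)
    per_site = defaultdict(list)
    for record in records:
        if not matches(record, **criteria):
            continue
        per_user[str(record["userId"])].append(record)
        group_id = additional_info(record).get("groupId")
        if group_id:
            per_site[str(group_id)].append(record)
    return dict(per_user), dict(per_site)


def _safe_id(value):
    """IDs become file names: refuse anything but plain ASCII digits so that a
    crafted userId such as '../x' in an untrusted export cannot escape out_dir."""
    text = str(value)
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"refusing to use {value!r} in a file name")
    return text


def write_split_files(records, out_dir, **criteria):
    """Write audit-user-<userId>.jsonl and audit-site-<groupId>.jsonl files; return sorted paths."""
    per_user, per_site = group_records(records, **criteria)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for prefix, groups in (("audit-user-", per_user), ("audit-site-", per_site)):
        for key, recs in groups.items():
            path = out / f"{prefix}{_safe_id(key)}.jsonl"
            path.write_text("".join(json.dumps(r) + "\n" for r in recs), encoding="utf-8")
            written.append(path)
    return sorted(written)


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    target = tempfile.mkdtemp(prefix="audit-export-")
    # Same effect as searching the portlet for the Object definition before exporting.
    for path in write_split_files(records, target, className="com.liferay.object.model.ObjectDefinition#42"):
        print(path.name, sum(1 for _ in path.open(encoding="utf-8")), "record(s)")
```

The filter keyword arguments stand in for the portlet's search fields; pass none of them to split an unfiltered export. The file-name check matters because the export is produced from data that ordinary users influence, so nothing taken from a record should reach the filesystem unvalidated.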

 

Password Policy

 

The existing password policy option that prevents users from changing their own password has been extended: when an Instance Administrator disables it, the password change option is hidden both from the user and from the user administration view.

 

The steps are as follows:

 

  1. Go to “Control Panel > Password Policies > Default Password Policy”.

  2. Under “Password Changes”, disable “Changeable”.

  3. Verify the change in two places:

  • User Account Settings page:

    • On the Home page, click the “User Profile” icon.

    • Go to “Account Settings”.

    • The “Password Navigation” tab on the right should not be visible.

 

  • User Admin view:

    • Go to “Control Panel > Users and Organizations”.

    • Select any user.

    • The “Password Navigation” tab on the right should not be visible.

 


 

It is now also possible to configure whether users may choose their own password when creating an account.

The steps to verify this:

  1. Verify that the new option under “Control Panel > Instance Settings > Platform > Users > Fields” is available and takes effect:

    1. Go to “Control Panel > Instance Settings > Platform > Users > Fields” and verify that there is an “Allow Custom Password at Creating User Account” checkbox. It is checked by default.

    2. Click Save, so that the stored instance setting takes precedence and the corresponding value in portal.properties is ignored.

    3. In another browser, open the portal, choose “Sign In” and then “Create Account”. Verify that the Password fields are present in the creation form.

    4. Return to the browser with the Administrator session and uncheck “Allow Custom Password at Creating User Account”.

    5. Return to the creation form in the other browser and refresh the page. Verify that the password fields have disappeared.
       

  2. Verify that the create-user form reached through an invitation respects the new configuration:

    1. Uncheck “Control Panel > Instance Settings > Platform > Users > Fields > Allow Custom Password at Creating User Account” if it is checked.

    2. Go to “Control Panel > Accounts” and create a new account of type Business. On the account editing screen, open the “Users” tab and select “Invite Users” from the action menu.

    3. Enter an email address and send the invitation.

    4. In a new browser, open the link from the invitation sent to that address. Verify that the password field section is absent from the account creation form.
       

  3. Verify that the property login.create.account.allow.custom.password no longer takes effect once the instance option “Control Panel > Instance Settings > Platform > Users > Fields > Allow Custom Password at Creating User Account” has been saved:

    1. Start the portal, uncheck “Control Panel > Instance Settings > Platform > Users > Fields > Allow Custom Password at Creating User Account” and Save the setting.

    2. Stop the portal. Set login.create.account.allow.custom.password=true in the portal-ext.properties file. Start the portal.

    3. Verify that “Control Panel > Instance Settings > Platform > Users > Fields > Allow Custom Password at Creating User Account” is still unchecked.