Important 7.4 Private Page Change

Just a quick one today...

In previous versions of Liferay, if you were browsing a site as a guest but wanted to access a private page or a private site, Liferay would automagically show you the login form so you could authenticate before accessing the page or site.

This has been changed in 7.4.

It was determined that just by showing the login form, Liferay was leaking the fact that the page or site URL is valid, even if you didn't have access. A URL for a private page that didn't exist would generate a 404, so it was easy to determine when a page did or did not exist just based on the result.

In 7.4 this has been fixed. If a guest now tries to browse to a private page or private site, they will not get the login form, instead they will receive a 404.

Now if, for some reason, you want to have the portal show the user the login form, you can still do this.

Just navigate to the Control Panel -> System Settings -> Login and check the Prompt Enabled checkbox.

Going forward, guest users will be prompted to login when accessing private resources instead of getting the 404 error.

Blogs

Late :-) But thanks for giving this more attention. I was debugging this for almost 3 days. When you migrate from the old version, there are many things that can break so it was not so easy to spot the root cause. I get this advice after reporting this behavior as a bug https://issues.liferay.com/browse/LPS-146653 

I'd be grateful for adding such breaking changes to the Breaking change section.