Yuxing Wu | 23 Dec 2021

Hello all, The easiest thing you can do to mitigate the recent vulnerabilities in Log4j is to set the JVM parameter -Dlog4j2.formatMsgNoLookups=true. While this solution is not perfect, it should provide sufficient protection given how Log4j is used in Liferay Portal. However, based on Log4j's newest recommendation to mitigate by removing the JndiLookup class, the Community Security Team...

Ashley Yuan | 22 Dec 2021

The new installers and IDE 3.9.5 ga6, which support development on the upcoming Liferay 7.4 U1, have been made available. Community Download: https://liferay.dev/-/ide-installation-instructions Customers Download: https://customer.liferay.com/downloads/-/download/liferay-workspace-with-developer-studio-3-9-5 ...

Fabian Bouché | 20 Dec 2021

I've often been asked whether we can process additional UserInfo data from an OpenId Connect session after successful log in. I used to share this piece of code where I had my way to access the OpenIdConnect Session object in order to retrieve the Access Token Liferay obtained in order to fetch additional info: https://github.com/fabian-bouche-liferay/oidc-userinfo-mapping/ However, last...

Fabian Bouché | 17 Dec 2021

The Apache Log4j project is now saying that setting -Dlog4j2.formatMsgNoLookups=true is not a 100% guarantee that you are protected from exploits. I think that currently no one has found a way to exploit the vulnerability on Liferay with -Dlog4j2.formatMsgNoLookups=true set but many prefer to be extra safe. As it has been stated before, you're likely to find log4j2 in DXP...

Fabian Bouché | 14 Dec 2021

The landscape for Identity and Access Management has changed over the years. Whereas in the past, we'd often rely on proprietary or home grown solutions, we can now largely rely on well established standards. Setting up Single Sign On has become easier as many SaaS providers offer some free plans and there is even easy-to-use software out there. In this article, I'm going to show you how you...

David H Nebinger | 10 Dec 2021

Hey, all! There's a new zero-day vulnerability hitting the web right now, and it is affecting a lot of libraries and applications out there, including Liferay 7.4. Any app using Log4j2 is vulnerable. If you are using Log4j2 in your customizations or you are using Liferay 7.4 (which now uses Log4j2), this new vulnerability affects you. I'm not going to show anything about how to take advantage...

David H Nebinger | 13 Jul 2022

Recently I started a new "Office Hours" session to occur every other Tuesday at 9am EST/10am EDT (14:00 UTC) and 4pm EST/5pm EDT (21:00 UTC) on a Zoom bridge. Here you can bring questions, ideas, or whatever. Heck, feel free to join and just talk about your Liferay projects if you want. I'll post the Zoom meeting bridge to the Liferay Community Slack, feel free to sign...

Carlos Durán | 24 Nov 2021

Our community turns another year older, and we reach four. These are the moments when we look back to see the road we have travelled, which encourages us to look ahead with enthusiasm to continue with this project. Although it seemed that this year we were going to carry on as we had left off in 2020, the truth is that, as far as Liferay and the community are concerned, it has...

Brian Lavender | 18 Nov 2021

While Liferay has many wonderful features like DRAC, a docs repository, user self registration, and more, I still would like to store my data for custom portlets/applications in an external database. It’s like, you know, data independence! I found David H Nebinger’s blog for Liferay 7, Service Builder and External Databases. I struggled with a few issues, and I updated some things over Dave’s...

Marcial Calvo Valenzuela | 18 Nov 2021

This blog entry is also available in Spanish. It is increasingly common to deploy applications or microservices in a container-based infrastructure, such as Kubernetes or OpenShift. Liferay Portal / DXP is not far behind in this regard and thanks to the fact that it is a totally agnostic platform to the underlying infrastructure, it is possible to implement it in this type of...
