disallow access of internal files in liferay - .htaccess

In liferay I have
--tomcat
--webapps
--myimages
--my-portlet
So, using code in my-portlet, I have given links to a given file in the myimages folder for a specific user. The link would be
http://localhost:8080/myimages/User1.jpg
Problem Statement: I have to restrict a user (rather than a defined role in Liferay) so that s/he is not able to access any of the files in the myimages folder when s/he hits the direct link above.
What I have tested:
I have checked that a .htaccess file will NOT be useful, since Liferay has Tomcat rather than an Apache server.
Created a filter class by which I can intercept any request made, which should be processed through it.
OpenLDAP cannot be used, since we have a separate authentication mechanism.
So if anyone has an idea how to deal with this security issue, please suggest it.

URLs that are resolved through individual webapps (like myimages), and thus not through Liferay, will not have any idea of the user that accesses Liferay: they'll be well shielded from the other (and in this case totally unrelated) web application, Liferay.
What you can do is to provide these files through portlet plugins and serve the images through resource URLs in the portlet. This properly goes through the portal context (in fact, the URLs will point to Liferay, despite the implementation in a different web application) and you'll be able to check the permissions of the current user. Then just read the file and pipe it into the ResourceResponse's output stream.
If the files indeed are static web resources, you might want to put them in myimages/WEB-INF/images - as tomcat will refuse to directly serve everything under WEB-INF, but your portlet will be able to access these files.
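The following is an added example of the approach described in this answer (it is not code from the answer or from Liferay): a portlet that serves files from myimages/WEB-INF/images via serveResource, refuses guests, blocks path traversal in the resource ID, and only then pipes the file into the ResourceResponse. The class and package names, the use of the resource ID as the file name, and the isAllowed() policy (a user may only fetch the file named after their own remote user name) are assumptions for illustration; replace isAllowed() with your real permission check. InputStream.transferTo() needs Java 9 or newer.

```java
// Added example (not from the original answer or from Liferay).
// Assumptions: the requested file name travels in the portlet resource ID,
// files live under WEB-INF/images inside this portlet's war, and isAllowed()
// below is a placeholder policy to be replaced by a real permission check.
package com.example.portlet;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

public class ProtectedImagePortlet extends GenericPortlet {

    // Kept under WEB-INF so Tomcat never serves these files directly.
    private static final String IMAGE_DIR = "/WEB-INF/images";

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {

        // Resource URLs go through the portal, so the portal session is visible
        // here. Unauthenticated (guest) requests have no remote user: reject them
        // before touching the file system.
        String remoteUser = request.getRemoteUser();
        String requested = request.getResourceID();
        if (remoteUser == null || requested == null || requested.isEmpty()) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "403");
            return;
        }

        // Resolve the name against the real directory and check that the
        // normalised result is still inside it. This stops "../" sequences and
        // absolute paths smuggled into the resource ID.
        String realDir = getPortletContext().getRealPath(IMAGE_DIR);
        if (realDir == null) {                       // war not exploded on disk
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        Path baseDir = Paths.get(realDir).toAbsolutePath().normalize();
        Path target = baseDir.resolve(requested).normalize();
        if (!target.startsWith(baseDir) || !Files.isRegularFile(target)) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }

        // Per-user authorization happens after the path check, so an attacker
        // cannot use the response code to probe for files outside the directory.
        if (!isAllowed(remoteUser, target.getFileName().toString())) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "403");
            return;
        }

        // Pipe the file into the ResourceResponse; the client only ever sees
        // the portal URL, never a path that Tomcat would serve on its own.
        String mime = getPortletContext().getMimeType(target.toString());
        response.setContentType(mime != null ? mime : "application/octet-stream");
        response.setProperty("Cache-Control", "private, no-store");
        try (InputStream in = Files.newInputStream(target);
             OutputStream out = response.getPortletOutputStream()) {
            in.transferTo(out);
        }
    }

    // Placeholder policy (assumption): a user may only read the image named
    // after their own remote user name, e.g. "User1" may read User1.jpg.
    private boolean isAllowed(String remoteUser, String fileName) {
        return fileName.equalsIgnoreCase(remoteUser + ".jpg");
    }
}
```

In the portlet's JSP the link is built with the standard tag, e.g. `<portlet:resourceURL id="User1.jpg" var="imgUrl"/>` followed by `<img src="${imgUrl}"/>`; the resulting URL points at the portal, so the session and the checks above apply, while a direct request to /myimages/WEB-INF/images/User1.jpg is refused by Tomcat.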

Related

How do I make ( Users and Organizations ) as a portlet in liferay 7.3.6

I'm trying to use "Users and Organizations" as a portlet.
I have tried as mentioned in this outdated (6.x) article but it doesn't work.
This can be done without any code at all, but you'll need quite a bit of configuration.
The portlet is an OSGi component. First, figure out the implementation class. The URL gives a hint, as it contains com_liferay_users_admin_web_portlet_UsersAdminPortlet. However, in this case, that's just the key. Grep the source code, or use any other means to find where it's used, and you'll get to com.liferay.users.admin.web.internal.portlet.UsersAdminPortlet. If you look at its properties configuration, you'll find the line
"com.liferay.portlet.display-category=category.hidden",
If you guess that this is the reason why the portlet is not available for just any page: you're right.
Now, any OSGi declarative service's properties can be altered by just creating a config file, which you can drop into Liferay's deploy folder (or directly into osgi/configs if you like).
So, create a file named com.liferay.users.admin.web.internal.portlet.UsersAdminPortlet.config with the single line content
com.liferay.portlet.display-category="category.sample"
and you're set.
However, regular permission checks likely are very restrictive, and you should be very aware that opening up those permissions can easily open security holes (imagine someone creating a full Administrator account, or turning an existing account into an administrative one).
A better way to go ahead might be to selectively provide just the proper permissions to operate this portlet, and provide access to it in the Control Panel without opening everything else up as well. This is part of the regular roles & permissions configuration, and also doesn't require any line of code.

How to set up a basic Java EE Workspace with JSP forms and servlets in my particular setup?

I'm on extended medical leave from my job and practicing at setting up my own workspace at home without the assistance of workspace setup documentation. I know I need a web.xml file somewhere in this structure but I'm not sure where it goes in the Web Content.
I'm only looking to create an input text field to enter a number and the user receives a number back from the tomcat server, but I don't know the proper place to create the Servlet java file in this particular folder structure.
My project has the standard Java Resources, Javascript Resources, build, and WebContent directories so far.
I've tried to Google for a similar project setup but no Youtube or Google workspace tutorial has shown the same workspace setup that I have. Does anyone know of one?
Yours Truly
(As Humanly Possible)
cnight62

IIS 8.5 is not serving JS, CSS, and Image files (static content)

The problem
We're running IIS on Windows 8.1 with Update. We're at the Orchard CMS first time setup screen, and IIS is giving 401s for all static content. We have read the following to no avail:
IIS 7.5 no images css js showing
The official Orchard deployment documentation
Based on those, this is what I have tried that doesn't work.
Turn on the IIS feature to Serve Static Content.
Give IIS_IUSRS permission to Read, write & execute.
Give the site's application pool permission to Read, write & execute.
What does work though is the nuclear option: to give Everyone the Read permission (unless we want to proceed with the Orchard setup; then we need to give Everyone even more permissions.) That leads me to believe that I must give permission to some principal with less scope than Everyone but more scope than both IIS_IUSRS and the application pool combined.
Who/what is that principal?
Pictures to show the problem
We receive a 401 on ..\Themes\SafeMode\Styles\site.css
The task manager confirms that the site is running as the orchard user.
The security properties of the ..\Themes\SafeMode\Styles\ directory gives Read permission to orchard.
Why does it only work when we give Read permission to Everyone?
I had a similar problem. Under authentication, I right clicked "Anonymous Authentication" and clicked "Edit". That shows a dialog giving you the ability to set the identity of the anonymous user. I set it to "Application pool identity" and that fixed the problem for me.
This may not be the most secure configuration though, but I'm on a dev server so I don't care.
Try turning on the Static Content and Directory Browsing features under the Internet Information Services->World Wide Web Services->Common HTTP Features node.
In my case I had to set Read permission for IUSR user for the web site folder.
So, what I had to do to fix this problem was the following:
(and please understand, that this is not ASP or PHP script related, the server wouldn't even show basic simple .html files, yet would serve out PHP results all day long!)
Two fold…
Had to set the application pool for each site, under advanced settings, to use LocalSystem for its process
Under site, advanced settings, security, add the IUSR account to have read & list contents access, for the site… :-)
See any problems with doing that?
'cuz it's working....
Updating the Windows feature for WWW Services/Common HTTP Features/Static Content by selecting the Static Content checkbox fixed my "IIS not serving static content" issue.
Open IIS -> go to the advanced settings of the selected website and open Physical Path Credentials -> select a specific user and enter your local user credentials. See the screenshot below:
IIS Settings

Secure file downloads in dotnetnuke

I'm relatively new to dotnetnuke and am trying to set up a simple site which will have multiple user groups with their own set of files and then another user that has access to all files.
I'm currently playing with doing this with the "documents" module and hiding the module from all but the everything user and the specific company user. This works fine but the security seems to be just security by obscurity.
If I log in as User A and get access to file A and copy its url. I then log out and log in as user B who can't see that file. If I then put the file url into the browser it seems to download fine.
Can anybody tell me if I am doing something wrong or is there no actual user based security on file downloads? I've tried going to the actual file manager and making the directories explicitly not viewable to user B (they are secure directories too) but still it persists. Am I missing a permissions option at the file level somewhere or is the security designed to just prevent you finding the right links to the files? I'll admit the links aren't guessable (no sequential ids in the url or anything silly like that) but I'm still a little uncomfortable with the security working like this...
DNN FileManager Module
Hi Chris,
Please check out the FileManager module per above link. You are correct that the current FileManager module does not allow access per user roles. You might check Snowcovered for possible substitutes?
It seems that I was doing something wrong. I was referencing a different version of the file which didn't have any permissions attached to it. It seems also that I don't need to have multiple documents modules since if a file doesn't have read permission it will just be hidden in the list.
So to summarise the DNN Documents module will do role based security to prevent unauthorised users from downloading the file and from seeing it in the documents view.
Documents module provides security for LinkClick.aspx urls that are routed to ASP.NET.
If the actual files reside in the file system under the site's root folder, direct urls to these files are served and secured by IIS.
To prevent unauthorized access to direct urls you can disable anonymous authentication and set up Basic authentication with NTFS permissions, for example.
If you don't want to touch IIS and administer Windows accounts, you can't store the files directly under any publicly available IIS folder. Security at the ASP.NET application level is implemented using file encryption or by storing the files outside the public IIS folders, for example in the database. DNN File Manager offers both of these options: secure folders in the file system and secure folders in the database.
There are also 3rd party modules to manage file security and sharing, like NukeTransfer.

Setting up a new website with Liferay Portal - basic steps?

I know this is not specifically a programming question, but programmers will often have to do this work.
How do I create a website with Liferay portal - the docs are pretty light on this fundamental issue and are all for version 4.4. I am using version 5.2 and the docs don't seem to be relevant.
Do you know what the basic steps are. So far I have logged in as the bruno user and can see the 7cogs website and edit it. But I now need to create my own website (for my company) and be able to develop portlets to add to the parts of the page.
Further I notice that the docs talk about doing work in Eclipse. If our website is all static HTML, (the reason we want liferay is mainly so that we can edit content items using its content management tools), then will there be any need for Java dev, or will it all be drag n drop and clicking to get setup. Any guidance will be much appreciated.
Liferay can be used as a simple CMS, without much Java knowledge: creating, editing and positioning of web content fragments are drag'n'drop and use of the included rich text editor.
But to start using Liferay for your company, there are two main steps: a technical configuration (database, etc.), and a look'n'feel customization.
The technical part
First of all, you should get rid of the 7cogs website: this is called a hook in the Liferay wording. To do that, if you are using Tomcat for the application server, just delete the 7cogs directory as stated here.
You can now create the configuration file for your installation: it's a simple text properties file, named portal-ext.properties and placed in the webapps/ROOT/WEB-INF/classes folder of your tomcat installation.
This file handles most of the configuration of the Liferay portal, for example :
the name of your company
if you want to display a terms of use page on first login
if you want anybody to be able to create an account on your portal
the database where the data will be stored
To do this, the properties in portal-ext.properties override the default properties found in an embedded portal.properties file located in the jar file portal-impl.jar, in the webapps/ROOT/WEB-INF/lib directory. Just unzip the jar file in a temporary folder to access the portal.properties file.
A sample portal-ext.properties file :
company.default.web.id=yourcompany.com
terms.of.use.required=false
company.security.strangers=false
jdbc.default.driverClassName=com.mysql.jdbc.Driver
jdbc.default.url=jdbc:mysql://localhost/lportal?useUnicode=true&characterEncoding=UTF-8&useFastDateParsing=false
jdbc.default.username=root
jdbc.default.password=root
Once done, you can start up your application server. As the default admin (named test, something you can change in the portal-ext.properties file), you can access the centralized web "control center", located in the "dock" (the strange menu labelled "welcome Test" in the upper right part of any page once logged in).
I would advise you to read the administration guide, useful for most administrative tasks.
The "branding" part
Liferay uses "Themes" to automatically decorate the portal pages (logo, navigation, portlet borders...) using images, CSS, Javascript (JQuery) and the templating language Velocity. The themes are bundled in a .war file, like a standard web application, and deployed on the fly either via the control center or by dropping the file in the deploy directory of the server.
Liferay can use several themes at the same time, one for each community (a group of pages, users and content) for example.
Creating your own theme can be done afterwards, using the "Plugins SDK".
The Wiki, forums and blogs can be very useful.

Resources