Issue
- Instead of being prompted to log in, the user is sent to a 404 page when navigating to a page with restricted access after the session has expired, or when a user who is not logged in accesses the URL directly.
Environment
- DXP 7.4
Resolution
- This feature, which was present in earlier versions of DXP, is disabled to mitigate the user enumeration and page enumeration attack vector.
- When the Login Prompt is enabled, an unauthenticated attacker can enumerate users or private/restricted pages simply from the difference between the portal's responses: an existing restricted page triggers a login prompt, while a non-existing page returns a 404. Serving a 404 in both cases removes that oracle.
- This behaviour can be reverted from Control Panel -> System Settings -> Login -> Login Prompt Enabled. Note that re-enabling it restores the login redirect for expired sessions but also restores the distinguishable responses described above.
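The following is an added example, not code from the Liferay article or product, showing how to check whether a portal exposes the enumeration oracle described above: it fetches an existing restricted page and a path that does not exist without a session and reports whether the two responses are distinguishable. The paths, the `302` redirect to `/c/portal/login` and the constructed response tables are assumptions for illustration; `http_fetch` is the real unauthenticated fetcher you would pass in against a live instance.

```python
"""Detect the 'login prompt vs 404' enumeration oracle.

Added example (not from the Liferay article). An unauthenticated client
fetches an existing restricted page and a non-existing page; if the two
responses differ (login redirect vs 404), restricted pages can be enumerated.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
import urllib.error
import urllib.request


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # Location header for redirects, if any


def fingerprint(resp: Response) -> Tuple[int, bool]:
    """Reduce a response to what an unauthenticated attacker can observe:
    the status code and whether a redirect points at a login page."""
    to_login = bool(resp.location and "login" in resp.location.lower())
    return (resp.status, to_login)


def login_prompt_oracle(fetch: Callable[[str], Response],
                        existing_restricted: str, nonexistent: str) -> bool:
    """Return True if the two paths produce distinguishable responses,
    i.e. the portal leaks whether a restricted page exists."""
    return fingerprint(fetch(existing_restricted)) != fingerprint(fetch(nonexistent))


def http_fetch(url: str) -> Response:
    """Unauthenticated GET that does not follow redirects, so the first
    response (login redirect or 404) is what gets fingerprinted."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # stop urllib from following 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="GET"), timeout=10) as r:
            return Response(r.status, r.headers.get("Location"))
    except urllib.error.HTTPError as e:  # 3xx (unfollowed) and 4xx land here
        return Response(e.code, e.headers.get("Location"))


# Constructed sample behaviour (assumed paths and status codes) for the two
# configurations, so the check can be exercised offline.
PROMPT_ENABLED: Dict[str, Response] = {
    "/group/intranet/hr": Response(302, "/c/portal/login?redirect=/group/intranet/hr"),
    "/group/intranet/does-not-exist": Response(404),
}
PROMPT_DISABLED: Dict[str, Response] = {
    "/group/intranet/hr": Response(404),
    "/group/intranet/does-not-exist": Response(404),
}


def simulated(table: Dict[str, Response]) -> Callable[[str], Response]:
    """Build a fetcher that answers from a fixed response table."""
    return lambda path: table.get(path, Response(404))


if __name__ == "__main__":
    for name, table in (("Login Prompt Enabled", PROMPT_ENABLED),
                        ("Login Prompt Disabled", PROMPT_DISABLED)):
        leaks = login_prompt_oracle(simulated(table),
                                    "/group/intranet/hr",
                                    "/group/intranet/does-not-exist")
        verdict = "distinguishable (enumeration possible)" if leaks else "indistinguishable"
        print(f"{name}: {verdict}")
```

To run the check against a real instance, pass `lambda p: http_fetch("https://portal.example.com" + p)` as the fetcher together with a path you know is restricted and one that does not exist; a `True` result means the oracle is present and the Login Prompt setting should be reviewed.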