Issue
- How do you disable CAPTCHA on pages? Adding “-1” (Never Check) doesn’t work.
- Site Administration pages like the Gogo Shell now have a CAPTCHA verification.
- Previously, CAPTCHA could be “disabled” by navigating to Control Panel → Configuration → System Settings → Security Tools → CAPTCHA and setting the maximum challenges to “-1” (never check).
Environment
- Liferay DXP 2024.Q1.7+
Resolution
To further strengthen security and prevent unauthorized access to administrative controls, Liferay has made CAPTCHA verification mandatory for all omni-admin actions. Therefore, as of 2024.Q1.7, this is expected behavior; see Configuring CAPTCHA.
This additional layer of protection provides sufficient Cross-Site Request Forgery attack protection for omni-admin actions.
In case you still want to disable captchas for these pages:
- Add captcha.enforce.disabled=true to your portal-ext.properties file.
- After that, navigate to Control Panel -> System Settings -> Security Tools -> Captcha and set the Maximum Challenges field's value to -1 in order to disable Captcha Validation.
You should only do this for testing with Continuous Integration (CI).
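Because the override is meant for CI only, a deployment pipeline can refuse any other build whose portal-ext.properties still carries it. The following check is an added example, not Liferay code; the names parse_properties, finding and SAMPLE and the is_ci parameter are assumptions, and it inspects a single properties file only.

```python
import re

PROPERTY = "captcha.enforce.disabled"  # property name from the article

# Constructed sample: the flag is switched on by a later, continued line.
SAMPLE = """\
# portal-ext.properties (constructed)
captcha.enforce.disabled=false
captcha.enforce.disabled = \\
    true
"""

def parse_properties(text):
    """Parse Java .properties text; a later key overrides an earlier one."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment
        # An odd number of trailing backslashes continues onto the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            logical += line[:-1]
            continue
        logical += line
        # The key ends at the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props

def finding(text, is_ci):
    """Return a finding string, or None when the file is acceptable."""
    value = parse_properties(text).get(PROPERTY, "false")
    if value.lower() == "true" and not is_ci:
        return (f"{PROPERTY}=true outside CI: Maximum Challenges = -1 "
                "can now disable CAPTCHA for omni-admin actions")
    return None

if __name__ == "__main__":
    print(finding(SAMPLE, is_ci=False))
```

A commented-out line is ignored, and the last definition of the key decides the result, so a stale "false" higher up in the file does not hide a later "true".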
Breaking Changes:
- Due to this security enhancement, the previously available option to disable CAPTCHA verification using the "-1" (Never Check) value is not applicable to administrative actions.
- If a CAPTCHA engine is not selected within your Liferay DXP configuration (i.e. the option is left on “Choose an Option”), Server Admin Pages will become inaccessible and display a "Temporarily Unavailable" message.
Additional Information