How to Disable CAPTCHA on Server Admin Pages

Issue

  • Site Administration pages like the Gogo Shell now have a CAPTCHA verification.
  • How do you disable CAPTCHA on pages? Adding “-1” (Never Check) doesn’t work.
  • Previously, CAPTCHA could be “disabled” by navigating to Control Panel → Configuration → System Settings → Security Tools → CAPTCHA and then setting the maximum challenges to “-1” (never check).

Environment

  • Liferay DXP 2024.Q1.7+

Resolution

To further strengthen security and prevent unauthorized access to administrative controls, Liferay has made CAPTCHA verification mandatory for all omni-admin actions. As of 2024.Q1.7, this is therefore expected behavior; see Configuring CAPTCHA.

This additional layer of protection provides sufficient Cross-Site Request Forgery attack protection for omni-admin actions.

In case you still want to disable captchas for these pages:

  • Add captcha.enforce.disabled=true to your portal-ext.properties file.
  • After that, navigate to Control Panel -> System Settings -> Security Tools -> Captcha and set the Maximum Challenges field's value to -1 in order to disable Captcha Validation.

You should only do this for testing with Continuous Integration (CI).
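
One way to enforce that restriction is a pre-deployment check that fails when the override appears in a non-CI configuration. This is an added example, not Liferay's own code; it assumes the file follows java.util.Properties rules, and the environment labels and function names are hypothetical. The Maximum Challenges value lives in System Settings, so this file check does not cover it.

```python
import re

OVERRIDE_KEY = "captcha.enforce.disabled"  # property name from the article

# Constructed sample files (not taken from a real deployment).
CI_SAMPLE = "# CI test instance\ncaptcha.enforce.disabled=true\n"
PROD_SAMPLE = ("# production\n"
               "captcha.enforce.disabled=false\n"
               "captcha.enforce.disabled : \\\n    true\n")  # later line wins


def parse_properties(text):
    """Simplified java.util.Properties reader: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash continuations, last definition wins.
    Escaped separators inside keys are not handled."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # sentinel flushes a dangling continuation
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        line = pending + line
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd count: continuation
            pending = line[:-1]
            continue
        pending = ""
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def captcha_override_enabled(text):
    """True when the effective value of the override is 'true'."""
    return parse_properties(text).get(OVERRIDE_KEY, "false").lower() == "true"


def check_deployment(text, environment):
    """Return findings; an empty list means the file is acceptable.
    The environment label ('ci', 'prod', ...) is a hypothetical convention."""
    if captcha_override_enabled(text) and environment != "ci":
        return [f"{OVERRIDE_KEY}=true in a '{environment}' configuration; "
                "the article limits this override to CI testing"]
    return []


if __name__ == "__main__":
    for name, text, env in [("ci", CI_SAMPLE, "ci"), ("prod", PROD_SAMPLE, "prod")]:
        print(name, check_deployment(text, env) or "ok")
```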

 

Breaking Changes:

  • Due to this security enhancement, the previously available option to disable CAPTCHA verification using the "-1" (Never Check) value is not applicable to administrative actions. 
  • If a CAPTCHA engine is not selected within your Liferay DXP configuration (i.e. the option is left on “Choose an Option”), Server Admin Pages will become inaccessible and display a "Temporarily Unavailable" message.
