Categories
Framework

Restrict all Liferay traffic to be encrypted

Our CTO came to me recently with the results of a PCI audit. One area of non-compliance that the audit discovered was the need to have users log in only through a SSL encrypted gateway. I set about finding a way to accomplish this with Liferay. Thankfully, it was a pretty easy change and didn’t require any custom log in code (as I initially feared.)

At first, I just happened to come across a relevant property in my portal-ext.properties file.

servlet.always.encrypt=false

On my local machine, I changed this value to true, restarted the server, and all traffic on my local server redirects to the ssl encrypted version on port 8181!

“Hooray”, I thought. “I’m done!” I talked to our Ops team to get the changes made in our other environments and he promptly burst my this-is-too-easy bubble. “Why is it encrypting our marketing site? We shouldn’t be encrypting everything, just the stuff we need protected.” Damnit! Now I have to find an alternative. Fortunately for me, the same Ops guy found the relevant properties to include in our portal-ext.properties file:

#require https for login
web.server.http.port=8080
web.server.https.port=8181
company.security.auth.requires.https=true

This is exactly the technique we needed. Our site doesn’t encrypt any public-facing page (unless you are already logged in) and all logged-in traffic is SSL-encrypted. Liferay team really did me a solid by making this so easy to configure. Thanks girls & guys of Liferay!