-
Type:
Bug
-
Status: Closed
-
Resolution: Inactive
-
Affects Version/s: 6.2.4 CE GA5, 6.2.5 CE GA6
-
Fix Version/s: None
-
Component/s: Application Security, Core Infrastructure, Portal Configuration
-
Labels:
-
Fix Priority:3
-
Application Servers:GlassFish 3.1
Description:
Some properties are not loaded when the server is started on Glassfish 3.1.2.2 and Liferay 6.2 GA6. For example:
http.header.secure.x.content.type.options=true
http.header.secure.x.frame.options=true
http.header.secure.x.frame.options.255=/|SAMEORIGIN
http.header.secure.x.xss.protection=1
They aren't loaded from:
-portal.properties (poral-impl.jar, default)
-system.properties (poral-impl.jar, default)
-portal-ext.properties
-system-ext.properties
Probably the same problem with JRuby native properties - LPS-61251
Flow:
For Liferay 6.2 GA6 Bundle with Glassfish:
Run clean version with sample data with default properties (portal.properties, system.properties > poral-impl.jar). Resources haven't X-FRAME-OPTIONS in Response Headers.
Add properties to portal-ext.properties. Resources haven't X-FRAME-OPTIONS in Response Headers.
For Liferay 6.2 GA6 Bundle with Tomcat:
Looks OK. Resources have X-FRAME-OPTIONS in Response Headers.
For Liferay 6.2 GA4 with Glassfish 3.1.2.2:
Looks OK. Resources have X-FRAME-OPTIONS in Response Headers.
Tested versions with this flow in the attachment.
Environment:
1) Custom
Liferay 6.2 GA6,
GlassFish Server Open Source Edition 3.1.2.2 (build 5),
PostgreSQL 9.4.,
Debian GNU/Linux 6.0.6 (squeeze)
jdk1.7.0_71
2) Latest Bundle with Glassfish
Liferay 6.2 GA6
GlassFish Server Open Source Edition 3.1.2.2
HSQL
Win7 x64
