System Properties

Table of Contents

Properties

Start your application server with the system property"system.properties.set" set to true to load the external file calledsystem.properties. This is given as a convenient way to ensure all propertiesare set for deployment. When the server starts, the portal will loadsystem.properties and then system-ext.properties.

Start your application server with the system property"system.properties.set.override" set to true if the properties ofsystem.properties override all similar command line properties. If set tofalse, the properties of system.properties will be set if and only if thoseproperties are not currently set.

Some application servers require you to set the "file.encoding" and"user.timezone" on startup regardless of system.properties because theapplication server reads these properties before system.properties is everloaded.


Top of Page

Java


The file encoding must be set to UTF-8 in order for the internationalization to work correctly.

Defaults:

    file.encoding=UTF-8


Java uses the underlying operating system to generate images. If you are using Unix and do not start the portal in a X Windows session, then Java will not know how to generate images and you'll get lots of nasty exceptions. Setting this property to true will fix that. Sometimes this property cannot be set dynamically when the server starts and you'll need to edit your start script to include this as a system property.

Defaults:

    java.awt.headless=true


Set the default locale used by Liferay. This locale is no longer set at the VM level. See LEP-2584.

Defaults:

    user.country=US
    user.language=en


Top of Page

Java Advanced Imaging


JAI relies upon native acceleration to improve performance. To use native acceleration, you must install the appropriate native libraries and set this property to false. Setting this to false without installing the proper native libraries will result in warnings.

Defaults:

    com.sun.media.jai.disableMediaLib=true


Top of Page

Logging


Set any logger that implements org.apache.commons.logging.Log.

Examples:

    org.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger


Set this to true if Log4j complains that it was not properly configured.

Defaults:

    log4j.configure.on.startup=true


Top of Page

Service Proxy Factory


Set the service proxy factory timeout in milliseconds.

Defaults:

    com.liferay.portal.kernel.util.ServiceProxyFactory.timeout=60000


Top of Page

Stream

Defaults:

    com.liferay.portal.kernel.util.StreamUtil.buffer.size=8192


Set this to true when doing large file transfers on a 32-bit JVM to prevent running out of memory. This worsens performance but increases stability for older environments.

Defaults:

    com.liferay.portal.kernel.util.StreamUtil.force.tio=false


Top of Page

String Bundler


Set this property to tell StringBundler when to use a ThreadLocal buffer to build the output its String. The buffer is referred by SoftReference, so it will be forcibly removed by the GC when memory is nearly exhausted. It should be set to a high value so that the accessing to ThreadLocal is balanced by the savings in garbage collection. Setting it to too low of a value may actually do more harm than good.

Set a value larger than 0 to enable this feature when using StringBundler with an output length longer than the specified value. A reasonable value is 8192 (8 kb) or 16384 (16 kb). The best value depends on how the portal is used.

Defaults:

    com.liferay.portal.kernel.util.StringBundler.threadlocal.buffer.limit=0


Top of Page

Finalize Manager


Set this to true to enable the finalize manager to use a separate thread to do clean up. Otherwise, the finalize manager will only do clean up during registration.

Defaults:

    com.liferay.portal.kernel.memory.FinalizeManager.thread.enabled=false


Top of Page

Encryptor


Set the security provider class.

Defaults:

    com.liferay.util.Encryptor.provider.class=com.sun.crypto.provider.SunJCE


Top of Page

HTTP


See portal.properties for more HTTP settings.


Set the location of the HTTP proxy that the portal will use to fetch external content.

Set http.nonProxyHosts for hosts that will not be proxied. This is useful for proxied environments where you need direct access to internal servers. This should follow the same semantics as the java.net package.

Examples:

    http.proxyHost=192.168.0.200
    http.proxyPort=4480
    http.nonProxyHosts=192.168.0.250


Top of Page

HTTP Header Response


See portal.properties for more HTTP Header Response settings.


Set this to true for the portal to send the "X-Content-Type-Options: nosniff" HTTP header to protect against MIME sniffing. Custom URLs can specified in the property "http.header.secure.x.content.type.options.urls.excludes" that allow for unhindered MIME sniffing.

Defaults:

    http.header.secure.x.content.type.options=true


Set a list of comma delimited URL prefixes that allow for unhindered MIME sniffing. This property is only used when the property "http.header.secure.x.content.type.options" is set to true.

Examples:

    http.header.secure.x.content.type.options.urls.excludes=


Set this to true for the portal to send the "X-Frame-Options: DENY" HTTP header to protect against clickjacking.

Custom HTTP header values instead of "DENY" can be specified per URL via the properties "http.header.secure.x.frame.options.*".

Defaults:

    http.header.secure.x.frame.options=true


If the property "http.header.secure.x.frame.options" is set to true, then the portal will iterate through the properties "http.header.secure.x.frame.options.*" where the wildcard "*" is replaced with an int number starting from 0 and ending with 255 to find a pipe (|) delimited URL and HTTP header value pair (e.g. "/|SAMEORIGIN").

Upon finding a matched a URL, the portal will use the custom HTTP header value instead of the "DENY" value.

By default, URLs that start with "/" will use a custom HTTP header value of "SAMEORIGIN". Specify another URL and HTTP header value with a number smaller than 255 to intercept this default behavior.

Defaults:

    http.header.secure.x.frame.options.255=/|SAMEORIGIN


Set this to nonempty value for the portal to send the "X-XSS-Protection" HTTP header to block cross-site scripting attacks. Possible nonempty values are "0", "1" and "1; mode=block"

Defaults:

    http.header.secure.x.xss.protection=1


Top of Page

Cookie


HTTP only cookies are not supposed to be exposed to client-side scripting code, and may therefore help mitigate certain kinds of cross-site scripting attacks. Input a list of comma delimited cookie names that are not HTTP only.

Defaults:

    cookie.http.only.names.excludes=


Top of Page

Axis


Urls that match the specified pattern will use the SimpleHTTPSender. Urls that do not match the specified pattern will use Axis' default HTTPSender.

Defaults:

    com.liferay.util.axis.SimpleHTTPSender.regexp.pattern=.*mappoint\.net.*


Top of Page

Session Parameters


Encrypt session parameters so that browsers cannot remember them.

Defaults:

    com.liferay.util.servlet.SessionParameters=false


Top of Page

Ehcache


Set this to true to skip the update check.

Defaults:

    net.sf.ehcache.skipUpdateCheck=true


Top of Page

IO Netty

Defaults:

    io.netty.allocator.type=pooled

Examples:

    io.netty.allocator.cacheTrimInterval=
    io.netty.allocator.maxCachedBufferCapacity=
    io.netty.allocator.maxOrder=
    io.netty.allocator.normalCacheSize=
    io.netty.allocator.numDirectArenas=
    io.netty.allocator.numHeapArenas=
    io.netty.allocator.pageSize=
    io.netty.allocator.smallCacheSize=
    io.netty.allocator.tinyCacheSize=
    io.netty.threadLocalDirectBufferSize=


Top of Page

JRuby


Set this to true to enable native extensions (like JNA for non-Java APIs).

Defaults:

    jruby.native.enabled=false


Top of Page

Log Sanitizer


Set this to true to enable the log sanitizer, which is a safe logging mechanism that avoids directly embedding user input in log files. The log sanitizer automatically sanitizes log messages by replacing all unexpected characters from user supplied data with safe replacement characters.

See the "log.sanitizer.escape.html.enabled" property for encoding HTML entities in log messages.

Defaults:

    log.sanitizer.enabled=true


Set whether to encode HTML data in log messages.

Defaults:

    log.sanitizer.escape.html.enabled=false


Specify the code point of the character to replace forbidden characters. The underscore character, which has code point 95, is the replacement character by default.

Defaults:

    log.sanitizer.replacement.character=95


Specify characters to allow in log messages. The sanitizer operates on characters with code points less than 128. Characters with code points greater than 128 are always allowed. Please see ASCII tables to look up character code points.

This default whitelist allows characters with code points 9 (tab), 32 (space), and all characters with code points greater than 32 except 127 (delete).

Defaults:

    log.sanitizer.whitelist.characters=9,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126


Top of Page

Lucene


Set a timeout to avoid lock errors.

Examples:

    org.apache.lucene.writeLockTimeout=30000


Top of Page

Tika


Set the location of the Tika configuration.

Defaults:

    tika.config=tika/tika.xml


Top of Page

Quartz


Make threads daemon so the JVM exits cleanly.

Defaults:

    org.quartz.threadPool.makeThreadsDaemons=true


Turn off the update check for performance/security.

Defaults:

    org.terracotta.quartz.skipUpdateCheck=true


Top of Page

Security

Defaults:

    com.liferay.portal.kernel.io.ProtectedObjectInputStream.restricted.class.names=\
        com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl,\
        org.apache.commons.collections.functors.CloneTransformer,\
        org.apache.commons.collections.functors.ForClosure,\
        org.apache.commons.collections.functors.InvokerTransformer,\
        org.apache.commons.collections.functors.InstantiateFactory,\
        org.apache.commons.collections.functors.InstantiateTransformer,\
        org.apache.commons.collections.functors.PrototypeFactory$PrototypeCloneFactory,\
        org.apache.commons.collections.functors.PrototypeFactory$PrototypeSerializationFactory,\
        org.apache.commons.collections.functors.WhileClosure,\
        org.apache.commons.collections4.functors.InvokerTransformer,\
        org.codehaus.groovy.runtime.ConvertedClosure,\
        org.codehaus.groovy.runtime.MethodClosure,\
        org.springframework.beans.factory.ObjectFactory,\
        org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider,\
        sun.reflect.annotation.AnnotationInvocationHandler

Defaults:

    com.liferay.portal.kernel.security.SecureRandomUtil.buffer.size=65536


Top of Page

Static LPKGs

Defaults:

    static.lpkg.bundle.symbolic.names=Static


Top of Page

Xerces


Configure the default parser to avoid looking up an XMLParserConfiguration from the class path each time a SAXParser object is created. Set this property to a blank value to revert to the default behavior.

See https://xerces.apache.org/xerces2-j/faq-xni.html for more information.

Defaults:

    org.apache.xerces.xni.parser.XMLParserConfiguration=org.apache.xerces.parsers.XIncludeAwareParserConfiguration