
By default, users registering on a Liferay portal are assigned a randomly generated password and their account is active immediately. Upon first login, users are then required to change their password. To put it delicately, the second step in this registration process in particular will confuse some of your potential users: why do you need to change the password you just set during the registration process?
Today, most of the prominent web frameworks offer an additional layer of security out of the box (OOTB) by forcing users to verify their email address upon registration. Thus, accounts do not become active until potential users have verified their email address. Furthermore, no framework I know other than Liferay forces users to change their password on the first login after the registration process has completed.
Registration Workflow with Verification
Luckily, Liferay is highly configurable and thus allows us to change the registration workflow without any changes to the code. For reference, the desired registration workflow looks as follows:
- The user fills out the registration form (username, email, password, first name and surname, etc.)
- Liferay creates the account but does not yet mark it active
- Liferay sends a verification e-mail to the user's e-mail account with a verification link that activates the account
- The user clicks on the link provided and Liferay finally activates the account
Now that we have defined the registration workflow to be used, how do we enable it in Liferay? Simply edit portal-ext.properties and add the following line:
company.security.strangers.verify=true
That’s it! Be sure to restart Tomcat (or your servlet container of choice) for this setting to take effect, and test your registration workflow 🙂
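To confirm the setting is really in effect in a deployed portal-ext.properties, the check below (an added example, not code from this post or from Liferay) parses the file and reports the effective value of `company.security.strangers.verify`. It assumes the file follows java.util.Properties syntax, where a later duplicate overrides an earlier one and a trailing backslash continues a line; the sample file and the `example.hypothetical.list` key are constructed for illustration.

```python
import re

VERIFY_KEY = "company.security.strangers.verify"  # the property named in the post

# A key ends at the first unescaped '=', ':' or whitespace (java.util.Properties rules).
_ENTRY = re.compile(r"((?:\\.|[^\s=:\\])+)[ \t\f]*[=:]?[ \t\f]*(.*)", re.S)

def parse_properties(text):
    """Return [(first_line_no, key, value)] for every entry, in file order."""
    entries, buf, start = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip(" \t\f")
        if buf is None:
            if not line or line[0] in "#!":
                continue  # blank line or comment
            buf, start = "", no
        # An odd number of trailing backslashes continues the entry on the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]
            continue
        entries.append((start, buf + line))
        buf = None
    if buf:  # file ended in the middle of a continued entry
        entries.append((start, buf))
    return [(no, m.group(1), m.group(2)) for no, e in entries if (m := _ENTRY.match(e))]

def check_email_verification(text):
    """Return (status, line_numbers); status is 'enabled', 'disabled' or 'missing'."""
    hits = [(no, v) for no, k, v in parse_properties(text) if k == VERIFY_KEY]
    if not hits:
        return "missing", []
    # Assumption: only the literal value "true" (any case) counts as enabled.
    effective = hits[-1][1].strip().lower()
    return ("enabled" if effective == "true" else "disabled"), [no for no, _ in hits]

# Constructed sample: one commented-out line, one line swallowed by the
# continuation above it, and a final definition that switches the check off.
SAMPLE = """\
# constructed portal-ext.properties for this example
#company.security.strangers.verify=true
example.hypothetical.list=a,\\
    company.security.strangers.verify=true
company.security.strangers.verify = false
"""

if __name__ == "__main__":
    print(check_email_verification(SAMPLE))
```

A `grep` for the key would match three lines in this sample, yet only the last one defines the property, and it disables verification.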