Denied resolving class [...] error is shown in custom FreeMarker/Velocity templates (LSV-658)


  • Custom FreeMarker and Velocity templates generate the following error after installing a fix pack:
    Denied resolving class [...] by org.apache


  • Liferay DXP 7.0 FP92+
  • Liferay DXP 7.1 FP18+/SP5+
  • Liferay DXP 7.2 FP6+/SP2+


  • The behavior originates from an intentional change due to security vulnerability documented in LSV-658.
  • In Liferay DXP 7.0, 7.1, and 7.2, the template API gives users access to sensitive objects, which allows remote authenticated users to execute arbitrary code via FreeMarker and Velocity templates. Therefore certain packages that are exposed to the risk of circumventing the sandbox and achieving remote code execution were disabled in newer Fix Packs.
  • If you are using a Hotfix that requires the Fix Packs indicated above, your installation may be impacted.

  • As the Solution and Mitigation Information section states:
    • The following packages were added to the default list of Restricted Packages of the FreeMarker Engine and Velocity Engine System Settings configurations, thus if your system is using a customized version of these configurations, you have to review and update your settings accordingly. If you have custom templates relying on these restricted packages reconsider their usage before re-enabling them:
      • com.liferay.portal.spring.context
      • io.undertow
      • org.apache
      • org.glassfish
      • org.jboss
      • org.springframework
      • org.wildfly
      • weblogic
  • You can re-enable your template by:
    1. Removing the org.apache package from the restricted packages in the Control Panel -> Configuration -> System settings -> Foundation -> Velocity Engine/FreeMarker Engine
    2. Then restart your server (or you can restart the Liferay Portal Template FreeMarker/Liferay Portal Template Velocity bundles through the App Manager).
  • However, we suggest you consider use alternatives since those packages have been disabled for security reasons.

Additional Information

  • For more information, please check LSV-658
Was this article helpful?
0 out of 1 found this helpful