Configuring Theme-Embedded Portlets After Deploying Security-Hotfix-11-6012

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable.

Security-hotfix-11-6012, which is available for Liferay Portal 6.0 EE SP2, prevents embedded portlets from performing action requests using the actionURL tag. Because of the extra security checks that the patch introduces, embedded portlets are unable to perform any action. This article describes the issue and how to adapt your portlet to work with the security fix.
 
One symptom is the following error message in the logs:
    Reject processAction for http://localhost:8080/home on portletname_WAR_portlename6_0portlet_INSTANCE_D1J0
This is followed by a NullPointerException stack trace.
 

Resolution

This is intended behavior: the error message appears because of the extra security check introduced by LPS-27674, which no longer allows the portlet to call processAction(...) or serveResource(...) from anywhere.

 

  1. Add the following tag to liferay-portlet.xml (located in a project's docroot/WEB-INF directory):
    <liferay-portlet-app>
    	<portlet>
    		<add-default-resource>true</add-default-resource>
    	</portlet>
    </liferay-portlet-app>
    
  2. Either set portlet.add.default.resource.check.enabled=false or include your custom portlet in portlet.add.default.resource.check.whitelist.
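
As an added example (not part of the original article or of Liferay's code), the Python script below scans portal log text for the rejection message quoted above and groups the hits by portlet, so the whitelist in step 2 can be limited to the portlets actually affected rather than disabling the check for every portlet. The sample log lines, their timestamp/level prefix and the second portlet name are constructed; treating the text before `_INSTANCE_` as the portlet's base ID is an assumption.

```python
import re
from collections import defaultdict

# Message format taken from the log line quoted in this article:
#   Reject processAction for <url> on <portlet id>
REJECT_RE = re.compile(r"Reject processAction for (\S+) on (\S+)")

# Assumption: an instanceable portlet's ID is "<base id>_INSTANCE_<instance id>".
INSTANCE_SEP = "_INSTANCE_"

# Constructed sample log (prefixes and the second portlet are made up).
SAMPLE_LOG = """\
12:00:01,000 WARN Reject processAction for http://localhost:8080/home on portletname_WAR_portlename6_0portlet_INSTANCE_D1J0
12:00:01,004 ERROR java.lang.NullPointerException
12:03:17,512 WARN Reject processAction for http://localhost:8080/home on portletname_WAR_portlename6_0portlet_INSTANCE_D1J0
12:05:40,031 WARN Reject processAction for http://localhost:8080/news on otherportlet_WAR_otherportlet_INSTANCE_aB3x
12:06:00,000 INFO Unrelated line
"""


def rejected_portlets(log_text):
    """Group rejected action requests by base portlet ID.

    Returns {base_id: {"count": int, "instances": set, "urls": set}}.
    """
    summary = defaultdict(lambda: {"count": 0, "instances": set(), "urls": set()})
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if not match:
            continue  # stack trace lines and unrelated entries are skipped
        url, portlet_id = match.groups()
        base_id, sep, instance = portlet_id.partition(INSTANCE_SEP)
        entry = summary[base_id]
        entry["count"] += 1
        entry["urls"].add(url)
        if sep:  # only record an instance ID when the separator was present
            entry["instances"].add(instance)
    return dict(summary)


if __name__ == "__main__":
    for base_id, info in sorted(rejected_portlets(SAMPLE_LOG).items()):
        print(f"{base_id}: {info['count']} rejected, "
              f"instances={sorted(info['instances'])}, pages={sorted(info['urls'])}")
```

Each base ID in the output is a candidate for portlet.add.default.resource.check.whitelist; a portlet that appears there unexpectedly should be reviewed before it is whitelisted.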

 

Additional Information

LPS-27674 describes the changes included in security-hotfix-11-6012 that led to the unintended behavior when not using the directives suggested here.