This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable.
Security-hotfix-11-6012, which is available for Liferay Portal 6.0 EE SP2, is preventing embedded portlets from performing action requests using the actionURL tag. Because of extra security checks that the patch introduces, embedded portlets are unable to perform any action. This article describes the issue and how to adapt your portlet to work with the security fix.
One symptom of this is an error message being shown in the logs:
Reject processAction for http://localhost:8080/home on portletname_WAR_portlename6_0portlet_INSTANCE_D1J0This is followed by a
NullPointerException stacktrace.Resolution
This issue is intended behavior: the error message appears due to the extra security check which has been introduced by LPS-27674 which does not allow the portlet to call processAction(...) or serverResource(...) from anywhere.
- Add the following tag into
liferay-portlet.xml(located inside any project'sdocroot/WEB-INF):<liferay-portlet-app> <portlet> <add-default-resource>true</add-default-resource> </portlet> </liferay-portlet-app>
- Either set
portlet.add.default.resource.check.enabled=falseor include your custom portlet inportlet.add.default.resource.check.whitelist.
Additional Information
LPS-27674 describes the changes included in security-hotfix-11-6012 that led to the unintended behavior when not using the directives suggested here.