Legacy Knowledge Base
Published Jul. 2, 2025

Configuring Theme-Embedded Portlets After Deploying Security-Hotfix-11-6012

Written By

Liferay Support

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable.

Security-hotfix-11-6012, which is available for Liferay Portal 6.0 EE SP2, prevents embedded portlets from performing action requests using the actionURL tag. Because of the extra security checks that the patch introduces, embedded portlets are unable to perform any action. This article describes the issue and how to adapt your portlet to work with the security fix.
 
One symptom is the following error message in the logs:

    Reject processAction for http://localhost:8080/home on portletname_WAR_portlename6_0portlet_INSTANCE_D1J0

This is followed by a NullPointerException stack trace.
 

Resolution

This is intended behavior: the error message comes from the extra security check introduced by LPS-27674, which does not allow the portlet to call processAction(...) or serveResource(...) from anywhere.

 

  1. Add the following tag to liferay-portlet.xml (located in the project's docroot/WEB-INF directory):
    <liferay-portlet-app>
        <portlet>
            <!-- the portlet's existing elements, such as portlet-name, stay unchanged -->
            <add-default-resource>true</add-default-resource>
        </portlet>
    </liferay-portlet-app>
    
  2. Either set portlet.add.default.resource.check.enabled=false or include your custom portlet in portlet.add.default.resource.check.whitelist.
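
An added example, not part of the original article or Liferay's own code: a small audit script that reports which of the two property options from step 2 is in effect for a given portlet ID and lists the portlets that set add-default-resource in liferay-portlet.xml. The first option switches the check off for every portlet while the whitelist exempts only the listed IDs, so the script reports them as separate verdicts. The function names, sample IDs and sample file contents are constructed; exact-match whitelist comparison and the check being enabled when the property is unset are assumptions.

```python
import xml.etree.ElementTree as ET

CHECK = "portlet.add.default.resource.check.enabled"
WHITELIST = "portlet.add.default.resource.check.whitelist"

def load_properties(text):
    """Minimal .properties reader: comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        line, pending = pending + line, ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def default_resource_portlets(xml_text):
    """portlet-name of every entry that sets add-default-resource to true."""
    root = ET.fromstring(xml_text)
    return [p.findtext("portlet-name", "").strip() for p in root.iter("portlet")
            if p.findtext("add-default-resource", "").strip().lower() == "true"]

def audit(props_text, xml_text, portlet_id):
    """Say which of the two property options, if any, exempts portlet_id."""
    props = load_properties(props_text)
    allowed = {e.strip() for e in props.get(WHITELIST, "").split(",") if e.strip()}
    # Assumption: an unset or non-"false" value leaves the check enabled.
    if props.get(CHECK, "true").lower() == "false":
        verdict = "check disabled for all portlets"
    # Assumption: whitelist entries are compared as exact, comma-separated IDs.
    elif portlet_id in allowed:
        verdict = "whitelisted"
    else:
        verdict = "not exempted"
    return verdict, default_resource_portlets(xml_text)

# Constructed sample input, not taken from a real deployment.
SAMPLE_XML = """<liferay-portlet-app><portlet><portlet-name>sample</portlet-name>
<add-default-resource>true</add-default-resource></portlet>
<portlet><portlet-name>other</portlet-name></portlet></liferay-portlet-app>"""
SAMPLE_PROPS = """# constructed properties file
portlet.add.default.resource.check.whitelist=\\
    sample_WAR_sampleportlet,another_WAR_anotherportlet"""
print(audit(SAMPLE_PROPS, SAMPLE_XML, "sample_WAR_sampleportlet"))
```

A "check disabled for all portlets" verdict means the check introduced by the hotfix is off portal-wide, not only for the embedded portlet being fixed.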

 

Additional Information

LPS-27674 describes the changes included in security-hotfix-11-6012 that led to the unintended behavior when not using the directives suggested here.