Liferay application display templates
Liferay Portal 6.2 has just been released. One of its interesting new features is Application Display Templates (ADT), which promise to allow easy and flexible rendering of content without changing JSPs. Its implementation gives me some security concerns for all users of Liferay.
During Liferay Devcon 2013 James Falkner gave a great introduction to ADT. The basic principle is quite simple: instead of using the default JSPs to render the output of a portlet (like web content, dynamic data lists, documents & media, etc.) we can use Velocity or FreeMarker templates to render it. You’ll understand that this reduces the number of JSP hooks needed to customize the portal, and that we can have multiple templates for one portlet.
The templates are stored as regular Liferay content and are edited using a new editor that supports code completion and syntax highlighting. A great improvement over the old plain text editor.
ADT and Security
Since every FreeMarker template has full access to all the Liferay services, we have a potential security risk. A well-behaved template will only call a normal Liferay service, e.g.
Templates of a more malicious kind are able to call local services directly and bypass Liferay's security checks:
Liferay provides a way to restrict the classes, packages and variables that can be used from a template, using a few portal properties. This method is not powerful enough to fully sandbox the templates, for a few reasons:
- Liferay puts normal and local services in the same Java package (com.liferay.portal.service), so we have to list all the restricted services explicitly.
- Using reflection (java.lang.reflect) a template can still access the restricted classes.
- Even when straightforward reflection is forbidden, there are alternatives that serve the same purpose (Class.forName, looking up Spring beans, javax.beans.*, etc.).
A proper way to sandbox the templates would be to only allow specific services to be called, while denying access to all others. One method would be using a Java security manager. Give me a cold winter night and I’ll try to come up with a patch for that.
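As an added illustration of the allow-list approach (not code from this post or from Liferay), the following FreeMarker 2.3.x data model exposes only explicitly registered service facades to a template and fails on any other name; `UserDisplayService` is a hypothetical stand-in for a permission-checked Liferay service. It closes off the locator variables, but reflective access on the exposed objects themselves still has to be handled separately in the object wrapper.

```java
import freemarker.template.Configuration;
import freemarker.template.DefaultObjectWrapper;
import freemarker.template.Template;
import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.Map;

/** Allow-list data model: a template can only resolve the names registered here. */
final class AllowListModel implements TemplateHashModel {
    private final Map<String, Object> allowed;
    private final DefaultObjectWrapper wrapper = new DefaultObjectWrapper();
    AllowListModel(Map<String, Object> allowed) { this.allowed = allowed; }
    // Any name not explicitly exposed (serviceLocator, utilLocator, ...) fails hard;
    // there is no package-based deny list left to slip past.
    public TemplateModel get(String key) throws TemplateModelException {
        Object service = allowed.get(key);
        if (service == null) {
            throw new TemplateModelException("Variable '" + key + "' is not exposed to templates");
        }
        return wrapper.wrap(service);
    }
    public boolean isEmpty() { return allowed.isEmpty(); }
}

public class AdtAllowListDemo {
    // Hypothetical read-only facade standing in for a permission-checked Liferay service.
    public static final class UserDisplayService {
        public String getFullName(long userId) { return "Joe Bloggs (" + userId + ")"; }
    }
    static String render(String source, TemplateHashModel model) throws Exception {
        Template t = new Template("adt", new StringReader(source), new Configuration());
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        Map<String, Object> exposed = Collections.<String, Object>singletonMap("userDisplayService", new UserDisplayService());
        AllowListModel model = new AllowListModel(exposed);
        // Permitted: only the facade's public methods are reachable, and only under this name.
        System.out.println(render("${userDisplayService.getFullName(10201)}", model));
        // Denied: the locator variable that reaches every Liferay service is not in the model.
        try {
            render("${serviceLocator}", model);
        } catch (Exception e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```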
Application Display Templates are a great addition to Liferay Portal 6.2. They are also a security threat. Make sure only administrators have permission to edit (or publish) them, since every template runs with full administrative permissions within the JVM.
For more information on ADT see the Liferay manual.