Home > Liferay, Security > Liferay application display templates

Liferay application display templates

Liferay Portal 6.2 has just been released. One of it’s interesting new features are Application display templates (ADT), that promise to allow easy and flexible rendering of content, without changing JSP’s. It’s implementation gives me some security concerns for all users of Liferay.

ADT architecture

During Liferay Devcon 2013 James Falkner gave a great introduction into ADT. The basic principle is quite easy: instead of using the default JSP’s to render the output of a portlet (like webcontent, dynamic data lists, documents & media, etc.) we can use velocity or freemarker templates to render it. You’ll understand that this reduces the number of JSP-hooks needed to customize the portal and we can have multiple templates for a portlet.

ADT architecture

ADT implementation

The templates are stored as regular Liferay content and are edited using a new editor that supports code completion and syntax highlighting. A great improvement over the old plain text editor.


For some great examples see an excellent blog post by Eduardo Garcia about using ADT in the example Museum Theme on Github.

Never thought that Liferay could look this good?

ADT and Security

Since every freemarker template has full access to all the Liferay services we have a potential security risk. Well-behaving template will only call a normal Liferay service, e.g.


Templates of a more malicious kind are able to call Local services directly and bypass Liferay security checks:

UserLocalService.addRoleUser(ADMINISTRATOR, myself)

Liferay provides a way to restrict the classes, packages and variables that can be called from a template using a few portal properties. This method is not powerful enough to fully sandbox the templates for a few reasons:

  1. Liferay puts normal and local services in the same Java Package (com.liferay.portal.service) and thus we have to list all the services explicitly.
  2. Using reflection (java.lang.reflect) and can still access the restricted classes.
  3. Even when straight forward reflection is forbidden there are alternatives will serve the same purpose (Class.forName, looking up Spring beans, javax.beans.*, etc.)

A proper way to sandbox the templates would be to only  allow specific services to be called, while denying access to all others. On method would be using a Java security manager. Give me a cold winter night and I’ll try to come up with a patch for that ;-)


Application Display Templates are a great addition to Liferay Portal 6.2. They are also a security threat. Make sure only Administrators have permissions to edit (or publish) them, since every template runs with full administrative permissions within the JVM.

For more information on ADT see the Liferay manual.

Categories: Liferay, Security Tags: , , ,
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 275 other followers