Legacy Knowledge Base
Published Jul. 2, 2025

Avoid or allow that some applications can be dynamically displayed in a page

Written By

Jose Jimenez

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • The permissions system for an application (portlet) includes a security check when the application is going to be displayed in a page. Normally, the users should not be able to see applications if the administrator did not configured/added previously to that page.
  • It is feasible to bypass that check by configuration because there are other cases in where the administrator wants to dynamically allow a feature in whatever page the user is, as for example can be the sign-in form/application to enable to start an expired session without navigating to a different page.

Environment

  • All Liferay versions and environments.

Resolution

  • You can bypass the security check by adding the portlet identifier (a.k.a. portletId) to the next portal property: portlet.add.default.resource.check.whitelist
  • The configuration also can be provided an environment variable:LIFERAY_PORTLET_PERIOD_ADD_PERIOD_DEFAULT_PERIOD_RESOURCE_PERIOD_CHECK_PERIOD_WHITELIST 
  • There is a set of applications/portlets allowed by default. You can check the current configuration from the Control Panel > Server Administration > Properties > Portal Properties searching by portlet.add.default.resource.check.whitelist
  • Add or modify the portlet.add.default.resource.check.whitelist property to your portal-ext.properties file adding/removing portlet identifiers to/from this list to control which applications can be dynamically displayed in spite of not being added to a page by the admin.
  • Eg. default value for DXP 7.3.10 is: 
    #
    # Set a list of comma delimited portlet IDs that will bypass the security
    # check set in the property "portlet.add.default.resource.check.enabled".
    #
    # Env: LIFERAY_PORTLET_PERIOD_ADD_PERIOD_DEFAULT_PERIOD_RESOURCE_PERIOD_CHECK_PERIOD_WHITELIST
    #
    portlet.add.default.resource.check.whitelist=\
    com_liferay_calendar_web_portlet_CalendarPortlet,\
    com_liferay_login_web_portlet_FastLoginPortlet,\
    com_liferay_login_web_portlet_LoginPortlet,\
    com_liferay_portlet_configuration_css_web_portlet_PortletConfigurationCSSPortlet,\
    com_liferay_portlet_configuration_web_portlet_PortletConfigurationPortlet,\
    com_liferay_product_navigation_simulation_web_portlet_SimulationPortlet,\
    com_liferay_staging_bar_web_portlet_StagingBarPortlet

Additional Information

 

Did this article resolve your issue ?

Legacy Knowledge Base