Radio Liferay

Welcome to Radio Liferay, a peek into what is going on in Liferay from the people doing it themselves.


Latest Broadcast

Radio Liferay Episode 60: Performance and Permissions with Preston Crary

  An episode on the "Per" things: Performance and Permissions. I spoke to Preston Crary, who amazingly was not mad at me for losing an earlier recording.

We're talking about these (and more) topics

  • We open with the attention to detail that's required for working on performance tuning and some short conversation about this topic.
  • Sadly, there's not often a single silver bullet, but many areas of dust.
  • Sometimes the fastest code is not the most optimal
  • Continuing with Preston's work on Permissions:
  • ResourceBlock is deprecated, and there's an easy migration path
  • The use case for Resources, ResourcePermission, and ResourceBlocks (as they're not at all visible in the UI)
  • Preston's way through Liferay from Support to working on the topics that he's now working on
  • The new API for Permissions - and the documentation is also done already (as of me writing this article, not yet published, but available on github - should be a matter of days or hours)
  • Should you implement your own permission system? (and how the answer to this question might change in 7.1)
  • Upgrades are being performance tuned. I smell a future episode coming up. Paging the team that is working on this area
  • The remarkable memory savings that refactoring the UserBag introduced
  • What happens during login
  • Passwords are PBKDF2WithHmacSHA1/160/128000 hashed, a deliberately expensive password hashing algorithm.
  • LPS-75747 and an update to my hardball question: Document Library's default.xml is still in core, can't be updated through a module, just through an ext.

Follow @RadioLiferay, Preston and me (@olafk) on twitter.

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to You can also subscribe on iTunes: just search for "Radio Liferay" or just "Liferay" in the podcast directory. Make sure to write a review for the podcast directory of your choice - or find everything about Radio Liferay on

Or just download the MP3 here:

download audio file


Threaded Replies

Dante Wang, March 28, 2018 8:37 PM:
Clicked the link to and Chrome warned me about invalid cert...

Olaf Kock, April 3, 2018 1:05 AM, in reply to Dante Wang:
Whoops, sorry - Something went wrong in the reconfiguration of that server. Non-https works for now, it's just a forwarder to anyways...
Thanks for letting me know

Tell others

If you enjoy this podcast and are subscribing on itunes or any other aggregator: Please consider telling them how much you like it - just use their rating system. And consider leaving feedback and comments (at the shownotes, linked for each episode)

Older Episodes


Radio Liferay Episode 22: Samuel Kong on Security

  Yes, I know. I didn't keep my previous promise to quickly follow up with the next episode. Thus, I'm not promising again, only revealing that I'm planning to be quicker in future.

This is another episode recorded at the previous Liferay Retreat. I sat together with Samuel Kong, GM of the Chinese office and member of Liferay's security team.

As I've been carrying this recording around for quite some while, note that there have been some changes during the last year. First and foremost, we have a new community security team, which was not around at the time of the recording. I'm planning to talk to someone from that team soon (consider yourself warned if you're on that team)

Some of the topics you'll find in this episode

  • How to file a security issue - thankfully he is consistent with what Cynthia and Michael have reported: go to, file your issue under the component "security", optionally with private visibility. If you've already done so, please check whether your issue is reproducible in the latest available version - your issue might already have been reported and fixed.
  • The OWASP (Open Web Application Security Project) site is a good resource for learning about security in web applications in general, independent of Liferay.
  • The three tools that Liferay has built in, helping you to prevent security issues:
    • Redirects: properties that configure the list of domain names and IPs that Liferay is allowed to redirect to
    • CSRF: Auth-Token
    • XSS: The various escape methods in com.liferay.portal.kernel.util.HtmlUtil - there are so many because the correct escaping depends on the context for which one escapes some HTML text. Also, the AlloyUI taglibs help a lot when you're displaying user content in forms. And also: the "escapedModel" that you can get from ServiceBuilder.
    • Bonus: SQL injection and its prevention through ServiceBuilder.
  • When to escape HTML text in order to be most flexible.
  • Sidenote: A call to extract and read the full A long, boring and interesting read. Oh, and the dtds for xml files

You'll find this episode - and make sure that you don't miss any of the future episodes - by subscribing to the RSS feed, on itunes or with your podcatcher of choice - you'll find all the options on And if you want to get notified when the next episode is out, follow @RadioLiferay

And please remember to rate this podcast in your podcast directory of choice and provide feedback here on the episodes as well. Thank you.

download audio file


[...] The glorious glamorous days one has on the security team (consisting mostly of email, tickets, pullrequests) Different ways to make Liferay more secure Gathering feedback from community and... [...]
Posted on 11/20/15 6:17 AM.