Tuesday, February 24, 2009

Things You Should Know About Liferay in the Enterprise

A few days ago I wrote a goofy post about the current state of open source Java-based portal software in which I half-concluded that Liferay is the only choice worth considering, and that unfortunately Liferay will drive a person completely insane.

I stand by my claims, but after the comments I received I think that I need to let people know where I'm coming from. What I want from a portal is an out-of-the-box collaborative experience to synergize my enterprise. But seriously, what I want is an application that can satisfy two basic requirements:

1) The application should provide all of the basic collaborative features that one would expect to use here in 2009. What does that mean? It means wikis, blogs, forums, chat, file sharing, etc. These are not things that I want to spend time implementing.

2) The application should be extensible. This is the whole point of a portal, and all portal applications meet this requirement.

Given these requirements and then considering the sorry state of open source portlets, the only choice worth considering is Liferay. The whole point of Liferay is that BAM, your Intranet portal is up and running and usable, and you can get on with implementing the important bits that are specific to your business.

When you first install Liferay, it's a very "WOW!" experience. It actually starts up and works and looks slick. Drag & drop, tons of portlets, etc. For a good week or so you can have a lot of fun setting it up and showing it off; your friends and colleagues will be amazed! But when you actually start to get into the nitty gritty of your Liferay implementation, things start to fall apart.

I spent a fair bit of time trying to decide if I should write this post or not. On one hand I'm really starting to like the Liferay community, and the developers seem like good people. On the other hand, there's not a lot of information out there about Liferay and I feel like the whole point of the "blogosphere" is to share our experiences for the betterment of all. Everything I'm writing here is based on my own personal experience with Liferay, and unfortunately, just about everything I write from here on is going to be negative.

Advice about Liferay in the Enterprise (or just your Business):

1) Liferay security is extremely poor.

I know that this might be a little controversial as I've read other blogs praising Liferay's permissions system... but really, just because something is really hard to understand doesn't mean that it's good, or even working.

If you're setting up Liferay in your business, then it's imperative that you test and re-test the restrictions in place on every single bit of data that you're exposing through your portal. One of the biggest problems I've had with Liferay is little pieces of confidential information showing up here and there for people who should not have access to it.

For example, the search portlet *will* compromise security by showing search results, complete with abstracts, to users that should not have access to them. If you have a wiki hiding somewhere in a closed community, and have the tightest permissions on that thing you can possibly set, the search portlet is still going to show results from that wiki to every knucklehead on the site. The reason for this is that Liferay's opensearch implementation doesn't yet do "Liferay permissions." There's no big warning anywhere about this, so hopefully you found out about it by reading this instead of the hard way. My advice: do not use the search portlet.

Another example is the fine-grained permissions for each portlet. Often times they simply do not work correctly. Take the message board: if you create a restricted category (e.g. "forum"), then the posts in that category do not inherit its permissions, and are viewable by anyone with a link. Then, even if you lock down the security of each post in the restricted category, the post title and abstract will still appear to anyone who clicks the "Recent Posts" tab! This problem isn't isolated to the message board; I've found similar behavior in the document library and blog portlets. My advice: do not use fine-grained permissions in Liferay. I should also note that the activities portlet doesn't respect fine-grained portlet permissions at all.

If the above aren't enough to make you uneasy, then there is also a report of an NTLM bug in which any non-domain user can login as any user with a blank or random password. This is a big one, and one that should have been nailed immediately. That it existed in 5.1 and still exists in 5.2.1 is inexcusable. My advice: do not expose your Intranet portal to the outside world.
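The search and "Recent Posts" leaks described above share one cause: an aggregate view returns items without re-checking each item's view permission. This added example (not Liferay code and not the author's) models that failure, the per-item check that closes it, and an audit loop that tests every view against every user. The items, ACLs, users and function names are all constructed for illustration.

```python
"""Leak audit for aggregate views (search, recent posts) over ACL-protected items."""
from dataclasses import dataclass
from typing import Optional

EVERYONE = frozenset({"*"})


@dataclass(frozen=True)
class Item:
    item_id: str
    container: str                       # forum category or wiki the item lives in
    title: str
    abstract: str
    created: int                         # constructed ordering key, newest = largest
    viewers: Optional[frozenset] = None  # None: inherit the container's ACL


# Constructed sample data: one open category, one restricted category, one closed wiki.
CONTAINER_ACL = {
    "general": EVERYONE,
    "hr-forum": frozenset({"alice"}),
    "board-wiki": frozenset({"alice", "bob"}),
}
ITEMS = [
    Item("p1", "general", "Lunch menu", "Pizza on Friday", 1),
    Item("p2", "hr-forum", "Salary review", "Proposed salary bands", 2),
    Item("w1", "board-wiki", "Merger plan", "Draft salary and merger terms", 3),
    Item("p3", "general", "Parking", "New parking rules", 4),
]
USERS = ["alice", "bob", "guest"]


def can_view(user, item):
    """Single permission check; an item without its own ACL inherits its container's."""
    acl = item.viewers if item.viewers is not None else CONTAINER_ACL[item.container]
    return "*" in acl or user in acl


def _matches(item, query):
    q = query.lower()
    return q in item.title.lower() or q in item.abstract.lower()


def search_unfiltered(user, query):
    """The failure mode: the index is queried with no reference to the caller."""
    return [i for i in ITEMS if _matches(i, query)]


def search_filtered(user, query):
    """Every hit is re-checked against the caller before it is returned."""
    return [i for i in ITEMS if _matches(i, query) and can_view(user, i)]


def recent_unfiltered(user, limit=2):
    return sorted(ITEMS, key=lambda i: i.created, reverse=True)[:limit]


def recent_filtered(user, limit=2):
    """Filter first, then truncate, so hidden items never consume a slot."""
    visible = [i for i in ITEMS if can_view(user, i)]
    return sorted(visible, key=lambda i: i.created, reverse=True)[:limit]


def audit(views):
    """Return (view, user, item_id) for every item a view shows to a user who may not see it.

    A real audit would compare against an independently written access matrix
    rather than the same can_view() the hardened views call.
    """
    leaks = []
    for name, view in views.items():
        for user in USERS:
            for item in view(user):
                if not can_view(user, item):
                    leaks.append((name, user, item.item_id))
    return sorted(leaks)


WEAK = {"search": lambda u: search_unfiltered(u, "salary"), "recent": recent_unfiltered}
HARDENED = {"search": lambda u: search_filtered(u, "salary"), "recent": recent_filtered}

if __name__ == "__main__":
    for view, user, item_id in audit(WEAK):
        print(f"LEAK view={view} user={user} item={item_id}")
    print("hardened leaks:", audit(HARDENED))
```

Against a real portal the same loop applies: log in as each test account, request each listing view, and compare the returned titles and abstracts with what that account is supposed to see.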

2) Liferay is very buggy.

It seems like every time I try to set something up, whether it be a wiki or a blog or whatever, I run into some maddening bug. For instance when editing a wiki page or forum post, all of the new line characters disappear! This makes the entire wiki virtually unusable or at least a significant pain in the rear. A bug report was filed for this one and a fix has been committed, but the problem exists in the default 5.2.1 package that you're going to download. Heck, it even exists on the Liferay community site itself.

Aside from that I've seen 3rd party portlet javascript completely break Liferay's javascript, bugs in the new scoping feature, portlets that simply don't install or work, and a variety of other flaws. Without going into detail about every annoying little thing that I've run across, I'll just leave you with this: be prepared to download the Liferay source and do a bit of patching yourself.

There are hundreds of bugs in the Liferay JIRA, and something like 75+ critical bugs. They don't seem to get patched up very quickly. I know the developers are doing the best they can.

3) Documentation is hit or miss.

The Liferay Administrator's Guide is fantastic. Unfortunately, it's for 5.1 and some important bits aren't going to work for 5.2. Things like database configuration. The Liferay wiki is ok, but I really have a hard time using it. For whatever reason, it's very hard to drill down to topics that are relative...everything's in this search view that returns way too many results. I hate wikis for technical support anyhow because the information is almost always incomplete or out of date.

4) Community is hit or miss.

The community can be really great, and it can also be really bad. What I've found is that a single user who really gets on the ball in the forums can start a chain reaction and forum usage goes up. All too often, however, the forums seem to wither and a lot of posts with good questions go unanswered.

If you're going to use Liferay, then I recommend getting active in the community, and don't let your questions go unanswered. Bump away. The traffic on the forums isn't very high so nobody is going to get too upset.

5) The permissions system is whack.

There's a hilarious diagram in the Liferay Administrator's Guide that is intended to make the permissions system easy to understand. On the contrary, it just demonstrates the complexity. Maybe I'm "old school" or something, but users and groups are just fine. Want to throw in roles? Fine. But I don't need communities and organizations and locations and public and private pages and everything else all mixed up with users and groups and roles.

Here's what I recommend: assuming that you're going to want to bring your users in from LDAP or some external source, don't bother using Liferay organizations. The idea behind organizations is interesting, but the benefits of using them are very few and I've run into more bugs due to the added complexity. Instead, just use Liferay communities. Unlike organizations, user groups can be associated with communities, which allows you to grant access to a particular community to a user group that you've imported via LDAP. This way you can manage your users in a more centralized way, which is sorta the whole point of LDAP.

Another recommendation: use public pages sparingly. From what I can tell, public pages in Liferay are groups of pages with Guest access hard wired to "on". I can't think of many good reasons for this in a corporate environment, especially if you occasionally have guests on your network.

6) Liferay releases are... odd.

Be very careful before deciding to upgrade to the latest release of Liferay. With 5.2 we saw changes to database setup that were sort of hard to find, a bunch of example data that had to be physically removed, and a whole bunch of portlets and themes that took a month or so to be released.

7) Performance is pretty poor.

Now maybe I'm being too harsh, but the requirements for running Liferay are pretty high. Be prepared to dedicate a server instance to Liferay with a couple gigs of memory and a decent CPU.

Ok, so I think I've covered everything that's bothered me about Liferay thus far. Reviewing my list, it almost seems like Liferay could use some real business-grade suit-and-tie management to make sure that priorities are set and that the project as a whole moves in some well-defined direction. With things like Social Office taking up developers' time, I really don't see the overall quality of Liferay improving much. Given that, it's important to take it for what it is and work around its problems and limitations because it is a good product. It's miles ahead of the other portals out there in terms of end user experience, administration, and simply getting a full-featured portal up and running in short order.


Bryan Cheung said...

Hi, thanks again for blogging about Liferay. :) Bad blogs are better than no blogs, to paraphrase the old saying.

It looks like this is an expansion of your last comment to me on your last blog, which is great because I was hoping to respond to that comment as well.

First, thanks for pointing out Liferay's strengths in out of the box functionality and extensibility. That's a core competitive advantage that we want to continue to improve upon, and the reason why a lot of people continue to choose Liferay and deploy it successfully.

You mentioned a number of factors that have led to a negative or frustrating overall experience of Liferay even in spite of finally getting close to a working solution. Let me address them in turn so that you and your readers can get some sense of how we're trying to deal with each problem.

1. Permissions / security. I do want to make the distinction that we're not talking about "security" in terms of vulnerability to cross-site scripting or general hacking activities. Besides the NTLM issue, we're mostly talking about the out-of-the-box permissions system that deals with the security of individual portal artifacts, such as documents, actions (add, edit), message board posts, and so forth.

That said I do think that the permissions system, while powerful, is too complex to be easily understood and used. To that end we have simplified the system in the latest releases of Liferay. For example, we recently moved to a full roles-based permission system. There is also ongoing discussion about how to improve default permissions, inheritance of permissions, and perhaps overhaul permissions altogether to be view-independent. While the conversation is ongoing, we are listening and sometimes withhold comment until we've been able to give the matter deeper attention.

The best thing to do when you find bugs like the "Recent Posts" loophole is to raise the issue on issues.liferay.com, which of course is our JIRA for defect tracking.

This has worked for the search defect you mention (showing results the user doesn't have permission to see). Part of the problem for a long time was performance, but we've since been able to apply a solution. See LPS-427 and LPS-2242 for more information.

That said, you are certainly welcome to use other search providers such as Google Search Appliance, and some people have done just that.

Regarding the NTLM bug, I've raised the issue with our engineers and we'll try to resolve it.

2. Bugginess. The challenging reality for us is that we are still ramping up our subscription revenue in order to release more engineering bandwidth to address software issues.

Unlike a lot of other commercial open source companies, Liferay remains self-funded. That means we're not working to an investor's agenda, and it allows the freedom to make choices that are most beneficial to the community rather than our monetization timeline. We also have specific philanthropic goals for the company that are easier to accomplish under independent ownership and funding.

But unfortunately this also means that we need to fund the company with time-consuming professional services and we can't get to all the issues as quickly as we'd like. And at the same time we want to continue to innovate and provide features that are expected parts of the roster for today's software. As you mentioned, part of Liferay's appeal is in its out of the box value (which I also recently blogged about), so we want to continue to provide that. But do believe we are doing our best to resolve the issues reported and that we will get there, in time.

You warned your readers to "be prepared to download the Liferay source and do a bit of patching yourself." And while our Standard Edition releases are intended for production use (we do not intend to do a "faux-pen source" bait and switch), we did create our new EE offering precisely for those who would prefer not to do their own patching. Our latest EE, for example, has over 300 critical improvements to the last SE release of 5.1.x. Again our intention is not to do a bait and switch (these fixes are also available in 5.2), but we believe our target customer is the enterprise for whom the subscription is going to cost them less than self-maintenance. And prior to EE, there was no recourse to issue resolution in older releases once a new version was out.

We always appreciate new subscribers and would welcome your readers to see the value of an EE subscription.

3. The Administrator's Guide that you mentioned is the labor of love of Rich Sezov, our knowledge manager and one of the best investments in talent we've ever made here at Liferay. And as we speak Rich is furiously writing to get the Guide updated for 5.2. Of course, 5.2 was only

The Wiki problem you mentioned is something I raised with my engineers just this week and we have a working model for solving it. My take on it is that the front page does not have enough editorial content (landing pages that point out helpful pages in sequence) to make it easy to navigate. It's something we're aware of and we're working on it. But to your point about Wikis, we do think they're not the best medium for tech support and we plan for the Administrator's Guides to be the definitive references, with the Wiki being more encyclopedic for topical or situational information.

In the meantime, we've compiled the major changes and need to know information about 5.2 on a single page, and this is where you'll find the Administrator's Guide when it's ready. We also would like to have "in progress" HTML versions of the Administrator's Guides for each Liferay release, so that the documentation is more easily searched and indexed, and so that people don't have to wait for the whole Guide to be ready to access valuable knowledge. This will be much more structured than the Wiki and therefore easier to navigate, and at the same time less unwieldy than the full PDF.

4. Community. Yes, unfortunately community participation as far as responses to questions is not as strong as we'd like. Maybe because of the nature of a portal, we get a lot of folks who are using Liferay for their own project / customization / what not, and they're more focused on getting answers than giving them. But that said we've got some great community members and a good percentage of our top posters are not Liferay employed.

If you have any suggestions for how to improve participation we're all ears.

5. Improvements to come as mentioned above. We're also considering folding communities into organizations so that the two group types are joined into one super set.

6. We're improving our release process; this last one was particularly challenging because of multiple pressures, but we have a strong schedule that we'll be adhering to for 5.2 and 5.3. Expect these to be more predictable over the next two major releases.

7. Performance. You'll be pleased to know that we've been working specifically on performance over the last several weeks, and my engineer has reported a significant performance improvement with his enhancements to the code. You'll be hearing more about this soon and I think the results will be very good.

We've also done more to ensure that Liferay makes a strong impression out of the box. Before, Liferay "shipped" by default in "developer mode"—caching turned off, integrated Hypersonic SQL (only for minimal evaluation and not even for development, and certainly not for production), no packing of JS or other bandwidth-sensitive files. We've changed recent releases to be more performance tuned out of the box.

Finally, you closed with comments about the need for business-driven product management, as well as some doubts about whether Social Office might be consuming engineering resources.

First, I agree about the need for business-driven use cases and product management, and we are making a definitive shift toward that for 5.3. I've been drilling my engineers to think in terms of solutions and not features. This is critical to Liferay's relevance in coming releases, and will put the 10-20% of polish on the product that it needs to truly shine. It's really about them thinking about and understanding how the portal is being used to solve larger business problems, rather than how to solve the specific / minute problems of an individual feature.

As for whether Social Office is taking up resources, in fact the way we've devised the engineering of Social Office, a lot of the development work is beneficial to both products. For example, the Office integration using Sharepoint protocols is common to Portal and Social Office. And any improvements to user experience or capability that are applicable to both general portal and collaborative workspace use cases are being applied to both products. So I don't think that needs to be a concern.

Thanks again for caring enough to write and I hope this post clears up some of your questions and misgivings.

Bryan Cheung said...

Looks like I screwed up a couple of the links there:

EE Subscriptions

Issue Tracker

SM2K said...

Thanks for commenting Bryan. I do believe that Liferay is a good product overall, and I just wanted to share my experience with it.

Your openness in this exchange has really helped me gain a little bit of faith in Liferay, and I do expect good things in the future.

Amer said...

SM2K,

I just wanted to say thank you, thank you for saying what you said, I don't even want to read what Bryan contributed with, my experience with liferay started just as yours did, and then took a hellish turn, unfortunately - like you - I still think liferay is an amazing product, and once you get it up and running, it is almost worth the effort.

Bryan Cheung said...

Thanks for the comment, SM2K. Believe me, there's so much more we want to do, we're looking forward to improving things. Just need time and help from the community.

By the way, what's your screen name on the Liferay community? Just curious so we'll know to look out for you.

Anonymous said...

I've been working with Liferay 5.1.1 for a couple years now and I can't agree more. If you want/need a Portal based framework, you get a lot of bang for the buck with Liferay, but be prepared. I especially agree with the nature of Liferay releases. In the past point releases have included major changes to the product that seemed out of place in a point release. Also interfaces and classes can just disappear without notice or a deprecation period. RE Bryan's comment "...this last one was particularly challenging because of multiple pressures...."
Yeah, that's the nature of commercial enterprise software. It's not going to get any easier as far as releases go.

Mike said...

It might be a little late to add something but you really did forget to mention how, and sorry for the word, it sucks to develop a new portlet for liferay. Developing time increases thousands of times, testing is painful, and you're really, really cornered into doing it the "liferay way" or die trying. My Advice: Use it as it is, or prepare for madness.

HairyDogTrumpet said...

hey are you still around? i'd love to know if you're still using liferay :)

Anonymous said...

They make it really hard to find pricing on liferay EE. You might end up needing this. The pricing scheme should be straight forward enough to put on their website. I heard some companies are paying over 30k a year.

Ursula said...

This post is from 2008. Do you still hate/love Liferay???

renata said...

Are you still using it? I'm just starting with Liferay 6.1.1 CE GA2 and I want to know how many of the issues that you mentioned are still occurring?

Nestor Ledon said...

Liferay is pretty bad. Compare all its aspects to Joomla! and there will be a clear victor. For an "Enterprise Application" built on J2EE and Struts/Spring/Hibernate, Joomla!'s little PHP core makes it look like a joke.

Ching Ice-creaming said...

I retired from a programming job many years ago, now I have time to write my memoirs about portals.war episode by episode.


Liferay is still using obsolete Struts 1.2.9 as its core even Apache has already announced Struts 1 end of life!

October 2, 2013 at 8:26 PM

jason alexander said...

After working with Liferay 6.1.1 CE GA2 for a year, I share any frustration. Our team mistakenly chose it so that we could extend it, just for its base functionality, and use it in a cluster. The liferay website and feature list was appealing, but deceiving.

1. It _is_ really buggy, jumbled together and a disappointment to extend and develop with. Our team regrets going with it because we constantly have to work around the limitations. We have issues such as an unnecessary two-step deploy that changes the web.xml and adds a couple of jars, and broken pages that require full page loading to get some resources when a portlet is added, (despite the fact that it loads a small country worth of unused javascript and css into the browser when you load an empty page).

2. The fact that it is only available in 'kitchen sink' format ruins its future, because if I wanted to submit fixes, improvements or fork it, I don't have a 'platform' that is clearly separated from all of the portlets, and modules. This is why Eclipse has a base platform.

3. Indeed - it's missing a common architectural vision and thus you will see dozens of conflicting frameworks patched together like a drunken Picasso. The code is organized okay, but the implementation overall is very funky.

4. Sympathies if you run this in a cluster, or on a commercial container like Weblogic or WebSphere. Users, Groups, preferences don't cross between servers well, and some users or preferences only show up on some servers, even though they all use the same DB.

5. I should _never_ _ever_ need to unpack and modify an _ear_ or the guts of a packaged and distributed application (liferay.war or tomcat dist). Yet, that's status quo when working with Liferay. When we upgrade, we cannot just install a new WAR, or distribution - we have to re-create any relevant hacks, that we had to do to the previous version, in the new one.

Save yourself some time and check back in 2015, to see whether Liferay is still a mess.

Consider Sencha Ext JS or build it yourself. It'll be less frustration.

Anonymous said...

"Save yourself some time and check back in 2015, to see whether Liferay is still a mess. "

Well it's 2016 now and it's still a steaming pile of dog poo. I see no progress having been made on the product's quality. Buggy piece of cr*p.

M.H. said...

Like the rest of you, I'm here because I've spent an inordinate amount of
time wrestling with Liferay and I'm wondering if it is worth using at all.

It's late 2016. I've been wrestling with LR (off and on) for a year.
I still hate it. There's a serious disconnect between the breezy
documentation and the underlying organizational mess.

Sadly, the client has chosen to go this route so I must persevere.
I've never wanted to hurl my laptop out the window as much as
LR makes me want to.

I understand all of the technologies underlying LR fairly well;
LR appears to be a thin handle that's trying to leverage much bigger
and better designed packages, and not doing a very good job
of it.