It was found that the PortletBridge PortletRequestDispatcher did not respect security constraints set by the servlet when a portlet request asked for rendering of a non-JSF resource such as JSP or HTML.
Acknowledgements: Red Hat would like to thank Liferay, Inc. for reporting this issue.
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1543 https://rhn.redhat.com/errata/RHSA-2015-1543.html
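To gauge exposure to the issue described above, it helps to know which JSP or HTML resources rely on web.xml security constraints for their protection. The following is an added example, not code from the advisory, Red Hat or PortletBridge: a simplified audit that applies servlet URL-pattern matching to candidate dispatch targets. The web.xml fragment, the paths, the extension list and all function names are constructed for illustration, and http-method restrictions are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (sample input, not taken from the advisory).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

NON_JSF_EXT = (".jsp", ".jspx", ".html", ".htm")  # assumed set of non-JSF types

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def find(el, name):
    """All elements under el (inclusive) whose local name is `name`."""
    return [c for c in el.iter() if local(c.tag) == name]

def load_constraints(xml_text):
    """Return [(url_pattern, roles)] for each constraint that has an auth-constraint."""
    out = []
    for sc in find(ET.fromstring(xml_text), "security-constraint"):
        auth = find(sc, "auth-constraint")
        if not auth:
            continue  # no auth-constraint: the pattern is not role-restricted
        # An auth-constraint without roles means nobody may access the resource.
        roles = [r.text.strip() for r in find(auth[0], "role-name")] or ["<no access>"]
        out += [(p.text.strip(), roles) for p in find(sc, "url-pattern")]
    return out

def matches(pattern, path):
    """Servlet URL-pattern match: path prefix (/x/*), extension (*.x), else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

def audit(xml_text, dispatch_paths):
    """Map each non-JSF dispatch target to the roles web.xml requires for it."""
    constraints = load_constraints(xml_text)
    report = {}
    for path in dispatch_paths:
        if path.lower().endswith(NON_JSF_EXT):
            report[path] = sorted({r for pat, rs in constraints
                                   if matches(pat, path) for r in rs})
    return report
```

Paths that come back with a non-empty role list are the ones that depend on container-enforced constraints, so they are the resources to review on an unpatched deployment.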