RE: API security differences

Pete Helgren, modified 7 Years ago. Regular Member Posts: 225 Join Date: 4/7/11

I have a Service Builder API that I have exposed and that is accessible using the api/jsonws panel in Liferay.  Works fine.   I can also invoke the API using Postman using a POST request with a URL of http://localhost:8080/api/jsonws/invoke and a body (raw) of:

{
    "/media.mymediamethod/get-media-list": {
        "emailAddr": "me@something.com"
    }
}

This too, works like a charm.  But, if I use the URL like so:

http://localhost:8080/api/jsonws/media.mymediamethod/get-media-list/email-addr/me%40something.com

I get:

Forbidden
You do not have permission to access the requested resource. 


Now I understand that adding the p_auth parameter might help, but what is throwing me is that I am running Postman without ANY authorization at all.  Nothing in the header, no extra p_auth params.  Nothing.  And yet Postman will invoke with no authorization and a URL will not.  I even added the @AccessControlled(guestAccessEnabled=true) annotation to the method signature (didn't help).  I added the API to the "System Default" service access policy (didn't help).  And yet the URL invocation doesn't work and Postman does.

I am trying to enable an ajax invocation of the API (jQuery) from a remote server.  Again, Postman invokes with no issue, the URL...nothing but forbidden. So, why the difference?  Postman doesn't authenticate and works.  The URL doesn't....

Minhchau Dang, modified 7 Years ago. Liferay Master Posts: 598 Join Date: 10/22/07
Pete Helgren:

So, why the difference?  Postman doesn't authenticate and works.  The URL doesn't....

The authentication token check specifically only triggers when you're signed in (reference), so it'll be skipped when you're not authenticated. In other words, the authentication token check will never run with Postman, and it's likely to always run in your browser unless you clear your cookies right before you paste the URL into your address bar.
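An added example (not code from the thread or from Liferay) that builds the two call shapes Pete used and models the session-bound check Minhchau describes: the browser, which carries the signed-in session cookie, must also send p_auth, while a cookie-less client like Postman never reaches the check. It assumes the token value is available to page script as Liferay.authToken on a portal-served page; the server-side model is a simplified stand-in for the real filter.

```javascript
// Liferay JSONWS path form: parameters follow the method as /name/value pairs,
// with camelCase parameter names written hyphenated (emailAddr -> email-addr).
function camelToHyphen(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

function jsonwsPathUrl(base, method, params) {
  let url = `${base}/api/jsonws${method}`;
  for (const [name, value] of Object.entries(params)) {
    url += `/${camelToHyphen(name)}/${encodeURIComponent(String(value))}`;
  }
  return url;
}

// POST /api/jsonws/invoke with the JSON body shape used from Postman. When a
// token is supplied (on a portal page: window.Liferay.authToken, an assumption
// about where page script reads it) it goes on the query string as p_auth,
// which is where the portal's parameter-based token check looks for it.
function jsonwsInvokeRequest(base, method, params, authToken) {
  const url = authToken
    ? `${base}/api/jsonws/invoke?p_auth=${encodeURIComponent(authToken)}`
    : `${base}/api/jsonws/invoke`;
  return {
    url,
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ [method]: params }),
  };
}

// Simplified model of the behaviour described in the answer: the token check
// runs only when the request carries a signed-in session; without one it is
// skipped, with one the supplied p_auth must match the session's token.
function authTokenCheck(request, session) {
  if (!session) return 'skipped';
  const supplied = new URL(request.url).searchParams.get('p_auth');
  return supplied === session.authToken ? 'passed' : 'forbidden';
}
```

Sending the request from the browser with credentials attached and a valid p_auth keeps the portal-wide json.service.auth.token.enabled check in place instead of switching it off.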

Pete Helgren, modified 7 Years ago. Regular Member Posts: 225 Join Date: 4/7/11

Thanks.  That makes sense.  I haven't tested the idea yet because I ended up changing portal-ext.properties by adding json.service.auth.token.enabled=false.  There might be other side effects with that so I'll have to do some additional testing.  As a follow up, and perhaps a bit OT, I have been looking for some examples and additional information on support for JSONP.  I did read that you can pass a callback parameter but I saw no example of the correct syntax.  I'll do some debugging but is there a "quick" answer here? (LR 7 GA5 CE)   I plan to try adding ?callBack='myCallBack' but I have no idea if that would work (yet).