RE: Liferay JSON Web Services available at /api/jsonws is open access for a

Abdollah Esmaeilpour, modified 5 Years ago. Junior Member Posts: 60 Join Date: 8/22/09
I asked this question on StackOverflow but I didn't receive any answer. So I am repeating it here. I hope someone can help me.

On Liferay 6.2, the JSON Web Services are open access via http://example.com/api/jsonws. I know that I can restrict access to it to some special IPs via portal-ext.properties. But I want to grant permission to see this page just to Administrators. A Liferay document says:
"Liferay’s user permission layer is the last Liferay security layer triggered when services are invoked remotely."
But I couldn't find anything, either in portal.properties or in Control Panel/Roles, to set such a permission for Administrators to prevent others from seeing http://example.com/api/jsonws.
Christoph Rabel, modified 5 Years ago. Liferay Legend Posts: 1555 Join Date: 9/24/09
Well, the page itself is the least of your problems. You really should upgrade to a newer Liferay version.
That said, David Nebinger wrote a blog about securing that page, but it applies only to 7.0+
https://liferay.dev/blogs/-/blogs/securing-the-api-jsonws-ui
You should be able to do the same (codewise) for 6.2 by using a hook.
Abdollah Esmaeilpour, modified 5 Years ago. Junior Member Posts: 60 Join Date: 8/22/09
Great help. So I decided not to use Permissions for this purpose. I used jsonws.servlet.hosts.allowed in portal-ext.properties and restricted the access to that page to some safe IPs.
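
A check for the `jsonws.servlet.hosts.allowed` setting mentioned in the last post, added here as an example and not code from the thread's participants or from Liferay: it parses a `portal-ext.properties` file and reports when the allow-list is missing, blank, or overridden by a later duplicate key. Assumptions: a blank value means no IP restriction (the open default the thread describes), `SERVER_IP` is the token Liferay substitutes with the server's own address, entries are expected to be literal IPs, and all sample values are constructed.

```python
import ipaddress

KEY = "jsonws.servlet.hosts.allowed"  # property named in the thread

def parse_properties(text):
    """Minimal Java .properties parser: comments, '=' or ':' separators,
    backslash continuation; a later duplicate key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""
    return props

def audit(text):
    """Return a list of findings for the JSON WS host allow-list."""
    value = parse_properties(text).get(KEY)
    if value is None:
        return ["%s is not set: portal default applies" % KEY]
    if not value:
        return ["%s is blank: no IP restriction" % KEY]
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if entry == "SERVER_IP":  # assumed token for the server's own IP
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            findings.append("entry %r is not a literal IP address" % entry)
    return findings

# Constructed samples: the second definition silently re-opens the endpoint.
SAMPLE_OPEN = (KEY + "=127.0.0.1,SERVER_IP\n"
               "# later override\n" + KEY + "=\n")
SAMPLE_RESTRICTED = KEY + "=127.0.0.1,SERVER_IP,192.0.2.10\n"

if __name__ == "__main__":
    for name, text in (("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED)):
        print(name, audit(text) or "OK")
```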