Liferay remote service access for all users

Rafał Pydyniak, modified 5 Years ago. New Member Posts: 16 Join Date: 6/24/20
Hello,
I have a problem with using remote services. I have a method findAll() in my *Service. This method just returns some entities from the database. We want this data to be accessible to both logged-in users and guests. I have therefore added a ServiceAccessPolicy for my Service and it works great for guest users - I get the JSON with data when I enter the URL http://localhost:8080/api/jsonws/invoke?cmd={%22/mynamespace.data/find-all%22:{}}
(the namespace and table names are changed)
But when I try to enter exactly the same URL as a logged-in user (either an admin user or just a newly created user without any additional roles) I get the error:
So basically I can enter the URL as a guest but I can't as an administrator, which seems quite weird to me. When I try with the p_auth parameter obtained from Liferay.auth it works fine (so the same URL but with &p_auth=MY_TOKEN).
But I'd like not to use p_auth because we don't want to use the Liferay object.
I know I could also:
  • Use basic authentication - but in my case I can't because we're actually calling the REST from React application embedded in MVCPortlet and this React app doesn't have the username/password
  • Use Liferay.Service - we don't want to use the Liferay object at all
Any clues? Perhaps it's a bug in Liferay remote services?
I'm using Liferay 7.0.6 GA7 at the moment (we're moving to DXP but it's a process that takes time ;))
Best regards,
Rafał
Christoph Rabel, modified 5 Years ago. Liferay Legend Posts: 1555 Join Date: 9/24/09
I guess it is the missing authToken parameter. Liferay checks if the parameter is there for security reasons, to make sure that the call was actually made by the current user. I don't know if you can disable the check for one specific method only.
If you call it from a Liferay page, you can add the p_auth parameter yourself. Even if you don't want to use the Liferay object, just using window.Liferay.authToken is probably not a big deal.
Another way to solve this would be to implement the service method using the rest template instead of through service builder. That approach really has a lot of merits since you are far more flexible with the interfaces you can provide and you also have a lot more control over things like authentication. (There is also the rest builder, https://help.liferay.com/hc/en-us/articles/360028708852-Introduction-to-REST-Builder which might also be useful if you plan to have lots of rest services)
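
Added example, not part of the thread and not Liferay's own code: one way to make the call from the React app with the p_auth parameter discussed above, taking the token as an argument (for instance read once from window.Liferay.authToken by the embedding page and passed in). The function names and the same-origin check are assumptions of this example.

```javascript
// Added example. Only /api/jsonws/invoke, cmd, p_auth and Liferay.authToken
// come from the thread; every other name here is hypothetical.

// Build the JSON web service invoke URL with the p_auth token appended.
function buildInvokeUrl(portalOrigin, servicePath, args, authToken) {
  if (typeof authToken !== "string" || authToken.length === 0) {
    // Without the token a signed-in session is rejected, as in the question.
    throw new Error("p_auth token is required for signed-in callers");
  }
  const url = new URL("/api/jsonws/invoke", portalOrigin);
  // Same command shape as the URL in the question: {"/service/method": {args}}
  url.searchParams.set("cmd", JSON.stringify({ [servicePath]: args || {} }));
  url.searchParams.set("p_auth", authToken);
  return url.toString();
}

// Send the call with the session cookie, and only to the page's own origin,
// so the token is never disclosed to another host.
async function invokeJsonWs(pageOrigin, portalOrigin, servicePath, args, authToken) {
  if (new URL(portalOrigin).origin !== new URL(pageOrigin).origin) {
    throw new Error("refusing to send p_auth to a different origin");
  }
  const response = await fetch(
    buildInvokeUrl(portalOrigin, servicePath, args, authToken),
    { credentials: "same-origin", headers: { Accept: "application/json" } }
  );
  if (!response.ok) {
    throw new Error("JSON web service call failed: HTTP " + response.status);
  }
  return response.json();
}
```

In the portlet, `pageOrigin` and `portalOrigin` would both be `window.location.origin`; the token value in any test call is a placeholder.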