<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <title>API security differences</title>
  <link rel="self" href="https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&amp;threadId=110254054" />
  <subtitle>API security differences</subtitle>
  <id>https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&amp;threadId=110254054</id>
  <updated>2026-04-05T11:11:30Z</updated>
  <dc:date>2026-04-05T11:11:30Z</dc:date>
  <entry>
    <title>RE: API security differences</title>
    <link rel="alternate" href="https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&amp;messageId=110343048" />
    <author>
      <name>Pete Helgren</name>
    </author>
    <id>https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&amp;messageId=110343048</id>
    <updated>2018-06-26T14:47:31Z</updated>
    <published>2018-06-26T14:47:31Z</published>
    <summary type="html">&lt;p&gt;Thanks.  That makes sense.  I haven't tested the idea yet because I
  ended up changing portal-ext.properties by
  adding json.service.auth.token.enabled=false. There might be other
  side effects with that, so I'll have to do some additional testing.  As
  a follow-up, and perhaps a bit OT, I have been looking for some
  examples and additional information on support for JSONP.  I did read
  that you can pass a callback parameter but I saw no example of the
  correct syntax.  I'll do some debugging but is there a
  &amp;quot;quick&amp;quot; answer here? (LR 7 GA5 CE)   I plan to try adding
  ?callBack='myCallBack' but I have no idea if that would work (yet).&lt;/p&gt;</summary>
    <dc:creator>Pete Helgren</dc:creator>
    <dc:date>2018-06-26T14:47:31Z</dc:date>
  </entry>
  <entry>
    <title>RE: API security differences</title>
    <link rel="alternate" href="https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&amp;messageId=110315611" />
    <author>
      <name>Minhchau Dang</name>
    </author>
    <id>https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&amp;messageId=110315611</id>
    <updated>2018-06-21T23:05:47Z</updated>
    <published>2018-06-21T23:05:47Z</published>
    <summary type="html">&lt;blockquote&gt;
  &lt;div class="quote-title"&gt;Pete Helgren:&lt;/div&gt;
  &lt;div class="quote"&gt;
    &lt;div class="quote-content"&gt;
      &lt;p&gt;So, why the difference?  Postman doesn't authenticate and
        works.  The URL doesn't....&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;/blockquote&gt;
&lt;p&gt;The authentication token check specifically only triggers when you're
  signed in (&lt;a
  href="https://github.com/liferay/liferay-portal/blob/7.0.6-ga7/portal-impl/src/com/liferay/portal/struts/JSONAction.java#L152-L160"&gt;reference&lt;/a&gt;),
  so it'll be skipped when you're not authenticated. In other words, the
  authentication token check will never run with Postman, and it's
  likely to always run in your browser unless you clear your cookies
  right before you paste the URL into your address bar.&lt;/p&gt;</summary>
    <dc:creator>Minhchau Dang</dc:creator>
    <dc:date>2018-06-21T23:05:47Z</dc:date>
  </entry>
  <entry>
    <title>API security differences</title>
    <link rel="alternate" href="https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&amp;messageId=110254053" />
    <author>
      <name>Pete Helgren</name>
    </author>
    <id>https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&amp;messageId=110254053</id>
    <updated>2018-06-21T21:17:35Z</updated>
    <published>2018-06-21T21:17:35Z</published>
    <summary type="html">&lt;p&gt;I have a service builder api that I have exposed and is accessible
  using the api/jsonws panel in Liferay.  Works fine.   I can also
  invoke the API using Postman using a POST request with a URL of &lt;a
  href="http://localhost:8080/api/jsonws/invoke"&gt;http://localhost:8080/api/jsonws/invoke&lt;/a&gt; and
  a body (raw) of:&lt;br /&gt;
  &lt;br /&gt; {&lt;br /&gt;   
   &amp;quot;/media.mymediamethod/get-media-list&amp;quot;:{&lt;br /&gt;   
   &amp;quot;emailAddr&amp;quot;:&amp;quot;me@something.com&amp;quot;&lt;br /&gt;     }&lt;br /&gt; }&lt;br /&gt;
  &lt;br /&gt; This too, works like a charm.  But, if I use the URL like so:&lt;br /&gt;
  &lt;br /&gt; http://localhost:8080/api/jsonws/media.mymediamethod/get-media-list/email-addr/me%40something.com&lt;br /&gt;
  &lt;br /&gt; I get: &lt;/p&gt;
&lt;p&gt;Forbidden&lt;br /&gt; You do not have permission to access the requested resource. &lt;/p&gt;
&lt;p&gt;
  &lt;br /&gt; Now I understand that adding the p_auth parameter might help
  but what is throwing me is that I am running Postman without ANY
  authorizations at all.  Nothing in the header, no extra p_auth
  params.  Nothing.  And yet Postman will invoke with no authorization
  and a URL will not.  I even added
  the @AccessControlled(guestAccessEnabled=true) annotation to the method
  signature (didn't help).  I added the api to the &amp;quot;System
  Default&amp;quot; service access policy (didn't help).  And yet the URL
  invocation doesn't work and Postman does.&lt;br /&gt;
  &lt;br /&gt; I am trying to enable an ajax invocation of the API (jQuery)
  from a remote server.  Again, Postman invokes with no issue, the
  URL...nothing but forbidden. So, why the difference?  Postman doesn't
  authenticate and works.  The URL doesn't....&lt;/p&gt;</summary>
    <dc:creator>Pete Helgren</dc:creator>
    <dc:date>2018-06-21T21:17:35Z</dc:date>
  </entry>
</feed>
