Service Access Policy - how to apply itService Access Policy - how to apply ithttps://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1146296292026-04-04T13:23:27Z2026-04-04T13:23:27ZRE: Service Access Policy - how to apply itPete Helgrenhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1146474972019-08-07T21:34:20Z2019-08-07T21:34:20ZThanks...<br /><br />Hmmm. OK I tried that but perhaps I did it wrong. I added the p_auth token to the end of the url like this:<br /><br /> https://api.mydomain.org/api/jsonws/mycore.lesson/get-lesson-resources/class-number/98765/locale-cd/en/lang/en /p_auth/MYTOKEN<br /><br />I still get access denied when I toggle OFF the "Default" even though the method is whitelisted and the IP is whitelisted.<br /><br />Not sure what the next step would be. I wish there was a trace option so I could see where the security is failing.....Pete Helgren2019-08-07T21:34:20ZRE: Service Access Policy - how to apply itDavid H Nebingerhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1146466512019-08-07T19:48:16Z2019-08-07T19:48:16ZI think if you don't have a p_auth token, you may need to use an alternate authentication mechanism such as the basic auth header.<br /><br />The problem I have with the IP address filter is that, by turning it on, you affect the ability of the end user's browsers being able to invoke services back on the portal.<br /><br />While there is probable some use cases for it, I'm not sure it works so well in the general cases...David H Nebinger2019-08-07T19:48:16ZRE: Service Access Policy - how to apply itPete Helgrenhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1146428042019-08-07T15:50:58Z2019-08-07T15:50:58Z<html><head></head><body>OK. I get the fact that portal-ext.propeties entries are blunt. So what would be the next step? I did add the IP to the whitelist, yet any IP can still connect, regardless of that entry. I did restart LR after making that change.<br><br>So, IP restrictions do not appear to be enough. The control panel settings on the Service Access Policy allow me add the methods I want to the "whitelist". Done! At the top of that page I see an "Enable" toggle and a "Default" toggle. When I enable the policy but do not toggle ON the "Default". I cannot connect remotely to the API, even though my IP is whitelisted and the method is whitelisted. When I toggle on "Default" I CAN access the API remotely, but so can any other IP address on the planet. So, the "Default" setting seems to override just about everything and let anyone access the API.<br><br>So, here are the steps as summaried in this knowledge base article: https://portal.liferay.dev/docs/7-0/deploy/-/knowledge_base/d/securing-liferays-remote-services<br><br><ol style="list-style: decimal outside;" start="1"><li>The IP address must be pre-configured in the server’s <pre><code>portal-ext.properties</code></pre> file.</li><li>At least one service access policy which applies to the request must have the API function being invoked in a whitelist.</li><li>If a browser is making the web service invocation request, a valid authentication token (<pre><code>p_auth</code></pre> URL parameter) must be provided.</li><li>The user ID being used must have permission to access the resources it attempts to access.</li></ol> #1 and #2 have been done. #3 doesn't apply since this is not a call from a browser. So the only remaining question is with #4. Do I need to ALSO provide a USERID in order to access the API? <br><br>Thanks for your help with this. </body></html>Pete Helgren2019-08-07T15:50:58ZRE: Service Access Policy - how to apply itDavid H Nebingerhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1146302462019-08-07T02:11:52Z2019-08-07T02:11:52ZThose properties are not related to the service access policies.<br /><br />They are overall controls over where connections can be established from. They are extremely blunt instruments that dictate what IPs can connect.<br /><br />The linked documentation tells how you can define a service access policy of your own <strong>from within the control panel</strong>, not via portal-ext.properties.David H Nebinger2019-08-07T02:11:52ZService Access Policy - how to apply itPete Helgrenhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1146296282019-08-07T01:57:19Z2019-08-07T01:57:19Z<html><head></head><body>I thought I had things locked down on my portlet using this guide from the Knowledge base: https://portal.liferay.dev/docs/7-0/deploy/-/knowledge_base/d/service-access-policies I am using the " <strong>IP permission layer:</strong> " approach. I added the whitelisted IP to these two entries in portal.properties file:<br><br><br><pre><code>&nbsp;&nbsp;&nbsp; #
&nbsp;&nbsp;&nbsp; # See the properties "main.servlet.hosts.allowed" and
&nbsp;&nbsp;&nbsp; # "main.servlet.https.required" on how to protect this servlet.
&nbsp;&nbsp;&nbsp; #
&nbsp;&nbsp;&nbsp; jsonws.servlet.hosts.allowed=xxx.xxx.xxx.xxx, 127.0.0.1, SERVER_$
&nbsp;&nbsp;&nbsp; jsonws.servlet.https.required=false
&nbsp;&nbsp;&nbsp; json.servlet.hosts.allowed=xxx.xxx.xxx.xxx, 127.0.0.1, SERVER_IP
&nbsp;&nbsp;&nbsp; json.servlet.https.required=false</code></pre><br><br>My IP in this case represented by the xxx.xxx.xxx.xxx <br><br>If I call the API remotely like this: https://api.mydomain.org/api/jsonws/mycore.lesson/get-lesson-resources/class-number/98765/locale-cd/en/lang/en Then I get an error message:<br><br> "Access denied to org.mydomain.api.core.service.LessonService#getLessonResources"<br><br>The method is listed in the Allowed Service Signatures list. The ONLY way so far to get access to the API is to use the "Default" on the service access policy. Then I can get a JSON response with the content from the api.<br><br>So, am I doing this wrong? Are the "Layers" described in the knowledge base ALL needed? Do I need something in addition to the IP entries in portal-ext.properties?<br><br>It seems like it should be simple, but I am not getting it sorted out....<br><br>Liferay 7.0 GA5</body></html>Pete Helgren2019-08-07T01:57:19Z