Liferay JSON Web Services available at /api/jsonws is open access for any uLiferay JSON Web Services available at /api/jsonws is open access for any uhttps://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1186914832026-04-04T03:13:46Z2026-04-04T03:13:46ZRE: Liferay JSON Web Services available at /api/jsonws is open access for aAbdollah Esmaeilpourhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1187042582020-03-10T11:39:21Z2020-03-10T11:39:21ZGreat help. So I decided not to use Permissions for this purpose. I used <strong>jsonws.servlet.hosts.allowed</strong> in <em>portal-ext.properties</em> and restricted the access to that page to some safe IPs.Abdollah Esmaeilpour2020-03-10T11:39:21ZRE: Liferay JSON Web Services available at /api/jsonws is open access for aChristoph Rabelhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1186921462020-03-08T11:50:23Z2020-03-08T11:50:23ZWell, the page itself is the least of your problems. You really should upgrade to a newer Liferay version.<br />That said, David Nebinger wrote a blog about securing that page, but it applies only to 7.0+<br /><a href="https://liferay.dev/blogs/-/blogs/securing-the-api-jsonws-ui">https://liferay.dev/blogs/-/blogs/securing-the-api-jsonws-ui</a><br />You should be able to do the same (codewise) for 6.2 by using a hook.Christoph Rabel2020-03-08T11:50:23ZLiferay JSON Web Services available at /api/jsonws is open access for any uAbdollah Esmaeilpourhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1186914822020-03-08T10:44:27Z2020-03-08T10:44:27ZI asked this question on <a href="https://stackoverflow.com/questions/60579109/liferay-json-web-services-available-at-api-jsonws-is-open-access-for-any-user">StackOverflow </a>but I didn't receive any answer. So I am repeating it here. I hope someone can help me.<br /><br />On Liferay 6.2, the JSON Web Services are open access via<span style="color: #212529"><span style="font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace"><span style="font-size: 14px;"> http://example.com/api/jsonws</span></span></span><span style="font-size: 16px;">. I know that I can restrict access to it to some special IPs via </span><span style="color: #212529"><span style="font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace"><span style="font-size: 14px;">portal-ext.properties</span></span></span><span style="font-size: 16px;">. But I want to grant this permission just to </span>Administrators <span style="font-size: 16px;">to see this page. A </span><u><span style="font-size: 16px;"><a href="https://portal.liferay.dev/docs/6-2/tutorials/-/knowledge_base/t/service-security-layers">Liferay document</a></span></u><span style="font-size: 16px;"> says</span><br /><blockquote><span style="font-size: 16px;">"Liferay’s user permission layer is the last Liferay security layer triggered when services are invoked remotely."</span><br /></blockquote><span style="font-size: 16px;">But I couldn't find anything nor in </span><span style="color: #212529"><span style="font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace"><span style="font-size: 14px;">portal.properties</span></span></span><span style="font-size: 16px;"> neither in </span>Control Panel/Roles<span style="font-size: 16px;"> to set such permission for </span>Administrators <span style="font-size: 16px;">to prevent others from seeing </span><span style="color: #212529"><span style="font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace"><span style="font-size: 14px;">http://example.com/api/jsonws.</span></span></span><span style="font-size: 16px;"><br /></span>..Abdollah Esmaeilpour2020-03-08T10:44:27Z