JSON web services are enabled in Liferay by default. If you need to disable them, specify this portal property setting in a
This tutorial presents other such properties that you can use to fine-tune exactly how JSON web services work in your Liferay instance. You can find these, and other properties, in the portal properties reference documentation. As with the preceding property, you should set portal properties in a
First, you’ll learn about setting whether JSON web services are discoverable via the API page.
By default, JSON web services are discoverable via the API page at http://[address]:[port]/api/jsonws. To disable this, set the following property:
Next, you’ll learn how to disable HTTP methods.
Disabling HTTP Methods
When strict HTTP method mode is enabled, you can filter web service access based on HTTP methods used by the services. For example, you can set your Liferay instance’s JSON web services to work in read-only mode by disabling HTTP methods other than GET. For example:
With this setting, all requests that use
PUT HTTP methods are ignored.
Next, you’ll learn how to restrict public access to exposed JSON APIs.
Strict HTTP Methods
All JSON web services are mapped to either GET or POST HTTP methods. If a service method name starts with has, the service is assumed to be read-only and is bound to the GET method. Otherwise, it’s bound to
By default, Liferay doesn’t check HTTP methods when invoking a service call; it works in non-strict HTTP method mode, where services may be invoked using any HTTP method. If you need the strict mode, you can set it as follows:
When using strict mode, you must use the correct HTTP methods to call service methods. When strict HTTP mode is enabled, you still might need to disable HTTP methods. You’ll learn how next.
Controlling Public Access
Each service method knows whether a given user has permission to invoke the chosen action. If you’re concerned about security, you can restrict access to exposed JSON APIs by explicitly permitting or restricting certain JSON web service paths.
jsonws.web.service.paths.includes denotes patterns for JSON web service action paths that are allowed. Set a blank pattern to allow any service action path.
jsonws.web.service.paths.excludes denotes patterns for JSON web service action paths that aren’t allowed even if they match one of the patterns set in
Note that these properties support wildcards. For example, if you set jsonws.web.service.paths.includes=get*,has*,is*, Liferay makes all read-only JSON methods publicly accessible. All other JSON methods are secured. To disable access to all exposed methods, you can leave the right side of the = symbol empty. To enable access to all exposed methods, specify *. Remember that if a path matches both the jsonws.web.service.paths.includes and jsonws.web.service.paths.excludes properties, the jsonws.web.service.paths.excludes property takes precedence.
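
One way to check an includes/excludes pair against a list of action paths before deploying it. This is an added example, not Liferay's code, and its function names are hypothetical. It assumes patterns are shell-style globs compared against the whole action path, follows the jsonws.web.service.paths.includes description above in treating a blank includes list as allowing any path, and uses constructed sample patterns and paths.

```python
from fnmatch import fnmatchcase

INCLUDES = "jsonws.web.service.paths.includes"
EXCLUDES = "jsonws.web.service.paths.excludes"

def load_patterns(properties_text):
    """Read the two path properties from portal properties text."""
    patterns = {INCLUDES: [], EXCLUDES: []}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue  # skip blanks, comments and lines without a key=value pair
        key, _, value = line.partition("=")
        if key.strip() in patterns:
            patterns[key.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return patterns[INCLUDES], patterns[EXCLUDES]

def is_path_allowed(path, includes, excludes):
    # Excludes take precedence: a path matching both lists is rejected.
    if any(fnmatchcase(path, p) for p in excludes):
        return False
    # Assumption: a blank includes list allows any path.
    if not includes:
        return True
    return any(fnmatchcase(path, p) for p in includes)

def audit(properties_text, action_paths):
    """Map each action path to True (exposed) or False (blocked)."""
    includes, excludes = load_patterns(properties_text)
    return {p: is_path_allowed(p, includes, excludes) for p in action_paths}

# Constructed sample configuration and action paths, for illustration only.
SAMPLE_PROPERTIES = """\
jsonws.web.service.paths.includes=/user/get-*,/user/has-*,/group/*
jsonws.web.service.paths.excludes=/user/get-user-by-email*,/group/delete-*
"""
SAMPLE_PATHS = [
    "/user/get-user-by-id",
    "/user/get-user-by-email-address",  # matches both lists
    "/user/has-role-user",
    "/user/update-password",            # matches neither list
    "/group/get-group",
    "/group/delete-group",              # matches both lists
]

if __name__ == "__main__":
    for path, allowed in audit(SAMPLE_PROPERTIES, SAMPLE_PATHS).items():
        print(f"{'ALLOW' if allowed else 'DENY':5}  {path}")
```

Replace SAMPLE_PATHS with the action paths listed by your own instance to see which ones a candidate configuration would leave exposed.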