Securing Web Services
- Setting Service Access Policies
- Using Authentication Verifiers
- Setting Up CORS
Liferay DXP provides four security layers for web services:
IP permission layer: The IP address from which a web service invocation request originates must be white-listed in the portal properties file. A web service invocation coming from a non-whitelisted IP address automatically fails.
Service access policy layer: Methods corresponding to a web service invocation request must be whitelisted by each service access policy that’s in effect. You can use wildcards to reduce the number of service classes and methods that must be explicitly whitelisted.
Authentication/verification layer (browser-only): If a web service invocation request comes from a browser, the request must include an authentication token. This authentication token is the value of the p_auth URL parameter. The token is generated by Liferay DXP and associated with your browser session. The Liferay.Service(...). If Liferay DXP cannot associate the caller’s authentication token with a User, the web service invocation request fails.
User permission layer: Properly implemented web services have permission checks. The user invoking a web service must have permission to invoke the service.