Legacy Knowledge Base
Published Sep. 10, 2025

Access denied error message in XML format is thrown in the browser by the REST API

Written By

Thanga Meena

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • After passing the authorization in the HTTP header and requesting the URL http://localhost:8080/o/greetings/morning, the web service responds in the browser with the error message below (XML format).
<Forbidden><message>Access denied to sample.rest.application.Samplexxxx#working</message></Forbidden>
  • Steps to create the REST API:
    • Please follow this help center article to create a REST module API
    • In this article, the JAX-RS sample module is unchanged except for configuration properties in the @Component annotation.
    • Note: Please ensure the following as per the requirement
      • Service endpoint, Service as it appears in the authentication, properties may be required for further configuration.
    • Reference:
      • Rest_module.gif
  • Steps to replicate the issue: 
    • Start the server and log in using admin credentials.
    • Deploy the sample rest plugin
    • Authenticating to JAX-RS web services
      • OAuth 2 authentication:
        • Navigate to Control Panel → Configuration → OAuth2 Administration
        • Click on the plus icon and add an application using a descriptive name
        • For example, select the "Headless Server profile" template, which auto-selects the Client Credentials authorization type.


        • Note: Copy the Client ID and Client Secret from this created application and use these to authenticate to your web service.
      • In this example, the OAuth token is requested using the curl tool.
      • Execute the command below using the client_id and client_secret of your application.
curl http://localhost:8080/o/oauth2/token -d 'grant_type=client_credentials&client_id=id-XXXXXXXXXXXXXXXX&client_secret=secret-XXXXXXXXXXXXXXXXXXXXXXXXX'


      • The token is returned in JSON format, as below.
{"access_token":"XXXXXXXXXXXXXXXXXXXXXXXXXX","token_type":"Bearer","expires_in":600}
      • Using the generated token, I have executed the below command to call the service
      • Observed behavior:
        After passing the authorization in the HTTP header and requesting the URL http://localhost:8080/o/greetings/morning, the web service responds in the browser with the error message below (XML format).
<Forbidden><message>Access denied to sample.rest.application.Samplexxxx#working</message></Forbidden>

Environment

  • Liferay-dxp-7.2.10-ga1 bundle with Liferay-fix-pack-dxp-1-7210
  • HSQL database [Liferay DXP is initially configured to use the embedded HSQL database but the HSQL DB is primarily intended for demonstration and trial purposes.]

Resolution

  • The steps below will help to resolve the issue:
    • Create a public endpoint for development purposes. In this example, the service is made public by setting the two properties below in the property attribute of the @Component annotation.
"auth.verifier.guest.allowed=true",
"liferay.access.control.disable=true"
    • Rebuild the plugin after adding the endpoint as per the requirement and deploy it.
    • Note: Please have a look at the article "Service Access Policies" for further information.
  • With authorization, your web service can be called and responds to the request. In this example, the web service is called and responds to the request as below.

 

[Screenshots: Works.jpg, Good_morning.jpg, with_param.jpg]
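
Because the two properties in the Resolution make the endpoint public for development, the check below (an added example, not from the original article or from Liferay) scans module sources for active uses of either property and fails when one is found, so such a build can be stopped before it is promoted. The function names, the constructed sample files, and scanning only .java files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Liferay code): find JAX-RS components that still set the
# two "public endpoint" properties from the Resolution section.

# Prints "file:line:property" for every active (not //-commented) use.
# Returns 1 if any use is found, 0 if the source tree is clean.
find_public_endpoint_flags() {
    src_dir=$1
    hits=$(find "$src_dir" -type f -name '*.java' -exec grep -nHE \
        '"(auth\.verifier\.guest\.allowed|liferay\.access\.control\.disable)=true"' {} + \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*//' || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" \
        | sed -E 's/^([^:]+:[0-9]+):.*"([a-z.]+)=true".*/\1:\2/'
    return 1
}

# Constructed sample tree (hypothetical file names): one component with both
# properties active, one with the property commented out.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/DevApplication.java" <<'EOF'
@Component(
    property = {
        "auth.verifier.guest.allowed=true",
        "liferay.access.control.disable=true"
    }
)
EOF
    cat > "$d/ProtectedApplication.java" <<'EOF'
@Component(
    property = {
        // "auth.verifier.guest.allowed=true",
    }
)
EOF
    echo "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
find_public_endpoint_flags "$sample" \
    || echo "public-endpoint properties found: keep this build in development"
rm -rf "$sample"
```

Run as a build step, the non-zero return lets a pipeline stop before a module with a public endpoint is deployed outside development.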
