Foundations of Liferay Headless APIs

Enforcing Secure API Access

Security is paramount when accessing or transferring data with headless APIs. Liferay DXP offers a multi-layered security approach that provides enhanced protection and dynamic management of web service access.

A remote request passes through these checks, in this order:

  • IP Restrictions: Limit API access by filtering requests based on their source IP address.
  • Service Access Policies: Configure which services and service methods may be invoked remotely at all.
  • Authentication/Verification: Verify the credentials or token carried by the request (for example, the authentication token tied to a browser session) to associate the request with a specific user, or treat it as a guest request if nothing verifies.
  • User Permissions: Validate that the resolved user holds the roles and permissions the requested API action requires.

These checks are processed sequentially, and a request that fails at one tier is rejected there; later tiers never run. Your business's specific integration requirements will strongly influence which of these restriction methods you select and how you configure them.

While Liferay offers some IP restriction options, it's highly recommended to manage IP restrictions in a dedicated external system such as a web server, reverse proxy, or firewall, so that unwanted traffic is dropped before it reaches the application at all.

Understanding Authorization and Authentication

To effectively understand Liferay's security mechanisms, it's important to differentiate between authentication and authorization.

  • Authentication: Verifies a user's identity by matching provided credentials with stored information.
  • Authorization: Grants permissions to resources by ensuring that the user has the correct access to data, applications, or services.

Authentication is a prerequisite to authorization. Liferay secures web service requests with industry-standard mechanisms: HTTPS protects requests and credentials in transit, and OAuth 2.0 governs how clients are authorized to call the APIs on a user's behalf. As Clarity's environments use SaaS, their headless API requests are secured through OAuth 2.0, which you'll learn more about in the next lesson.

Restricting Access with Service Access Policies

Acting as a gatekeeper for your web services, Liferay's service access policies determine which services or service methods can be invoked remotely. By configuring these policies effectively, you ensure that only authorized entities can access your environment's services.

Service access policies can be grouped together within Liferay to produce a combined effect: the enabled policies are additive, so a method is callable remotely if any enabled policy allows it. Clarity can leverage service access policies to define allowlists of the methods exposed for public access via web services. By also using wildcards to allow invocation of all methods within specific services and classes, Clarity can streamline configuration and reduce the number of explicit policies required. Keep wildcards scoped as narrowly as the integration needs, because every method a wildcard matches becomes remotely invocable.

If a policy grants access to a remote service, the user invoking it must still hold the permissions the service itself checks. A policy widens what can be called remotely, not who is allowed to call it.

Liferay enables several service access policies by default, including policies specific to OAuth 2.0. See Default Service Access Policies for more information about configurations and policy restrictions.
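The four tiers above and the wildcard allowlists just described, modelled in Python as an added example. This is not Liferay's code: the request shape, the policy names PUBLIC_READ and ADMIN_TOOLS, the token table and the permission sets are constructed for illustration, and the "enabled policies combine as a union" and "'*' matches any characters" semantics are simplifying assumptions. Only the tier order and the fail-at-one-tier-stops-the-rest rule come from the page.

```python
"""Toy model of Liferay DXP's layered checks on a remote service call.

Constructed example, not Liferay code. Class and method names are Liferay-style
"class#method" signatures; the policies, sessions and permissions are invented.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    client_ip: str          # source address of the request
    service_class: str      # fully qualified Java class of the remote service
    method: str             # remote method being invoked
    token: Optional[str]    # session/auth token, None for an anonymous request


# Tier 1: IP restriction (constructed allowlist; the page recommends enforcing
# this in a web server or firewall rather than inside Liferay).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]


def ip_allowed(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


# Tier 2: service access policies. Each policy lists "class#method" patterns in
# which '*' is a wildcard (assumption). Enabled policies combine as a union.
POLICIES = {
    "PUBLIC_READ": {
        "enabled": True,
        "allowed": [
            "com.liferay.portal.kernel.service.UserService#getUserById",
            "com.liferay.document.library.kernel.service.DLAppService#get*",
        ],
    },
    "ADMIN_TOOLS": {  # disabled: contributes nothing to the allowlist
        "enabled": False,
        "allowed": ["com.liferay.portal.kernel.service.*#*"],
    },
}


def signature(req: Request) -> str:
    return f"{req.service_class}#{req.method}"


def enabled_patterns():
    return [pattern for p in POLICIES.values() if p["enabled"]
            for pattern in p["allowed"]]


def policy_allows(req: Request) -> bool:
    sig = signature(req)
    return any(fnmatch.fnmatchcase(sig, pattern) for pattern in enabled_patterns())


# Tier 3: authentication/verification. A constructed token table stands in for
# Liferay's auth verifiers; an unknown or missing token resolves to no user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(req: Request) -> Optional[str]:
    return SESSIONS.get(req.token) if req.token else None


# Tier 4: user permissions (constructed; Liferay uses roles and resource
# permissions, modelled here as a flat set of signatures per user).
PERMISSIONS = {
    "alice": {"com.liferay.portal.kernel.service.UserService#getUserById",
              "com.liferay.document.library.kernel.service.DLAppService#getFileEntry"},
    "bob":   {"com.liferay.document.library.kernel.service.DLAppService#getFileEntry"},
}


def permitted(user: str, req: Request) -> bool:
    return signature(req) in PERMISSIONS.get(user, set())


def authorize(req: Request) -> Tuple[bool, str]:
    """Run the tiers in order. The first failing tier ends processing and is
    reported; on success the resolved user is returned."""
    if not ip_allowed(req.client_ip):
        return (False, "ip_restriction")
    if not policy_allows(req):
        return (False, "service_access_policy")
    user = authenticate(req)
    if user is None:
        return (False, "authentication")
    if not permitted(user, req):
        return (False, "permission")
    return (True, user)


if __name__ == "__main__":
    users = "com.liferay.portal.kernel.service.UserService"
    dl = "com.liferay.document.library.kernel.service.DLAppService"
    for req in [Request("10.1.2.3", users, "getUserById", "tok-alice"),
                Request("198.51.100.9", users, "getUserById", "tok-alice"),
                Request("10.1.2.3", users, "deleteUser", "tok-alice"),
                Request("10.1.2.3", dl, "getFileEntry", None),
                Request("10.1.2.3", users, "getUserById", "tok-bob")]:
        print(signature(req), "->", authorize(req))
```

The bob case is the point of the sentence above about permissions: PUBLIC_READ exposes UserService#getUserById and bob's token verifies, yet the call still fails at the permission tier. Likewise the call from 198.51.100.9 is rejected by the IP tier even though its token is valid, because later tiers never run.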

Benefits of Securing through Service Access Policies

Service access policies provide many benefits to securing API access, including:

  • Enhancing Security: Granularly protect sensitive data to ensure only verified and authorized interactions occur, reducing the risk of data exposure.
  • Improving Compliance: Keep API exposure aligned with regulatory requirements and industry standards by expressing it as explicit, reviewable policies.
  • Simplifying Security Management: Centralize policy management to streamline enforcement and enable dynamic adjustments as needed.
  • Increasing Agility: Quickly adapt to security and business needs to respond to emerging threats or changing requirements.

Conclusion

Liferay provides a layered security defense approach to protect services and enforce authenticated API access. Implementing robust service access policies ensures web services are secure, reliable, and compliant with relevant regulations.

Next, you'll learn more about available authorization methods for securing requests.

© 2024 Liferay Inc. All Rights Reserved • Privacy Policy