Submit Feedback
Legacy Knowledge Base
Published Jun. 30, 2025

Resolving 401 Errors When Using Authorization Bearer Tokens in RestBuilder APIs

Written By

Julián Vela Cubas

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How to articles!

While we make every effort to ensure this Knowledge Base is accurate,it may not always reflect the most recent updates or official guidelines.We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • When making calls to a REST API service created with RestBuilder that includes the Authorization Bearer token header, the responses often return a 401 Unauthorized status. However, when the same service is tested using Swagger within a Liferay session, it responds with a 200 OK.

Resolution

If you are using an external token validation mechanism (not relying on a Liferay OAuth application), you need to make some actions:

    1. Add the com.liferay.oauth2.provider.rest.internal.security.auth.verifier.OAuth2RESTAuthVerifier component to the blacklist.

    2. Implement your own token validation logic by creating a custom AuthVerifier. You can refer to the attached SampleAuthVerifier.java for guidance on implementation.

If you want to allow guest users to consume the service, you must include the following properties in the @Component annotation of the RestServicesApplication class generated by RestBuilder

  • Enabling Guest User Access to REST Services:
"liferay.access.control.disable=true", 
"auth.verifier.guest.allowed=true",
"oauth2.scopechecker.type=none"

 

Additional Information

SampleAuthVerifier.java:

import com.liferay.portal.kernel.security.auth.AccessControlContext;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifier;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifierResult;
import java.util.Properties;
import org.osgi.service.component.annotations.Component;

@Component(
 property = {
 "auth.verifier.SampleAuthVerifier.urls.includes=*"
 },
 service = AuthVerifier.class
)

public class SampleAuthVerifier implements AuthVerifier {

public String getAuthType() {
 return SampleAuthVerifier.class.getName();
}

@Override
 public AuthVerifierResult verify(
 AccessControlContext accessControlContext, Properties properties) {
 AuthVerifierResult authVerifierResult = new AuthVerifierResult();

// NOT_APPLICABLE
// authVerifierResult.setState(AuthVerifierResult.State.NOT_APPLICABLE);

// SUCCESS
// authVerifierResult.setState(AuthVerifierResult.State.SUCCESS);
// authVerifierResult.setUserId(20122);//Useradmin

// ERROR
// authVerifierResult.setState(AuthVerifierResult.State.SC_UNAUTHORIZED);
// authVerifierResult.setState(AuthVerifierResult.State.INVALID_CREDENTIALS);

 return authVerifierResult;
 }
}

 

 

Did this article resolve your issue ?
Legacy Knowledge Base
Did this article resolve your issue ?