Legacy Knowledge Base
Published Jul. 2, 2025

JSONWS Guest Access

Written By

Christopher Lui

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

The Liferay platform's JSONWS page is available to unauthenticated users at your Liferay_URL/api/jsonws. However, this does not mean that guest users can execute JSON web services. Even though the web services are listed on the JSONWS page when it is accessed as Guest, most of them cannot be invoked. For example, invoking /announcementsdelivery/update-delivery as Guest returns the following error:

Access denied to com.liferay.announcements.kernel.service.AnnouncementsDeliveryService#updateDelivery

This is because the underlying services are protected by Liferay's permission framework, according to the type and purpose of the service. For example, a user must have ADD USER and UPDATE permissions on the User entity in order to execute the updateDelivery service call above.

Unauthenticated service calls only work if the remote method in the Liferay platform instance or your plugin has the @AccessControlled annotation. A small number of services can be invoked as Guest, for example /country/get-countries. This is because the @AccessControlled(guestAccessEnabled = true) annotation in the following code allows that particular method to be accessed by guests.

Line 103 in CountryServiceImpl.java

    @AccessControlled(guestAccessEnabled = true)
    @Override
    public List<Country> getCountries(boolean active) {
        return countryPersistence.findByActive(active);
    }

Further remote services that Guest is allowed to access as of DXP 7.0 SP7/FP57 and DXP 7.1+ are:

/assetentry/increment-view-counter
/calendar.calendarbooking/search
/calendar.calendarbooking/searchCount
/country/get-countries
/country/get-company-countries [7.4 only]
/pushnotifications.pushnotificationsdevice/add-push-notifications-device
/pushnotifications.pushnotificationsdevice/delete-push-notifications-device
/region/get-regions
/sync.syncdlobject/get-sync-context

API services can be made public using the @AccessControlAdvice annotation at compile time. Please note that this does not allow run-time configuration: portal administrators must re-compile the portal in order to make services available without authentication.
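Because guest access is fixed in source at compile time, reviewing plugin source for the annotation shows which remote methods Guest can call. The script below is an added example, not part of the original article or Liferay's code; the sample class and the `updateThing`, `removeThing` and `ping` methods are hypothetical, and the regex matching is a review aid rather than a full Java parser.

```python
import re

# Regex-based review aid (not a Java parser): @AccessControlled(...), any
# further annotations, then the signature up to the method name.
ANNOTATED_METHOD = re.compile(
    r"@AccessControlled\s*\((?P<args>[^)]*)\)"   # annotation arguments
    r"(?:\s*@\w+(?:\([^)]*\))?)*"                # e.g. @Override, @JSONWebService(...)
    r"\s*[^;{(@]*?\b(?P<name>\w+)\s*\("          # modifiers, return type, name
)
GUEST_ON = re.compile(r"\bguestAccessEnabled\s*=\s*true\b")


def guest_methods(java_source):
    """Return [(line, method)] for methods with guestAccessEnabled = true."""
    # Blank out comments (keeping newlines so line numbers stay right) so a
    # commented-out annotation is not reported.
    code = re.sub(r"/\*.*?\*/|//[^\n]*",
                  lambda m: re.sub(r"[^\n]", " ", m.group(0)),
                  java_source, flags=re.S)
    return [(code.count("\n", 0, m.start()) + 1, m.group("name"))
            for m in ANNOTATED_METHOD.finditer(code)
            if GUEST_ON.search(m.group("args"))]


# Constructed sample: the first method is the article's excerpt, the rest are
# hypothetical plugin methods.
SAMPLE = '''\
public class SampleServiceImpl {
    @AccessControlled(guestAccessEnabled = true)
    @Override
    public List<Country> getCountries(boolean active) {
        return countryPersistence.findByActive(active);
    }

    @AccessControlled(guestAccessEnabled = false)
    public void updateThing(long id) {}

    // @AccessControlled(guestAccessEnabled = true)
    public void removeThing(long id) {}

    @AccessControlled(guestAccessEnabled = true)
    @JSONWebService(method = "GET")
    public String ping() { return "ok"; }
}
'''

if __name__ == "__main__":
    for line, name in guest_methods(SAMPLE):
        print(f"line {line}: {name}() is callable by Guest")
```

Each reported method should be checked against the list of services intended for Guest before the plugin is deployed.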

It's also possible to disable the JSON API page completely by setting the portal property below to false in your portal-ext.properties file (the excerpt shows it set to true):

    #
    # Set this property to true if JSON web services are discoverable through
    # the API page.
    #
    jsonws.web.service.api.discoverable=true