Understanding Service Access Policies

Use the service access policy tool to set which web services have public access. You can view a list of the default policies. Follow the steps below to add a new policy. See Setting Service Access Policies to learn more.

Note that by default, Liferay’s service access policies do not grant public access to any APIs.


The example below is for demonstration purposes only. Granting access to these services makes them public-facing and typically should be paired with authentication.

  1. Make an API request without passing any credentials.

    curl "localhost:8080/o/headless-admin-user/v1.0/my-user-account"

    Note that a forbidden error response is returned.

  2. Navigate to Global Menu → Control Panel → Service Access Policy.

  3. Click Add.

  4. Configure the new policy as follows:

    • Enter MY_USER_ACCOUNT_GUEST_ACCESS as the name.
    • Toggle the enabled switch on.
    • Toggle the default switch on.
    • Enter My User Account Guest Access as the title.
    • Enter com.liferay.headless.admin.user.internal.resource.v1_0.UserAccountResourceImpl as the service class.
    • Enter getMyUserAccount as the method name.
    • Click Save.
  5. Make the same API request.

    curl "localhost:8080/o/headless-admin-user/v1.0/my-user-account"

    Liferay now returns the user account info of the guest user. Allow or deny access in this way for other services.
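
The unauthenticated request in steps 1 and 5 can be scripted to confirm, after any policy change, that only the intended endpoints answer a guest. This is an added example, not part of the Liferay documentation; the function names, the allowlist argument and the `http://` scheme on `localhost:8080` are assumptions, and only the `my-user-account` path comes from the page.

```sh
#!/bin/sh
# Added example: audit which endpoints answer a request sent without credentials.
# BASE_URL assumes the page's localhost:8080 over plain HTTP.
BASE_URL="${BASE_URL:-http://localhost:8080}"

# Print the HTTP status of an unauthenticated GET ("000" when nothing answers).
http_status() {
  curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# Map a status code to what it means for guest exposure.
classify_status() {
  case "$1" in
    2??)     echo "PUBLIC" ;;       # served to a guest: some policy allows it
    401|403) echo "DENIED" ;;       # rejected, as in step 1 of the procedure
    000)     echo "UNREACHABLE" ;;
    *)       echo "OTHER" ;;
  esac
}

# $1: space-separated paths that are meant to be public; remaining args: paths to test.
# Prints one line per path and returns 1 if a path outside the allowlist is public.
audit_guest_access() {
  audit_allowed=" $1 "; audit_rc=0
  shift
  for audit_path in "$@"; do
    audit_code="$(http_status "${BASE_URL}${audit_path}")"
    audit_verdict="$(classify_status "$audit_code")"
    if [ "$audit_verdict" = "PUBLIC" ]; then
      case "$audit_allowed" in
        *" $audit_path "*) audit_verdict="PUBLIC (expected)" ;;
        *)                 audit_verdict="PUBLIC (unexpected)"; audit_rc=1 ;;
      esac
    fi
    printf '%-20s %s %s\n' "$audit_verdict" "$audit_code" "$audit_path"
  done
  return "$audit_rc"
}

# Example run against the page's endpoint, with nothing expected to be public:
#   sh audit.sh "" /o/headless-admin-user/v1.0/my-user-account
if [ "$#" -gt 0 ]; then
  audit_guest_access "$@"
fi
```

The non-zero exit status on an unexpected public endpoint lets the script act as a gate after policy changes.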
