Carl O Ellam-Speed
My new venture into JSON
August 6, 2013 9:32 AM
Rank: New Member

Posts: 22

Join Date: December 23, 2009

Can anyone point me in the right direction?

I've looked at many articles, especially:

http://www.liferay.com/documentation/liferay-portal/6.1/development/-/ai/json-web-services

I've managed to create a test portlet plugin with a public String hello() method that writes to the console and returns "Hello" string. All well and good!

I've looked at the two invocations:

Option 1 - Accessing the plugin service via the plugin context (e.g. your custom portlet’s context):

http://:/[plugin-context]/api/jsonws/[service-class-name]/[service-method-name]

This works as expected and asks for userid/password. Excellent.

However, given that i only want the services called when an Administrator, I've tried:

Option 2 - Accessing the plugin service via the portal context:

http://:/[portal-context]/api/jsonws/[plugin-context].[service-class-name]/[service-method-name]

With the following syntax:

http://192.168.0.4:8080/api/jsonws/TestJSON-portlet.student/hello

This ignores any form of authority! I've configured the portlet with administrator security-role-ref in the portlet.xml only. I've tried several odds and sods, but to no avail.

How or what do I need to set to enforce security on methods? I.E. I want to make a service available for creating/updating and deleting data, but I only want defined users with the correct permission to do so.

Any link or direction would be good. I'm happy to figure out, but running out of time to keep searching.

Thanks and kind regards

Carl
David H Nebinger
RE: My new venture into JSON
August 6, 2013 10:08 AM
Rank: Liferay Legend

Posts: 7153

Join Date: September 1, 2006

What version of Liferay are you using? I know in the past there have been open bugs on security issues such as this, and you may be using a version for which this has not been patched yet...
Carl O Ellam-Speed
RE: My new venture into JSON
August 6, 2013 10:24 AM

Hi David,

To be precise:

Liferay Portal Community Edition 6.1.1 CE GA2 (Paton / Build 6101 / July 31, 2012)

Kind regards

Carl
David H Nebinger
RE: My new venture into JSON
August 6, 2013 11:45 AM

Give the version from lcepatchers.org a spin; it is GA2 plus various patches applied and is newer than Liferay's GA2...
Tomas Polesovsky
RE: My new venture into JSON
August 7, 2013 5:54 AM
LIFERAY STAFF

Rank: Liferay Master

Posts: 580

Join Date: February 13, 2009

Hi,

To get the HTTP Basic challenge, you can use both:
1, http://192.168.0.4:8080/TestJSON-portlet/api/jsonws/student/hello
2, http://192.168.0.4:8080/api/secure/jsonws/TestJSON-portlet.student/hello

Authentication is done using SecureFilter, in portal it's mapped to /api/secure/jsonws/*, in your plugin it's mapped only to /api/jsonws/*. In upcoming Liferay 6.2 it will be only one address /api/jsonws/*


However, given that i only want the services called when an Administrator, I've tried:

....

How or what do I need to set to enforce security on methods? I.E. I want to make a service available for creating/updating and deleting data, but I only want defined users with the correct permission to do so.


You need to perform authorization checks in each method of your service. You can either use Liferay permissions or write your own authorization checks - depends on your needs.

For authenticated users you can use PermissionThreadLocal.getPermissionChecker() to get current userId. You will also use it if you decide to use Liferay permission system for the authorization checks.
Carl O Ellam-Speed
RE: My new venture into JSON
August 7, 2013 6:32 AM

Hi Tomáš,

Thanks for your response. So I need to put the authorization checks into the methods where I need restrictions; that does make sense to me to a certain degree, but I'm surprised I can't set the authority against the portlet and have the portal enforce that. I.E. if I set the portlet to be accessible by Admin only, why doesn't it perform the same check against the JSON service?

However, thanks for the heads up. I'll give that a try when I get home from work tonight.

Kind regards

Carl

P.S. Thanks David, I looked at lcepatchers.org, but was a little lost. I assume the package is just expanded and used (documentation is quite poor and the help file states the EE not CE version) and changes the tomcat version (therefore, I assume I have to do a full redeployment too). In a nutshell, I've not tried this yet.
Tomas Polesovsky
RE: My new venture into JSON
August 7, 2013 6:38 AM

I'm surprised I can't set the authority against the portlet and have portal enforce that. I.E. If I set the porlet to be accessible by Admin only, why it doesn't perform the same check against the JSON service


IMHO it's because services are decoupled from portlets - you can have one service used by more portlets.

In portal core each service operates on some entity => the permission check is related to that entity and operation, for example UPDATE on Wiki page.
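As an added example of the two kinds of check Tomáš describes in his last two replies (it is not code from the thread, from Carl, or from Liferay itself): a coarse "Administrator only" check for the hello() method from the question, and an entity-level Liferay permission check tied to one Student and one action, the "UPDATE on Wiki page" pattern. The Student entity, its groupId and name columns, StudentServiceBaseImpl, the injected studentLocalService and the package names are assumed Service Builder artifacts of the TestJSON-portlet plugin; the com.liferay.* classes and method signatures are the Liferay 6.1 API.

```java
package com.example.testjson.service.impl;

import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.kernel.jsonwebservice.JSONWebService;
import com.liferay.portal.model.RoleConstants;
import com.liferay.portal.security.auth.PrincipalException;
import com.liferay.portal.security.permission.ActionKeys;
import com.liferay.portal.security.permission.PermissionChecker;
import com.liferay.portal.security.permission.PermissionThreadLocal;
import com.liferay.portal.service.RoleLocalServiceUtil;

import com.example.testjson.model.Student;
import com.example.testjson.service.base.StudentServiceBaseImpl;

/*
 * Added example, not the thread's or Liferay's code. Student,
 * StudentServiceBaseImpl, studentLocalService and the package names are
 * assumed Service Builder artifacts of the TestJSON-portlet plugin.
 */
@JSONWebService
public class StudentServiceImpl extends StudentServiceBaseImpl {

	// Every remote method starts here. The JSON web service layer does not
	// enforce the security-role-ref from portlet.xml, so an anonymous call
	// reaches the method with a null or guest permission checker.
	private PermissionChecker requireSignedIn() throws PrincipalException {
		PermissionChecker checker = PermissionThreadLocal.getPermissionChecker();

		if ((checker == null) || !checker.isSignedIn()) {
			throw new PrincipalException("Authentication required");
		}

		return checker;
	}

	// Coarse check: the "Administrator only" case from the question.
	private void requireAdministrator(PermissionChecker checker)
		throws PortalException, SystemException {

		if (checker.isOmniadmin() || checker.isCompanyAdmin()) {
			return;
		}

		boolean administrator = RoleLocalServiceUtil.hasUserRole(
			checker.getUserId(), checker.getCompanyId(),
			RoleConstants.ADMINISTRATOR, true);

		if (!administrator) {
			throw new PrincipalException(
				"User " + checker.getUserId() + " is not an administrator");
		}
	}

	// Entity-level check: one Student, one action. Assumes the plugin lists
	// Student in its resource-actions XML and calls addResources() when a
	// Student is created, so there is a resource permission to evaluate.
	private void requireStudentPermission(
			PermissionChecker checker, Student student, String actionId)
		throws PrincipalException {

		boolean allowed = checker.hasPermission(
			student.getGroupId(), Student.class.getName(),
			student.getStudentId(), actionId);

		if (!allowed) {
			throw new PrincipalException(
				actionId + " on Student " + student.getStudentId() +
					" denied for user " + checker.getUserId());
		}
	}

	// Reached as /api/jsonws/TestJSON-portlet.student/hello
	public String hello() throws PortalException, SystemException {
		PermissionChecker checker = requireSignedIn();

		requireAdministrator(checker);

		return "Hello, user " + checker.getUserId();
	}

	// Load the entity first and check against ITS groupId and primary key,
	// never against ids the caller chose to send.
	public Student updateStudent(long studentId, String name)
		throws PortalException, SystemException {

		PermissionChecker checker = requireSignedIn();
		Student student = studentLocalService.getStudent(studentId);

		requireStudentPermission(checker, student, ActionKeys.UPDATE);

		student.setName(name);

		return studentLocalService.updateStudent(student);
	}

	public void deleteStudent(long studentId)
		throws PortalException, SystemException {

		PermissionChecker checker = requireSignedIn();
		Student student = studentLocalService.getStudent(studentId);

		requireStudentPermission(checker, student, ActionKeys.DELETE);

		studentLocalService.deleteStudent(student);
	}
}
```

A PrincipalException thrown from the method is what the JSON web service caller sees as the denial; the checks are the same whichever of the two URL forms invoked the service, which is the point of putting them in the service rather than in the portlet. Keeping the authorization in a few private helpers that every public method calls first makes an unprotected method a visible omission in code review.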
Carl O Ellam-Speed
RE: My new venture into JSON
August 7, 2013 10:24 AM

Ah, genius! Thanks for the explanation. Makes complete sense! Especially as I've put all my services into one project/WAR for all the other portlets to use...

Thanks ever so much

Kind regards

Carl
Carl O Ellam-Speed
RE: My new venture into JSON
August 8, 2013 9:34 AM

Thanks Tomáš,

Can confirm that using PermissionChecker enables me to lock out the JSON services as I desire.

Kind regards

Carl
Tomas Polesovsky
RE: My new venture into JSON
August 8, 2013 11:18 AM

Good to hear, you are welcome.

Best,
-- tom