Invoking the API Remotely
ThemeDisplay objects are often available when you’re making local service calls but not when you’re making remote service calls.
Invoking remote services does require more overhead such as memory, network bandwidth, and processing than does invoking local services. Also, remote services require permission-checking to prevent just anyone from remotely invoking them. The remote services of Liferay’s API perform security checks but these are not automatically generated by Service Builder; they’re manually added by developers. For information on adding permission checks to a plugin’s remote services, please refer to the previous chapter. If you’d like to invoke a plugin’s remote services, make sure to check that the remote service methods perform permission checks. Unless you want to avoid permission checking, it’s often a good idea to develop your clients (even if they’re local) so they trigger the front-end security layer.
Liferay’s API follows a Service Oriented Architecture (SOA). The API supports Java invocation and a variety of protocols including SOAP and JSON over HTTP. A limited set of RESTful web services, based on the AtomPub protocol, are also supported–see the Portal Atom Collections wiki by Igor Spasić for more details. You can also use the API through Remote Procedure Calls (RPC). You have many good options for leveraging Liferay’s API.
Let’s step back now and discuss the security layers of Liferay’s service oriented architecture and how you can configure them.