Introduction
Service access policies are an additional layer of web service security that defines which services or service methods can be invoked remotely.
Prerequisites
- Liferay Portal 7 / 7.x
To show you how service access policies work within Liferay DXP, here’s a simple summary of Liferay DXP’s web service security layers:
- IP Permission Layer : The IP address from which a web service invocation request originates must be whitelisted in the Liferay DXP server’s portal.properties file.
- Service Access Policy (SAP) Layer : The method corresponding to a web service invocation request must be whitelisted by the applicable Service Access Policy.
- Authentication/Verification Layer (Browser-only) : If a web service invocation request comes from a browser, it must include an authentication token.
- User Permission Layer : Properly implemented web services perform permission checks, ensuring that the user invoking a web service has the necessary Liferay DXP permissions to access it.
Understanding Service Access Policy in Liferay
- Service Access Policy (SAP) in Liferay was introduced in Liferay DXP 7.0.
- It is a security mechanism that controls access to Liferay’s services at the API level.
- Service Access Policy is useful for securing remote API access, especially when external systems interact with Liferay through its SOAP or JSON web services.
- Portal administrators can create custom Service Access Policy entries to specify restrictions on which services can be accessed.
- While a Service Access Policy defines which services may be invoked, it does not replace Liferay’s permissions system. Even when a request is let through by SAP, the user must still hold the permissions required to invoke the service.
Managing Service Access Policies
Open the Global Menu > Configuration > Service Access Policy to view and manage service access policies.

Here, you can see Liferay’s default service access policies. Most of these are system-related, while the other policies are for OAuth and JSON web services.

When creating or editing Service Access Policies (SAPs) in Liferay, consider the following points:
- Service access policy names must be unique for each portal instance.
- Service access policy names can include only the following characters:
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz#:@-./_
- Service access policy titles can be localized, but service access policy names cannot be localized.
- Allowed service signatures must be entered one per line. Wildcards (*) can be used for both class names and method names.
- The # symbol must be used to separate a class name from a method name.
Creating a Service Access Policy
- Open the Global Menu > Configuration > Service Access Policy.
- Click on the Add (+) icon.
- Enter the name.
- Switch the Enabled toggle to enable the policy.
- (Optional) Toggle Default if you want the policy applied to unauthenticated and authenticated requests.
- Provide a localized title.
- Under Allowed Service Signatures, enter the fully qualified name of an installed service class.
(Here we have created a REST portlet and deployed it on the Liferay server; we provide that class name.)
To allow every method of the class, enter * as the method name (ClassName#*).

If you want to grant access to a specific method only, enter that method’s name after the # (ClassName#methodName).

Click Save. If you want to specify another service or method, click the plus icon to add another entry.
Now the remote APIs for the allowed methods are accessible.
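To make the rules above concrete (one signature per line, `#` separating class from method, `*` as a wildcard in either part, the permitted characters in a policy name, and the effect of the Enabled and Default toggles), here is a small simulation of how a set of policies decides whether a remote call is permitted. This is an added illustration written for this article, not Liferay’s own code or API: the policy names and class names are constructed, and the model in which a request carries the names of the policies active for it (with Default policies applying to every request) is a simplified assumption.

```python
"""Simulated Service Access Policy evaluation (illustration, not Liferay code)."""
import re
from dataclasses import dataclass

# Characters a policy name may contain (the set given in the article).
POLICY_NAME_CHARS = set(
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz#:@-./_"
)


def validate_policy_name(name: str) -> bool:
    """True if the name is non-empty and uses only the permitted characters."""
    return bool(name) and all(ch in POLICY_NAME_CHARS for ch in name)


def parse_signatures(text: str) -> list:
    """Split the 'Allowed Service Signatures' text into (class, method) pairs.

    One signature per line; '#' must separate the class name from the method
    name. Blank lines are ignored; anything else is a configuration error.
    """
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.count("#") != 1:
            raise ValueError(f"line {lineno}: expected exactly one '#' in {line!r}")
        class_part, method_part = line.split("#")
        if not class_part or not method_part:
            raise ValueError(f"line {lineno}: empty class or method in {line!r}")
        pairs.append((class_part, method_part))
    return pairs


def _wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


@dataclass
class ServiceAccessPolicy:
    name: str
    enabled: bool
    default: bool
    allowed_service_signatures: str  # the multi-line text from the UI

    def allows(self, class_name: str, method_name: str) -> bool:
        return any(
            _wildcard_match(cls, class_name) and _wildcard_match(meth, method_name)
            for cls, meth in parse_signatures(self.allowed_service_signatures)
        )


def is_invocation_allowed(policies, class_name, method_name, active_policy_names=()):
    """Assumed model: a policy counts only if it is enabled and either marked
    Default (applies to every request) or listed in active_policy_names
    (policies granted to this particular request). The first match allows the
    call; with no match the call is denied."""
    for policy in policies:
        if not policy.enabled:
            continue
        if not (policy.default or policy.name in active_policy_names):
            continue
        if policy.allows(class_name, method_name):
            return True
    return False


# Constructed sample policies; the class names are hypothetical.
POLICIES = [
    ServiceAccessPolicy(
        name="SAMPLE_REST_POLICY", enabled=True, default=False,
        allowed_service_signatures="com.example.rest.SampleRestService#getGreeting\n",
    ),
    ServiceAccessPolicy(
        name="SAMPLE_PUBLIC_INFO", enabled=True, default=True,
        allowed_service_signatures="com.example.rest.PublicInfoService#*\n",
    ),
    ServiceAccessPolicy(  # disabled, so its allow-everything entry has no effect
        name="SAMPLE_DISABLED_ALLOW_ALL", enabled=False, default=True,
        allowed_service_signatures="*#*\n",
    ),
]

if __name__ == "__main__":
    checks = [
        ("com.example.rest.SampleRestService", "getGreeting", ()),
        ("com.example.rest.SampleRestService", "getGreeting", ("SAMPLE_REST_POLICY",)),
        ("com.example.rest.SampleRestService", "deleteAll", ("SAMPLE_REST_POLICY",)),
        ("com.example.rest.PublicInfoService", "getVersion", ()),
        ("com.example.Other", "anything", ()),
    ]
    for cls, method, active in checks:
        verdict = "ALLOW" if is_invocation_allowed(POLICIES, cls, method, active) else "DENY"
        print(f"{verdict:5} {cls}#{method} active={list(active)}")
```

Two points the run makes visible: a non-default policy grants nothing unless it is active for the request, and a disabled policy grants nothing at all, even with a `*#*` entry. The matcher is deliberately strict about the `#` separator so that a malformed line fails loudly instead of silently allowing nothing or everything.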
Using Service Access Policy in Your Liferay Application
Service Access Policies are enforced when Liferay’s remote services are invoked. If a request targets a service method that no applicable policy allows, the request is denied.
Conclusion
By configuring the Service Access Policy effectively, you can enhance the security of your Liferay application, preventing unauthorized access to sensitive services. This feature is particularly important when exposing services to external systems or integrating with other applications.