JSONWS Guest Access

The Liferay platform's JSONWS page is available to unauthenticated users at your Liferay_URL/api/jsonws. However, this does not mean that guest users have access to execute JSON web services. Even if the web services are listed in JSONWS page when accessing as Guest, most of the web services can not be invoked. For example, if a guest uses /announcementsdelivery/update-delivery, you will get the following error when invoking the method as Guest

Access denied to com.liferay.announcements.kernel.service.AnnouncementsDeliveryService#updateDelivery

This is because the underlying services are protected by Liferay's permission framework depending on the type and the purpose of the service, for example, a user must have ADD USER and UPDATE permissions on the User entity in order to execute the updateDelivery service call above.

Unauthenticated service calls only work if the remote method in the Liferay platform instance or your plugin has the @AccessControlled annotation. There are a small amount of services that can be invoked as Guest, for example /country/get-countries. This is because @AccessControlled(guestAccessEnabled = true) annotation in the following code allows that particular method to be accessed via guests.

Line 103 in CountryServiceImpl.java

    @AccessControlled(guestAccessEnabled = true)
    public List<Country> getCountries(boolean active) {
        return countryPersistence.findByActive(active);

Further remote services allowed to be accessed by Guest as of DXP 7.0 SP7/FP57 and DXP 7.1+ are:


/calendar.calendarbooking/searchCount /country/get-countries
/country/get-company-countries [7.4 only]
/pushnotifications.pushnotificationsdevice/add-push-notifications-device /pushnotifications.pushnotificationsdevice/delete-push-notifications-device /region/get-regions /sync.syncdlobject/get-sync-context

API services can be configured to be public using @AccessControlAdvice annotation during compile-time. Please note that this does not allow run-time configuration and portal administrators must re-compile portal in order to make services available without authentication.

It's also possible to disable the JSON API page completely by setting the portal property below to falsein your portal-ext.properties file:

    # Set this property to true if JSON web services are discoverable through
    # the API page.
Was this article helpful?
1 out of 1 found this helpful