Configuring JSON Web Services

JSON web services are enabled in Liferay by default. If you need to disable them, specify this portal property setting in a file:


This tutorial presents other such properties that you can use to fine-tune exactly how JSON web services work in your Liferay instance. You can find these, and other properties, in the portal properties reference documentation. As with the preceding property, you should set portal properties in a file.

First, you’ll learn about setting whether JSON web services are discoverable via the API page.


By default, JSON web services are discoverable via the API page at http://[address]:[port]/api/jsonws. To disable this, set the following property:


Next, you’ll learn how to disable HTTP methods.

Disabling HTTP Methods

When strict HTTP method mode is enabled, you can filter web service access based on HTTP methods used by the services. For example, you can set your Liferay instance’s JSON web services to work in read-only mode by disabling HTTP methods other than GET. For example:


With this setting, all requests that use DELETE, POST, or PUT HTTP methods are ignored.

Next, you’ll learn how to restrict public access to exposed JSON APIs.

Strict HTTP Methods

All JSON web services are mapped to either GET or POST HTTP methods. If a service method name starts with get, is or has, the service is assumed to be read-only and is bound to the GET method. Otherwise, it’s bound to POST.

By default, Liferay doesn’t check HTTP methods when invoking a service call; it works in non-strict http method mode, where services may be invoked using any HTTP method. If you need the strict mode, you can set it as follows:


When using strict mode, you must use the correct HTTP methods to calll service methods. When strict HTTP mode is enabled, you still might need to disable HTTP methods. You’ll learn how next.

Controlling Public Access

Each service method knows whether a given user has permission to invoke the chosen action. If you’re concerned about security, you can restrict access to exposed JSON APIs by explicitly permitting or restricting certain JSON web service paths.

The property jsonws.web.service.paths.includes denotes patterns for JSON web service action paths that are allowed. Set a blank pattern to allow any service action path.

The property jsonws.web.service.paths.excludes denotes patterns for JSON web service action paths that aren’t allowed even if they match one of the patterns set in jsonws.web.service.paths.includes.

Note that these properties support wildcards. For example, if you set jsonws.web.service.paths.includes=get*,has*,is*, Liferay makes all read-only JSON methods publicly accessible. All other JSON methods are secured. To disable access to all exposed methods, you can leave the right side of the = symbol empty. To enable access to all exposed methods, specify *. Remember that if a path matches both the jsonws.web.service.paths.includes and jsonws.web.service.paths.excludes properties, the jsonws.web.service.paths.excludes property takes precedence.

Registering JSON Web Services

Creating Remote Services

Invoking Remote Services

« JSON Web Services Invocation ExamplesSOAP Web Services »
Was this article helpful?
1 out of 1 found this helpful