Remote clients run outside of the portal JVM or on a remote machine, but they can still access Liferay’s service APIs. The main benefit of remotely accessing service APIs is that security checks are performed. Unless you want to avoid permission checking, develop your client (even if it’s local) so it triggers the front-end security layer.
Liferay’s API follows a Service Oriented Architecture (SOA). The API supports Java invocation and a variety of protocols including SOAP and JSON over HTTP. A limited set of RESTful web services, based on the AtomPub protocol, are also supported–see the Portal Atom Collections wiki by Igor Spasić for more details. You can also use the API through Remote Procedure Calls (RPC). You have many good options for leveraging Liferay’s API.
Let’s step back now and discuss the security layers of Liferay’s service oriented architecture and how you can configure them.