In 7.3, if you attempt to access the "/o/api" URL, you will always encounter a 403 Forbidden error, even if you are signed in as a user who should have access to it.
This is a regression caused by the unique 7.3 changes made by LPS-129496. In those changes, we modified the logic used when trying to locate the AuthVerifierConfiguration objects for the input URL. The changes caused us to strip the context from the input URL, but not from the contextPath, which led to a mismatch when trying to locate the AuthVerifierConfiguration objects.
Note that there is a separate issue with the "/o/api" URL that occurs when using a non-ROOT context. That issue is described in LPS-142229, whose 7.3.x backport is already underway. This fix does not aim to resolve that issue, only the 403 Forbidden error.
Steps to Reproduce
1. Rename ROOT to portal under TOMCAT_HOME/webapps
2. Rename ROOT.xml to portal.xml under TOMCAT_HOME/conf/Catalina/localhost
3. Delete temp and work folders under TOMCAT_HOME
4. Start up the portal and log in as the admin user at http://localhost:8080/portal/
5. Navigate to http://localhost:8080/portal/o/api
Expected Result: The page loads successfully, with the Liferay Explorer API visible in the top-right corner. (Note that, due to LPS-129496, you will see the text "No API definition provided". This is fine for this ticket. As long as you can see the Liferay Explorer API in the UI, this ticket should be considered solved.)
Actual Result: The page fails to load, and instead shows a ForbiddenEntity error.