  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-25688

Add optional user authentication for old and new JSON API

    Details

      Description

      Currently, users are authenticated by our permission system. If a developer does not add a permission check to a JSON-exposed method, users may access critical methods. For example, a user may call a method that fills the database.

      To guard against this kind of human error, we will add an optional additional check for authenticated users at the JSON level. For both the old and new JSON APIs, a new property is added, "json.service.public.methods" and "jsonws.web.service.public.methods", which defines the prefixes of the public methods. For example, the values:

      • is, get, has - allows public access to all read-only methods
      • ALL - special value, meaning all methods can be accessed (but some would still require an authenticated user)
      • (empty) or NONE - disable public access to all methods.

      Default value is ALL.
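
An added example (not part of the issue and not Liferay's code) showing how the property values described above would sort method names for a guest caller. It assumes plain starts-with matching on the method name; the class, its methods, and the sample service method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

public class PublicMethodGate {

    // Interprets a property value as the description defines it:
    // "ALL" -> every method is public; empty or "NONE" -> none;
    // otherwise a comma-separated list of method-name prefixes.
    // Assumption: plain String.startsWith matching on the method name.
    static boolean isPublicMethod(String propertyValue, String methodName) {
        String value = (propertyValue == null) ? "" : propertyValue.trim();
        if (value.equals("ALL")) {
            return true;
        }
        if (value.isEmpty() || value.equals("NONE")) {
            return false;
        }
        for (String prefix : value.split(",")) {
            String p = prefix.trim();
            if (!p.isEmpty() && methodName.startsWith(p)) {
                return true;
            }
        }
        return false;
    }

    // The JSON-level gate runs in addition to the permission system:
    // a guest reaches only public methods; a signed-in user passes this
    // gate and is still subject to the method's own permission checks.
    static boolean passesJsonGate(String propertyValue, String methodName, boolean signedIn) {
        return signedIn || isPublicMethod(propertyValue, methodName);
    }

    public static void main(String[] args) {
        // Constructed method names, not taken from Liferay's service API.
        List<String> methods = Arrays.asList(
            "getUser", "hasRole", "isLocked", "addUser", "deleteUser", "issueToken");
        String[] settings = {"ALL", "is, get, has", "NONE", ""};

        for (String setting : settings) {
            System.out.println("public.methods=\"" + setting + "\" (guest caller)");
            for (String m : methods) {
                System.out.println("  " + m + " -> "
                    + (passesJsonGate(setting, m, false) ? "allowed" : "rejected"));
            }
        }
    }
}
```

With "is, get, has" the constructed name issueToken is still allowed for guests because it begins with "is": a prefix describes a method's name, not its behaviour, so exposed services need a naming review before a prefix list is relied on.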

                  Packages

                  Version Package
                  6.1.1 CE GA2
                  6.1.20 EE GA2
                  --Sprint 11/12
                  6.2.0 CE M2