  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-26803

Introduce a layer for web service access security



Currently, different web services are protected by different logic (e.g. we have hosts.allowed for certain WS endpoints but not others). The goal is therefore to add a new security layer that sits between our remote service layer, which performs ACL permission checking, and the web service endpoints (e.g. JSON WS, old JSON, Axis, REST). This layer will centralize all our protections so that we don't accidentally introduce holes as we add other WS endpoints.

By default, this layer will force anyone who wishes to use any WS to authenticate. Only methods that have been explicitly annotated to allow anonymous access will provide it. As a framework, we cannot assume developers will think about security, so we will secure everything first and let them open things up.

This access security layer might also be where we integrate the authentication components (e.g. OAuth server).
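
The deny-by-default rule described above, as an added Java example that is not Liferay's own code. The `@AllowAnonymous` annotation, the `SampleService` class and the `invoke` gate are hypothetical names chosen for illustration; the point is that every endpoint adapter goes through one gate, and a method without the annotation is refused to unauthenticated callers.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class AccessGateDemo {

    // Hypothetical marker: the only way a method becomes callable without authentication.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface AllowAnonymous {}

    // Constructed sample remote service; only getVersion() is opened up.
    public static class SampleService {
        @AllowAnonymous
        public String getVersion() { return "1.0"; }

        public String getUserEmail(long userId) { return "user" + userId + "@example.com"; }
    }

    // Single gate that every endpoint adapter (JSON WS, Axis, REST, ...) would call.
    // authenticatedUser is null when the request carried no valid credentials.
    static Object invoke(Object service, String methodName, String authenticatedUser,
                         Object... args) throws Exception {
        Method target = null;
        for (Method m : service.getClass().getMethods()) {
            if (m.getName().equals(methodName) && m.getParameterCount() == args.length) {
                target = m;
                break;
            }
        }
        if (target == null) throw new NoSuchMethodException(methodName);
        // Deny by default: a missing annotation means authentication is required.
        boolean anonymousOk = target.isAnnotationPresent(AllowAnonymous.class);
        if (authenticatedUser == null && !anonymousOk) {
            throw new SecurityException("Authentication required for " + methodName);
        }
        // ACL permission checks stay in the remote service layer behind this call.
        return target.invoke(service, args);
    }

    public static void main(String[] args) throws Exception {
        SampleService svc = new SampleService();
        System.out.println(invoke(svc, "getVersion", null));           // anonymous, annotated
        System.out.println(invoke(svc, "getUserEmail", "alice", 42L)); // authenticated
        try {
            invoke(svc, "getUserEmail", null, 42L);                    // anonymous, not annotated
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Because the check keys on the presence of the annotation, a newly added service method, or one inherited from `Object`, is closed to anonymous callers until someone deliberately opens it.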




                Version Package
                6.2.0 CE M3