  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-26803

Introduce a layer for web service access security

    Details

      Description

      Currently, we have different logic protecting different web services (e.g. we have hosts.allowed for certain WS end points, but not others, etc.). Therefore, the goal is to add a new security layer that sits between our remote service layer, which is performing ACL permission checking, and the web service end points (e.g. JSON WS, old JSON, Axis, REST, etc.). This layer will centralize all our protections so that we don't accidentally introduce holes as we add other WS end points.

      This layer will by default force those who wish to use any WS to authenticate. Only methods that have been explicitly annotated to allow anonymous access will provide anonymous access. Again, as a framework, we cannot assume developers will think about security. Thus, we will secure all first and allow them to open things up.

      This access security layer might also be where we integrate the authentication components (e.g. OAuth server, etc).
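
      A sketch of the deny-by-default gate described above, added here as an illustration and not taken from Liferay's code base. The `AllowAnonymous` annotation, `BlogService` class and `invoke` dispatcher are hypothetical names; the point is that every end point calls one choke point, and a method is reachable without authentication only if it was explicitly annotated.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

public class AccessGateDemo {

    // Hypothetical opt-in marker: methods without it require an authenticated caller.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface AllowAnonymous {}

    // Constructed remote service with one anonymous and one protected method.
    public static class BlogService {
        @AllowAnonymous
        public String getPublicFeed() { return "feed"; }

        public String deleteEntry(long entryId) { return "deleted " + entryId; }
    }

    // Single choke point that every end point (JSON WS, Axis, REST, ...) calls
    // before dispatching to the remote service layer. userId == null means the
    // request carried no authenticated identity.
    static Object invoke(Object service, String methodName, String userId, Object... args)
            throws Exception {
        Method target = null;
        for (Method m : service.getClass().getMethods()) {
            if (m.getName().equals(methodName) && m.getParameterCount() == args.length) {
                target = m;
                break;
            }
        }
        if (target == null) {
            throw new NoSuchMethodException(methodName);
        }
        // Secure first: a missing annotation means "authentication required".
        if (userId == null && !target.isAnnotationPresent(AllowAnonymous.class)) {
            throw new SecurityException("Authentication required for " + methodName);
        }
        return target.invoke(service, args);
    }

    public static void main(String[] argv) throws Exception {
        BlogService service = new BlogService();
        System.out.println(invoke(service, "getPublicFeed", null));        // anonymous, annotated
        System.out.println(invoke(service, "deleteEntry", "user-42", 7L)); // authenticated
        try {
            invoke(service, "deleteEntry", null, 7L);                      // anonymous, not annotated
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

      The gate only decides whether an unauthenticated caller may reach the method at all; the ACL permission checks in the remote service layer still apply after it.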


                Packages

                Version Package
                6.2.0 CE M3