Currently, the jsonws api is accessible to everyone (jsonws.servlet.hosts.allowed property is empty by default which means unrestricted access to any client).
(The link to access it is: http://localhost:8080/api/jsonws)
If you set this property to something else, the api will become inaccessible along with the UI.
In the next Liferay version, we would like to have the following features / changes:
1. Securitywise the default setting should be more restrictive (as with other services, by default only 127.0.0.1,SERVER_IP should be allowed).
2. There should be a seperate setting to disable the UI interface even if the service is enabled.