
Liferay JSON Web Services available at /api/jsonws is open access for any user

On Liferay 6.2, the JSON Web Services are open access via http://example.com/api/jsonws. I know that I can restrict access to it to some special IPs via portal-ext.properties. But I want to grant this permission just to Administrators to see this page. A Liferay document says:

Liferay's user permission layer is the last Liferay security layer triggered when services are invoked remotely.

But I couldn't find anything, neither in portal.properties nor in Control Panel/Roles, to set such a permission for Administrators to prevent others from seeing http://example.com/api/jsonws.

As @Olaf Kock commented under my question, after not getting answered here, I repeated my question in the Liferay forum. I repeat the digest of that thread here:

In Liferay 6.2, that page cannot be restricted using Permissions unless I write a hook. For Liferay 7.0+, this post is helpful. Eventually, I used jsonws.servlet.hosts.allowed in portal-ext.properties and restricted the access to that page to some safe IPs.
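An added example, not part of the original post or Liferay's own code: a small Python check that reads the text of a portal-ext.properties file and reports whether jsonws.servlet.hosts.allowed actually restricts /api/jsonws. The sample files and addresses are constructed, audit_jsonws and parse_properties are hypothetical helpers, and jsonws.servlet.https.required is a related Liferay property the post does not mention.

```python
import ipaddress

# Property names as they appear in Liferay 6.2's portal.properties.
HOSTS_KEY = "jsonws.servlet.hosts.allowed"
HTTPS_KEY = "jsonws.servlet.https.required"

def parse_properties(text):
    """Parse simple key=value lines; a later assignment overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # skip blanks and comments
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_jsonws(text):
    """Return (allowed_hosts, findings) for the JSONWS servlet settings."""
    props = parse_properties(text)
    # Unset in portal-ext.properties means the portal.properties default (blank) applies.
    hosts = [h.strip() for h in props.get(HOSTS_KEY, "").split(",") if h.strip()]
    findings = []
    if not hosts:
        findings.append(f"{HOSTS_KEY} is blank or unset: /api/jsonws is reachable from any host")
    for host in hosts:
        if host == "SERVER_IP":   # token Liferay replaces with the portal host's own IP
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            # Assumption: only literal IPs are expected here; flag anything else for review.
            findings.append(f"{HOSTS_KEY} entry {host!r} is not a literal IP address")
    if props.get(HTTPS_KEY, "false").lower() != "true":
        findings.append(f"{HTTPS_KEY} is not true: JSONWS requests are not required to use HTTPS")
    return hosts, findings

# Constructed sample files; 192.0.2.10 is a documentation-range placeholder.
OPEN_CONFIG = "# no JSONWS restriction\njsonws.servlet.hosts.allowed=\n"
RESTRICTED_CONFIG = (
    "jsonws.servlet.hosts.allowed=127.0.0.1,SERVER_IP,192.0.2.10\n"
    "jsonws.servlet.https.required=true\n"
)

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        hosts, findings = audit_jsonws(cfg)
        print(name, hosts, findings or "no findings")
```

This only inspects the file; the IP allow-list limits who can reach the servlet and does not replace the per-user permission checks applied when a service is invoked.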
