Service: Internal, private, CORS, auth

Enonic version: 6.4.2
OS: Mac and Linux

So I have made myself a service:
http://xp.readthedocs.org/en/stable/developer/services/index.html

And I found the url for it using
http://repo.enonic.com/public/com/enonic/xp/docs/6.4.2/docs-6.4.2-libdoc.zip!/module-lib_xp_portal.html#.serviceUrl

So it seems the service is available on any page just by adding
_/service/…
to the url.

Now I don’t want to make the service publicly available to the internet.

The doc seems to suggest that it might not be the case by default:

Attention
For sites, you may only access the services of the apps that have been added to that site.

But if I visit the below url in my browser it works, even though I’m not logged in to admin:
http://localhost:8080/portal/master/posten-no/_/service/no.posten.website/servicename?param=whatever

Which seems to indicate to me the service will be available from the internet too, if I deploy to prod…

How should I go about protecting my service urls?

I guess I should also mention the service is put in:

  • src/main/resources/services

rather than

  • src/main/resources/site/services

Is there a difference?

What happens if you put a different service with the same name in the other folder:

  • src/main/resources/services/myservice/myservice.js // does something
  • src/main/resources/site/services/myservice/myservice.js // does something else

Why do you need to create a “secret” service?

You can always check the req object to see where request comes from and handle it from there.

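As an added example (not code from this thread or from Enonic), here is what "check the req object" can look like in a service controller: the handler refuses to do any work unless the caller either holds a required role (via the XP auth library's `hasRole`) or arrives from a loopback/private address, and it answers CORS preflight only for one allow-listed origin. The role name, the origin, the `doWork` callback and the `createHandler` wrapper are assumptions introduced for the example; the request fields used (`method`, `remoteAddress`, `headers`, `params`) are assumed to match the XP request object. The auth library is passed in as a parameter so the file also runs stand-alone under Node.

```javascript
// Added example: a guarded Enonic XP service handler.
// Not the thread's or Enonic's own code; the role name, allowed origin,
// createHandler and doWork are hypothetical names for this example.

var REQUIRED_ROLE = 'com.example.app.service-caller'; // hypothetical role id
var ALLOWED_ORIGIN = 'https://www.example.com';       // hypothetical front-end origin

// True for loopback and RFC 1918 IPv4 ranges and the IPv6 loopback address.
// Note: behind a reverse proxy, remoteAddress is usually the proxy's address,
// so this is a convenience for same-host callers, not a substitute for auth.
function isInternalAddress(addr) {
  if (!addr) return false;
  if (addr === '::1' || addr === '0:0:0:0:0:0:0:1') return true;
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31);
}

// CORS response headers for an origin that passed the allow-list check.
function corsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin'
  };
}

// Reads the Origin header whatever letter case the runtime used for the key.
function requestOrigin(req) {
  var h = req.headers || {};
  return h.Origin || h.origin || '';
}

// auth: object with hasRole(role) -> boolean (in XP: require('/lib/xp/auth'))
// doWork: function(req) -> object, the service's real job, only run when allowed
function createHandler(auth, doWork) {
  return function (req) {
    var origin = requestOrigin(req);
    var originOk = origin === ALLOWED_ORIGIN;
    var headers = originOk ? corsHeaders(origin) : {};

    // CORS preflight: answer only for the allow-listed origin, never do work.
    if (req.method === 'OPTIONS') {
      return { status: originOk ? 204 : 403, headers: headers };
    }

    // Authorization: same-host caller, or an authenticated user with the role.
    var allowed = isInternalAddress(req.remoteAddress) || auth.hasRole(REQUIRED_ROLE);
    if (!allowed) {
      return {
        status: 403,
        headers: headers,
        contentType: 'application/json',
        body: { error: 'forbidden' }
      };
    }

    return {
      status: 200,
      headers: headers,
      contentType: 'application/json',
      body: doWork(req)
    };
  };
}

// In the XP service file (e.g. src/main/resources/services/myservice/myservice.js)
// the wiring would be (assumed, not verified against 6.4.2):
//   var authLib = require('/lib/xp/auth');
//   exports.get = createHandler(authLib, function (req) { return { echo: req.params }; });
//   exports.options = exports.get;
```

The point of splitting the work into `doWork` is that the guard runs first for every method and the service body never sees a request that was not authorized; if the role check is the only control you need, drop the address branch, since `remoteAddress` behind a proxy or load balancer will not be the real client.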

Why is better answered in private :slight_smile:

Checking req is a good and simple solution.