Issue
There are traces in the log of this type:
2019-08-27 08:46:42.641 WARN [http-nio-8080-exec-4][PortalImpl:1003] Redirect URL .... is not allowed
Additionally, some other issues appear at the same time:
- Some buttons in the Control Panel don't work (for instance, the 'Add' button in the LDAP configuration).
- Back links don't work or may not be shown in some cases.
- Informative or error messages that should be displayed in the web interface may not be shown, and some operations silently fail instead.
Environment
- DXP 7.0, 7.1, 7.2, 7.3, 7.4
- Portal 6.0, 6.1, 6.2
Solution
These traces show up when:
- a request contains a redirect parameter, and
- the redirect configuration in Liferay is either not set or incorrectly set.
Note: The allowed redirects are configured:
- Portal 6.x, DXP 7.0, 7.1, 7.2 and 7.3: in the portal-ext.properties configuration file, see: https://docs.liferay.com/portal/7.0-latest/propertiesdoc/portal.properties.html#Redirect
- DXP 7.4: in Control Panel > Instance Settings > Pages > Redirect URLs
In this situation, every time such a URL is requested a warning message of the following form is written to the logs:
2019-07-22 06:26:05.369 WARN [http-nio-8080-exec-7][PortalImpl:987] Redirect URL http://problematic-url.... is not allowed
This check prevents open-redirect attacks, in which an attacker crafts a URL whose redirect parameter points to a malicious site, for example https://normal-url.com&redirect=https://malicious-url.com. The link looks harmless, but anyone following it would be redirected to the malicious URL.
To prevent this, the only values allowed by default for the parameters "redirect" and "noSuchEntryRedirect" are those whose host is 127.0.0.1 or the server IP.
If there are front-end servers or load balancers in front of Liferay, the allowed redirect settings must be configured:
- Portal 6.x, DXP 7.0, 7.1, 7.2 and 7.3: in the portal-ext.properties configuration file, the redirect properties, namely redirect.url.security.mode, redirect.url.domains.allowed and redirect.url.ips.allowed.
- DXP 7.4: in Control Panel > Instance Settings > Pages > Redirect URLs, the following settings: Security Mode, Allowed Domains, Allowed IPs.
The first property, redirect.url.security.mode (DXP 7.4: Security Mode), controls the type of validation to apply: by IP or by domain.
All in all, to configure the allowed redirects two options are available:
- Option 1: Set redirect.url.security.mode=ip (DXP 7.4: Security Mode set to the IP value) and redirect.url.ips.allowed (DXP 7.4: Allowed IPs) to the IPs in use.
  - The default value is 127.0.0.1 and "SERVER_IP", which is translated at runtime to the Liferay server IPs.
  - If Apache Httpd is used as a front-end server (on another machine) or if Liferay cannot correctly detect the server IPs, you will need to configure all IPs that serve requests. Otherwise, some redirects may not work when those IPs are requested.
- Option 2: Set redirect.url.security.mode=domain (DXP 7.4: Security Mode set to the Domain value) and redirect.url.domains.allowed (DXP 7.4: Allowed Domains) to the domains in use.
  - If there is more than one domain, separate them with commas (example1.com, example2.com). Subdomains can be specified using a leading wildcard (*): *.example.com
Both configurations, by IP or by domain, have pros and cons:
- If the security mode is by IP, the list only needs updating when the servers change, so creating new web sites requires no maintenance action.
- If the security mode is by domain, it is the other way around: a change of servers needs no action, but adding a new site with a new domain requires adding it to the list and restarting the installation.
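To make the two validation modes concrete, the following Python script is an added illustration and is not Liferay's own code (Liferay's actual check lives in PortalImpl and may differ in detail). It parses a constructed portal-ext.properties fragment containing the three redirect.url.* properties, then decides whether a given redirect target would be allowed in "ip" or "domain" mode. The expansion of SERVER_IP to the host's addresses, the rule that a bare apex domain is not matched by a *.example.com wildcard, and the handling of relative paths are assumptions of this model. A small helper at the end extracts the rejected URL from the WARN line shown above, which is useful when reviewing logs for repeated redirect attempts against a site.

```python
"""Model of Liferay-style redirect allow-listing (added example, not Liferay's code)."""
import re
from urllib.parse import urlsplit

# Constructed sample portal-ext.properties fragments (not from the original page).
SAMPLE_PROPERTIES_DOMAIN = """
redirect.url.security.mode=domain
redirect.url.domains.allowed=example1.com,example2.com,*.example.com
redirect.url.ips.allowed=127.0.0.1,SERVER_IP
"""

SAMPLE_PROPERTIES_IP = """
redirect.url.security.mode=ip
redirect.url.ips.allowed=127.0.0.1,SERVER_IP
"""

# Assumption: the addresses Liferay would resolve SERVER_IP to on this host.
SERVER_IPS = {"10.0.0.5"}

# Log line quoted from the article, used to demonstrate the extraction helper.
LOG_LINE = ("2019-07-22 06:26:05.369 WARN [http-nio-8080-exec-7][PortalImpl:987] "
            "Redirect URL http://problematic-url.... is not allowed")


def parse_properties(text):
    """Minimal key=value parser, enough for the redirect.url.* properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Split a comma-separated property value, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def host_matches_domain(host, pattern):
    """'*.example.com' matches any subdomain; a plain entry must match exactly.

    Assumption: the wildcard does not match the bare apex 'example.com'.
    """
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_redirect_allowed(redirect, props, server_ips=SERVER_IPS):
    """Return True if `redirect` may be followed under the configured security mode.

    Relative paths (no scheme, no host) are treated as same-site and allowed.
    Anything else that yields no host (e.g. 'javascript:' URLs) is rejected,
    so the default outcome is deny.
    """
    parts = urlsplit(redirect)
    host = parts.hostname  # urlsplit already lowercases and strips userinfo
    if host is None:
        return parts.scheme == "" and redirect.startswith("/")
    mode = props.get("redirect.url.security.mode", "ip")
    if mode == "domain":
        allowed = split_list(props.get("redirect.url.domains.allowed", ""))
        return any(host_matches_domain(host, p) for p in allowed)
    # ip mode (the default): expand SERVER_IP, then require an exact IP match.
    allowed = set()
    for entry in split_list(props.get("redirect.url.ips.allowed", "127.0.0.1,SERVER_IP")):
        if entry == "SERVER_IP":
            allowed |= set(server_ips)
        else:
            allowed.add(entry)
    return host in allowed


_REJECTED = re.compile(r"Redirect URL (\S+) is not allowed")


def rejected_url_from_log(line):
    """Pull the rejected target out of a PortalImpl 'Redirect URL ... is not allowed' line."""
    match = _REJECTED.search(line)
    return match.group(1) if match else None


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES_DOMAIN)
    for target in ("https://example1.com/web/guest", "https://shop.example.com/cart",
                   "https://malicious-url.com", "//malicious-url.com", "/web/guest/home"):
        print(f"{target!r:45} allowed={is_redirect_allowed(target, props)}")
    print("rejected target in log line:", rejected_url_from_log(LOG_LINE))
```

The host is taken from `urlsplit(...).hostname` rather than by string prefix matching, so values such as `https://example1.com@malicious-url.com/` or the scheme-relative `//malicious-url.com` resolve to the real destination host and are rejected; a prefix check on the raw string would accept the first of these.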
Additional Information
- Errors and Redirect Issues While Using the Control Panel
- Using a Web Server With the Liferay Platform
- Redirect properties of portal.properties: DXP 7.0, DXP 7.1, DXP 7.2, DXP 7.3
- DXP 7.4 issue where the portal-ext.properties properties were moved to the instance settings configuration section: LPS-128837