Knowledge Base
Published Sep. 10, 2025

"Redirect URL is not allowed" Log Errors and Redirect Issues

Written by Jorge Diaz

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Issue

There are traces in Liferay's logs resembling this:

2019-08-27 08:46:42.641 WARN  [http-nio-8080-exec-4][PortalImpl:1003] Redirect URL .... is not allowed

Additionally, some other issues appear at the same time:

  • Some buttons in the Control Panel don't work (for instance, the 'Add' button in the Configuration for LDAP).
  • Back links don't work or might not show in some cases.
  • Informative or error messages that should be displayed in the web interface may not be shown, and some operations will silently fail instead.

Environment

  • DXP 7.0, 7.1, 7.2, 7.3, and 7.4+
  • Portal 6

Solution

These oddities are due to a security property in the Liferay platform that is set to only allow the localhost IP Address by default. These traces show up when:

  1. The request contains a redirect parameter.
  2. The redirect configurations are either not set or incorrectly configured in Liferay.

Given this situation, every time such a URL is requested there will be a warning message in the logs of the form:

2019-07-22 06:26:05.369 WARN  [http-nio-8080-exec-7][PortalImpl:987] Redirect URL http://problematic-url.... is not allowed

This warning helps prevent security breaches, such as when an attacker generates a URL with a redirect parameter to another, malicious URL (e.g., https://normal-url.com&redirect=https://malicious-url.com). While it may appear harmless, any user accessing it would be redirected to the malicious endpoint.

To avoid this, the only values allowed by default for the "redirect" and "noSuchEntryRedirect" parameters are those for the Liferay server IP.

NOTE
If you're using front-end servers or load balancers in front of your Liferay instance, it's crucial to configure the allowed redirect settings.

There are two ways to configure the allowed redirects.

Option 1: IP Redirects

DXP 7.4 and Beyond
  1. Go to Global Menu > Control Panel > Instance Settings > Pages > Redirect URLs.

  2. For the Security Mode setting, select IP.

Other Versions
  1. Add the redirect.url.security.mode=ip property to the portal-ext.properties file.
  2. Add redirect.url.ips.allowed= and enter the IPs being used.

Some considerations:

  • The default value is 127.0.0.1 and SERVER_IP, which is translated at runtime to the Liferay server IPs.
  • If Apache Httpd is used as a front-end server (on another machine) or if Liferay cannot correctly detect the server IPs, you'll need to configure all IPs that provide a service. Otherwise, some redirects might not work correctly if those IPs are requested.

Option 2: Domain Redirects

DXP 7.4 and Beyond
  1. Go to Global Menu > Control Panel > Instance Settings > Pages > Redirect URLs.

  2. For the Security Mode setting, select IP.

Other Versions
  1. Add the redirect.url.security.mode=domain property to the portal-ext.properties file.
  2. Add redirect.url.domains.allowed= and enter the domains being used.

If there is more than one domain, they should be separated by commas (e.g., "example1.com, example2.com"). Subdomains can be specified using a leading wildcard (*), such as "*.example.com".
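The matching rule described above (comma-separated entries, a leading "*." for subdomains), shown as an added Python example that is not Liferay's own code, for checking a list of redirect targets against a portal-ext.properties file before deploying it. The function names and sample values are constructed; it assumes that "*.example.com" does not match the bare "example.com" and that relative paths are always accepted.

```python
from urllib.parse import urlsplit

# Constructed portal-ext.properties content; property names are the ones in this article.
SAMPLE_PROPERTIES = """\
redirect.url.security.mode=domain
redirect.url.domains.allowed=example1.com, *.example.com
"""

def load_allowed_domains(properties_text):
    """Return the lower-cased entries of redirect.url.domains.allowed."""
    props = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    if props.get("redirect.url.security.mode") != "domain":
        raise ValueError("redirect.url.security.mode is not 'domain'")
    raw = props.get("redirect.url.domains.allowed", "")
    return [d.strip().lower() for d in raw.split(",") if d.strip()]

def host_allowed(url, allowed):
    """True if the redirect target's host matches an exact or '*.suffix' entry."""
    if "\\" in url:                      # browsers may read '\' as '/'; reject outright
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):
        return False
    host = parts.hostname                # lower-cased; userinfo and port are dropped
    if host is None:                     # no host: only a plain relative path is accepted
        return parts.scheme == ""
    for entry in allowed:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # '*.example.com' -> suffix '.example.com'
                return True
        elif host == entry:
            return True
    return False

def rejected_redirects(urls, properties_text):
    """List the URLs that would be refused under the given allowlist."""
    allowed = load_allowed_domains(properties_text)
    return [u for u in urls if not host_allowed(u, allowed)]
```

Running rejected_redirects over the public URLs of every site (including load balancer host names) shows which domains are still missing from the list before users hit the warning.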

Choosing an Option

Both configurations (IP and domain) have pros and cons:

  • If the security mode is by IP, the allowed IPs need to be updated only if the servers are changed, so creating new websites doesn't require much maintenance.
  • If the security mode is by domain, changing the servers doesn't require a configuration update, but adding a new site with a new domain will require adding it to the list and restarting the installation.

Analyze both methods strategically to determine the best approach for your solution.
