issue 23628 admin site api#33973

Draft: wezell wants to merge 31 commits into main from issue-23628-management-api

@wezell wezell commented Dec 2, 2025

Member

ref: #23628

This PR creates the idea of a canonical ADMIN_SITE_URL, which is the URL that the customer MUST use to manage their sites. If the ADMIN_SITE_URL config variable is set, then any admin URLs, e.g. /dotAdmin, will not be available on any other domain that points to the environment. It will also automatically set the x-robots-tag: noindex, nofollow on the admin site to prevent the admin domain from getting indexed as well.

The ADMIN_SITE_URL can only be set as an ENV or system config variable.

Lots of config switches:

  • ADMIN_SITE_ENABLED : boolean. This functionality is disabled by default and can be enabled by setting this variable to true.
  • ADMIN_SITE_URL : String. The main canonical URL for all admin requests. This is protocol :// domain (:optional port), e.g. https://admin.dotcms.com or https://my.supersite.com:8443.
  • ADMIN_SITE_REQUESTS_FORCE_SECURE : boolean. Defaults to false, can be set to force https (or 8082) for all admin requests.
  • ADMIN_SITE_REQUEST_HEADERS : comma-separated list. Response headers to add to requests to admin sites. Defaults to x-robots-tag: noindex, nofollow
  • ADMIN_SITE_REQUEST_DOMAINS : comma-separated list. These domains will automatically be considered as "admin only" domains. These values are automatically added to this list:
    "dotcms.com",
    "dotcms.site",
    "dotcms.io",
    "dotcms.host",
    "dotcms.cloud",
    "dotcmscloud.com",
    "localhost"
  • ADMIN_SITE_REQUEST_DOMAINS_EXCLUDE : comma-separated list. Remove these domains from the list of admin domains.
  • ADMIN_SITE_REQUEST_URIS : comma-separated list. URIs that should be considered as "admin only" URIs. These values are already added to this list:
    "/html/",
    "/admin/",
    "/c/",
    "/servlets/",
    "/categoriesservlet/",
    "/dwr/",
    "/dotajaxdirector",
    "/dotscheduledjobs",
    "/dotadmin/",
    "/jsontags/",
    "/edit/",
    "/servlet/"
  • ADMIN_SITE_REQUEST_URIS_EXCLUDE : comma-separated list. Remove these URIs as admin URIs.
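
An added sketch of the host/URI gate that the PR description above outlines; it is not code from this PR or from dotCMS. The class name AdminSiteGate, the "domain or subdomain" rule for admin domains, the case-insensitive comparison on the normalized path, and the sample hosts are all assumptions made for illustration.

```java
import java.net.URI;
import java.util.*;
/** Hypothetical sketch, not dotCMS code: admin URIs are served only on admin hosts. */
public class AdminSiteGate {
    private final String adminHost;          // host part of ADMIN_SITE_URL
    private final Set<String> adminDomains;  // ADMIN_SITE_REQUEST_DOMAINS minus ..._DOMAINS_EXCLUDE
    private final Set<String> adminUris;     // ADMIN_SITE_REQUEST_URIS minus ..._URIS_EXCLUDE

    public AdminSiteGate(String adminSiteUrl, Set<String> domains, Set<String> domainsExclude,
                         Set<String> uris, Set<String> urisExclude) {
        this.adminHost = URI.create(adminSiteUrl).getHost().toLowerCase(Locale.ROOT);
        this.adminDomains = minus(domains, domainsExclude);
        this.adminUris = minus(uris, urisExclude);
    }
    private static Set<String> minus(Set<String> base, Set<String> exclude) {
        Set<String> out = new HashSet<>();
        for (String s : base) out.add(s.toLowerCase(Locale.ROOT));
        for (String s : exclude) out.remove(s.toLowerCase(Locale.ROOT));
        return out;
    }

    /** Assumed rule: the admin host itself, or an admin domain or one of its subdomains. */
    boolean isAdminHost(String hostHeader) {
        String host = hostHeader.toLowerCase(Locale.ROOT).replaceFirst(":\\d+$", "");
        if (host.equals(adminHost)) return true;
        for (String d : adminDomains)   // label-boundary check, never a bare endsWith(d)
            if (host.equals(d) || host.endsWith("." + d)) return true;
        return false;
    }

    /** Entries are wildcarded at the end (per the PR), so this is a prefix match. */
    boolean isAdminUri(String path) {
        // Normalize first so dot segments cannot hide an admin prefix from the comparison.
        String p = URI.create(path).normalize().getPath().toLowerCase(Locale.ROOT);
        for (String u : adminUris) if (p.startsWith(u)) return true;
        return false;
    }

    boolean allow(String hostHeader, String path) {
        return !isAdminUri(path) || isAdminHost(hostHeader);
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests.
        AdminSiteGate gate = new AdminSiteGate("https://admin.example.com",
                Set.of("dotcms.cloud", "localhost"), Set.of("localhost"),
                Set.of("/dotadmin/", "/html/", "/c/"), Set.of());
        System.out.println(gate.allow("admin.example.com", "/dotAdmin/"));
        System.out.println(gate.allow("www.example.com:8443", "/x/../dotAdmin/"));
        System.out.println(gate.allow("notdotcms.cloud", "/html/portal"));
        System.out.println(gate.allow("www.example.com", "/about-us"));
    }
}
```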

@wezell wezell changed the title from "issue 23628 management api" to "issue 23628 admin site api" Dec 2, 2025

github-actions Bot commented Feb 9, 2026

Contributor

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@github-actions github-actions Bot added the stale label Feb 9, 2026
@github-actions

Contributor

This PR was closed because it has been stalled with no activity.

@github-actions github-actions Bot closed this Feb 17, 2026
@wezell wezell reopened this Mar 5, 2026
@github-actions github-actions Bot added the Area : Backend PR changes Java/Maven backend code label Mar 5, 2026
@github-actions github-actions Bot removed the stale label Mar 6, 2026
@wezell wezell marked this pull request as draft April 3, 2026 15:41

claude Bot commented Apr 3, 2026

Contributor

Claude finished @wezell's task in 1m 48s


Rollback Safety Analysis — Complete

  • Load tools
  • Read rollback-unsafe categories reference
  • Get full PR diff
  • Analyze diff against unsafe categories
  • Post results and add label

Result: Label AI: Not Safe To Rollback added. Two M-3 (MEDIUM) findings were posted as a PR comment.

Summary of findings:

  1. CompanyModel.getPortalURL() contract change — The method now delegates to AdminSiteAPI.getAdminSiteUrl() instead of returning the stored _portalURL field. Rolling back restores the old implementation, which could break login redirect flows and URL-building logic that adapted to the new behavior under N.

  2. LoginServiceAPIFactory.doActionLogin() login guard — Backend logins on non-admin domains are now silently blocked when ADMIN_SITE_ENABLED=true. Rolling back removes this guard; the safe mitigation is to ensure ADMIN_SITE_ENABLED is set to false before any rollback.

No database migrations (DDL changes, runonce tasks), Elasticsearch mapping changes, or data model version bumps were found — all changes are pure Java/filter/config additions.

* Default list of "admin" paths. These can be added to or removed by setting the ADMIN_SITE_REQUEST_URIS (to add)
* and/or ADMIN_SITE_REQUEST_URIS_EXCLUDE to remove. These are automatically wildcarded at the end, .e.g. /html/*
*/
String[] _ADMIN_SITE_REQUEST_URIS_DEFAULT = {
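
Review bot: The Javadoc above _ADMIN_SITE_REQUEST_URIS_DEFAULT says the entries are wildcarded at the end but not how the request path is compared against them. State whether matching is case-insensitive and applied to the normalized path, since the defaults in the PR description are lower case (/dotadmin/) while the description refers to /dotAdmin. The ".e.g." in the comment should read "e.g.".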

Set?

* @return
*/
default boolean allowBackendLoginsOnNonAdminSites() {
return Config.getBooleanProperty(ADMIN_SITE_ALLOW_BACKEND_LOGINS, false);
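
Review bot: The Javadoc on allowBackendLoginsOnNonAdminSites() has an empty @return, and ADMIN_SITE_ALLOW_BACKEND_LOGINS does not appear among the config switches listed in the PR description. Document the return value and add the key to that list, stating that true permits backend logins on non-admin domains and that the default is false.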

If this is called frequently, Lazy would be better

* @return
*/
private ConcurrentHashMap<String, Object> getConfig() {
ConcurrentHashMap<String, Object> config = (ConcurrentHashMap<String, Object>) CacheLocator.getSystemCache()
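
Review bot: In getConfig(), the value read from CacheLocator.getSystemCache() is cast unchecked to ConcurrentHashMap<String, Object>, and the Javadoc @return is empty. Check the type before casting so that an unexpected entry in the shared system cache fails in a controlled way, and describe in the Javadoc what the map holds.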

I think in caffeine you can do something such as

ConcurrentHashMap config = cache.get(_ADMIN_SITE_CACHE_KEY, k -> new ConcurrentHashMap<>());

It is the Caffeine approach for thread-safe computeIfAbsent


claude Bot commented Jun 24, 2026

Contributor

Pull Request Unsafe to Rollback!!!

  • Category: M-3 — REST / GraphQL / Headless API Contract Change
  • Risk Level: 🟡 MEDIUM
  • Why it's unsafe: The getPortalURL() method in CompanyModel now delegates to AdminSiteAPI.getAdminSiteUrl() instead of returning the stored _portalURL field. This method is part of the Liferay Company model and is used across the platform to build redirect URLs, links back to admin, and login page URLs. If this PR is rolled back after deployment, the old getPortalURL() will return the raw stored value from the database again — but any code or template that ran under N's version may have already been written to depend on the new behavior (the canonical admin site URL). Rolling back restores the old implementation, which could serve a stale or wrong portal URL to login flows and redirect logic.
  • Code that makes it unsafe: dotCMS/src/main/java/com/liferay/portal/model/CompanyModel.java lines 177–180:
    public String getPortalURL() {
        return APILocator.getAdminSiteAPI().getAdminSiteUrl();
    }
  • Alternative (if possible): Keep the original getPortalURL() returning _portalURL for backward compatibility, and introduce a new getAdminSiteUrl() method on CompanyModel that callers can migrate to incrementally (two-phase contract change per M-3). Add a deprecated overload or a forwarding shim so N-1 and N both resolve the same call site.

  • Category: M-3 — REST / GraphQL / Headless API Contract Change (Login behavior)
  • Risk Level: 🟡 MEDIUM
  • Why it's unsafe: LoginServiceAPIFactory.doActionLogin() now calls APILocator.getAdminSiteAPI().isAdminSite(request) and silently returns false (login blocked) for backend users connecting from a non-admin domain when ADMIN_SITE_ENABLED=true. If deployed and ADMIN_SITE_ENABLED is toggled on, then rolled back to N-1, the AdminSiteAPI guard disappears and backend logins would again be permitted on all domains. The window of inconsistency is narrowly scoped to the ADMIN_SITE_ENABLED config flag being true, but N-1 has no concept of this restriction.
  • Code that makes it unsafe: dotCMS/src/main/java/com/dotcms/cms/login/LoginServiceAPIFactory.java — new guard block in doActionLogin():
    if (!APILocator.getAdminSiteAPI().isAdminSite(request) && !loggedInUser.isFrontendUser()
            && !APILocator.getAdminSiteAPI().allowBackendLoginsOnNonAdminSites()) {
        ...
        return false;
    }
  • Alternative (if possible): This risk is inherent in the feature. Document that ADMIN_SITE_ENABLED=true must be set to false before rolling back, to restore the N-1 behavior.

@dotCMS dotCMS deleted a comment from github-actions Bot Jun 24, 2026

github-actions Bot commented Jun 24, 2026

Contributor

❌ Bedrock Review failed — us.anthropic.claude-opus-4-8

The review job failed before producing output. See the run for details.

Run: #28070660030


github-actions Bot commented Jun 24, 2026

Contributor

❌ Bedrock Review failed — qwen.qwen3-next-80b-a3b

The review job failed before producing output. See the run for details.

Run: #28070660030

Labels

AI: Not Safe To Rollback Area : Backend PR changes Java/Maven backend code
