dotCMS · mbiuki · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/dotCMS/src/main/java/com/dotcms/auth/providers/saml/v1/DotSamlResource.java b/dotCMS/src/main/java/com/dotcms/auth/providers/saml/v1/DotSamlResource.java
@@ -17,6 +17,7 @@
 import com.dotmarketing.business.APILocator;
 import com.dotmarketing.exception.DoesNotExistException;
 import com.dotmarketing.exception.DotSecurityException;
+import com.dotmarketing.util.Config;
 import com.dotmarketing.util.Logger;
 import com.dotmarketing.util.UtilMethods;
 import com.dotmarketing.util.WebKeys;
@@ -501,12 +502,20 @@ public void logoutGet(@Parameter(description = "Identity Provider configuration
 
 	/*
 	 * Builds the base url from the initiating Servlet Request.
+	 * Prefers the configured sPEndpointHostname (DOT_SAML_SERVICE_PROVIDER_HOST_NAME) over
+	 * the raw request server name, so deployments behind a CDN can use the public hostname
+	 * instead of leaking the origin server hostname.
 	 */
-	private String buildBaseUrlFromRequest(final HttpServletRequest httpServletRequest) {
+	@VisibleForTesting
+	String buildBaseUrlFromRequest(final HttpServletRequest httpServletRequest) {
 
-		final String uri = httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + ":"
-				+ httpServletRequest.getServerPort() + "/dotAdmin/show-logout";
+		final String configuredHost = Config.getStringProperty(
+				SamlName.DOT_SAML_SERVICE_PROVIDER_HOST_NAME.getPropertyName(), null);
+		final String host = UtilMethods.isSet(configuredHost)
+				? configuredHost
+				: httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + ":"
+						+ httpServletRequest.getServerPort();
 
-		return uri;
+		return host + "/dotAdmin/show-logout";
 	}
 }
diff --git a/dotCMS/src/main/java/com/dotcms/rest/AnonymousAccess.java b/dotCMS/src/main/java/com/dotcms/rest/AnonymousAccess.java
@@ -1,6 +1,7 @@
 package com.dotcms.rest;
 
 import com.dotmarketing.util.Config;
+import com.dotmarketing.util.Logger;
 
 public enum AnonymousAccess {
 
@@ -35,7 +36,16 @@ public static AnonymousAccess from(final String accessString) {
    * @return
    */
   public static AnonymousAccess systemSetting() {
-    return from(Config.getStringProperty(CONTENT_APIS_ALLOW_ANONYMOUS,"READ"));
+    final AnonymousAccess setting = from(Config.getStringProperty(CONTENT_APIS_ALLOW_ANONYMOUS, "READ"));
+    if (setting == READ || setting == WRITE) {
+      Logger.warn(AnonymousAccess.class,
+          "SECURITY: CONTENT_APIS_ALLOW_ANONYMOUS=" + setting
+              + " — content API is accessible without authentication."
+              + " If this instance is deployed behind a CDN/WAF, ensure the origin server"
+              + " is network-restricted to trusted proxies only (e.g., CloudFront IP ranges)."
+              + " Set CONTENT_APIS_ALLOW_ANONYMOUS=NONE for fully private instances.");
+    }
+    return setting;
   }
 
 

diff --git a/dotCMS/src/main/resources/dotmarketing-config.properties b/dotCMS/src/main/resources/dotmarketing-config.properties
@@ -303,15 +303,24 @@ INDEX_METADATA_FIELDS=width,height,contentType,author,keywords,fileSize,content,
 
 
 ## CONTENT_APIS_ALLOW_ANONYMOUS controls what level of access
-## to grant ANONYMOUS (not logged in) visitors to dotCMS Content apis
-## This property is only respected by a few APIs, specifically the APIs that have to do with
-## mananging content in the dotCMS content store.
+## to grant ANONYMOUS (not logged in) visitors to dotCMS Content APIs.
+## This property is only respected by APIs related to managing content in the dotCMS content store.
 ##
 ## For anonymous content submittal to work (form builder, contentAPI)
 ## this needs to be set to WRITE, otherwise
-## users will need to authenticate before subitting content
+## users will need to authenticate before submitting content.
 ##
-## Possible values are NONE | READ | WRITE
+## SECURITY NOTE: When set to READ or WRITE, the content API returns data to unauthenticated
+## callers. If this instance is deployed behind a CDN/WAF (e.g., CloudFront + DataDome),
+## ensure the origin server is network-restricted to only accept traffic from the CDN —
+## otherwise CDN-level security controls can be bypassed via direct origin access.
+## For selective per-path authentication without disabling public content delivery,
+## use the com.dotcms.userproxy plugin: https://github.com/dotcms-community/com.dotcms.userproxy
+##
+## Possible values: NONE | READ | WRITE
+## NONE  — all content API reads require authentication (use for fully private instances)
+## READ  — unauthenticated callers can read content (default; suitable for public-facing sites)
+## WRITE — unauthenticated callers can also write content (highest risk; use with caution)
 CONTENT_APIS_ALLOW_ANONYMOUS=READ
 
 ## Temp Resource File Uploads

diff --git a/dotCMS/src/test/java/com/dotcms/auth/providers/saml/v1/DotSamlResourceBuildBaseUrlTest.java b/dotCMS/src/test/java/com/dotcms/auth/providers/saml/v1/DotSamlResourceBuildBaseUrlTest.java
@@ -0,0 +1,130 @@
+package com.dotcms.auth.providers.saml.v1;
+
+import com.dotcms.UnitTestBase;
+import com.dotcms.rest.WebResource;
+import com.dotcms.saml.IdentityProviderConfigurationFactory;
+import com.dotcms.saml.SamlAuthenticationService;
+import com.dotcms.saml.SamlConfigurationService;
+import com.dotcms.saml.SamlName;
+import com.dotmarketing.util.Config;
+import org.junit.After;
+import org.junit.Test;
+
+import javax.servlet.http.HttpServletRequest;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+/**
+ * Unit tests for {@link DotSamlResource#buildBaseUrlFromRequest(HttpServletRequest)}.
+ *
+ * Verifies that the logout base URL prefers the configured {@code sPEndpointHostname}
+ * over the raw origin hostname from the servlet request, preventing the origin server
+ * address from leaking through the SAML logout redirect.
+ */
+public class DotSamlResourceBuildBaseUrlTest extends UnitTestBase {
+
+    private static final String CONFIGURED_HOST = "https://public.cdn.example.com";
+    private static final String REQUEST_SCHEME  = "https";
+    private static final String REQUEST_HOST    = "origin-server.internal.example.com";
+    private static final int    REQUEST_PORT    = 443;
+
+    @After
+    public void cleanup() {
+        Config.setProperty(SamlName.DOT_SAML_SERVICE_PROVIDER_HOST_NAME.getPropertyName(), null);
+    }
+
+    private DotSamlResource buildResource() {
+        return new DotSamlResource(
+                mock(SamlConfigurationService.class),
+                mock(SAMLHelper.class),
+                mock(SamlAuthenticationService.class),
+                mock(IdentityProviderConfigurationFactory.class),
+                mock(WebResource.class)
+        );
+    }
+
+    private HttpServletRequest mockRequest() {
+        final HttpServletRequest request = mock(HttpServletRequest.class);
+        when(request.getScheme()).thenReturn(REQUEST_SCHEME);
+        when(request.getServerName()).thenReturn(REQUEST_HOST);
+        when(request.getServerPort()).thenReturn(REQUEST_PORT);
+        return request;
+    }
+
+    /**
+     * Method to test: {@link DotSamlResource#buildBaseUrlFromRequest(HttpServletRequest)}
+     * Given Scenario: {@code sPEndpointHostname} is configured with a CDN/public hostname
+     * ExpectedResult: Returned URL uses the configured hostname, not the request server name,
+     *                 preventing the origin hostname from being exposed in the SAML redirect
+     */
+    @Test
+    public void testBuildBaseUrl_usesConfiguredHostname_whenSet() {
+        Config.setProperty(SamlName.DOT_SAML_SERVICE_PROVIDER_HOST_NAME.getPropertyName(), CONFIGURED_HOST);
+
+        final String result = buildResource().buildBaseUrlFromRequest(mockRequest());
+
+        assertEquals(CONFIGURED_HOST + "/dotAdmin/show-logout", result);
+    }
+
+    /**
+     * Method to test: {@link DotSamlResource#buildBaseUrlFromRequest(HttpServletRequest)}
+     * Given Scenario: {@code sPEndpointHostname} is not configured
+     * ExpectedResult: Falls back to constructing the URL from the request scheme, host and port
+     */
+    @Test
+    public void testBuildBaseUrl_fallsBackToRequestHostname_whenNotConfigured() {
+        Config.setProperty(SamlName.DOT_SAML_SERVICE_PROVIDER_HOST_NAME.getPropertyName(), null);
+
+        final String result = buildResource().buildBaseUrlFromRequest(mockRequest());
+
+        final String expected = REQUEST_SCHEME + "://" + REQUEST_HOST + ":" + REQUEST_PORT + "/dotAdmin/show-logout";
+        assertEquals(expected, result);
+    }
+
+    /**
+     * Method to test: {@link DotSamlResource#buildBaseUrlFromRequest(HttpServletRequest)}
+     * Given Scenario: {@code sPEndpointHostname} is set to an empty string
+     * ExpectedResult: Treated as not-set; falls back to the request hostname
+     */
+    @Test
+    public void testBuildBaseUrl_fallsBackToRequestHostname_whenConfiguredHostIsEmpty() {
+        Config.setProperty(SamlName.DOT_SAML_SERVICE_PROVIDER_HOST_NAME.getPropertyName(), "");
+
+        final String result = buildResource().buildBaseUrlFromRequest(mockRequest());
+
+        assertTrue("Should fall back to request hostname when config is empty",
+                result.contains(REQUEST_HOST));
+    }
+
+    /**
+     * Method to test: {@link DotSamlResource#buildBaseUrlFromRequest(HttpServletRequest)}
+     * Given Scenario: Configured hostname without trailing slash, result must end in the logout path
+     * ExpectedResult: URL always ends with {@code /dotAdmin/show-logout}
+     */
+    @Test
+    public void testBuildBaseUrl_alwaysEndsWithLogoutPath() {
+        Config.setProperty(SamlName.DOT_SAML_SERVICE_PROVIDER_HOST_NAME.getPropertyName(), CONFIGURED_HOST);
+
+        final String result = buildResource().buildBaseUrlFromRequest(mockRequest());
+
+        assertTrue("URL must end with /dotAdmin/show-logout", result.endsWith("/dotAdmin/show-logout"));
+    }
+
+    /**
+     * Method to test: {@link DotSamlResource#buildBaseUrlFromRequest(HttpServletRequest)}
+     * Given Scenario: Configured hostname is set — result must not contain the origin request hostname
+     * ExpectedResult: Origin hostname is absent from the returned URL, preventing origin leakage
+     */
+    @Test
+    public void testBuildBaseUrl_doesNotLeakOriginHostname_whenConfigured() {
+        Config.setProperty(SamlName.DOT_SAML_SERVICE_PROVIDER_HOST_NAME.getPropertyName(), CONFIGURED_HOST);
+
+        final String result = buildResource().buildBaseUrlFromRequest(mockRequest());
+
+        assertTrue("Origin hostname must not appear in the URL when sPEndpointHostname is configured",
+                !result.contains(REQUEST_HOST));
+    }
+}
diff --git a/dotCMS/src/test/java/com/dotcms/rest/AnonymousAccessTest.java b/dotCMS/src/test/java/com/dotcms/rest/AnonymousAccessTest.java
@@ -0,0 +1,129 @@
+package com.dotcms.rest;
+
+import com.dotcms.UnitTestBase;
+import com.dotmarketing.util.Config;
+import org.junit.After;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * Unit tests for {@link AnonymousAccess#systemSetting()}.
+ *
+ * Verifies that the correct {@link AnonymousAccess} level is resolved from the
+ * {@code CONTENT_APIS_ALLOW_ANONYMOUS} config property, and that the method
+ * behaves consistently across all valid and invalid input values.
+ */
+public class AnonymousAccessTest extends UnitTestBase {
+
+    @After
+    public void cleanup() {
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, null);
+    }
+
+    /**
+     * Method to test: {@link AnonymousAccess#systemSetting()}
+     * Given Scenario: No property is set in config
+     * ExpectedResult: Returns READ (the hardcoded default)
+     */
+    @Test
+    public void testSystemSetting_defaultsToRead_whenPropertyNotSet() {
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, null);
+
+        final AnonymousAccess result = AnonymousAccess.systemSetting();
+
+        assertEquals("Default should be READ when property is not set",
+                AnonymousAccess.READ, result);
+    }
+
+    /**
+     * Method to test: {@link AnonymousAccess#systemSetting()}
+     * Given Scenario: Property is explicitly set to READ
+     * ExpectedResult: Returns READ
+     */
+    @Test
+    public void testSystemSetting_returnsRead_whenSetToRead() {
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, "READ");
+
+        final AnonymousAccess result = AnonymousAccess.systemSetting();
+
+        assertEquals(AnonymousAccess.READ, result);
+    }
+
+    /**
+     * Method to test: {@link AnonymousAccess#systemSetting()}
+     * Given Scenario: Property is explicitly set to NONE
+     * ExpectedResult: Returns NONE (no anonymous access)
+     */
+    @Test
+    public void testSystemSetting_returnsNone_whenSetToNone() {
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, "NONE");
+
+        final AnonymousAccess result = AnonymousAccess.systemSetting();
+
+        assertEquals(AnonymousAccess.NONE, result);
+    }
+
+    /**
+     * Method to test: {@link AnonymousAccess#systemSetting()}
+     * Given Scenario: Property is set to WRITE
+     * ExpectedResult: Returns WRITE
+     */
+    @Test
+    public void testSystemSetting_returnsWrite_whenSetToWrite() {
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, "WRITE");
+
+        final AnonymousAccess result = AnonymousAccess.systemSetting();
+
+        assertEquals(AnonymousAccess.WRITE, result);
+    }
+
+    /**
+     * Method to test: {@link AnonymousAccess#systemSetting()}
+     * Given Scenario: Property is set to an unrecognised value
+     * ExpectedResult: Returns NONE (safe default from {@link AnonymousAccess#from})
+     */
+    @Test
+    public void testSystemSetting_returnsNone_whenValueIsInvalid() {
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, "INVALID_VALUE");
+
+        final AnonymousAccess result = AnonymousAccess.systemSetting();
+
+        assertEquals("Invalid value should fall back to NONE (safest default)",
+                AnonymousAccess.NONE, result);
+    }
+
+    /**
+     * Method to test: {@link AnonymousAccess#systemSetting()}
+     * Given Scenario: Property value is lowercase
+     * ExpectedResult: Returns the matching enum (case-insensitive match)
+     */
+    @Test
+    public void testSystemSetting_isCaseInsensitive() {
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, "read");
+
+        final AnonymousAccess result = AnonymousAccess.systemSetting();
+
+        assertEquals("Matching should be case-insensitive", AnonymousAccess.READ, result);
+    }
+
+    /**
+     * Method to test: {@link AnonymousAccess#systemSetting()}
+     * Given Scenario: READ and WRITE settings represent non-private instances
+     *                 that should trigger a security warning at startup
+     * ExpectedResult: READ and WRITE are not equal to NONE — confirming the
+     *                 warning branch is reached for those values
+     */
+    @Test
+    public void testSystemSetting_readAndWrite_areNotNone_warningBranchReached() {
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, "READ");
+        final AnonymousAccess read = AnonymousAccess.systemSetting();
+
+        Config.setProperty(AnonymousAccess.CONTENT_APIS_ALLOW_ANONYMOUS, "WRITE");
+        final AnonymousAccess write = AnonymousAccess.systemSetting();
+
+        // NONE would not trigger the startup warning; READ and WRITE do
+        assertEquals(false, AnonymousAccess.NONE == read);
+        assertEquals(false, AnonymousAccess.NONE == write);
+    }
+}