Correct the default allowed-origins in rest.cfg. Enhance comments in rest.cfg & Application

dspace-server-webapp/src/main/java/org/dspace/app/rest/Application.java

@@ -126,6 +126,10 @@ public class Application extends SpringBootServletInitializer {
     public WebMvcConfigurer webMvcConfigurer() {
 
         return new WebMvcConfigurer() {
+            /**
+             * Create a custom CORS mapping for the DSpace REST API (/api/ paths), based on configured allowed origins.
+             * @param registry CorsRegistry
+             */
             @Override
             public void addCorsMappings(@NonNull CorsRegistry registry) {
                 String[] corsAllowedOrigins = configuration.getCorsAllowedOrigins();

dspace/config/modules/rest.cfg

@@ -3,13 +3,14 @@
 #---------------------------------------------------------------#
 # These configs are used by the RESTv7 module                   #
 #---------------------------------------------------------------#
-# Allowed CORS origins. Defaults to * (everywhere)
-# Multiple allowed origin URLs may be comma separated
+# Allowed CORS origins ("Access-Control-Allow-Origin" header).
+# Defaults to ${dspace.ui.url} if unspecified.
+# Multiple allowed origin URLs may be comma separated. Wildcard value (*) is *NOT SUPPORTED*.
 # (Requires reboot of servlet container, e.g. Tomcat, to reload)
-rest.cors.allowed-origins = *
+rest.cors.allowed-origins = ${dspace.ui.url}
 
 # This property determines the max embeddepth for a FullProjection. This is also used by the SpecificLevelProjection
-# as a fallback incase the property is defined on the bean
+# as a fallback in case the property is defined on the bean
 rest.projections.full.max = 2
 
 # This property determines the max embed depth for a SpecificLevelProjection
@@ -24,34 +25,34 @@ rest.stats = true
 #------------------------------------------------------------------#
 # REST API Reporting Tools                                         #
 #------------------------------------------------------------------#
-# This project is intended as an optional add-on to DSpace to provide 
-# Quality Control Reporting for Collection Managers.       
+# This project is intended as an optional add-on to DSpace to provide
+# Quality Control Reporting for Collection Managers.
 #
 # See https://github.com/DSpace-Labs/DSpace-REST-Reports
-#                                                                  
-# These reports utilize the DSpace REST API to provide a Collection 
+#
+# These reports utilize the DSpace REST API to provide a Collection
 # Manager with
 #  - an overview of their collections
 #  - a tool to query metadata for consistency
 #
-# When deploying the DSpace REST API, and institution may choose to 
-# make the API publicly accessible or to restrict access to the API. 
-# If these reports are deployed in a protected manner, the reporting 
-# tools can be configured to bypass DSpace authorization when 
-# reporting on collections and items. 
+# When deploying the DSpace REST API, and institution may choose to
+# make the API publicly accessible or to restrict access to the API.
+# If these reports are deployed in a protected manner, the reporting
+# tools can be configured to bypass DSpace authorization when
+# reporting on collections and items.
 
 ##### Configure the report pages that can be requested by name #####
 # Create a map of named reports that are available to a report tool user
-# Each map entry should be prefixed with rest-report-url 
+# Each map entry should be prefixed with rest-report-url
 #   The map key is a name for a report
 #   The map value is a URL to a report page
 # A list of available reports will be available with the call /rest/reports.
 # If a request is sent to /rest/reports/[report key], the request will be re-directed to the specified URL
-# 
+#
 # This project currently contains 2 sample reports.  Eventually, additional reports could be introduced through this mechanism.
 rest.report-url.collections = static/reports/index.html
 rest.report-url.item-query = static/reports/query.html
-#rest.report-url.custom = 
+#rest.report-url.custom =
 
 ##### database specific way to format a regex SQL clause #####
 # The REST Report Tools may pass a regular expression test to the database.
@@ -64,10 +65,10 @@ rest.regex-clause = text_value ~ ?
 # Private items and withdrawn items are frequently excluded from DSpace reports.
 # Additional filters can be configured to examine other item properties.
 # For instance, items containing an image bitstream often have different requirements from a item containing a PDF.
-# The DSpace REST reports come with a variety of filters that examine item properties, item bitstream properties, 
+# The DSpace REST reports come with a variety of filters that examine item properties, item bitstream properties,
 # and item authorization policies.  The existing filters can be used as an example to construct institution specific filters
 # that will test conformity to a set of institutional policies.
-# plugin.sequence.org.dspace.rest.filter points to a list of classes that contain available filters.  
+# plugin.sequence.org.dspace.rest.filter points to a list of classes that contain available filters.
 # Each class must implement the ItemFilterList interface.
 #   ItemFilterDefs:     Filters that examine simple item and bitstream type properties
 #   ItemFilterDefsMisc: Filters that examine bitstream mime types and dependencies between bitstreams
@@ -99,17 +100,17 @@ rest.report-mime-document-supported = application/pdf
 rest.report-mime-document-image = image/jpeg,image/jp2
 
 # Minimum size for a supported PDF in the repository
-# PDF bitstreams smaller than this size will be highlighted in a report.  
+# PDF bitstreams smaller than this size will be highlighted in a report.
 # PDF files smaller than this size are potentially corrupt.
 rest.report-pdf-min-size = 20000
 
 # Maximum size for a typical PDF in the repository
-# PDF bitstreams larger than this size will be highlighted in a report.  
+# PDF bitstreams larger than this size will be highlighted in a report.
 # PDF files larger than this size may be slow to retrieve.
 rest.report-pdf-max-size = 25000000
 
 # Minimum size for a thumbnail - could indicate a corrupted original
-# Thumbnail bitstreams smaller than this size will be highlighted in a report.  
+# Thumbnail bitstreams smaller than this size will be highlighted in a report.
 # Thumbnail files smaller than this size are potentially corrupt.
 rest.report-thumbnail-min-size = 400
 
@@ -118,7 +119,7 @@ rest.report-thumbnail-min-size = 400
 # This description identifies thumbnails that can safely be re-generated.
 rest.report-gen-thumbnail-desc = Generated Thumbnail
 
-#### Metadata Filtering by Regular Expression ##### 
+#### Metadata Filtering by Regular Expression #####
 # Used by org.dspace.rest.filter.ItemFilterDefsMeta
 # This class filters items based on metadata properties.
 # These filters are useful for filtering a small set of items.  These filters will be inefficient as a query tool.