Correct the default allowed-origins in rest.cfg. Enhance comments in rest.cfg & Application

2025-10-17 15:03:18 +00:00 · 2020-04-02 14:27:54 -05:00
parent d3d4ff9094
commit 1f07d465a2
2 changed files with 27 additions and 22 deletions
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/Application.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/Application.java
@@ -126,6 +126,10 @@ public class Application extends SpringBootServletInitializer {
    public WebMvcConfigurer webMvcConfigurer() {

        return new WebMvcConfigurer() {
+            /**
+             * Create a custom CORS mapping for the DSpace REST API (/api/ paths), based on configured allowed origins.
+             * @param registry CorsRegistry
+             */
            @Override
            public void addCorsMappings(@NonNull CorsRegistry registry) {
                String[] corsAllowedOrigins = configuration.getCorsAllowedOrigins();
--- a/dspace/config/modules/rest.cfg
+++ b/dspace/config/modules/rest.cfg
@@ -3,10 +3,11 @@
 #---------------------------------------------------------------#
 # These configs are used by the RESTv7 module                   #
 #---------------------------------------------------------------#
-# Allowed CORS origins. Defaults to * (everywhere)
-# Multiple allowed origin URLs may be comma separated
+# Allowed CORS origins ("Access-Control-Allow-Origin" header).
+# Defaults to ${dspace.ui.url} if unspecified.
+# Multiple allowed origin URLs may be comma separated. Wildcard value (*) is *NOT SUPPORTED*.
 # (Requires reboot of servlet container, e.g. Tomcat, to reload)
-rest.cors.allowed-origins = *
+rest.cors.allowed-origins = ${dspace.ui.url}

 # This property determines the max embeddepth for a FullProjection. This is also used by the SpecificLevelProjection
 # as a fallback in case the property is defined on the bean