[CST-5288] Add CorsMapping for actuator endpoint

2025-10-07 01:54:22 +00:00 · 2022-03-30 13:19:07 +02:00
parent bf7ef19322
commit 3210d9ce38
2 changed files with 29 additions and 19 deletions
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/Application.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/Application.java
@@ -12,6 +12,7 @@ import java.sql.SQLException;
 import java.util.List;
 import javax.servlet.Filter;

+import org.dspace.app.rest.configuration.ActuatorConfiguration;
 import org.dspace.app.rest.filter.DSpaceRequestContextFilter;
 import org.dspace.app.rest.model.hateoas.DSpaceLinkRelationProvider;
 import org.dspace.app.rest.parameter.resolver.SearchFilterResolver;
@@ -65,6 +66,9 @@ public class Application extends SpringBootServletInitializer {
    @Autowired
    private ApplicationConfig configuration;

+    @Autowired
+    private ActuatorConfiguration actuatorConfiguration;
+
    @Scheduled(cron = "${sitemap.cron:-}")
    public void generateSitemap() throws IOException, SQLException {
        GenerateSitemaps.generateSitemapsScheduled();
@@ -167,29 +171,31 @@ public class Application extends SpringBootServletInitializer {

                boolean corsAllowCredentials = configuration.getCorsAllowCredentials();
                boolean iiifAllowCredentials = configuration.getIiifAllowCredentials();
+
                if (corsAllowedOrigins != null) {
-                    registry.addMapping("/api/**").allowedMethods(CorsConfiguration.ALL)
-                            // Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
-                            // for our Access-Control-Allow-Origin header
-                            // for our Access-Control-Allow-Origin header
-                            .allowCredentials(corsAllowCredentials).allowedOrigins(corsAllowedOrigins)
-                            // Allow list of request preflight headers allowed to be sent to us from the client
-                            .allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
-                                "X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
-                            // Allow list of response headers allowed to be sent by us (the server) to the client
-                            .exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
+                    addCorsMapping(registry, "/api/**", corsAllowedOrigins, corsAllowCredentials);
+                    addCorsMapping(registry, actuatorConfiguration.getActuatorBasePath() + "/**",
+                        corsAllowedOrigins, corsAllowCredentials);
                }
+
                if (iiifAllowedOrigins != null) {
-                    registry.addMapping("/iiif/**").allowedMethods(CorsConfiguration.ALL)
-                            // Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
-                            // for our Access-Control-Allow-Origin header
-                            .allowCredentials(iiifAllowCredentials).allowedOrigins(iiifAllowedOrigins)
-                            // Allow list of request preflight headers allowed to be sent to us from the client
-                            .allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
-                                "X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
-                            // Allow list of response headers allowed to be sent by us (the server) to the client
-                            .exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
+                    addCorsMapping(registry, "/iiif/**", iiifAllowedOrigins, iiifAllowCredentials);
                }
+
+            }
+
+            private void addCorsMapping(CorsRegistry registry, String pathPattern,
+                String[] allowedOrigins, boolean allowCredentials) {
+
+                registry.addMapping(pathPattern).allowedMethods(CorsConfiguration.ALL)
+                        // Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
+                        // for our Access-Control-Allow-Origin header
+                        .allowCredentials(allowCredentials).allowedOrigins(allowedOrigins)
+                        // Allow list of request preflight headers allowed to be sent to us from the client
+                        .allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
+                            "X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
+                        // Allow list of response headers allowed to be sent by us (the server) to the client
+                        .exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
            }

            /**
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/configuration/ActuatorConfiguration.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/configuration/ActuatorConfiguration.java
@@ -88,4 +88,8 @@ public class ActuatorConfiguration {
        return new GeoIpHealthIndicator();
    }

+    public String getActuatorBasePath() {
+        return actuatorBasePath;
+    }
+
 }