Moved the iiif cors configuration to separate iiif.cfg config file.

2025-10-07 01:54:22 +00:00 · 2021-08-26 15:44:40 -07:00
parent cbd37eb722
commit 4491837d54
6 changed files with 39 additions and 13 deletions
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/Application.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/Application.java
@@ -164,10 +164,12 @@ public class Application extends SpringBootServletInitializer {
                    .getCorsAllowedOrigins(configuration.getIiifAllowedOriginsConfig());

                boolean corsAllowCredentials = configuration.getCorsAllowCredentials();
+                boolean iiifAllowCredentials = configuration.getIiifAllowCredentials();
                if (corsAllowedOrigins != null) {
                    registry.addMapping("/api/**").allowedMethods(CorsConfiguration.ALL)
                            // Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
                            // for our Access-Control-Allow-Origin header
+                            // for our Access-Control-Allow-Origin header
                            .allowCredentials(corsAllowCredentials).allowedOrigins(corsAllowedOrigins)
                            // Allow list of request preflight headers allowed to be sent to us from the client
                            .allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
@@ -179,7 +181,7 @@ public class Application extends SpringBootServletInitializer {
                    registry.addMapping("/iiif/**").allowedMethods(CorsConfiguration.ALL)
                            // Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
                            // for our Access-Control-Allow-Origin header
-                            .allowCredentials(corsAllowCredentials).allowedOrigins(iiifAllowedOrigins)
+                            .allowCredentials(iiifAllowCredentials).allowedOrigins(iiifAllowedOrigins)
                            // Allow list of request preflight headers allowed to be sent to us from the client
                            .allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
                                "X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/iiif/service/ManifestService.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/iiif/service/ManifestService.java
@@ -17,9 +17,7 @@ import org.dspace.app.rest.iiif.model.generator.CanvasGenerator;
 import org.dspace.app.rest.iiif.model.generator.CanvasItemsGenerator;
 import org.dspace.app.rest.iiif.model.generator.ContentSearchGenerator;
 import org.dspace.app.rest.iiif.model.generator.ExternalLinksGenerator;
-import org.dspace.app.rest.iiif.model.generator.ImageContentGenerator;
 import org.dspace.app.rest.iiif.model.generator.ManifestGenerator;
-import org.dspace.app.rest.iiif.model.generator.ProfileGenerator;
 import org.dspace.app.rest.iiif.model.generator.RangeGenerator;
 import org.dspace.app.rest.iiif.model.info.Info;
 import org.dspace.app.rest.iiif.model.info.Range;
--- a/dspace-server-webapp/src/main/java/org/dspace/app/rest/utils/ApplicationConfig.java
+++ b/dspace-server-webapp/src/main/java/org/dspace/app/rest/utils/ApplicationConfig.java
@@ -34,14 +34,19 @@ public class ApplicationConfig {

    // Allowed IIIF CORS origins ("Access-Control-Allow-Origin" header)
    // Can be overridden in DSpace configuration
-    @Value("${rest.iiif.cors.allowed-origins}")
-    private String[] corsIiifAllowedOrigins;
+    @Value("${iiif.cors.allowed-origins}")
+    private String[] iiifCorsAllowedOrigins;

    // Whether to allow credentials (cookies) in CORS requests ("Access-Control-Allow-Credentials" header)
    // Defaults to true. Can be overridden in DSpace configuration
    @Value("${rest.cors.allow-credentials:true}")
    private boolean corsAllowCredentials;

+    // Whether to allow credentials (cookies) in CORS requests ("Access-Control-Allow-Credentials" header)
+    // Defaults to true. Can be overridden in DSpace configuration
+    @Value("${iiif.cors.allow-credentials:true}")
+    private boolean iiifCAllowCredentials;
+
    // Configured User Interface URL (default: http://localhost:4000)
    @Value("${dspace.ui.url:http://localhost:4000}")
    private String uiURL;
@@ -84,7 +89,7 @@ public class ApplicationConfig {
     * @return allowed origins
     */
    public String[] getIiifAllowedOriginsConfig() {
-        return this.corsIiifAllowedOrigins;
+        return this.iiifCorsAllowedOrigins;
    }

    /**
@@ -95,4 +100,13 @@ public class ApplicationConfig {
    public boolean getCorsAllowCredentials() {
        return corsAllowCredentials;
    }
+
+    /**
+     * Return whether to allow credentials (cookies) on IIIF requests. This is used to set the
+     * CORS "Access-Control-Allow-Credentials" header in Application class. Defaults to false.
+     * @return true or false
+     */
+    public boolean getIiifAllowCredentials() {
+        return corsAllowCredentials;
+    }
 }
--- a/dspace/config/dspace.cfg
+++ b/dspace/config/dspace.cfg
@@ -1594,6 +1594,7 @@ include = ${module_dir}/irus-statistics.cfg
 include = ${module_dir}/oai.cfg
 include = ${module_dir}/rdf.cfg
 include = ${module_dir}/rest.cfg
+include = ${module_dir}/iiif.cfg
 include = ${module_dir}/solr-statistics.cfg
 include = ${module_dir}/solrauthority.cfg
 include = ${module_dir}/spring.cfg
--- a/dspace/config/modules/iiif.cfg
+++ b/dspace/config/modules/iiif.cfg
@@ -0,0 +1,18 @@
+# Only these origins (client URLs) can successfully communicate with the IIIF API. This
+# allows XHR requests from remote IIIF clients. Defaults to ${dspace.ui.url} if unspecified
+# (as the embedded IIIF client must have access to the API). Multiple allowed origin URLs may
+# be comma separated. Wildcard value (*) is NOT SUPPORTED. # (Requires reboot of servlet
+# container, e.g. Tomcat, to reload)
+iiif.cors.allowed-origins = ${dspace.ui.url}
+
+# Whether or not to allow credentials (e.g. cookies) sent by the client/browser in CORS
+# requests (in "Access-Control-Allow-Credentials" header).
+# For the DSpace iiif endpoint, we default this to "false" .
+# (Requires reboot of servlet container, e.g. Tomcat, to reload)
+iiif.cors.allow-credentials = false
+
+
+
+
+
+
--- a/dspace/config/modules/rest.cfg
+++ b/dspace/config/modules/rest.cfg
@@ -10,13 +10,6 @@
 # (Requires reboot of servlet container, e.g. Tomcat, to reload)
 rest.cors.allowed-origins = ${dspace.ui.url}

-# Only these origins (client URLs) can successfully communicate with the IIIF API. This
-# allows XHR requests from remote IIIF clients. Defaults to ${dspace.ui.url} if unspecified
-# (as the embedded IIIF client must have access to the API). Multiple allowed origin URLs may
-# be comma separated. Wildcard value (*) is NOT SUPPORTED. # (Requires reboot of servlet
-# container, e.g. Tomcat, to reload)
-rest.iiif.cors.allowed-origins = ${dspace.ui.url}
-
 # Whether or not to allow credentials (e.g. cookies) sent by the client/browser in CORS
 # requests (in "Access-Control-Allow-Credentials" header).
 # For DSpace, we default this to "true" to support external authentication via Shibboleth (and similar).