Moved the iiif cors configuration to separate iiif.cfg config file.

dspace-server-webapp/src/main/java/org/dspace/app/rest/Application.java

@@ -164,10 +164,12 @@ public class Application extends SpringBootServletInitializer {
                     .getCorsAllowedOrigins(configuration.getIiifAllowedOriginsConfig());
 
                 boolean corsAllowCredentials = configuration.getCorsAllowCredentials();
+                boolean iiifAllowCredentials = configuration.getIiifAllowCredentials();
                 if (corsAllowedOrigins != null) {
                     registry.addMapping("/api/**").allowedMethods(CorsConfiguration.ALL)
                             // Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
                             // for our Access-Control-Allow-Origin header
+                            // for our Access-Control-Allow-Origin header
                             .allowCredentials(corsAllowCredentials).allowedOrigins(corsAllowedOrigins)
                             // Allow list of request preflight headers allowed to be sent to us from the client
                             .allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
@@ -179,7 +181,7 @@ public class Application extends SpringBootServletInitializer {
                     registry.addMapping("/iiif/**").allowedMethods(CorsConfiguration.ALL)
                             // Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
                             // for our Access-Control-Allow-Origin header
-                            .allowCredentials(corsAllowCredentials).allowedOrigins(iiifAllowedOrigins)
+                            .allowCredentials(iiifAllowCredentials).allowedOrigins(iiifAllowedOrigins)
                             // Allow list of request preflight headers allowed to be sent to us from the client
                             .allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
                                 "X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")

dspace-server-webapp/src/main/java/org/dspace/app/rest/iiif/service/ManifestService.java

@@ -17,9 +17,7 @@ import org.dspace.app.rest.iiif.model.generator.CanvasGenerator;
 import org.dspace.app.rest.iiif.model.generator.CanvasItemsGenerator;
 import org.dspace.app.rest.iiif.model.generator.ContentSearchGenerator;
 import org.dspace.app.rest.iiif.model.generator.ExternalLinksGenerator;
-import org.dspace.app.rest.iiif.model.generator.ImageContentGenerator;
 import org.dspace.app.rest.iiif.model.generator.ManifestGenerator;
-import org.dspace.app.rest.iiif.model.generator.ProfileGenerator;
 import org.dspace.app.rest.iiif.model.generator.RangeGenerator;
 import org.dspace.app.rest.iiif.model.info.Info;
 import org.dspace.app.rest.iiif.model.info.Range;

dspace-server-webapp/src/main/java/org/dspace/app/rest/utils/ApplicationConfig.java

@@ -34,14 +34,19 @@ public class ApplicationConfig {
 
     // Allowed IIIF CORS origins ("Access-Control-Allow-Origin" header)
     // Can be overridden in DSpace configuration
-    @Value("${rest.iiif.cors.allowed-origins}")
+    @Value("${iiif.cors.allowed-origins}")
-    private String[] corsIiifAllowedOrigins;
+    private String[] iiifCorsAllowedOrigins;
 
     // Whether to allow credentials (cookies) in CORS requests ("Access-Control-Allow-Credentials" header)
     // Defaults to true. Can be overridden in DSpace configuration
     @Value("${rest.cors.allow-credentials:true}")
     private boolean corsAllowCredentials;
 
+    // Whether to allow credentials (cookies) in CORS requests ("Access-Control-Allow-Credentials" header)
+    // Defaults to true. Can be overridden in DSpace configuration
+    @Value("${iiif.cors.allow-credentials:true}")
+    private boolean iiifCAllowCredentials;
+
     // Configured User Interface URL (default: http://localhost:4000)
     @Value("${dspace.ui.url:http://localhost:4000}")
     private String uiURL;
@@ -84,7 +89,7 @@ public class ApplicationConfig {
      * @return allowed origins
      */
     public String[] getIiifAllowedOriginsConfig() {
-        return this.corsIiifAllowedOrigins;
+        return this.iiifCorsAllowedOrigins;
     }
 
     /**
@@ -95,4 +100,13 @@ public class ApplicationConfig {
     public boolean getCorsAllowCredentials() {
         return corsAllowCredentials;
     }
+
+    /**
+     * Return whether to allow credentials (cookies) on IIIF requests. This is used to set the
+     * CORS "Access-Control-Allow-Credentials" header in Application class. Defaults to false.
+     * @return true or false
+     */
+    public boolean getIiifAllowCredentials() {
+        return corsAllowCredentials;
+    }
 }

dspace/config/dspace.cfg

@@ -1594,6 +1594,7 @@ include = ${module_dir}/irus-statistics.cfg
 include = ${module_dir}/oai.cfg
 include = ${module_dir}/rdf.cfg
 include = ${module_dir}/rest.cfg
+include = ${module_dir}/iiif.cfg
 include = ${module_dir}/solr-statistics.cfg
 include = ${module_dir}/solrauthority.cfg
 include = ${module_dir}/spring.cfg

dspace/config/modules/iiif.cfg

@@ -0,0 +1,18 @@
+# Only these origins (client URLs) can successfully communicate with the IIIF API. This
+# allows XHR requests from remote IIIF clients. Defaults to ${dspace.ui.url} if unspecified
+# (as the embedded IIIF client must have access to the API). Multiple allowed origin URLs may
+# be comma separated. Wildcard value (*) is NOT SUPPORTED. # (Requires reboot of servlet
+# container, e.g. Tomcat, to reload)
+iiif.cors.allowed-origins = ${dspace.ui.url}
+
+# Whether or not to allow credentials (e.g. cookies) sent by the client/browser in CORS
+# requests (in "Access-Control-Allow-Credentials" header).
+# For the DSpace iiif endpoint, we default this to "false" .
+# (Requires reboot of servlet container, e.g. Tomcat, to reload)
+iiif.cors.allow-credentials = false
+
+
+
+
+
+

dspace/config/modules/rest.cfg

@@ -10,13 +10,6 @@
 # (Requires reboot of servlet container, e.g. Tomcat, to reload)
 rest.cors.allowed-origins = ${dspace.ui.url}
 
-# Only these origins (client URLs) can successfully communicate with the IIIF API. This
-# allows XHR requests from remote IIIF clients. Defaults to ${dspace.ui.url} if unspecified
-# (as the embedded IIIF client must have access to the API). Multiple allowed origin URLs may
-# be comma separated. Wildcard value (*) is NOT SUPPORTED. # (Requires reboot of servlet
-# container, e.g. Tomcat, to reload)
-rest.iiif.cors.allowed-origins = ${dspace.ui.url}
-
 # Whether or not to allow credentials (e.g. cookies) sent by the client/browser in CORS
 # requests (in "Access-Control-Allow-Credentials" header).
 # For DSpace, we default this to "true" to support external authentication via Shibboleth (and similar).