[CST-5288] Fixed CORS configuration for actuator endpoints
@@ -12,7 +12,6 @@ import java.sql.SQLException;
|
|||||||
import java.util.List;
|
import java.util.List;
|
||||||
import javax.servlet.Filter;
|
import javax.servlet.Filter;
|
||||||
|
|
||||||
import org.dspace.app.rest.configuration.ActuatorConfiguration;
|
|
||||||
import org.dspace.app.rest.filter.DSpaceRequestContextFilter;
|
import org.dspace.app.rest.filter.DSpaceRequestContextFilter;
|
||||||
import org.dspace.app.rest.model.hateoas.DSpaceLinkRelationProvider;
|
import org.dspace.app.rest.model.hateoas.DSpaceLinkRelationProvider;
|
||||||
import org.dspace.app.rest.parameter.resolver.SearchFilterResolver;
|
import org.dspace.app.rest.parameter.resolver.SearchFilterResolver;
|
||||||
@@ -66,9 +65,6 @@ public class Application extends SpringBootServletInitializer {
|
|||||||
@Autowired
|
@Autowired
|
||||||
private ApplicationConfig configuration;
|
private ApplicationConfig configuration;
|
||||||
|
|
||||||
@Autowired
|
|
||||||
private ActuatorConfiguration actuatorConfiguration;
|
|
||||||
|
|
||||||
@Scheduled(cron = "${sitemap.cron:-}")
|
@Scheduled(cron = "${sitemap.cron:-}")
|
||||||
public void generateSitemap() throws IOException, SQLException {
|
public void generateSitemap() throws IOException, SQLException {
|
||||||
GenerateSitemaps.generateSitemapsScheduled();
|
GenerateSitemaps.generateSitemapsScheduled();
|
||||||
@@ -164,6 +160,7 @@ public class Application extends SpringBootServletInitializer {
|
|||||||
@Override
|
@Override
|
||||||
public void addCorsMappings(@NonNull CorsRegistry registry) {
|
public void addCorsMappings(@NonNull CorsRegistry registry) {
|
||||||
// Get allowed origins for api and iiif endpoints.
|
// Get allowed origins for api and iiif endpoints.
|
||||||
|
// The actuator endpoints are configured using management.endpoints.web.cors.* properties
|
||||||
String[] corsAllowedOrigins = configuration
|
String[] corsAllowedOrigins = configuration
|
||||||
.getCorsAllowedOrigins(configuration.getCorsAllowedOriginsConfig());
|
.getCorsAllowedOrigins(configuration.getCorsAllowedOriginsConfig());
|
||||||
String[] iiifAllowedOrigins = configuration
|
String[] iiifAllowedOrigins = configuration
|
||||||
@@ -171,32 +168,30 @@ public class Application extends SpringBootServletInitializer {
|
|||||||
|
|
||||||
boolean corsAllowCredentials = configuration.getCorsAllowCredentials();
|
boolean corsAllowCredentials = configuration.getCorsAllowCredentials();
|
||||||
boolean iiifAllowCredentials = configuration.getIiifAllowCredentials();
|
boolean iiifAllowCredentials = configuration.getIiifAllowCredentials();
|
||||||
|
|
||||||
if (corsAllowedOrigins != null) {
|
if (corsAllowedOrigins != null) {
|
||||||
addCorsMapping(registry, "/api/**", corsAllowedOrigins, corsAllowCredentials);
|
registry.addMapping("/api/**").allowedMethods(CorsConfiguration.ALL)
|
||||||
addCorsMapping(registry, actuatorConfiguration.getActuatorBasePath() + "/**",
|
|
||||||
corsAllowedOrigins, corsAllowCredentials);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (iiifAllowedOrigins != null) {
|
|
||||||
addCorsMapping(registry, "/iiif/**", iiifAllowedOrigins, iiifAllowCredentials);
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
private void addCorsMapping(CorsRegistry registry, String pathPattern,
|
|
||||||
String[] allowedOrigins, boolean allowCredentials) {
|
|
||||||
|
|
||||||
registry.addMapping(pathPattern).allowedMethods(CorsConfiguration.ALL)
|
|
||||||
// Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
|
// Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
|
||||||
// for our Access-Control-Allow-Origin header
|
// for our Access-Control-Allow-Origin header
|
||||||
.allowCredentials(allowCredentials).allowedOrigins(allowedOrigins)
|
// for our Access-Control-Allow-Origin header
|
||||||
|
.allowCredentials(corsAllowCredentials).allowedOrigins(corsAllowedOrigins)
|
||||||
// Allow list of request preflight headers allowed to be sent to us from the client
|
// Allow list of request preflight headers allowed to be sent to us from the client
|
||||||
.allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
|
.allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
|
||||||
"X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
|
"X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
|
||||||
// Allow list of response headers allowed to be sent by us (the server) to the client
|
// Allow list of response headers allowed to be sent by us (the server) to the client
|
||||||
.exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
|
.exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
|
||||||
}
|
}
|
||||||
|
if (iiifAllowedOrigins != null) {
|
||||||
|
registry.addMapping("/iiif/**").allowedMethods(CorsConfiguration.ALL)
|
||||||
|
// Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
|
||||||
|
// for our Access-Control-Allow-Origin header
|
||||||
|
.allowCredentials(iiifAllowCredentials).allowedOrigins(iiifAllowedOrigins)
|
||||||
|
// Allow list of request preflight headers allowed to be sent to us from the client
|
||||||
|
.allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
|
||||||
|
"X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
|
||||||
|
// Allow list of response headers allowed to be sent by us (the server) to the client
|
||||||
|
.exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add a new ResourceHandler to allow us to use WebJars.org to pull in web dependencies
|
* Add a new ResourceHandler to allow us to use WebJars.org to pull in web dependencies
|
||||||
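Review bot: Removing `addCorsMapping` leaves the `/api/**` and `/iiif/**` registrations in `addCorsMappings` each with its own copy of the `allowedHeaders(...)` and `exposedHeaders(...)` allow lists, and the configuration file in this commit adds a third copy for the actuator endpoints. A header added to or dropped from one list can then go unnoticed in the others, which is how CORS policies drift apart between endpoints. I would keep the private helper for the two remaining mappings and delete only the actuator call, or at least hoist both lists into `private static final String[]` constants used by both chains. The new comment could also say that the property values must be kept in step with these lists, e.g. `// Actuator CORS comes from management.endpoints.web.cors.*; keep its header lists in sync with the ones below`.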
|
@@ -1583,6 +1583,12 @@ management.endpoint.health.status.order= down, out-of-service, up-with-issues, u
|
|||||||
management.health.ping.enabled = false
|
management.health.ping.enabled = false
|
||||||
management.health.diskSpace.enabled = false
|
management.health.diskSpace.enabled = false
|
||||||
|
|
||||||
|
management.endpoints.web.cors.allowed-origins = ${rest.cors.allowed-origins}
|
||||||
|
management.endpoints.web.cors.allowed-methods = *
|
||||||
|
management.endpoints.web.cors.allowed-headers = Accept, Authorization, Content-Type, Origin, X-On-Behalf-Of, X-Requested-With, X-XSRF-TOKEN, X-CORRELATION-ID, X-REFERRER
|
||||||
|
management.endpoints.web.cors.exposed-headers = Authorization, DSPACE-XSRF-TOKEN, Location, WWW-Authenticate
|
||||||
|
management.endpoints.web.cors.allow-credentials = true
|
||||||
|
|
||||||
#------------------------------------------------------------------#
|
#------------------------------------------------------------------#
|
||||||
#-------------------MODULE CONFIGURATIONS--------------------------#
|
#-------------------MODULE CONFIGURATIONS--------------------------#
|
||||||
#------------------------------------------------------------------#
|
#------------------------------------------------------------------#
|
||||||
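Review bot: `management.endpoints.web.cors.allow-credentials = true` is a fixed value, while the `/api/**` mapping takes its flag from `configuration.getCorsAllowCredentials()`. A deployment that disables credentialed CORS for the REST API would therefore still answer with `Access-Control-Allow-Credentials: true` on the actuator endpoints. Before this commit the actuator mapping was given the same `corsAllowCredentials` value as the API, so binding the property to that setting would preserve the behaviour: `management.endpoints.web.cors.allow-credentials = ${<property read by getCorsAllowCredentials()>}`. `allowed-methods = *` may also be wider than needed if only read-only endpoints such as health are meant to be reachable from a browser. A one-line comment above the block should say that the header lists mirror those in `Application.addCorsMappings`.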
|