[CST-5288] Fixed CORS configuration for actuator endpoints

This commit is contained in:
Luca Giamminonni
2022-03-30 16:29:52 +02:00
parent 3210d9ce38
commit 95ba7d805b
2 changed files with 26 additions and 25 deletions


@@ -12,7 +12,6 @@ import java.sql.SQLException;
import java.util.List; import java.util.List;
import javax.servlet.Filter; import javax.servlet.Filter;
import org.dspace.app.rest.configuration.ActuatorConfiguration;
import org.dspace.app.rest.filter.DSpaceRequestContextFilter; import org.dspace.app.rest.filter.DSpaceRequestContextFilter;
import org.dspace.app.rest.model.hateoas.DSpaceLinkRelationProvider; import org.dspace.app.rest.model.hateoas.DSpaceLinkRelationProvider;
import org.dspace.app.rest.parameter.resolver.SearchFilterResolver; import org.dspace.app.rest.parameter.resolver.SearchFilterResolver;
@@ -66,9 +65,6 @@ public class Application extends SpringBootServletInitializer {
@Autowired @Autowired
private ApplicationConfig configuration; private ApplicationConfig configuration;
@Autowired
private ActuatorConfiguration actuatorConfiguration;
@Scheduled(cron = "${sitemap.cron:-}") @Scheduled(cron = "${sitemap.cron:-}")
public void generateSitemap() throws IOException, SQLException { public void generateSitemap() throws IOException, SQLException {
GenerateSitemaps.generateSitemapsScheduled(); GenerateSitemaps.generateSitemapsScheduled();
@@ -164,6 +160,7 @@ public class Application extends SpringBootServletInitializer {
@Override @Override
public void addCorsMappings(@NonNull CorsRegistry registry) { public void addCorsMappings(@NonNull CorsRegistry registry) {
// Get allowed origins for api and iiif endpoints. // Get allowed origins for api and iiif endpoints.
// The actuator endpoints are configured using management.endpoints.web.cors.* properties
String[] corsAllowedOrigins = configuration String[] corsAllowedOrigins = configuration
.getCorsAllowedOrigins(configuration.getCorsAllowedOriginsConfig()); .getCorsAllowedOrigins(configuration.getCorsAllowedOriginsConfig());
String[] iiifAllowedOrigins = configuration String[] iiifAllowedOrigins = configuration
@@ -171,31 +168,29 @@ public class Application extends SpringBootServletInitializer {
boolean corsAllowCredentials = configuration.getCorsAllowCredentials(); boolean corsAllowCredentials = configuration.getCorsAllowCredentials();
boolean iiifAllowCredentials = configuration.getIiifAllowCredentials(); boolean iiifAllowCredentials = configuration.getIiifAllowCredentials();
if (corsAllowedOrigins != null) { if (corsAllowedOrigins != null) {
addCorsMapping(registry, "/api/**", corsAllowedOrigins, corsAllowCredentials); registry.addMapping("/api/**").allowedMethods(CorsConfiguration.ALL)
addCorsMapping(registry, actuatorConfiguration.getActuatorBasePath() + "/**", // Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
corsAllowedOrigins, corsAllowCredentials); // for our Access-Control-Allow-Origin header
// for our Access-Control-Allow-Origin header
.allowCredentials(corsAllowCredentials).allowedOrigins(corsAllowedOrigins)
// Allow list of request preflight headers allowed to be sent to us from the client
.allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
"X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
// Allow list of response headers allowed to be sent by us (the server) to the client
.exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
} }
if (iiifAllowedOrigins != null) { if (iiifAllowedOrigins != null) {
addCorsMapping(registry, "/iiif/**", iiifAllowedOrigins, iiifAllowCredentials); registry.addMapping("/iiif/**").allowedMethods(CorsConfiguration.ALL)
// Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
// for our Access-Control-Allow-Origin header
.allowCredentials(iiifAllowCredentials).allowedOrigins(iiifAllowedOrigins)
// Allow list of request preflight headers allowed to be sent to us from the client
.allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
"X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
// Allow list of response headers allowed to be sent by us (the server) to the client
.exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
} }
}
private void addCorsMapping(CorsRegistry registry, String pathPattern,
String[] allowedOrigins, boolean allowCredentials) {
registry.addMapping(pathPattern).allowedMethods(CorsConfiguration.ALL)
// Set Access-Control-Allow-Credentials to "true" and specify which origins are valid
// for our Access-Control-Allow-Origin header
.allowCredentials(allowCredentials).allowedOrigins(allowedOrigins)
// Allow list of request preflight headers allowed to be sent to us from the client
.allowedHeaders("Accept", "Authorization", "Content-Type", "Origin", "X-On-Behalf-Of",
"X-Requested-With", "X-XSRF-TOKEN", "X-CORRELATION-ID", "X-REFERRER")
// Allow list of response headers allowed to be sent by us (the server) to the client
.exposedHeaders("Authorization", "DSPACE-XSRF-TOKEN", "Location", "WWW-Authenticate");
} }
/** /**
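Review bot: The new side of the last hunk re-inlines two identical nine-line CORS chains for `/api/**` and `/iiif/**` (same `allowedHeaders(...)` and `exposedHeaders(...)` lists) while deleting the `addCorsMapping(registry, pathPattern, allowedOrigins, allowCredentials)` helper, although the actuator fix only required dropping the second call that mapped `actuatorConfiguration.getActuatorBasePath() + "/**"`. Two copies of a security allow-list tend to drift, so I would keep the helper and leave the method body as `addCorsMapping(registry, "/api/**", corsAllowedOrigins, corsAllowCredentials);` and `addCorsMapping(registry, "/iiif/**", iiifAllowedOrigins, iiifAllowCredentials);`. The same header lists now also appear verbatim in the `management.endpoints.web.cors.*` properties of the other file; a comment in `addCorsMappings` such as `// Keep these allow-lists in sync with management.endpoints.web.cors.* in the config` would at least make the coupling visible. The `addCorsMappings` signature sits in the preceding hunk; the method closes inside this one.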


@@ -1583,6 +1583,12 @@ management.endpoint.health.status.order= down, out-of-service, up-with-issues, u
management.health.ping.enabled = false management.health.ping.enabled = false
management.health.diskSpace.enabled = false management.health.diskSpace.enabled = false
management.endpoints.web.cors.allowed-origins = ${rest.cors.allowed-origins}
management.endpoints.web.cors.allowed-methods = *
management.endpoints.web.cors.allowed-headers = Accept, Authorization, Content-Type, Origin, X-On-Behalf-Of, X-Requested-With, X-XSRF-TOKEN, X-CORRELATION-ID, X-REFERRER
management.endpoints.web.cors.exposed-headers = Authorization, DSPACE-XSRF-TOKEN, Location, WWW-Authenticate
management.endpoints.web.cors.allow-credentials = true
#------------------------------------------------------------------# #------------------------------------------------------------------#
#-------------------MODULE CONFIGURATIONS--------------------------# #-------------------MODULE CONFIGURATIONS--------------------------#
#------------------------------------------------------------------# #------------------------------------------------------------------#
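Review bot: `management.endpoints.web.cors.allow-credentials = true` is hard-coded, whereas the Java mappings for `/api/**` pass `configuration.getCorsAllowCredentials()`, so an installation that turns credentials off for the REST API would still answer actuator preflights with `Access-Control-Allow-Credentials: true` for every origin in `${rest.cors.allowed-origins}`. Assuming, as the getter name suggests, that value comes from a `rest.cors.allow-credentials` key, the line should reference it the same way the origins line does: `management.endpoints.web.cors.allow-credentials = ${rest.cors.allow-credentials}`. Sharing the API origin list also means every origin trusted for the REST API gains credentialed cross-origin access to whatever actuator endpoints are exposed; a comment above these lines noting that `management.endpoints.web.exposure.include` should stay limited for that reason would help operators, though the exposure setting itself is outside this hunk. Note too that `allowed-methods = *` is broader than the read-only endpoints like `health` need, which is worth a sentence in the commentary even if kept for parity with the Java side.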