Bump org.postgresql:postgresql from 42.7.7 to 42.7.8

Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.7 to 42.7.8. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](https://github.com/pgjdbc/pgjdbc/compare/REL42.7.7...REL42.7.8) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-version: 42.7.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Merge pull request #11365 from DSpace/dependabot/maven/spring-268f5d34da
2025-10-07 10:04:21 +00:00 · 2025-10-06 19:56:30 +00:00 · 2025-10-06 13:36:57 -05:00 · 2025-10-06 13:32:22 -05:00 · 2025-10-06 13:30:16 -05:00 · 2025-10-06 13:26:29 -05:00
3072 changed files with 224843 additions and 56602 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -4,13 +4,6 @@
 # Can be validated via instructions at:
 # https://docs.codecov.io/docs/codecov-yaml#validate-your-repository-yaml

-# Tell Codecov not to send a coverage notification until (at least) 2 builds are completed
-# Since we run Unit & Integration tests in parallel, this lets Codecov know that coverage
-# needs to be merged across those builds
-codecov:
-  notify:
-    after_n_builds: 2
-
 # Settings related to code coverage analysis
 coverage:
  status:
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,8 +4,6 @@
 */target/
 dspace/modules/*/target/
 Dockerfile.*
-dspace/src/main/docker/dspace-postgres-pgcrypto
-dspace/src/main/docker/dspace-postgres-pgcrypto-curl
-dspace/src/main/docker/solr
+dspace/src/main/docker/dspace-postgres-loadsql
 dspace/src/main/docker/README.md
 dspace/src/main/docker-compose/
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,16 +7,16 @@ assignees: ''

 ---

-**Describe the bug**
+## Describe the bug
 A clear and concise description of what the bug is.  Include the version(s) of DSpace where you've seen this problem. Link to examples if they are public.

-**To Reproduce**
+## To Reproduce
 Steps to reproduce the behavior:
 1. Do this
 2. Then this...

-**Expected behavior**
+## Expected behavior
 A clear and concise description of what you expected to happen.

-**Related work**
+## Related work
 Link to any related tickets or PRs here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -7,14 +7,14 @@ assignees: ''

 ---

-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+## Is your feature request related to a problem? Please describe.
+A clear and concise description of what the problem or use case is. For example, I'm always frustrated when [...]

-**Describe the solution you'd like**
+## Describe the solution you'd like
 A clear and concise description of what you want to happen.

-**Describe alternatives or workarounds you've considered**
+## Describe alternatives or workarounds you've considered
 A clear and concise description of any alternative solutions or features you've considered.

-**Additional context**
-Add any other context or screenshots about the feature request here.
+## Additional information
+Add any other information, related tickets or screenshots about the feature request here.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,511 @@
+#-------------------
+# DSpace's dependabot rules. Enables maven updates for all dependencies on a weekly basis
+# for main and any maintenance branches. Security updates only apply to main.
+#-------------------
+version: 2
+updates:
+  ###############
+  ## Main branch
+  ###############
+  # NOTE: At this time, "security-updates" rules only apply if "target-branch" is unspecified
+  # So, only this first section can include "applies-to: security-updates"
+  - package-ecosystem: "maven"
+    directory: "/"
+    # Monthly dependency updates (NOTE: "schedule" doesn't apply to security updates)
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow up to 10 open PRs for dependencies
+    open-pull-requests-limit: 10
+    # Group together some upgrades in a single PR
+    groups:
+      # Group together all Build Tools in a single PR
+      build-tools:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.maven.plugins:*"
+        - "*:*-maven-plugin"
+        - "*:maven-*-plugin"
+        - "com.github.spotbugs:spotbugs"
+        - "com.google.code.findbugs:*"
+        - "com.google.errorprone:*"
+        - "com.puppycrawl.tools:checkstyle"
+        - "org.sonatype.*:*"
+        exclude-patterns:
+        # Exclude anything from Spring, as that is in a separate group
+        - "org.springframework.*:*"
+        update-types:
+        - "minor"
+        - "patch"
+      test-tools:
+        applies-to: version-updates
+        patterns:
+        - "junit:*"
+        - "com.github.stefanbirker:system-rules"
+        - "com.h2database:*"
+        - "io.findify:s3mock*"
+        - "io.netty:*"
+        - "org.apache.httpcomponents.client5:*"
+        - "org.hamcrest:*"
+        - "org.mock-server:*"
+        - "org.mockito:*"
+        - "org.xmlunit:*"
+        update-types:
+        - "minor"
+        - "patch"
+      # Group together all Apache Commons deps in a single PR
+      apache-commons:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.commons:*"
+        - "commons-*:commons-*"
+        update-types:
+        - "minor"
+        - "patch"
+      # Group together all fasterxml deps in a single PR
+      fasterxml:
+        applies-to: version-updates
+        patterns:
+        - "com.fasterxml:*"
+        - "com.fasterxml.*:*"
+        update-types:
+        - "minor"
+        - "patch"
+       # Group together all Hibernate deps in a single PR
+      hibernate:
+        applies-to: version-updates
+        patterns:
+        - "org.hibernate.*:*"
+        update-types:
+        - "patch"
+      # Group together all Jakarta deps in a single PR
+      jakarta:
+        applies-to: version-updates
+        patterns:
+        - "jakarta.*:*"
+        - "org.eclipse.angus:jakarta.mail"
+        - "org.glassfish.jaxb:jaxb-runtime"
+        update-types:
+        - "minor"
+        - "patch"
+      # Group together all Spring deps in a single PR
+      spring:
+        applies-to: version-updates
+        patterns:
+        - "org.springframework:*"
+        - "org.springframework.*:*"
+        update-types:
+        - "minor"
+        - "patch"
+      # Group together all WebJARs deps in a single PR
+      webjars:
+        applies-to: version-updates
+        patterns:
+        - "org.webjars:*"
+        - "org.webjars.*:*"
+        update-types:
+        - "minor"
+        - "patch"
+      # Group Tika, bouncycastle, and asm because they are tightly integrated
+      # and we theoretically want to keep them in sync.
+      tika:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.tika:*:*"
+        - "org.bouncycastle:*:*"
+        - "org.ow2.asm:*:*"
+        update-types:
+        - "minor"
+        - "patch"
+    ignore:
+      # Don't try to auto-update any DSpace dependencies
+      - dependency-name: "org.dspace:*"
+      - dependency-name: "org.dspace.*:*"
+      # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
+      - dependency-name: "org.hibernate.*:*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
+  ######################
+  ## dspace-9_x branch
+  ######################
+  - package-ecosystem: "maven"
+    directory: "/"
+    target-branch: dspace-9_x
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow up to 10 open PRs for dependencies
+    open-pull-requests-limit: 10
+    # Group together some upgrades in a single PR
+    groups:
+      # Group together all Build Tools in a single PR
+      build-tools:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "*:*-maven-plugin"
+          - "*:maven-*-plugin"
+          - "com.github.spotbugs:spotbugs"
+          - "com.google.code.findbugs:*"
+          - "com.google.errorprone:*"
+          - "com.puppycrawl.tools:checkstyle"
+          - "org.sonatype.*:*"
+        exclude-patterns:
+          # Exclude anything from Spring, as that is in a separate group
+          - "org.springframework.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      test-tools:
+        applies-to: version-updates
+        patterns:
+          - "junit:*"
+          - "com.github.stefanbirker:system-rules"
+          - "com.h2database:*"
+          - "io.findify:s3mock*"
+          - "io.netty:*"
+          - "org.apache.httpcomponents.client5:*"
+          - "org.hamcrest:*"
+          - "org.mock-server:*"
+          - "org.mockito:*"
+          - "org.xmlunit:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all Apache Commons deps in a single PR
+      apache-commons:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.commons:*"
+          - "commons-*:commons-*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all fasterxml deps in a single PR
+      fasterxml:
+        applies-to: version-updates
+        patterns:
+          - "com.fasterxml:*"
+          - "com.fasterxml.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+        # Group together all Hibernate deps in a single PR
+      hibernate:
+        applies-to: version-updates
+        patterns:
+          - "org.hibernate.*:*"
+        update-types:
+          - "patch"
+      # Group together all Jakarta deps in a single PR
+      jakarta:
+        applies-to: version-updates
+        patterns:
+          - "jakarta.*:*"
+          - "org.eclipse.angus:jakarta.mail"
+          - "org.glassfish.jaxb:jaxb-runtime"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all Spring deps in a single PR
+      spring:
+        applies-to: version-updates
+        patterns:
+          - "org.springframework:*"
+          - "org.springframework.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all WebJARs deps in a single PR
+      webjars:
+        applies-to: version-updates
+        patterns:
+          - "org.webjars:*"
+          - "org.webjars.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group Tika, bouncycastle, and asm because they are tightly integrated
+      # and we theoretically want to keep them in sync.
+      tika:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.tika:*:*"
+        - "org.bouncycastle:*:*"
+        - "org.ow2.asm:*:*"
+        update-types:
+        - "minor"
+        - "patch"
+    ignore:
+      # Don't try to auto-update any DSpace dependencies
+      - dependency-name: "org.dspace:*"
+      - dependency-name: "org.dspace.*:*"
+      # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
+      - dependency-name: "org.hibernate.*:*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
+      - dependency-name: "*"
+        update-types: [ "version-update:semver-major" ]
+  ######################
+  ## dspace-8_x branch
+  ######################
+  - package-ecosystem: "maven"
+    directory: "/"
+    target-branch: dspace-8_x
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow up to 10 open PRs for dependencies
+    open-pull-requests-limit: 10
+    # Group together some upgrades in a single PR
+    groups:
+      # Group together all Build Tools in a single PR
+      build-tools:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "*:*-maven-plugin"
+          - "*:maven-*-plugin"
+          - "com.github.spotbugs:spotbugs"
+          - "com.google.code.findbugs:*"
+          - "com.google.errorprone:*"
+          - "com.puppycrawl.tools:checkstyle"
+          - "org.sonatype.*:*"
+        exclude-patterns:
+          # Exclude anything from Spring, as that is in a separate group
+          - "org.springframework.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      test-tools:
+        applies-to: version-updates
+        patterns:
+          - "junit:*"
+          - "com.github.stefanbirker:system-rules"
+          - "com.h2database:*"
+          - "io.findify:s3mock*"
+          - "io.netty:*"
+          - "org.apache.httpcomponents.client5:*"
+          - "org.hamcrest:*"
+          - "org.mock-server:*"
+          - "org.mockito:*"
+          - "org.xmlunit:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all Apache Commons deps in a single PR
+      apache-commons:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.commons:*"
+          - "commons-*:commons-*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all fasterxml deps in a single PR
+      fasterxml:
+        applies-to: version-updates
+        patterns:
+          - "com.fasterxml:*"
+          - "com.fasterxml.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+        # Group together all Hibernate deps in a single PR
+      hibernate:
+        applies-to: version-updates
+        patterns:
+          - "org.hibernate.*:*"
+        update-types:
+          - "patch"
+      # Group together all Jakarta deps in a single PR
+      jakarta:
+        applies-to: version-updates
+        patterns:
+          - "jakarta.*:*"
+          - "org.eclipse.angus:jakarta.mail"
+          - "org.glassfish.jaxb:jaxb-runtime"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all Spring deps in a single PR
+      spring:
+        applies-to: version-updates
+        patterns:
+          - "org.springframework:*"
+          - "org.springframework.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all WebJARs deps in a single PR
+      webjars:
+        applies-to: version-updates
+        patterns:
+          - "org.webjars:*"
+          - "org.webjars.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group Tika, bouncycastle, and asm because they are tightly integrated
+      # and we theoretically want to keep them in sync.
+      tika:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.tika:*:*"
+        - "org.bouncycastle:*:*"
+        - "org.ow2.asm:*:*"
+        update-types:
+        - "minor"
+        - "patch"
+    ignore:
+      # Don't try to auto-update any DSpace dependencies
+      - dependency-name: "org.dspace:*"
+      - dependency-name: "org.dspace.*:*"
+      # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
+      - dependency-name: "org.hibernate.*:*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
+      - dependency-name: "*"
+        update-types: [ "version-update:semver-major" ]
+  ######################
+  ## dspace-7_x branch
+  ######################
+  - package-ecosystem: "maven"
+    directory: "/"
+    target-branch: dspace-7_x
+    schedule:
+      interval: "monthly"
+      time: "02:00"
+    # Allow up to 10 open PRs for dependencies
+    open-pull-requests-limit: 10
+    # Group together some upgrades in a single PR
+    groups:
+      # Group together all Build Tools in a single PR
+      build-tools:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "*:*-maven-plugin"
+          - "*:maven-*-plugin"
+          - "com.github.spotbugs:spotbugs"
+          - "com.google.code.findbugs:*"
+          - "com.google.errorprone:*"
+          - "com.puppycrawl.tools:checkstyle"
+          - "org.sonatype.*:*"
+        exclude-patterns:
+          # Exclude anything from Spring, as that is in a separate group
+          - "org.springframework.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      test-tools:
+        applies-to: version-updates
+        patterns:
+          - "junit:*"
+          - "com.github.stefanbirker:system-rules"
+          - "com.h2database:*"
+          - "io.findify:s3mock*"
+          - "io.netty:*"
+          - "org.hamcrest:*"
+          - "org.mock-server:*"
+          - "org.mockito:*"
+          - "org.xmlunit:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all Apache Commons deps in a single PR
+      apache-commons:
+        applies-to: version-updates
+        patterns:
+          - "org.apache.commons:*"
+          - "commons-*:commons-*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all fasterxml deps in a single PR
+      fasterxml:
+        applies-to: version-updates
+        patterns:
+          - "com.fasterxml:*"
+          - "com.fasterxml.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+        # Group together all Hibernate deps in a single PR
+      hibernate:
+        applies-to: version-updates
+        patterns:
+          - "org.hibernate.*:*"
+        update-types:
+          - "patch"
+      # Group together all Javax deps in a single PR
+      # NOTE: Javax is only used in 7.x and has been replaced by Jakarta in 8.x and later
+      jakarta:
+        applies-to: version-updates
+        patterns:
+          - "javax.*:*"
+          - "*:javax.mail"
+          - "org.glassfish.jaxb:jaxb-runtime"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all Google deps in a single PR
+      # NOTE: These Google deps are only used in 7.x and have been removed in 8.x and later
+      google-apis:
+        applies-to: version-updates
+        patterns:
+          - "com.google.apis:*"
+          - "com.google.api-client:*"
+          - "com.google.http-client:*"
+          - "com.google.oauth-client:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all Spring deps in a single PR
+      spring:
+        applies-to: version-updates
+        patterns:
+          - "org.springframework:*"
+          - "org.springframework.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group together all WebJARs deps in a single PR
+      webjars:
+        applies-to: version-updates
+        patterns:
+          - "org.webjars:*"
+          - "org.webjars.*:*"
+        update-types:
+          - "minor"
+          - "patch"
+      # Group Tika, bouncycastle, and asm because they are tightly integrated
+      # and we theoretically want to keep them in sync.
+      tika:
+        applies-to: version-updates
+        patterns:
+        - "org.apache.tika:*:*"
+        - "org.bouncycastle:*:*"
+        - "org.ow2.asm:*:*"
+        update-types:
+        - "minor"
+        - "patch"
+    ignore:
+      # Don't try to auto-update any DSpace dependencies
+      - dependency-name: "org.dspace:*"
+      - dependency-name: "org.dspace.*:*"
+      # Last version of errorprone to support JDK 11 is 2.31.0
+      - dependency-name: "com.google.errorprone:*"
+        versions: [">=2.32.0"]
+      # Spring Security 5.8 changes the behavior of CSRF Tokens in a way which is incompatible with DSpace 7
+      # See https://github.com/DSpace/DSpace/pull/9888#issuecomment-2408165545
+      - dependency-name: "org.springframework.security:*"
+        versions: [">=5.8.0"]
+      # Ignore major/minor updates for Hibernate. Only patch updates can be automated.
+      - dependency-name: "org.hibernate.*:*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+      # Ignore all major version updates for all dependencies. We'll only automate minor/patch updates.
+      - dependency-name: "*"
+        update-types: [ "version-update:semver-major" ]
--- a/.github/disabled-workflows/pull_request_opened.yml
+++ b/.github/disabled-workflows/pull_request_opened.yml
@@ -1,26 +0,0 @@
-# This workflow runs whenever a new pull request is created
-# TEMPORARILY DISABLED. Unfortunately this doesn't work for PRs created from forked repositories (which is how we tend to create PRs).
-# There is no known workaround yet. See https://github.community/t/how-to-use-github-token-for-prs-from-forks/16818
-name: Pull Request opened
-
-# Only run for newly opened PRs against the "main" branch
-on: 
-  pull_request:
-    types: [opened]
-    branches: 
-      - main
-
-jobs:
-  automation:
-    runs-on: ubuntu-latest
-    steps:
-    # Assign the PR to whomever created it. This is useful for visualizing assignments on project boards
-    # See https://github.com/marketplace/actions/pull-request-assigner
-    - name: Assign PR to creator
-      uses: thomaseizinger/assign-pr-creator-action@v1.0.0
-      # Note, this authentication token is created automatically
-      # See: https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-      # Ignore errors. It is possible the PR was created by someone who cannot be assigned
-      continue-on-error: true
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,7 +1,7 @@
 ## References
 _Add references/links to any related issues or PRs. These may include:_
-* Fixes #[issue-number]
-* Related to [REST Contract](https://github.com/DSpace/Rest7Contract)
+* Fixes #issue-number (if this fixes an issue ticket)
+* Related to DSpace/RestContract#pr-number  (if a corresponding REST Contract PR exists)

 ## Description
 Short summary of changes (1-2 sentences).
@@ -16,11 +16,16 @@ List of changes in this PR:
 **Include guidance for how to test or review your PR.** This may include: steps to reproduce a bug, screenshots or description of a new feature, or reasons behind specific changes. 

 ## Checklist
-_This checklist provides a reminder of what we are going to look for when reviewing your PR. You need not complete this checklist prior to creating your PR (draft PRs are always welcome). If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!_
+_This checklist provides a reminder of what we are going to look for when reviewing your PR. You need not complete this checklist prior to creating your PR (draft PRs are always welcome).
+However, reviewers may request that you complete any actions in this list if you have not done so. If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!_

- [ ] My PR is small in size (e.g. less than 1,000 lines of code, not including comments & integration tests). Exceptions may be made if previously agreed upon.
- [ ] My PR passes Checkstyle validation based on the [Code Style Guide](https://wiki.lyrasis.org/display/DSPACE/Code+Style+Guide).
- [ ] My PR includes Javadoc for _all new (or modified) public methods and classes_. It also includes Javadoc for large or complex private methods.
- [ ] My PR passes all tests and includes new/updated Unit or Integration Tests based on the [Code Testing Guide](https://wiki.lyrasis.org/display/DSPACE/Code+Testing+Guide).
- [ ] If my PR includes new, third-party dependencies (in any `pom.xml`), I've made sure their licenses align with the [DSpace BSD License](https://github.com/DSpace/DSpace/blob/main/LICENSE) based on the [Licensing of Contributions](https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines#CodeContributionGuidelines-LicensingofContributions) documentation.
- [ ] If my PR modifies the REST API, I've linked to the REST Contract page (or open PR) related to this change.
+- [ ] My PR is **created against the `main` branch** of code (unless it is a backport or is fixing an issue specific to an older branch).
+- [ ] My PR is **small in size** (e.g. less than 1,000 lines of code, not including comments & integration tests). Exceptions may be made if previously agreed upon.
+- [ ] My PR **passes Checkstyle** validation based on the [Code Style Guide](https://wiki.lyrasis.org/display/DSPACE/Code+Style+Guide).
+- [ ] My PR **includes Javadoc** for _all new (or modified) public methods and classes_. It also includes Javadoc for large or complex private methods.
+- [ ] My PR **passes all tests and includes new/updated Unit or Integration Tests** based on the [Code Testing Guide](https://wiki.lyrasis.org/display/DSPACE/Code+Testing+Guide).
+- [ ] My PR **includes details on how to test it**. I've provided clear instructions to reviewers on how to successfully test this fix or feature.
+- [ ] If my PR includes new libraries/dependencies (in any `pom.xml`), I've made sure their licenses align with the [DSpace BSD License](https://github.com/DSpace/DSpace/blob/main/LICENSE) based on the [Licensing of Contributions](https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines#CodeContributionGuidelines-LicensingofContributions) documentation.
+- [ ] If my PR modifies REST API endpoints, I've opened a separate [REST Contract](https://github.com/DSpace/RestContract/blob/main/README.md) PR related to this change.
+- [ ] If my PR includes new configurations, I've provided basic technical documentation in the PR itself.
+- [ ] If my PR fixes an issue ticket, I've [linked them together](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue).
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,25 +6,26 @@ name: Build
 # Run this Build for all pushes / PRs to current branch
 on: [push, pull_request]

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  tests:
    runs-on: ubuntu-latest
    env:
      # Give Maven 1GB of memory to work with
-      # Suppress all Maven "downloading" messages in logs (see https://stackoverflow.com/a/35653426)
-      # This also slightly speeds builds, as there is less logging
-      MAVEN_OPTS: "-Xmx1024M -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn"
+      MAVEN_OPTS: "-Xmx1024M"
    strategy:
      # Create a matrix of two separate configurations for Unit vs Integration Tests
      # This will ensure those tasks are run in parallel
      # Also specify version of Java to use (this can allow us to optionally run tests on multiple JDKs in future)
      matrix:
        include:
-          # NOTE: Unit Tests include deprecated REST API v6 (as it has unit tests)
+          # NOTE: Unit Tests include a retry for occasionally failing tests
          #  - surefire.rerunFailingTestsCount => try again for flakey tests, and keep track of/report on number of retries
          - type: "Unit Tests"
-            java: 11
-            mvnflags: "-DskipUnitTests=false -Pdspace-rest -Dsurefire.rerunFailingTestsCount=2"
+            java: 17
+            mvnflags: "-DskipUnitTests=false -Dsurefire.rerunFailingTestsCount=2"
            resultsdir: "**/target/surefire-reports/**"
          # NOTE: ITs skip all code validation checks, as they are already done by Unit Test job.
          #  - enforcer.skip     => Skip maven-enforcer-plugin rules
@@ -33,7 +34,7 @@ jobs:
          #  - xml.skip          => Skip all XML/XSLT validation by xml-maven-plugin
          #  - failsafe.rerunFailingTestsCount => try again for flakey tests, and keep track of/report on number of retries
          - type: "Integration Tests"
-            java: 11
+            java: 17
            mvnflags: "-DskipIntegrationTests=false -Denforcer.skip=true -Dcheckstyle.skip=true -Dlicense.skip=true -Dxml.skip=true -Dfailsafe.rerunFailingTestsCount=2"
            resultsdir: "**/target/failsafe-reports/**"
      # Do NOT exit immediately if one matrix job fails
@@ -44,40 +45,68 @@ jobs:
    steps:
      # https://github.com/actions/checkout
      - name: Checkout codebase
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4

      # https://github.com/actions/setup-java
      - name: Install JDK ${{ matrix.java }}
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
        with:
          java-version: ${{ matrix.java }}
          distribution: 'temurin'
-
-      # https://github.com/actions/cache
-      - name: Cache Maven dependencies
-        uses: actions/cache@v2
-        with:
-          # Cache entire ~/.m2/repository
-          path: ~/.m2/repository
-          # Cache key is hash of all pom.xml files. Therefore any changes to POMs will invalidate cache
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-maven-
+          cache: 'maven'

      # Run parallel Maven builds based on the above 'strategy.matrix'
      - name: Run Maven ${{ matrix.type }}
        env:
          TEST_FLAGS: ${{ matrix.mvnflags }}
-        run: mvn install -B -V -P-assembly -Pcoverage-report $TEST_FLAGS
+        run: mvn --no-transfer-progress -V install -P-assembly -Pcoverage-report $TEST_FLAGS

      # If previous step failed, save results of tests to downloadable artifact for this job
      # (This artifact is downloadable at the bottom of any job's summary page)
      - name: Upload Results of ${{ matrix.type }} to Artifact
        if: ${{ failure() }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.type }} results
          path: ${{ matrix.resultsdir }}

-      # https://github.com/codecov/codecov-action
+      # Upload code coverage report to artifact, so that it can be shared with the 'codecov' job (see below)
+      - name: Upload code coverage report to Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.type }} coverage report
+          path: 'dspace/target/site/jacoco-aggregate/jacoco.xml'
+          retention-days: 14
+
+  # Codecov upload is a separate job in order to allow us to restart this separate from the entire build/test
+  # job above. This is necessary because Codecov uploads seem to randomly fail at times.
+  # See https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954
+  codecov:
+    # Must run after 'tests' job above
+    needs: tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # Download artifacts from previous 'tests' job
+      - name: Download coverage artifacts
+        uses: actions/download-artifact@v4
+
+      # Now attempt upload to Codecov using its action.
+      # NOTE: We use a retry action to retry the Codecov upload if it fails the first time.
+      #
+      # Retry action: https://github.com/marketplace/actions/retry-action
+      # Codecov action: https://github.com/codecov/codecov-action
      - name: Upload coverage to Codecov.io
-        uses: codecov/codecov-action@v2
+        uses: Wandalen/wretry.action@v1.3.0
+        with:
+          action: codecov/codecov-action@v4
+          # Ensure codecov-action throws an error when it fails to upload
+          with: |
+            fail_ci_if_error: true
+            token: ${{ secrets.CODECOV_TOKEN }}
+          # Try re-running action 5 times max
+          attempt_limit: 5
+          # Run again in 30 seconds
+          attempt_delay: 30000
--- a/.github/workflows/codescan.yml
+++ b/.github/workflows/codescan.yml
@@ -0,0 +1,63 @@
+# DSpace CodeQL code scanning configuration for GitHub
+# https://docs.github.com/en/code-security/code-scanning
+#
+# NOTE: Code scanning must be run separate from our default build.yml
+# because CodeQL requires a fresh build with all tests *disabled*.
+name: "Code Scanning"
+
+# Run this code scan for all pushes / PRs to main or maintenance branches. Also run once a week.
+on:
+  push:
+    branches:
+      - main
+      - 'dspace-**'
+  pull_request:
+    branches:
+      - main
+      - 'dspace-**'
+    # Don't run if PR is only updating static documentation
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
+  schedule:
+    - cron: "37 0 * * 1"
+
+jobs:
+  analyze:
+    name: Analyze Code
+    runs-on: ubuntu-latest
+    # Limit permissions of this GitHub action. Can only write to security-events
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      # https://github.com/actions/checkout
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # https://github.com/actions/setup-java
+      - name: Install JDK
+        uses: actions/setup-java@v4
+        with:
+          java-version: 17
+          distribution: 'temurin'
+
+      # Initializes the CodeQL tools for scanning.
+      # https://github.com/github/codeql-action
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          # Codescan Javascript as well since a few JS files exist in REST API's interface
+          languages: java, javascript
+
+      # Autobuild attempts to build any compiled languages
+      # NOTE: Based on testing, this autobuild process works well for DSpace. A custom
+      # DSpace build w/caching (like in build.yml) was about the same speed as autobuild.
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      # Perform GitHub Code Scanning.
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,6 +3,7 @@ name: Docker images

 # Run this Build for all pushes to 'main' or maintenance branches, or tagged releases.
 # Also run for PRs to ensure PR doesn't break Docker build process
+# NOTE: uses "reusable-docker-build.yml" to actually build each of the Docker images.
 on:
  push:
    branches:
@@ -12,145 +13,230 @@ on:
      - 'dspace-**'
  pull_request:

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+  packages: write #  to write images to GitHub Container Registry (GHCR)
+
 jobs:
-  docker:
+  ####################################################
+  # Build/Push the 'dspace/dspace-dependencies' image.
+  # This image is used by all other DSpace build jobs.
+  ####################################################
+  dspace-dependencies:
    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
    if: github.repository == 'dspace/dspace'
-    runs-on: ubuntu-latest
-    env:
-      # Define tags to use for Docker images based on Git tags/branches (for docker/metadata-action)
-      # For a new commit on default branch (main), use the literal tag 'dspace-7_x' on Docker image.
-      # For a new commit on other branches, use the branch name as the tag for Docker image.
-      # For a new tag, copy that tag name as the tag for Docker image.
-      IMAGE_TAGS: |
-        type=raw,value=dspace-7_x,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
-        type=ref,event=branch,enable=${{ !endsWith(github.ref, github.event.repository.default_branch) }}
-        type=ref,event=tag
-      # Define default tag "flavor" for docker/metadata-action per
-      # https://github.com/docker/metadata-action#flavor-input
-      # We turn off 'latest' tag by default.
-      TAGS_FLAVOR: |
-        latest=false
-
-    steps:
-      # https://github.com/actions/checkout
-      - name: Checkout codebase
-        uses: actions/checkout@v2
-
-      # https://github.com/docker/setup-buildx-action
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v1
-
-      # https://github.com/docker/login-action
-      - name: Login to DockerHub
-        # Only login if not a PR, as PRs only trigger a Docker build and not a push
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v1
+    uses: ./.github/workflows/reusable-docker-build.yml
    with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
-
-      ####################################################
-      # Build/Push the 'dspace/dspace-dependencies' image
-      ####################################################
-      # https://github.com/docker/metadata-action
-      # Get Metadata for docker_build_deps step below
-      - name: Sync metadata (tags, labels) from GitHub to Docker for 'dspace-dependencies' image
-        id: meta_build_deps
-        uses: docker/metadata-action@v3
-        with:
-          images: dspace/dspace-dependencies
-          tags: ${{ env.IMAGE_TAGS }}
-          flavor: ${{ env.TAGS_FLAVOR }}
-
-      # https://github.com/docker/build-push-action
-      - name: Build and push 'dspace-dependencies' image
-        id: docker_build_deps
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          file: ./Dockerfile.dependencies
-          # For pull requests, we run the Docker build (to ensure no PR changes break the build),
-          # but we ONLY do an image push to DockerHub if it's NOT a PR
-          push: ${{ github.event_name != 'pull_request' }}
-          # Use tags / labels provided by 'docker/metadata-action' above
-          tags: ${{ steps.meta_build_deps.outputs.tags }}
-          labels: ${{ steps.meta_build_deps.outputs.labels }}
+      build_id: dspace-dependencies
+      image_name: dspace/dspace-dependencies
+      dockerfile_path: ./Dockerfile.dependencies
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}

  #######################################
  # Build/Push the 'dspace/dspace' image
  #######################################
-      # Get Metadata for docker_build step below
-      - name: Sync metadata (tags, labels) from GitHub to Docker for 'dspace' image
-        id: meta_build
-        uses: docker/metadata-action@v3
+  dspace:
+    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
+    if: github.repository == 'dspace/dspace'
+    # Must run after 'dspace-dependencies' job above
+    needs: dspace-dependencies
+    uses: ./.github/workflows/reusable-docker-build.yml
    with:
-          images: dspace/dspace
-          tags: ${{ env.IMAGE_TAGS }}
-          flavor: ${{ env.TAGS_FLAVOR }}
+      build_id: dspace-prod
+      image_name: dspace/dspace
+      dockerfile_path: ./Dockerfile
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+      # Enable redeploy of sandbox & demo if the branch for this image matches the deployment branch of
+      # these sites as specified in reusable-docker-build.xml
+      REDEPLOY_SANDBOX_URL: ${{ secrets.REDEPLOY_SANDBOX_URL }}
+      REDEPLOY_DEMO_URL: ${{ secrets.REDEPLOY_DEMO_URL }}

-      - name: Build and push 'dspace' image
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          file: ./Dockerfile
-          # For pull requests, we run the Docker build (to ensure no PR changes break the build),
-          # but we ONLY do an image push to DockerHub if it's NOT a PR
-          push: ${{ github.event_name != 'pull_request' }}
-          # Use tags / labels provided by 'docker/metadata-action' above
-          tags: ${{ steps.meta_build.outputs.tags }}
-          labels: ${{ steps.meta_build.outputs.labels }}
-
-      #####################################################
+  #############################################################
  # Build/Push the 'dspace/dspace' image ('-test' tag)
-      #####################################################
-      # Get Metadata for docker_build_test step below
-      - name: Sync metadata (tags, labels) from GitHub to Docker for 'dspace-test' image
-        id: meta_build_test
-        uses: docker/metadata-action@v3
+  #############################################################
+  dspace-test:
+    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
+    if: github.repository == 'dspace/dspace'
+    # Must run after 'dspace-dependencies' job above
+    needs: dspace-dependencies
+    uses: ./.github/workflows/reusable-docker-build.yml
    with:
-          images: dspace/dspace
-          tags: ${{ env.IMAGE_TAGS }}
+      build_id: dspace-test
+      image_name: dspace/dspace
+      dockerfile_path: ./Dockerfile.test
      # As this is a test/development image, its tags are all suffixed with "-test". Otherwise, it uses the same
      # tagging logic as the primary 'dspace/dspace' image above.
-          flavor: ${{ env.TAGS_FLAVOR }}
-            suffix=-test
-
-      - name: Build and push 'dspace-test' image
-        id: docker_build_test
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          file: ./Dockerfile.test
-          # For pull requests, we run the Docker build (to ensure no PR changes break the build),
-          # but we ONLY do an image push to DockerHub if it's NOT a PR
-          push: ${{ github.event_name != 'pull_request' }}
-          # Use tags / labels provided by 'docker/metadata-action' above
-          tags: ${{ steps.meta_build_test.outputs.tags }}
-          labels: ${{ steps.meta_build_test.outputs.labels }}
+      tags_flavor: suffix=-test
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}

  ###########################################
  # Build/Push the 'dspace/dspace-cli' image
  ###########################################
-      # Get Metadata for docker_build_test step below
-      - name: Sync metadata (tags, labels) from GitHub to Docker for 'dspace-cli' image
-        id: meta_build_cli
-        uses: docker/metadata-action@v3
+  dspace-cli:
+    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
+    if: github.repository == 'dspace/dspace'
+    # Must run after 'dspace-dependencies' job above
+    needs: dspace-dependencies
+    uses: ./.github/workflows/reusable-docker-build.yml
    with:
-          images: dspace/dspace-cli
-          tags: ${{ env.IMAGE_TAGS }}
-          flavor: ${{ env.TAGS_FLAVOR }}
+      build_id: dspace-cli
+      image_name: dspace/dspace-cli
+      dockerfile_path: ./Dockerfile.cli
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}

-      - name: Build and push 'dspace-cli' image
-        id: docker_build_cli
-        uses: docker/build-push-action@v2
+  ###########################################
+  # Build/Push the 'dspace/dspace-solr' image
+  ###########################################
+  dspace-solr:
+    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
+    if: github.repository == 'dspace/dspace'
+    uses: ./.github/workflows/reusable-docker-build.yml
    with:
-          context: .
-          file: ./Dockerfile.cli
-          # For pull requests, we run the Docker build (to ensure no PR changes break the build),
-          # but we ONLY do an image push to DockerHub if it's NOT a PR
-          push: ${{ github.event_name != 'pull_request' }}
-          # Use tags / labels provided by 'docker/metadata-action' above
-          tags: ${{ steps.meta_build_cli.outputs.tags }}
-          labels: ${{ steps.meta_build_cli.outputs.labels }}
+      build_id: dspace-solr
+      image_name: dspace/dspace-solr
+      dockerfile_path: ./dspace/src/main/docker/dspace-solr/Dockerfile
+      # Must pass solrconfigs to the Dockerfile so that it can find the required Solr config files
+      dockerfile_additional_contexts: 'solrconfigs=./dspace/solr/'
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+      # Enable redeploy of sandbox & demo SOLR instance whenever dspace-solr image changes for deployed branch.
+      # These URLs MUST use different secrets than 'dspace/dspace' image build above as they are deployed separately.
+      REDEPLOY_SANDBOX_URL: ${{ secrets.REDEPLOY_SANDBOX_SOLR_URL }}
+      REDEPLOY_DEMO_URL: ${{ secrets.REDEPLOY_DEMO_SOLR_URL }}
+
+  ########################################################
+  # Build/Push the 'dspace/dspace-postgres-loadsql' image
+  ########################################################
+  dspace-postgres-loadsql:
+    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
+    if: github.repository == 'dspace/dspace'
+    uses: ./.github/workflows/reusable-docker-build.yml
+    with:
+      build_id: dspace-postgres-loadsql
+      image_name: dspace/dspace-postgres-loadsql
+      # Must build out of subdirectory to have access to install script.
+      # NOTE: this context will build the image based on the Dockerfile in the specified directory
+      dockerfile_context: ./dspace/src/main/docker/dspace-postgres-loadsql/
+    secrets:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_ACCESS_TOKEN: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+
+  #################################################################################
+  # Test Deployment via Docker to ensure newly built images are working properly
+  #################################################################################
+  docker-deploy:
+    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
+    if: github.repository == 'dspace/dspace'
+    runs-on: ubuntu-latest
+    # Must run after all major images are built
+    needs: [dspace, dspace-test, dspace-cli, dspace-solr]
+    env:
+      # Override defaults dspace.server.url because backend starts at http://127.0.0.1:8080
+      dspace__P__server__P__url: http://127.0.0.1:8080/server
+      # Enable all optional modules / controllers for this test deployment.
+      # This helps check for errors in deploying these modules via Spring Boot
+      iiif__P__enabled: true
+      ldn__P__enabled: true
+      oai__P__enabled: true
+      rdf__P__enabled: true
+      signposting__P__enabled: true
+      sword__D__server__P__enabled: true
+      swordv2__D__server__P__enabled: true
+      # If this is a PR against main (default branch), use "latest".
+      # Else if this is a PR against a different branch, used the base branch name.
+      # Else if this is a commit on main (default branch), use the "latest" tag.
+      # Else, just use the branch name.
+      # NOTE: DSPACE_VER is used because our docker compose scripts default to using the "-test" image.
+      DSPACE_VER: ${{ (github.event_name == 'pull_request' && github.event.pull_request.base.ref == github.event.repository.default_branch && 'latest') || (github.event_name == 'pull_request' && github.event.pull_request.base.ref) || (github.ref_name == github.event.repository.default_branch && 'latest') || github.ref_name }}
+      # Docker Registry to use for Docker compose scripts below.
+      # We use GitHub's Container Registry to avoid aggressive rate limits at DockerHub.
+      DOCKER_REGISTRY: ghcr.io
+    steps:
+      # Checkout our codebase (to get access to Docker Compose scripts)
+      - name: Checkout codebase
+        uses: actions/checkout@v4
+      # Download Docker image artifacts (which were just built by reusable-docker-build.yml)
+      - name: Download Docker image artifacts
+        uses: actions/download-artifact@v4
+        with:
+          # Download all amd64 Docker images (TAR files) into the /tmp/docker directory
+          pattern: docker-image-*-linux-amd64
+          path: /tmp/docker
+          merge-multiple: true
+      # Load each of the images into Docker by calling "docker image load" for each.
+      # This ensures we are using the images just built & not any prior versions on DockerHub
+      - name: Load all downloaded Docker images
+        run: |
+          find /tmp/docker -type f -name "*.tar" -exec docker image load --input "{}" \;
+          docker image ls -a
+      # Start backend using our compose script in the codebase.
+      - name: Start backend in Docker
+        run: |
+          docker compose -f docker-compose.yml up -d
+          sleep 10
+          docker container ls
+      # Create a test admin account. Load test data from a simple set of AIPs as defined in cli.ingest.yml
+      - name: Load test data into Backend
+        run: |
+          docker compose -f docker-compose-cli.yml run --rm dspace-cli create-administrator -e test@test.edu -f admin -l user -p admin -c en
+          docker compose -f docker-compose-cli.yml -f dspace/src/main/docker-compose/cli.ingest.yml run --rm dspace-cli
+      # Verify backend started successfully.
+      # 1. Make sure root endpoint is responding (check for dspace.name defined in docker-compose.yml)
+      # 2. Also check /collections endpoint to ensure the test data loaded properly (check for a collection name in AIPs)
+      - name: Verify backend is responding properly
+        run: |
+          result=$(wget -O- -q http://127.0.0.1:8080/server/api)
+          echo "$result"
+          echo "$result" |  grep -oE "\"DSpace Started with Docker Compose\","
+          result=$(wget -O- -q http://127.0.0.1:8080/server/api/core/collections)
+          echo "$result"
+          echo "$result" |  grep -oE "\"Dog in Yard\","
+      # Verify basic backend logging is working.
+      # 1. Access the top communities list. Verify that the "Before request" INFO statement is logged
+      # 2. Access an invalid endpoint (and ignore 404 response). Verify that a "status:404" WARN statement is logged
+      - name: Verify backend is logging properly
+        run: |
+          wget -O/dev/null -q http://127.0.0.1:8080/server/api/core/communities/search/top
+          logs=$(docker compose -f docker-compose.yml logs -n 5 dspace)
+          echo "$logs"
+          echo "$logs" | grep -o "Before request \[GET /server/api/core/communities/search/top\]"
+          wget -O/dev/null -q http://127.0.0.1:8080/server/api/does/not/exist || true
+          logs=$(docker compose -f docker-compose.yml logs -n 5 dspace)
+          echo "$logs"
+          echo "$logs" | grep -o "status:404 exception: The repository type does.not was not found"
+      # Verify Handle Server can be stared and is working properly
+      # 1. First generate the "[dspace]/handle-server" folder with the sitebndl.zip
+      # 2. Start the Handle Server (and wait 20 seconds to let it start up)
+      # 3. Verify logs do NOT include "Exception" in the text (as that means an error occurred)
+      # 4. Check that Handle Proxy HTML page is responding on default port (8000)
+      - name: Verify Handle Server is working properly
+        run: |
+          docker exec -i dspace /dspace/bin/make-handle-config
+          echo "Starting Handle Server..."
+          docker exec -i dspace /dspace/bin/start-handle-server
+          sleep 20
+          echo "Checking for errors in error.log"
+          result=$(docker exec -i dspace sh -c "cat /dspace/handle-server/logs/error.log* || echo ''")
+          echo "$result"
+          echo "$result" | grep -vqz "Exception"
+          echo "Checking for errors in handle-server.log..."
+          result=$(docker exec -i dspace cat /dspace/log/handle-server.log)
+          echo "$result"
+          echo "$result" | grep -vqz "Exception"
+          echo "Checking to see if Handle Proxy webpage is available..."
+          result=$(wget -O- -q http://127.0.0.1:8000/)
+          echo "$result"
+          echo "$result" | grep -oE "Handle Proxy"
+      # Shutdown our containers
+      - name: Shutdown Docker containers
+        run: |
+          docker compose -f docker-compose.yml down
--- a/.github/workflows/issue_opened.yml
+++ b/.github/workflows/issue_opened.yml
@@ -5,25 +5,22 @@ on:
  issues:
    types: [opened]

+permissions: {}
 jobs:
  automation:
    runs-on: ubuntu-latest
    steps:
    # Add the new issue to a project board, if it needs triage
-    # See https://github.com/marketplace/actions/create-project-card-action
-    - name: Add issue to project board
+    # See https://github.com/actions/add-to-project
+    - name: Add issue to triage board
      # Only add to project board if issue is flagged as "needs triage" or has no labels
      # NOTE: By default we flag new issues as "needs triage" in our issue template
      if: (contains(github.event.issue.labels.*.name, 'needs triage') || join(github.event.issue.labels.*.name) == '')
-      uses: technote-space/create-project-card-action@v1
+      uses: actions/add-to-project@v1.0.0
      # Note, the authentication token below is an ORG level Secret. 
-      # It must be created/recreated manually via a personal access token with "public_repo" and "admin:org" permissions
+      # It must be created/recreated manually via a personal access token with admin:org, project, public_repo permissions
      # See: https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token
      # This is necessary because the "DSpace Backlog" project is an org level project (i.e. not repo specific)
      with:
-        GITHUB_TOKEN: ${{ secrets.ORG_PROJECT_TOKEN }}
-        PROJECT: DSpace Backlog
-        COLUMN: Triage
-        CHECK_ORG_PROJECT: true
-      # Ignore errors.
-      continue-on-error: true
+        github-token: ${{ secrets.TRIAGE_PROJECT_TOKEN }}
+        project-url: https://github.com/orgs/DSpace/projects/24
--- a/.github/workflows/label_merge_conflicts.yml
+++ b/.github/workflows/label_merge_conflicts.yml
@@ -1,25 +1,39 @@
 # This workflow checks open PRs for merge conflicts and labels them when conflicts are found
 name: Check for merge conflicts

-# Run whenever the "main" branch is updated
-# NOTE: This means merge conflicts are only checked for when a PR is merged to main.
+# Run this for all pushes (i.e. merges) to 'main' or maintenance branches
 on:
  push:
    branches:
      - main
+      - 'dspace-**'
+  # So that the `conflict_label_name` is removed if conflicts are resolved,
+  # we allow this to run for `pull_request_target` so that github secrets are available.
+  pull_request_target:
+    types: [ synchronize ]
+
+permissions: {}

 jobs:
  triage:
+    # Ensure this job never runs on forked repos. It's only executed for 'dspace/dspace'
+    if: github.repository == 'dspace/dspace'
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
    steps:
-      # See: https://github.com/mschilde/auto-label-merge-conflicts/
+      # See: https://github.com/prince-chrismc/label-merge-conflicts-action
      - name: Auto-label PRs with merge conflicts
-        uses: mschilde/auto-label-merge-conflicts@v2.0
+        uses: prince-chrismc/label-merge-conflicts-action@v3
+        # Ignore any failures -- may occur (randomly?) for older, outdated PRs.
+        continue-on-error: true
        # Add "merge conflict" label if a merge conflict is detected. Remove it when resolved.
        # Note, the authentication token is created automatically
        # See: https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token
        with:
-          CONFLICT_LABEL_NAME: 'merge conflict'
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        # Ignore errors
-        continue-on-error: true
+          conflict_label_name: 'merge conflict'
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          conflict_comment: |
+            Hi @${author},
+            Conflicts have been detected against the base branch.
+            Please [resolve these conflicts](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/addressing-merge-conflicts/about-merge-conflicts) as soon as you can. Thanks!
--- a/.github/workflows/port_merged_pull_request.yml
+++ b/.github/workflows/port_merged_pull_request.yml
@@ -0,0 +1,46 @@
+# This workflow will attempt to port a merged pull request to
+# the branch specified in a "port to" label (if exists)
+name: Port merged Pull Request
+
+# Only run for merged PRs against the "main" or maintenance branches
+# We allow this to run for `pull_request_target` so that github secrets are available
+# (This is required when the PR comes from a forked repo)
+on:
+  pull_request_target:
+    types: [ closed ]
+    branches:
+      - main
+      - 'dspace-**'
+
+permissions:
+  contents: write      # so action can add comments
+  pull-requests: write # so action can create pull requests
+
+jobs:
+  port_pr:
+    runs-on: ubuntu-latest
+    # Don't run on closed *unmerged* pull requests
+    if: github.event.pull_request.merged
+    steps:
+      # Checkout code
+      - uses: actions/checkout@v4
+      # Port PR to other branch (ONLY if labeled with "port to")
+      # See https://github.com/korthout/backport-action
+      - name: Create backport pull requests
+        uses: korthout/backport-action@v2
+        with:
+          # Trigger based on a "port to [branch]" label on PR
+          # (This label must specify the branch name to port to)
+          label_pattern: '^port to ([^ ]+)$'
+          # Title to add to the (newly created) port PR
+          pull_title: '[Port ${target_branch}] ${pull_title}'
+          # Description to add to the (newly created) port PR
+          pull_description: 'Port of #${pull_number} by @${pull_author} to `${target_branch}`.'
+          # Copy all labels from original PR to (newly created) port PR
+          # NOTE: The labels matching 'label_pattern' are automatically excluded
+          copy_labels_pattern: '.*'
+          # Skip any merge commits in the ported PR. This means only non-merge commits are cherry-picked to the new PR
+          merge_commits: 'skip'
+          # Use a personal access token (PAT) to create PR as 'dspace-bot' user.
+          # A PAT is required in order for the new PR to trigger its own actions (for CI checks)
+          github_token: ${{ secrets.PR_PORT_TOKEN }}
--- a/.github/workflows/pull_request_opened.yml
+++ b/.github/workflows/pull_request_opened.yml
@@ -0,0 +1,24 @@
+# This workflow runs whenever a new pull request is created
+name: Pull Request opened
+
+# Only run for newly opened PRs against the "main" or maintenance branches
+# We allow this to run for `pull_request_target` so that github secrets are available
+# (This is required to assign a PR back to the creator when the PR comes from a forked repo)
+on:
+  pull_request_target:
+    types: [ opened ]
+    branches:
+      - main
+      - 'dspace-**'
+
+permissions:
+  pull-requests: write
+
+jobs:
+  automation:
+    runs-on: ubuntu-latest
+    steps:
+    # Assign the PR to whomever created it. This is useful for visualizing assignments on project boards
+    # See https://github.com/toshimaru/auto-author-assign
+    - name: Assign PR to creator
+      uses: toshimaru/auto-author-assign@v2.1.0
--- a/.github/workflows/reusable-docker-build.yml
+++ b/.github/workflows/reusable-docker-build.yml
@@ -0,0 +1,353 @@
+#
+# DSpace's reusable Docker build/push workflow.
+#
+# This is used by docker.yml for all Docker image builds
+name: Reusable DSpace Docker Build
+
+on:
+  workflow_call:
+    # Possible Inputs to this reusable job
+    inputs:
+      # Build name/id for this Docker build. Used for digest storage to avoid digest overlap between builds.
+      build_id:
+        required: true
+        type: string
+      # Requires the image name to build (e.g dspace/dspace-test)
+      image_name:
+        required: true
+        type: string
+      # Optionally the path to the Dockerfile to use for the build. (Default is [dockerfile_context]/Dockerfile)
+      dockerfile_path:
+        required: false
+        type: string
+      # Optionally the context directory to build the Dockerfile within. Defaults to "." (current directory)
+      dockerfile_context:
+        required: false
+        type: string
+        default: '.'
+      # Optionally a list of "additional_contexts" to pass to Dockerfile. Defaults to empty
+      dockerfile_additional_contexts:
+        required: false
+        type: string
+        default: ''
+      # If Docker image should have additional tag flavor details (e.g. a suffix), it may be passed in.
+      tags_flavor:
+        required: false
+        type: string
+    secrets:
+      # Requires that Docker login info be passed in as secrets.
+      DOCKER_USERNAME:
+        required: true
+      DOCKER_ACCESS_TOKEN:
+        required: true
+      # These URL secrets are optional. When specified & branch checks match, the redeployment code below will trigger.
+      # Therefore builds which need to trigger redeployment MUST specify these URLs. All others should leave them empty.
+      REDEPLOY_SANDBOX_URL:
+        required: false
+      REDEPLOY_DEMO_URL:
+        required: false
+
+# Define shared default settings as environment variables
+env:
+  IMAGE_NAME: ${{ inputs.image_name }}
+  # Define tags to use for Docker images based on Git tags/branches (for docker/metadata-action)
+  # For a new commit on default branch (main), use the literal tag 'latest' on Docker image.
+  # For a new commit on other branches, use the branch name as the tag for Docker image.
+  # For a new tag, copy that tag name as the tag for Docker image.
+  # For a pull request, use the name of the base branch that the PR was created against or "latest" (for main).
+  #   e.g. PR against 'main' will use "latest". a PR against 'dspace-7_x' will use 'dspace-7_x'.
+  IMAGE_TAGS: |
+    type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch }}
+    type=ref,event=branch,enable=${{ github.ref_name != github.event.repository.default_branch }}
+    type=ref,event=tag
+    type=raw,value=${{ (github.event.pull_request.base.ref == github.event.repository.default_branch && 'latest') || github.event.pull_request.base.ref }},enable=${{ github.event_name == 'pull_request' }}
+  # Define default tag "flavor" for docker/metadata-action per
+  # https://github.com/docker/metadata-action#flavor-input
+  # We manage the 'latest' tag ourselves to the 'main' branch (see settings above)
+  TAGS_FLAVOR: |
+    latest=false
+    ${{ inputs.tags_flavor }}
+  # When these URL variables are specified & required branch matches, then the sandbox or demo site will be redeployed.
+  # See "Redeploy" steps below for more details.
+  REDEPLOY_SANDBOX_URL: ${{ secrets.REDEPLOY_SANDBOX_URL }}
+  REDEPLOY_DEMO_URL: ${{ secrets.REDEPLOY_DEMO_URL }}
+  # Current DSpace branches (and architecture) which are deployed to demo.dspace.org & sandbox.dspace.org respectively
+  DEPLOY_DEMO_BRANCH: 'dspace-9_x'
+  DEPLOY_SANDBOX_BRANCH: 'main'
+  DEPLOY_ARCH: 'linux/amd64'
+  # Registry used during building of Docker images. (All images are later copied to docker.io registry)
+  # We use GitHub's Container Registry to avoid aggressive rate limits at DockerHub.
+  DOCKER_BUILD_REGISTRY: ghcr.io
+
+jobs:
+  docker-build:
+
+    strategy:
+      matrix:
+        # Architectures / Platforms for which we will build Docker images
+        arch: [ 'linux/amd64', 'linux/arm64' ]
+        isPr:
+          - ${{ github.event_name == 'pull_request' }}
+        # If this is a PR, we ONLY build for AMD64. For PRs we only do a sanity check test to ensure Docker builds work.
+        # The below exclude therefore ensures we do NOT build ARM64 for PRs.
+        exclude:
+          - isPr: true
+            arch: linux/arm64
+
+    # If ARM64, then use the Ubuntu ARM64 runner. Otherwise, use the Ubuntu AMD64 runner
+    runs-on: ${{ matrix.arch == 'linux/arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
+
+    steps:
+      # This step converts the slashes in the "arch" matrix values above into dashes & saves to env.ARCH_NAME
+      # E.g. "linux/amd64" becomes "linux-amd64"
+      # This is necessary because all upload artifacts CANNOT have special chars (like slashes)
+      # NOTE: The regex-like syntax below is Bash Parameter Substitution
+      - name: Prepare
+        run: |
+          platform=${{ matrix.arch }}
+          echo "ARCH_NAME=${platform//\//-}" >> $GITHUB_ENV
+
+      # https://github.com/actions/checkout
+      - name: Checkout codebase
+        uses: actions/checkout@v4
+
+      # https://github.com/docker/login-action
+      # NOTE: This login occurs for BOTH non-PRs or PRs. PRs *must* also login to access private images from GHCR
+      # during the build process
+      - name: Login to ${{ env.DOCKER_BUILD_REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.DOCKER_BUILD_REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # https://github.com/docker/setup-buildx-action
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # https://github.com/docker/metadata-action
+      # Extract metadata used for Docker images in all build steps below
+      - name: Extract metadata (tags, labels) from GitHub for Docker image
+        id: meta_build
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.DOCKER_BUILD_REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: ${{ env.IMAGE_TAGS }}
+          flavor: ${{ env.TAGS_FLAVOR }}
+
+      #--------------------------------------------------------------------
+      # First, for all branch commits (non-PRs) we build the image & upload
+      # to GitHub Container Registry (GHCR). After uploading the image
+      # to GHCR, we store the image digest in an artifact, so we can
+      # create a merged manifest later (see 'docker-build_manifest' job).
+      #
+      # NOTE: We use GHCR in order to avoid aggressive rate limits at DockerHub.
+      #--------------------------------------------------------------------
+      # https://github.com/docker/build-push-action
+      - name: Build and push image to ${{ env.DOCKER_BUILD_REGISTRY }}
+        if: ${{ ! matrix.isPr }}
+        id: docker_build
+        uses: docker/build-push-action@v5
+        with:
+          build-contexts: |
+            ${{ inputs.dockerfile_additional_contexts }}
+          context: ${{ inputs.dockerfile_context }}
+          file: ${{ inputs.dockerfile_path }}
+          # Tell DSpace's Docker files to use the build registry instead of DockerHub
+          build-args:
+            DOCKER_REGISTRY=${{ env.DOCKER_BUILD_REGISTRY }}
+          platforms: ${{ matrix.arch }}
+          push: true
+          # Use tags / labels provided by 'docker/metadata-action' above
+          tags: ${{ steps.meta_build.outputs.tags }}
+          labels: ${{ steps.meta_build.outputs.labels }}
+          # Use GitHub cache to load cached Docker images and cache the results of this build
+          # This decreases the number of images we need to fetch from DockerHub
+          cache-from: type=gha,scope=${{ inputs.build_id }}
+          cache-to: type=gha,scope=${{ inputs.build_id }},mode=min
+
+      # Export the digest of Docker build locally
+      - name: Export Docker build digest
+        if: ${{ ! matrix.isPr }}
+        run: |
+            mkdir -p /tmp/digests
+            digest="${{ steps.docker_build.outputs.digest }}"
+            touch "/tmp/digests/${digest#sha256:}"
+
+      # Upload digest to an artifact, so that it can be used in combined manifest below
+      # (The purpose of the combined manifest is to list both amd64 and arm64 builds under same tag)
+      - name: Upload Docker build digest to artifact
+        if: ${{ ! matrix.isPr }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ inputs.build_id }}-${{ env.ARCH_NAME }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+      #------------------------------------------------------------------------------
+      # Second, we build the image again in order to store it in a local TAR file.
+      # This TAR of the image is cached/saved as an artifact, so that it can be used
+      # by later jobs to install the brand-new images for automated testing.
+      # This TAR build is performed BOTH for PRs and for branch commits (non-PRs).
+      #
+      # (This approach has the advantage of avoiding having to download the newly built
+      # image from DockerHub or GHCR during automated testing.)
+      #
+      # See the 'docker-deploy' job in docker.yml as an example of where this TAR is used.
+      #-------------------------------------------------------------------------------
+      # Build local image (again) and store in a TAR file in /tmp directory
+      # This step is only done for AMD64, as that's the only image we use in our automated testing (at this time).
+      # NOTE: This step cannot be combined with the build above as it's a different type of output.
+      - name: Build and push image to local TAR file
+        if: ${{ matrix.arch == 'linux/amd64'}}
+        uses: docker/build-push-action@v5
+        with:
+          build-contexts: |
+            ${{ inputs.dockerfile_additional_contexts }}
+          context: ${{ inputs.dockerfile_context }}
+          file: ${{ inputs.dockerfile_path }}
+          # Tell DSpace's Docker files to use the build registry instead of DockerHub
+          build-args:
+            DOCKER_REGISTRY=${{ env.DOCKER_BUILD_REGISTRY }}
+          platforms: ${{ matrix.arch }}
+          tags: ${{ steps.meta_build.outputs.tags }}
+          labels: ${{ steps.meta_build.outputs.labels }}
+          # Use GitHub cache to load cached Docker images and cache the results of this build
+          # This decreases the number of images we need to fetch from DockerHub
+          cache-from: type=gha,scope=${{ inputs.build_id }}
+          cache-to: type=gha,scope=${{ inputs.build_id }},mode=min
+          # Export image to a local TAR file
+          outputs: type=docker,dest=/tmp/${{ inputs.build_id }}.tar
+
+      # Upload the local docker image (in TAR file) to a build Artifact
+      # This step is only done for AMD64, as that's the only image we use in our automated testing (at this time).
+      - name: Upload local image TAR to artifact
+        if: ${{ matrix.arch == 'linux/amd64'}}
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-image-${{ inputs.build_id }}-${{ env.ARCH_NAME }}
+          path: /tmp/${{ inputs.build_id }}.tar
+          if-no-files-found: error
+          retention-days: 1
+
+  ##########################################################################################
+  # Merge Docker digests (from various architectures) into a single manifest.
+  # This runs after all Docker builds complete above. The purpose is to include all builds
+  # under a single manifest for this tag.
+  # (e.g. both linux/amd64 and linux/arm64 should be listed under the same tagged Docker image)
+  ##########################################################################################
+  docker-build_manifest:
+    # Only run if this is NOT a PR
+    if: ${{ github.event_name != 'pull_request' }}
+    runs-on: ubuntu-latest
+    needs:
+      - docker-build
+    steps:
+      - name: Download Docker build digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          # Download digests for both AMD64 and ARM64 into same directory
+          pattern: digests-${{ inputs.build_id }}-*
+          merge-multiple: true
+
+      - name: Login to ${{ env.DOCKER_BUILD_REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.DOCKER_BUILD_REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Add Docker metadata for image
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.DOCKER_BUILD_REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: ${{ env.IMAGE_TAGS }}
+          flavor: ${{ env.TAGS_FLAVOR }}
+
+      - name: Create manifest list from digests and push to ${{ env.DOCKER_BUILD_REGISTRY }}
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+          $(printf '${{ env.DOCKER_BUILD_REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+      - name: Inspect manifest in ${{ env.DOCKER_BUILD_REGISTRY }}
+        run: |
+          docker buildx imagetools inspect ${{ env.DOCKER_BUILD_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+
+  ##########################################################################################
+  # Copy images / manifest to DockerHub.
+  # This MUST run after *both* images (AMD64 and ARM64) are built and uploaded to GitHub
+  # Container Registry (GHCR). Attempting to run this in parallel to GHCR builds can result
+  # in a race condition...i.e. the copy to DockerHub may fail if GHCR image has been updated
+  # at the moment when the copy occurs.
+  ##########################################################################################
+  docker-copy_to_dockerhub:
+    # Only run if this is NOT a PR
+    if: ${{ github.event_name != 'pull_request' }}
+    runs-on: ubuntu-latest
+    needs:
+      - docker-build_manifest
+
+    steps:
+      # 'regctl' is used to more easily copy the image to DockerHub and obtain the digest from DockerHub
+      # See https://github.com/regclient/regclient/blob/main/docs/regctl.md
+      - name: Install regctl for Docker registry tools
+        uses: regclient/actions/regctl-installer@main
+        with:
+          release: 'v0.8.0'
+
+      # This recreates Docker tags for DockerHub
+      - name: Add Docker metadata for image
+        id: meta_dockerhub
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: ${{ env.IMAGE_TAGS }}
+          flavor: ${{ env.TAGS_FLAVOR }}
+
+      # Login to source registry first, as this is where we are copying *from*
+      - name: Login to ${{ env.DOCKER_BUILD_REGISTRY }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.DOCKER_BUILD_REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Login to DockerHub, since this is where we are copying *to*
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_ACCESS_TOKEN }}
+
+      # Copy the image from source to DockerHub
+      - name: Copy image from ${{ env.DOCKER_BUILD_REGISTRY }} to docker.io
+        run: |
+          regctl image copy ${{ env.DOCKER_BUILD_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta_dockerhub.outputs.version }} docker.io/${{ env.IMAGE_NAME }}:${{ steps.meta_dockerhub.outputs.version }}
+
+      #--------------------------------------------------------------------
+      # Finally, check whether demo.dspace.org or sandbox.dspace.org need
+      # to be redeployed based on these new DockerHub images.
+      #--------------------------------------------------------------------
+      # If this build is for the branch that Sandbox uses and passed in a REDEPLOY_SANDBOX_URL secret,
+      # Then redeploy https://sandbox.dspace.org
+      - name: Redeploy sandbox.dspace.org (based on main branch)
+        if: |
+          env.REDEPLOY_SANDBOX_URL != '' &&
+          github.ref_name == env.DEPLOY_SANDBOX_BRANCH
+        run: |
+          curl -X POST $REDEPLOY_SANDBOX_URL
+      # If this build is for the branch that Demo uses and passed in a REDEPLOY_DEMO_URL secret,
+      # Then redeploy https://demo.dspace.org
+      - name: Redeploy demo.dspace.org (based on maintenance branch)
+        if: |
+          env.REDEPLOY_DEMO_URL != '' &&
+          github.ref_name == env.DEPLOY_DEMO_BRANCH
+        run: |
+          curl -X POST $REDEPLOY_DEMO_URL
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ tags
 .project
 .classpath
 .checkstyle
+.factorypath

 ## Ignore project files created by IntelliJ IDEA
 *.iml
@@ -27,6 +28,9 @@ nbdist/
 nbactions.xml
 nb-configuration.xml

+## Ignore project files created by Visual Studio Code
+.vscode/
+
 ## Ignore all *.properties file in root folder, EXCEPT build.properties (the default)
 ## KEPT FOR BACKWARDS COMPATIBILITY WITH 5.x (build.properties is now replaced with local.cfg)
 /*.properties
--- a/.lgtm.yml
+++ b/.lgtm.yml
@@ -1,9 +0,0 @@
-# LGTM Settings (https://lgtm.com/)
-# For reference, see https://lgtm.com/help/lgtm/lgtm.yml-configuration-file
-# or template at https://lgtm.com/static/downloads/lgtm.template.yml
-
-extraction:
-  java:
-    index:
-      # Specify the Java version required to build the project
-      java_version: 11
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,46 @@
+# How to Contribute
+
+DSpace is a community built and supported project. We do not have a centralized development or support team, but have a dedicated group of volunteers who help us improve the software, documentation, resources, etc.
+
+* [Contribute new code via a Pull Request](#contribute-new-code-via-a-pull-request)
+* [Contribute documentation](#contribute-documentation)
+* [Help others on mailing lists or Slack](#help-others-on-mailing-lists-or-slack)
+* [Join a working or interest group](#join-a-working-or-interest-group)
+
+## Contribute new code via a Pull Request
+
+We accept [GitHub Pull Requests (PRs)](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) at any time from anyone.
+Contributors to each release are recognized in our [Release Notes](https://wiki.lyrasis.org/display/DSDOC9x/Release+Notes).
+
+Code Contribution Checklist
+- [ ] PRs _should_ be smaller in size (ideally less than 1,000 lines of code, not including comments & tests)
+- [ ] PRs **must** pass Checkstyle validation based on our [Code Style Guide](https://wiki.lyrasis.org/display/DSPACE/Code+Style+Guide).
+- [ ] PRs **must** include Javadoc for _all new/modified public methods and classes_. Larger private methods should also have Javadoc
+- [ ] PRs **must** pass all automated tests and include new/updated Unit or Integration tests based on our [Code Testing Guide](https://wiki.lyrasis.org/display/DSPACE/Code+Testing+Guide).
+- [ ] Details on how to test the PR **must** be provided. Reviewers must be aware of any steps they need to take to successfully test your fix or feature.
+- [ ] If a PR includes new libraries/dependencies (in any `pom.xml`), then their software licenses **must** align with the [DSpace BSD License](https://github.com/DSpace/DSpace/blob/main/LICENSE) based on the [Licensing of Contributions](https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines#CodeContributionGuidelines-LicensingofContributions) documentation.
+- [ ] Basic technical documentation _should_ be provided for any new features or changes to the REST API. REST API changes should be documented in our [Rest Contract](https://github.com/DSpace/RestContract).
+- [ ] If a PR fixes an issue ticket, please [link them together](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue).
+
+Additional details on the code contribution process can be found in our [Code Contribution Guidelines](https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines)
+
+## Contribute documentation
+
+DSpace Documentation is a collaborative effort in a shared Wiki. The latest documentation is at https://wiki.lyrasis.org/display/DSDOC 
+
+If you find areas of the DSpace Documentation which you wish to improve, please request a Wiki account by emailing wikihelp@lyrasis.org.
+Once you have an account setup, contact @tdonohue (via [Slack](https://wiki.lyrasis.org/display/DSPACE/Slack) or email) for access to edit our Documentation.
+
+## Help others on mailing lists or Slack
+
+DSpace has our own [Slack](https://wiki.lyrasis.org/display/DSPACE/Slack) community and [Mailing Lists](https://wiki.lyrasis.org/display/DSPACE/Mailing+Lists) where discussions take place and questions are answered.
+Anyone is welcome to join and help others. We just ask you to follow our [Code of Conduct](https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx) (adopted via Lyrasis).
+
+## Join a working or interest group
+
+Most of the work in building/improving DSpace comes via [Working Groups](https://wiki.lyrasis.org/display/DSPACE/DSpace+Working+Groups) or [Interest Groups](https://wiki.lyrasis.org/display/DSPACE/DSpace+Interest+Groups).
+
+All working/interest groups are open to anyone to join and participate.  A few key groups to be aware of include:
+
+* [DSpace Developer Team](https://wiki.lyrasis.org/display/DSPACE/Developer+Meetings) - This is the primary, volunteer development team. We meet weekly to review our current development [project board](https://github.com/orgs/DSpace/projects), assigning tickets and/or PRs. This is also were discussions of the next release or major issues occur. Anyone is welcome to attend.
+* [DSpace Community Advisory Team (DCAT)](https://wiki.lyrasis.org/display/cmtygp/DSpace+Community+Advisory+Team) - This is an interest group for repository managers/administrators. We meet monthly to discuss DSpace, share tips & provide feedback back to developers. Anyone is welcome to attend.
--- a/70
+++ b/70
@@ -1,14 +1,19 @@
 # This image will be published as dspace/dspace
 # See https://github.com/DSpace/DSpace/tree/main/dspace/src/main/docker for usage details
 #
-# - note: default tag for branch: dspace/dspace: dspace/dspace:dspace-7_x
+# - note: default tag for branch: dspace/dspace: dspace/dspace:latest

-# This Dockerfile uses JDK11 by default, but has also been tested with JDK17.
-# To build with JDK17, use "--build-arg JDK_VERSION=17"
-ARG JDK_VERSION=11
+# This Dockerfile uses JDK17 by default.
+# To build with other versions, use "--build-arg JDK_VERSION=[value]"
+ARG JDK_VERSION=17
+# The Docker version tag to build from
+ARG DSPACE_VERSION=latest
+# The Docker registry to use for DSpace images. Defaults to "docker.io"
+# NOTE: non-DSpace images are hardcoded to use "docker.io" and are not impacted by this build argument
+ARG DOCKER_REGISTRY=docker.io

 # Step 1 - Run Maven Build
-FROM dspace/dspace-dependencies:dspace-7_x as build
+FROM ${DOCKER_REGISTRY}/dspace/dspace-dependencies:${DSPACE_VERSION} AS build
 ARG TARGET_DIR=dspace-installer
 WORKDIR /app
 # The dspace-installer directory will be written to /install
@@ -18,50 +23,51 @@ RUN mkdir /install \
 USER dspace
 # Copy the DSpace source code (from local machine) into the workdir (excluding .dockerignore contents)
 ADD --chown=dspace . /app/
-# Build DSpace (note: this build doesn't include the optional, deprecated "dspace-rest" webapp)
+# Build DSpace
 # Copy the dspace-installer directory to /install.  Clean up the build to keep the docker image small
-RUN mvn package && \
+# Maven flags here ensure that we skip building test environment and skip all code verification checks.
+# These flags speed up this compilation as much as reasonably possible.
+ENV MAVEN_FLAGS="-P-test-environment -Denforcer.skip=true -Dcheckstyle.skip=true -Dlicense.skip=true -Dxml.skip=true"
+RUN mvn --no-transfer-progress package ${MAVEN_FLAGS} && \
  mv /app/dspace/target/${TARGET_DIR}/* /install && \
  mvn clean
+# Remove the server webapp to keep image small.
+RUN rm -rf /install/webapps/server/

 # Step 2 - Run Ant Deploy
-FROM openjdk:${JDK_VERSION}-slim as ant_build
+FROM docker.io/eclipse-temurin:${JDK_VERSION} AS ant_build
 ARG TARGET_DIR=dspace-installer
 # COPY the /install directory from 'build' container to /dspace-src in this container
 COPY --from=build /install /dspace-src
 WORKDIR /dspace-src
 # Create the initial install deployment using ANT
-ENV ANT_VERSION 1.10.12
-ENV ANT_HOME /tmp/ant-$ANT_VERSION
-ENV PATH $ANT_HOME/bin:$PATH
-# Need wget to install ant
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends wget \
-    && apt-get purge -y --auto-remove \
-    && rm -rf /var/lib/apt/lists/*
+ENV ANT_VERSION=1.10.13
+ENV ANT_HOME=/tmp/ant-$ANT_VERSION
+ENV PATH=$ANT_HOME/bin:$PATH
 # Download and install 'ant'
 RUN mkdir $ANT_HOME && \
-    wget -qO- "https://archive.apache.org/dist/ant/binaries/apache-ant-$ANT_VERSION-bin.tar.gz" | tar -zx --strip-components=1 -C $ANT_HOME
+    curl --silent --show-error --location --fail --retry 5 --output /tmp/apache-ant.tar.gz \
+      https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.tar.gz && \
+    tar -zx --strip-components=1 -f /tmp/apache-ant.tar.gz -C $ANT_HOME && \
+    rm /tmp/apache-ant.tar.gz
 # Run necessary 'ant' deploy scripts
 RUN ant init_installation update_configs update_code update_webapps

-# Step 3 - Run tomcat
-# Create a new tomcat image that does not retain the the build directory contents
-FROM tomcat:9-jdk${JDK_VERSION}
+# Step 3 - Start up DSpace via Runnable JAR
+FROM docker.io/eclipse-temurin:${JDK_VERSION}
 # NOTE: DSPACE_INSTALL must align with the "dspace.dir" default configuration.
 ENV DSPACE_INSTALL=/dspace
-# Copy the /dspace directory from 'ant_build' containger to /dspace in this container
+# Copy the /dspace directory from 'ant_build' container to /dspace in this container
 COPY --from=ant_build /dspace $DSPACE_INSTALL
-# Expose Tomcat port and AJP port
-EXPOSE 8080 8009
+WORKDIR $DSPACE_INSTALL
+# Need host command for "[dspace]/bin/make-handle-config"
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends host \
+    && apt-get purge -y --auto-remove \
+    && rm -rf /var/lib/apt/lists/*
+# Expose Tomcat port (8080) & Handle Server HTTP port (8000)
+EXPOSE 8080 8000
 # Give java extra memory (2GB)
 ENV JAVA_OPTS=-Xmx2000m
-
-# Link the DSpace 'server' webapp into Tomcat's webapps directory.
-# This ensures that when we start Tomcat, it runs from /server path (e.g. http://localhost:8080/server/)
-RUN ln -s $DSPACE_INSTALL/webapps/server   /usr/local/tomcat/webapps/server
-# If you wish to run "server" webapp off the ROOT path, then comment out the above RUN, and uncomment the below RUN.
-# You also MUST update the 'dspace.server.url' configuration to match.
-# Please note that server webapp should only run on one path at a time.
-#RUN mv /usr/local/tomcat/webapps/ROOT /usr/local/tomcat/webapps/ROOT.bk && \
-#    ln -s $DSPACE_INSTALL/webapps/server   /usr/local/tomcat/webapps/ROOT
+# On startup, run DSpace Runnable JAR
+ENTRYPOINT ["java", "-jar", "webapps/server-boot.jar", "--dspace.dir=$DSPACE_INSTALL"]
--- a/Dockerfile.cli
+++ b/Dockerfile.cli
@@ -1,14 +1,19 @@
 # This image will be published as dspace/dspace-cli
 # See https://github.com/DSpace/DSpace/tree/main/dspace/src/main/docker for usage details
 #
-# - note: default tag for branch: dspace/dspace-cli: dspace/dspace-cli:dspace-7_x
+# - note: default tag for branch: dspace/dspace-cli: dspace/dspace-cli:latest

-# This Dockerfile uses JDK11 by default, but has also been tested with JDK17.
-# To build with JDK17, use "--build-arg JDK_VERSION=17"
-ARG JDK_VERSION=11
+# This Dockerfile uses JDK17 by default.
+# To build with other versions, use "--build-arg JDK_VERSION=[value]"
+ARG JDK_VERSION=17
+# The Docker version tag to build from
+ARG DSPACE_VERSION=latest
+# The Docker registry to use for DSpace images. Defaults to "docker.io"
+# NOTE: non-DSpace images are hardcoded to use "docker.io" and are not impacted by this build argument
+ARG DOCKER_REGISTRY=docker.io

 # Step 1 - Run Maven Build
-FROM dspace/dspace-dependencies:dspace-7_x as build
+FROM ${DOCKER_REGISTRY}/dspace/dspace-dependencies:${DSPACE_VERSION} AS build
 ARG TARGET_DIR=dspace-installer
 WORKDIR /app
 # The dspace-installer directory will be written to /install
@@ -19,36 +24,39 @@ USER dspace
 # Copy the DSpace source code (from local machine) into the workdir (excluding .dockerignore contents)
 ADD --chown=dspace . /app/
 # Build DSpace.  Copy the dspace-installer directory to /install.  Clean up the build to keep the docker image small
-RUN mvn package && \
+RUN mvn --no-transfer-progress package && \
  mv /app/dspace/target/${TARGET_DIR}/* /install && \
  mvn clean

 # Step 2 - Run Ant Deploy
-FROM openjdk:${JDK_VERSION}-slim as ant_build
+FROM docker.io/eclipse-temurin:${JDK_VERSION} AS ant_build
 ARG TARGET_DIR=dspace-installer
 # COPY the /install directory from 'build' container to /dspace-src in this container
 COPY --from=build /install /dspace-src
 WORKDIR /dspace-src
 # Create the initial install deployment using ANT
-ENV ANT_VERSION 1.10.12
-ENV ANT_HOME /tmp/ant-$ANT_VERSION
-ENV PATH $ANT_HOME/bin:$PATH
-# Need wget to install ant
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends wget \
-    && apt-get purge -y --auto-remove \
-    && rm -rf /var/lib/apt/lists/*
+ENV ANT_VERSION=1.10.13
+ENV ANT_HOME=/tmp/ant-$ANT_VERSION
+ENV PATH=$ANT_HOME/bin:$PATH
 # Download and install 'ant'
 RUN mkdir $ANT_HOME && \
-    wget -qO- "https://archive.apache.org/dist/ant/binaries/apache-ant-$ANT_VERSION-bin.tar.gz" | tar -zx --strip-components=1 -C $ANT_HOME
+    curl --silent --show-error --location --fail --retry 5 --output /tmp/apache-ant.tar.gz \
+      https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.tar.gz && \
+    tar -zx --strip-components=1 -f /tmp/apache-ant.tar.gz -C $ANT_HOME && \
+    rm /tmp/apache-ant.tar.gz
 # Run necessary 'ant' deploy scripts
 RUN ant init_installation update_configs update_code

 # Step 3 - Run jdk
-FROM openjdk:${JDK_VERSION}
+FROM docker.io/eclipse-temurin:${JDK_VERSION}
 # NOTE: DSPACE_INSTALL must align with the "dspace.dir" default configuration.
 ENV DSPACE_INSTALL=/dspace
 # Copy the /dspace directory from 'ant_build' container to /dspace in this container
 COPY --from=ant_build /dspace $DSPACE_INSTALL
 # Give java extra memory (1GB)
 ENV JAVA_OPTS=-Xmx1000m
+# Install unzip for AIPs
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends unzip \
+    && apt-get purge -y --auto-remove \
+    && rm -rf /var/lib/apt/lists/*
--- a/Dockerfile.dependencies
+++ b/Dockerfile.dependencies
@@ -2,12 +2,12 @@
 # The purpose of this image is to make the build for dspace/dspace run faster
 #

-# This Dockerfile uses JDK11 by default, but has also been tested with JDK17.
-# To build with JDK17, use "--build-arg JDK_VERSION=17"
-ARG JDK_VERSION=11
+# This Dockerfile uses JDK17 by default.
+# To build with other versions, use "--build-arg JDK_VERSION=[value]"
+ARG JDK_VERSION=17

-# Step 1 - Run Maven Build
-FROM maven:3-openjdk-${JDK_VERSION}-slim as build
+# Step 1 - Download all Dependencies
+FROM docker.io/maven:3-eclipse-temurin-${JDK_VERSION} AS build
 ARG TARGET_DIR=dspace-installer
 WORKDIR /app
 # Create the 'dspace' user account & home directory
@@ -15,22 +15,68 @@ RUN useradd dspace \
    && mkdir -p /home/dspace \
    && chown -Rv dspace: /home/dspace
 RUN chown -Rv dspace: /app
-# Need git to support buildnumber-maven-plugin, which lets us know what version of DSpace is being run.
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends git \
-    && apt-get purge -y --auto-remove \
-    && rm -rf /var/lib/apt/lists/*

 # Switch to dspace user & run below commands as that user
 USER dspace

-# Copy the DSpace source code (from local machine) into the workdir (excluding .dockerignore contents)
-ADD --chown=dspace . /app/
+# This next part may look odd, but it speeds up the build of this image *significantly*.
+# Copy ONLY the POMs to this image (from local machine). This will allow us to download all dependencies *without*
+# performing any code compilation steps.
+
+# Parent POM
+ADD --chown=dspace pom.xml /app/
+RUN mkdir -p /app/dspace
+
+# 'dspace' module POM. Includes 'additions' ONLY, as it's the only submodule that is required to exist.
+ADD --chown=dspace dspace/pom.xml /app/dspace/
+RUN mkdir -p /app/dspace/modules/
+ADD --chown=dspace dspace/modules/pom.xml /app/dspace/modules/
+RUN mkdir -p /app/dspace/modules/additions
+ADD --chown=dspace dspace/modules/additions/pom.xml /app/dspace/modules/additions/
+
+# 'dspace-api' module POM
+RUN mkdir -p /app/dspace-api
+ADD --chown=dspace dspace-api/pom.xml /app/dspace-api/
+
+# 'dspace-iiif' module POM
+RUN mkdir -p /app/dspace-iiif
+ADD --chown=dspace dspace-iiif/pom.xml /app/dspace-iiif/
+
+# 'dspace-oai' module POM
+RUN mkdir -p /app/dspace-oai
+ADD --chown=dspace dspace-oai/pom.xml /app/dspace-oai/
+
+# 'dspace-rdf' module POM
+RUN mkdir -p /app/dspace-rdf
+ADD --chown=dspace dspace-rdf/pom.xml /app/dspace-rdf/
+
+# 'dspace-saml2' module POM
+RUN mkdir -p /app/dspace-saml2
+ADD --chown=dspace dspace-saml2/pom.xml /app/dspace-saml2/
+
+# 'dspace-server-webapp' module POM
+RUN mkdir -p /app/dspace-server-webapp
+ADD --chown=dspace dspace-server-webapp/pom.xml /app/dspace-server-webapp/
+
+# 'dspace-services' module POM
+RUN mkdir -p /app/dspace-services
+ADD --chown=dspace dspace-services/pom.xml /app/dspace-services/
+
+# 'dspace-sword' module POM
+RUN mkdir -p /app/dspace-sword
+ADD --chown=dspace dspace-sword/pom.xml /app/dspace-sword/
+
+# 'dspace-swordv2' module POM
+RUN mkdir -p /app/dspace-swordv2
+ADD --chown=dspace dspace-swordv2/pom.xml /app/dspace-swordv2/

 # Trigger the installation of all maven dependencies (hide download progress messages)
-RUN mvn --no-transfer-progress package
+# Maven flags here ensure that we skip final assembly, skip building test environment and skip all code verification checks.
+# These flags speed up this installation and skip tasks we cannot perform as we don't have the full source code.
+ENV MAVEN_FLAGS="-P-assembly -P-test-environment -Denforcer.skip=true -Dcheckstyle.skip=true -Dlicense.skip=true -Dxjc.skip=true -Dxml.skip=true"
+RUN mvn --no-transfer-progress verify ${MAVEN_FLAGS}

-# Clear the contents of the /app directory (including all maven builds), so no artifacts remain.
+# Clear the contents of the /app directory (including all maven target folders), so no artifacts remain.
 # This ensures when dspace:dspace is built, it will use the Maven local cache (~/.m2) for dependencies
 USER root
 RUN rm -rf /app/*
--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -1,16 +1,21 @@
 # This image will be published as dspace/dspace
 # See https://github.com/DSpace/DSpace/tree/main/dspace/src/main/docker for usage details
 #
-# - note: default tag for branch: dspace/dspace: dspace/dspace:dspace-7_x-test
+# - note: default tag for branch: dspace/dspace: dspace/dspace:latest-test
 #
 # This image is meant for TESTING/DEVELOPMENT ONLY as it deploys the old v6 REST API under HTTP (not HTTPS)

-# This Dockerfile uses JDK11 by default, but has also been tested with JDK17.
-# To build with JDK17, use "--build-arg JDK_VERSION=17"
-ARG JDK_VERSION=11
+# This Dockerfile uses JDK17 by default.
+# To build with other versions, use "--build-arg JDK_VERSION=[value]"
+ARG JDK_VERSION=17
+# The Docker version tag to build from
+ARG DSPACE_VERSION=latest
+# The Docker registry to use for DSpace images. Defaults to "docker.io"
+# NOTE: non-DSpace images are hardcoded to use "docker.io" and are not impacted by this build argument
+ARG DOCKER_REGISTRY=docker.io

 # Step 1 - Run Maven Build
-FROM dspace/dspace-dependencies:dspace-7_x as build
+FROM ${DOCKER_REGISTRY}/dspace/dspace-dependencies:${DSPACE_VERSION} AS build
 ARG TARGET_DIR=dspace-installer
 WORKDIR /app
 # The dspace-installer directory will be written to /install
@@ -20,61 +25,50 @@ RUN mkdir /install \
 USER dspace
 # Copy the DSpace source code (from local machine) into the workdir (excluding .dockerignore contents)
 ADD --chown=dspace . /app/
-# Build DSpace (INCLUDING the optional, deprecated "dspace-rest" webapp)
+# Build DSpace
 # Copy the dspace-installer directory to /install.  Clean up the build to keep the docker image small
-RUN mvn package -Pdspace-rest && \
+RUN mvn --no-transfer-progress package && \
  mv /app/dspace/target/${TARGET_DIR}/* /install && \
  mvn clean
+# Remove the server webapp to keep image small. Rename runnable JAR to server-boot.jar.
+RUN rm -rf /install/webapps/server/

 # Step 2 - Run Ant Deploy
-FROM openjdk:${JDK_VERSION}-slim as ant_build
+FROM docker.io/eclipse-temurin:${JDK_VERSION} AS ant_build
 ARG TARGET_DIR=dspace-installer
 # COPY the /install directory from 'build' container to /dspace-src in this container
 COPY --from=build /install /dspace-src
 WORKDIR /dspace-src
 # Create the initial install deployment using ANT
-ENV ANT_VERSION 1.10.12
-ENV ANT_HOME /tmp/ant-$ANT_VERSION
-ENV PATH $ANT_HOME/bin:$PATH
-# Need wget to install ant
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends wget \
-    && apt-get purge -y --auto-remove \
-    && rm -rf /var/lib/apt/lists/*
+ENV ANT_VERSION=1.10.12
+ENV ANT_HOME=/tmp/ant-$ANT_VERSION
+ENV PATH=$ANT_HOME/bin:$PATH
 # Download and install 'ant'
 RUN mkdir $ANT_HOME && \
-    wget -qO- "https://archive.apache.org/dist/ant/binaries/apache-ant-$ANT_VERSION-bin.tar.gz" | tar -zx --strip-components=1 -C $ANT_HOME
+    curl --silent --show-error --location --fail --retry 5 --output /tmp/apache-ant.tar.gz \
+      https://archive.apache.org/dist/ant/binaries/apache-ant-${ANT_VERSION}-bin.tar.gz && \
+    tar -zx --strip-components=1 -f /tmp/apache-ant.tar.gz -C $ANT_HOME && \
+    rm /tmp/apache-ant.tar.gz
 # Run necessary 'ant' deploy scripts
 RUN ant init_installation update_configs update_code update_webapps

-# Step 3 - Run tomcat
-# Create a new tomcat image that does not retain the the build directory contents
-FROM tomcat:9-jdk${JDK_VERSION}
+# Step 3 - Start up DSpace via Runnable JAR
+FROM docker.io/eclipse-temurin:${JDK_VERSION}
+# NOTE: DSPACE_INSTALL must align with the "dspace.dir" default configuration.
 ENV DSPACE_INSTALL=/dspace
-ENV TOMCAT_INSTALL=/usr/local/tomcat
-# Copy the /dspace directory from 'ant_build' containger to /dspace in this container
+# Copy the /dspace directory from 'ant_build' container to /dspace in this container
 COPY --from=ant_build /dspace $DSPACE_INSTALL
-# Enable the AJP connector in Tomcat's server.xml
-# NOTE: secretRequired="false" should only be used when AJP is NOT accessible from an external network. But, secretRequired="true" isn't supported by mod_proxy_ajp until Apache 2.5
-RUN sed -i '/Service name="Catalina".*/a \\n    <Connector protocol="AJP/1.3" port="8009" address="0.0.0.0" redirectPort="8443" URIEncoding="UTF-8" secretRequired="false" />' $TOMCAT_INSTALL/conf/server.xml
-# Expose Tomcat port and AJP port
-EXPOSE 8080 8009
+WORKDIR $DSPACE_INSTALL
+# Need host command for "[dspace]/bin/make-handle-config"
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends host \
+    && apt-get purge -y --auto-remove \
+    && rm -rf /var/lib/apt/lists/*
+# Expose Tomcat port and debugging port
+EXPOSE 8080 8000
 # Give java extra memory (2GB)
 ENV JAVA_OPTS=-Xmx2000m
-
-# Link the DSpace 'server' webapp into Tomcat's webapps directory.
-# This ensures that when we start Tomcat, it runs from /server path (e.g. http://localhost:8080/server/)
-# Also link the v6.x (deprecated) REST API off the "/rest" path
-RUN ln -s $DSPACE_INSTALL/webapps/server   /usr/local/tomcat/webapps/server   && \
-    ln -s $DSPACE_INSTALL/webapps/rest          /usr/local/tomcat/webapps/rest
-# If you wish to run "server" webapp off the ROOT path, then comment out the above RUN, and uncomment the below RUN.
-# You also MUST update the 'dspace.server.url' configuration to match.
-# Please note that server webapp should only run on one path at a time.
-#RUN mv /usr/local/tomcat/webapps/ROOT /usr/local/tomcat/webapps/ROOT.bk && \
-#    ln -s $DSPACE_INSTALL/webapps/server   /usr/local/tomcat/webapps/ROOT && \
-#    ln -s $DSPACE_INSTALL/webapps/rest          /usr/local/tomcat/webapps/rest
-
-# Overwrite the v6.x (deprecated) REST API's web.xml, so that we can run it on HTTP (defaults to requiring HTTPS)
-# WARNING: THIS IS OBVIOUSLY INSECURE. NEVER DO THIS IN PRODUCTION.
-COPY dspace/src/main/docker/test/rest_web.xml $DSPACE_INSTALL/webapps/rest/WEB-INF/web.xml
-RUN sed -i -e "s|\${dspace.dir}|$DSPACE_INSTALL|" $DSPACE_INSTALL/webapps/rest/WEB-INF/web.xml
+# enable JVM debugging via JDWP
+ENV JAVA_TOOL_OPTIONS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8000
+# On startup, run DSpace Runnable JAR
+ENTRYPOINT ["java", "-jar", "webapps/server-boot.jar", "--dspace.dir=$DSPACE_INSTALL"]
--- a/1055
+++ b/1055
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ DSpace consists of both a Java-based backend and an Angular-based frontend.
    * The REST Contract is at https://github.com/DSpace/RestContract
 * Frontend (https://github.com/DSpace/dspace-angular/) is the User Interface built on the REST API

-Prior versions of DSpace (v6.x and below) used two different UIs (XMLUI and JSPUI). Those UIs are no longer supported in v7 (and above).
+Prior versions of DSpace (v6.x and below) used two different UIs (XMLUI and JSPUI). Those UIs are no longer supported in v7 and above.
 * A maintenance branch for older versions is still available, see `dspace-6_x` for 6.x maintenance.

 ## Downloads
@@ -33,33 +33,22 @@ Prior versions of DSpace (v6.x and below) used two different UIs (XMLUI and JSPU
 Documentation for each release may be viewed online or downloaded via our [Documentation Wiki](https://wiki.lyrasis.org/display/DSDOC/).

 The latest DSpace Installation instructions are available at:
-https://wiki.lyrasis.org/display/DSDOC7x/Installing+DSpace
+https://wiki.lyrasis.org/display/DSDOC9x/Installing+DSpace

-Please be aware that, as a Java web application, DSpace requires a database (PostgreSQL or Oracle)
+Please be aware that, as a Java web application, DSpace requires a database (PostgreSQL)
 and a servlet container (usually Tomcat) in order to function.
 More information about these and all other prerequisites can be found in the Installation instructions above.

-## Running DSpace 7 in Docker
+## Running DSpace 9 in Docker

 NOTE: At this time, we do not have production-ready Docker images for DSpace.
 That said, we do have quick-start Docker Compose scripts for development or testing purposes.

-See [Running DSpace 7 with Docker Compose](dspace/src/main/docker-compose/README.md)
+See [Running DSpace 9 with Docker Compose](dspace/src/main/docker-compose/README.md)

 ## Contributing

-DSpace is a community built and supported project. We do not have a centralized development or support team,
-but have a dedicated group of volunteers who help us improve the software, documentation, resources, etc.
-
-We welcome contributions of any type. Here's a few basic guides that provide suggestions for contributing to DSpace:
-* [How to Contribute to DSpace](https://wiki.lyrasis.org/display/DSPACE/How+to+Contribute+to+DSpace): How to contribute in general (via code, documentation, bug reports, expertise, etc)
-* [Code Contribution Guidelines](https://wiki.lyrasis.org/display/DSPACE/Code+Contribution+Guidelines): How to give back code or contribute features, bug fixes, etc.
-* [DSpace Community Advisory Team (DCAT)](https://wiki.lyrasis.org/display/cmtygp/DSpace+Community+Advisory+Team): If you are not a developer, we also have an interest group specifically for repository managers. The DCAT group meets virtually, once a month, and sends open invitations to join their meetings via the [DCAT mailing list](https://groups.google.com/d/forum/DSpaceCommunityAdvisoryTeam).
-
-We also encourage GitHub Pull Requests (PRs) at any time. Please see our [Development with Git](https://wiki.lyrasis.org/display/DSPACE/Development+with+Git) guide for more info.
-
-In addition, a listing of all known contributors to DSpace software can be
-found online at: https://wiki.lyrasis.org/display/DSPACE/DSpaceContributors
+See [Contributing documentation](CONTRIBUTING.md)

 ## Getting Help

@@ -75,7 +64,7 @@ Great Q&A is also available under the [DSpace tag on Stackoverflow](http://stack
 Additional support options are at https://wiki.lyrasis.org/display/DSPACE/Support

 DSpace also has an active service provider network. If you'd rather hire a service provider to
-install, upgrade, customize or host DSpace, then we recommend getting in touch with one of our
+install, upgrade, customize, or host DSpace, then we recommend getting in touch with one of our
 [Registered Service Providers](http://www.dspace.org/service-providers).

 ## Issue Tracker
@@ -123,7 +112,7 @@ run automatically by [GitHub Actions](https://github.com/DSpace/DSpace/actions?q
  ```
 * How to run only tests of a specific DSpace module
  ```
-  # Before you can run only one module's tests, other modules may need installing into your ~/.m2
+  # Before you can run only one module's tests, other modules may need to be installed into your ~/.m2
  cd [dspace-src]
  mvn clean install

--- a/checkstyle-suppressions.xml
+++ b/checkstyle-suppressions.xml
@@ -7,4 +7,5 @@
    <!-- TODO: We should have these turned on. But, currently there's a known bug with indentation checks
         on JMockIt Expectations blocks and similar. See https://github.com/checkstyle/checkstyle/issues/3739 -->
    <suppress checks="Indentation" files="src[/\\]test[/\\]java"/>
+    <suppress checks="Regexp" files="DSpaceHttpClientFactory\.java"/>
 </suppressions>
--- a/checkstyle.xml
+++ b/checkstyle.xml
@@ -92,9 +92,7 @@ For more information on CheckStyle configurations below, see: http://checkstyle.
        <!-- Requirements for Javadocs for methods -->
        <module name="JavadocMethod">
            <!-- All public methods MUST HAVE Javadocs -->
-            <!-- <property name="scope" value="public"/> -->
-            <!-- TODO: Above rule has been disabled because of large amount of missing public method Javadocs -->
-            <property name="scope" value="nothing"/>
+            <property name="accessModifiers" value="public"/>
            <!-- Allow params, throws and return tags to be optional -->
            <property name="allowMissingParamTags" value="true"/>
            <property name="allowMissingReturnTag" value="true"/>
@@ -108,6 +106,9 @@ For more information on CheckStyle configurations below, see: http://checkstyle.
        <!-- Right braces should be on start of a new line (default value) -->
        <module name="RightCurly"/>

+        <!-- Enforce Java-style array declaration instead of C-style -->
+        <module name="ArrayTypeStyle"/>
+
        <!-- ##### Indentation / Whitespace requirements ##### -->
        <!-- Require 4-space indentation (default value) -->
        <module name="Indentation"/>
@@ -138,5 +139,22 @@ For more information on CheckStyle configurations below, see: http://checkstyle.
        <module name="OneStatementPerLine"/>
        <!-- Require that "catch" statements are not empty (must at least contain a comment) -->
        <module name="EmptyCatchBlock"/>
+
+        <!-- Require to use DSpaceHttpClientFactory.getClient() statement instead of creating directly the client -->
+        <module name="Regexp">
+            <property name="format" value="HttpClientBuilder\.create\s*\(\s*\)" />
+            <property name="message" value="Use DSpaceHttpClientFactory.getClient() instead of HttpClientBuilder.create()" />
+            <property name="illegalPattern" value="true"/>
+            <property name="ignoreComments" value="true"/>
+        </module>
+        <!-- Require to use DSpaceHttpClientFactory.getClient() statement instead of creating directly the client -->
+        <module name="Regexp">
+            <property name="format" value="HttpClients\.createDefault\s*\(\s*\)" />
+            <property name="message" value="Use DSpaceHttpClientFactory.getClient() instead of HttpClients.createDefault()" />
+            <property name="illegalPattern" value="true"/>
+            <property name="ignoreComments" value="true"/>
+        </module>
+
+
    </module>
 </module>
--- a/docker-compose-cli.yml
+++ b/docker-compose-cli.yml
@@ -1,8 +1,12 @@
-version: "3.7"
-
+networks:
+  # Default to using network named 'dspacenet' from docker-compose.yml.
+  # Its full name will be prepended with the project name (e.g. "-p d7" means it will be named "d7_dspacenet")
+  default:
+    name: ${COMPOSE_PROJECT_NAME}_dspacenet
+    external: true
 services:
  dspace-cli:
-    image: "${DOCKER_OWNER:-dspace}/dspace-cli:${DSPACE_VER:-dspace-7_x}"
+    image: "${DOCKER_REGISTRY:-docker.io}/${DOCKER_OWNER:-dspace}/dspace-cli:${DSPACE_VER:-latest}"
    container_name: dspace-cli
    build:
      context: .
@@ -26,13 +30,8 @@ services:
    - ./dspace/config:/dspace/config
    entrypoint: /dspace/bin/dspace
    command: help
-    networks:
-      - dspacenet
    tty: true
    stdin_open: true

 volumes:
  assetstore:
-
-networks:
-  dspacenet:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3.7'
 networks:
  dspacenet:
    ipam:
@@ -25,22 +24,25 @@ services:
      db__P__url: 'jdbc:postgresql://dspacedb:5432/dspace'
      # solr.server: Ensure we are using the 'dspacesolr' image for Solr
      solr__P__server: http://dspacesolr:8983/solr
+      # matomo.tracker.url: Ensure we are using the 'matomo' image for Matomo
+      matomo__P__tracker__P__url: http://matomo
      # proxies.trusted.ipranges: This setting is required for a REST API running in Docker to trust requests
      # from the host machine. This IP range MUST correspond to the 'dspacenet' subnet defined above.
      proxies__P__trusted__P__ipranges: '172.23.0'
-    image: "${DOCKER_OWNER:-dspace}/dspace:${DSPACE_VER:-dspace-7_x-test}"
+      LOGGING_CONFIG: /dspace/config/log4j2-container.xml
+    image: "${DOCKER_REGISTRY:-docker.io}/${DOCKER_OWNER:-dspace}/dspace:${DSPACE_VER:-latest-test}"
    build:
      context: .
      dockerfile: Dockerfile.test
    depends_on:
    - dspacedb
    networks:
-      dspacenet:
+      - dspacenet
    ports:
    - published: 8080
      target: 8080
-    - published: 8009
-      target: 8009
+    - published: 8000
+      target: 8000
    stdin_open: true
    tty: true
    volumes:
@@ -52,21 +54,24 @@ services:
    # Ensure that the database is ready BEFORE starting tomcat
    # 1. While a TCP connection to dspacedb port 5432 is not available, continue to sleep
    # 2. Then, run database migration to init database tables
-    # 3. Finally, start Tomcat
+    # 3. Finally, start DSpace
    entrypoint:
    - /bin/bash
    - '-c'
    - |
      while (!</dev/tcp/dspacedb/5432) > /dev/null 2>&1; do sleep 1; done;
      /dspace/bin/dspace database migrate
-      catalina.sh run
-  # DSpace database container
+      java -jar /dspace/webapps/server-boot.jar --dspace.dir=/dspace
+  # DSpace PostgreSQL database container
  dspacedb:
    container_name: dspacedb
+    # Uses the base PostgreSQL image
+    image: "docker.io/postgres:${POSTGRES_VERSION:-15}"
    environment:
      PGDATA: /pgdata
-    # Uses a custom Postgres image with pgcrypto installed
-    image: dspace/dspace-postgres-pgcrypto
+      POSTGRES_DB: dspace
+      POSTGRES_USER: dspace
+      POSTGRES_PASSWORD: dspace
    networks:
      dspacenet:
    ports:
@@ -75,12 +80,19 @@ services:
    stdin_open: true
    tty: true
    volumes:
+    # Keep Postgres data directory between reboots
    - pgdata:/pgdata
  # DSpace Solr container
  dspacesolr:
    container_name: dspacesolr
-    # Uses official Solr image at https://hub.docker.com/_/solr/
-    image: solr:8.11-slim
+    image: "${DOCKER_REGISTRY:-docker.io}/${DOCKER_OWNER:-dspace}/dspace-solr:${DSPACE_VER:-latest}"
+    build:
+      context: ./dspace/src/main/docker/dspace-solr/
+      # Provide path to Solr configs necessary to build Docker image
+      additional_contexts:
+        solrconfigs: ./dspace/solr/
+      args:
+        SOLR_VERSION: "${SOLR_VER:-9.8}"
    networks:
      dspacenet:
    ports:
@@ -90,31 +102,36 @@ services:
    tty: true
    working_dir: /var/solr/data
    volumes:
-    # Mount our local Solr core configs so that they are available as Solr configsets on container
-    - ./dspace/solr/authority:/opt/solr/server/solr/configsets/authority
-    - ./dspace/solr/oai:/opt/solr/server/solr/configsets/oai
-    - ./dspace/solr/search:/opt/solr/server/solr/configsets/search
-    - ./dspace/solr/statistics:/opt/solr/server/solr/configsets/statistics
    # Keep Solr data directory between reboots
    - solr_data:/var/solr/data
-    # Initialize all DSpace Solr cores using the mounted local configsets (see above), then start Solr
+    # NOTE: We are not running Solr as "root", but we need root permissions to copy our cores to the mounted
+    # /var/solr/data directory. Then we start Solr as the "solr" user.
+    user: root
+    # Initialize all DSpace Solr cores then start Solr:
    # * First, run precreate-core to create the core (if it doesn't yet exist). If exists already, this is a no-op
-    # * Second, copy updated configs from mounted configsets to this core. If it already existed, this updates core
-    #   to the latest configs. If it's a newly created core, this is a no-op.
+    # * Second, copy configsets to this core:
+    #   Updates to Solr configs require the container to be rebuilt/restarted: `docker compose -p d7 up -d --build dspacesolr`
+    # * Third, ensure all new folders are owned by "solr" user
+    # * Finally, start Solr as the "solr" user via the provided solr-foreground script
    entrypoint:
    - /bin/bash
    - '-c'
    - |
      init-var-solr
      precreate-core authority /opt/solr/server/solr/configsets/authority
-      cp -r -u /opt/solr/server/solr/configsets/authority/* authority
+      cp -r /opt/solr/server/solr/configsets/authority/* authority
      precreate-core oai /opt/solr/server/solr/configsets/oai
-      cp -r -u /opt/solr/server/solr/configsets/oai/* oai
+      cp -r /opt/solr/server/solr/configsets/oai/* oai
      precreate-core search /opt/solr/server/solr/configsets/search
-      cp -r -u /opt/solr/server/solr/configsets/search/* search
+      cp -r /opt/solr/server/solr/configsets/search/* search
      precreate-core statistics /opt/solr/server/solr/configsets/statistics
-      cp -r -u /opt/solr/server/solr/configsets/statistics/* statistics
-      exec solr -f
+      cp -r /opt/solr/server/solr/configsets/statistics/* statistics
+      precreate-core qaevent /opt/solr/server/solr/configsets/qaevent
+      cp -r /opt/solr/server/solr/configsets/qaevent/* qaevent
+      precreate-core suggestion /opt/solr/server/solr/configsets/suggestion
+      cp -r /opt/solr/server/solr/configsets/suggestion/* suggestion
+      chown -R solr:solr /var/solr
+      runuser -u solr -- solr-foreground
 volumes:
  assetstore:
  pgdata:
--- a/dspace-api/pom.xml
+++ b/dspace-api/pom.xml
@@ -12,7 +12,7 @@
    <parent>
        <groupId>org.dspace</groupId>
        <artifactId>dspace-parent</artifactId>
-        <version>7.2</version>
+        <version>10.0-SNAPSHOT</version>
        <relativePath>..</relativePath>
    </parent>

@@ -54,21 +54,21 @@
                        <!-- Enable Hibernate's Metamodel Generator to generate metadata model classes
                             (ending in _ suffix) for more type-safe Criteria queries -->
                        <path>
-                            <groupId>org.hibernate</groupId>
+                            <groupId>org.hibernate.orm</groupId>
                            <artifactId>hibernate-jpamodelgen</artifactId>
                            <version>${hibernate.version}</version>
                        </path>
                        <!-- Enable JAXB -->
                        <path>
-                            <groupId>javax.xml.bind</groupId>
-                            <artifactId>jaxb-api</artifactId>
+                            <groupId>jakarta.xml.bind</groupId>
+                            <artifactId>jakarta.xml.bind-api</artifactId>
                            <version>${jaxb-api.version}</version>
                        </path>
                        <!-- Enable Commons Annotations -->
                        <path>
-                            <groupId>javax.annotation</groupId>
-                            <artifactId>javax.annotation-api</artifactId>
-                            <version>${javax-annotation.version}</version>
+                            <groupId>jakarta.annotation</groupId>
+                            <artifactId>jakarta.annotation-api</artifactId>
+                            <version>${jakarta-annotation.version}</version>
                        </path>
                        <!-- Enable http://errorprone.info -->
                        <path>
@@ -99,24 +99,13 @@
                </executions>
            </plugin>

-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>build-helper-maven-plugin</artifactId>
-                <version>3.0.0</version>
-                <executions>
-                    <execution>
-                        <phase>validate</phase>
-                        <goals>
-                            <goal>maven-version</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>buildnumber-maven-plugin</artifactId>
-                <version>1.4</version>
+                <version>3.2.1</version>
+                <configuration>
+                    <revisionOnScmFailure>UNKNOWN_REVISION</revisionOnScmFailure>
+                </configuration>
                <executions>
                    <execution>
                        <phase>validate</phase>
@@ -174,7 +163,7 @@
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>jaxb2-maven-plugin</artifactId>
-                <version>2.5.0</version>
+                <version>3.3.0</version>
                <executions>
                    <execution>
                        <id>workflow-curation</id>
@@ -262,7 +251,7 @@
                                <!-- Specify the dspace.dir to use for test environment -->
                                <!-- ${agnostic.build.dir} is set dynamically by groovy-maven-plugin above -->
                                <!-- This system property is loaded by AbstractDSpaceTest to initialize the test environment -->
-                                <dspace.dir>${agnostic.build.dir}/testing/dspace/</dspace.dir>
+                                <dspace.dir>${agnostic.build.dir}/testing/dspace</dspace.dir>
                                <!-- Turn off any DSpace logging -->
                                <dspace.log.init.disable>true</dspace.log.init.disable>
                                <solr.install.dir>${agnostic.build.dir}/testing/dspace/solr/</solr.install.dir>
@@ -321,7 +310,7 @@
                            <systemPropertyVariables>
                                <!-- Specify the dspace.dir to use for test environment -->
                                <!-- ${agnostic.build.dir} is set dynamically by groovy-maven-plugin above -->
-                                <dspace.dir>${agnostic.build.dir}/testing/dspace/</dspace.dir>
+                                <dspace.dir>${agnostic.build.dir}/testing/dspace</dspace.dir>
                                <!-- Turn off any DSpace logging -->
                                <dspace.log.init.disable>true</dspace.log.init.disable>
                                <solr.install.dir>${agnostic.build.dir}/testing/dspace/solr/</solr.install.dir>
@@ -334,52 +323,92 @@
    </profiles>

    <dependencies>
-
        <dependency>
-            <groupId>org.hibernate</groupId>
-            <artifactId>hibernate-ehcache</artifactId>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j2-impl</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.hibernate.orm</groupId>
+            <artifactId>hibernate-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.hibernate.orm</groupId>
+            <artifactId>hibernate-jpamodelgen</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.hibernate.orm</groupId>
+            <artifactId>hibernate-jcache</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.ehcache</groupId>
+            <artifactId>ehcache</artifactId>
+            <version>${ehcache.version}</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-cache
+             Caching dependencies for sherpa service. -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-cache</artifactId>
+            <version>${spring-boot.version}</version>
            <exclusions>
-                <!-- Newer version pulled in via Jersey below -->
                <exclusion>
-                    <groupId>org.javassist</groupId>
-                    <artifactId>javassist</artifactId>
+                    <groupId>org.springframework.boot</groupId>
+                    <artifactId>spring-boot-starter-logging</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
-            <groupId>org.hibernate</groupId>
-            <artifactId>hibernate-jpamodelgen</artifactId>
+            <groupId>com.fasterxml.jackson.datatype</groupId>
+            <artifactId>jackson-datatype-jsr310</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>javax.cache</groupId>
+            <artifactId>cache-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.hibernate.validator</groupId>
            <artifactId>hibernate-validator-cdi</artifactId>
            <version>${hibernate-validator.version}</version>
        </dependency>
-        <dependency>
-            <groupId>org.hibernate.javax.persistence</groupId>
-            <artifactId>hibernate-jpa-2.1-api</artifactId>
-            <version>1.0.0.Final</version>
-        </dependency>

        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-orm</artifactId>
+            <exclusions>
+                <!-- Spring JCL is unnecessary and conflicts with commons-logging when both are on classpath -->
+                <exclusion>
+                    <groupId>org.springframework</groupId>
+                    <artifactId>spring-jcl</artifactId>
+                </exclusion>
+            </exclusions>
        </dependency>

        <dependency>
            <groupId>net.handle</groupId>
            <artifactId>handle</artifactId>
        </dependency>
+        <!-- Only necessary to run Handle Server from commandline. This is why it is a runtime dependency. -->
        <dependency>
            <groupId>net.cnri</groupId>
            <artifactId>cnri-servlet-container</artifactId>
+            <scope>runtime</scope>
            <exclusions>
-                <!-- Newer versions provided in our parent POM -->
+                <!-- Excluded because this library is incompatible with Jakarta EE. It causes errors in DSpace during
+                     startup & integration testing. Excluding doesn't seem to effect Handle Server startup. -->
                <exclusion>
-                    <groupId>org.ow2.asm</groupId>
-                    <artifactId>asm-commons</artifactId>
+                    <groupId>org.mortbay.jasper</groupId>
+                    <artifactId>apache-jsp</artifactId>
                </exclusion>
-                <!-- Newer version of Bouncycastle brought in via solr-cell -->
+                <!-- Excluded BouncyCastle dependencies because we use a later version of BouncyCastle.
+                     Having two versions of BouncyCastle in the classpath can cause Handle Server to throw errors. -->
                <exclusion>
                    <groupId>org.bouncycastle</groupId>
                    <artifactId>bcpkix-jdk15on</artifactId>
@@ -388,45 +417,14 @@
                    <groupId>org.bouncycastle</groupId>
                    <artifactId>bcprov-jdk15on</artifactId>
                </exclusion>
-                <!-- Newer version of Jetty in our parent POM & via Solr -->
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-alpn-java-server</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-deploy</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-servlet</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-servlets</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-webapp</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-xml</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty.http2</groupId>
-                    <artifactId>http2-common</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty.http2</groupId>
-                    <artifactId>http2-server</artifactId>
-                </exclusion>
            </exclusions>
        </dependency>
-        <!-- Jetty is needed to run Handle Server -->
+
+        <!-- Jetty is needed to run Handle Server ONLY. This is why it is a runtime dependency. -->
        <dependency>
            <groupId>org.eclipse.jetty</groupId>
            <artifactId>jetty-server</artifactId>
+            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.dspace</groupId>
@@ -436,12 +434,6 @@
            <groupId>org.apache.jena</groupId>
            <artifactId>apache-jena-libs</artifactId>
            <type>pom</type>
-            <exclusions>
-                <exclusion>
-                    <groupId>log4j</groupId>
-                    <artifactId>log4j</artifactId>
-                </exclusion>
-            </exclusions>
        </dependency>
        <dependency>
            <groupId>commons-cli</groupId>
@@ -459,10 +451,6 @@
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-dbcp2</artifactId>
        </dependency>
-        <dependency>
-            <groupId>commons-fileupload</groupId>
-            <artifactId>commons-fileupload</artifactId>
-        </dependency>

        <dependency>
            <groupId>commons-io</groupId>
@@ -481,56 +469,40 @@
            <artifactId>commons-validator</artifactId>
        </dependency>
        <dependency>
-            <groupId>com.sun.mail</groupId>
-            <artifactId>javax.mail</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>javax.servlet</groupId>
-            <artifactId>javax.servlet-api</artifactId>
+            <groupId>jakarta.mail</groupId>
+            <artifactId>jakarta.mail-api</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
-            <groupId>javax.annotation</groupId>
-            <artifactId>javax.annotation-api</artifactId>
+            <groupId>org.eclipse.angus</groupId>
+            <artifactId>jakarta.mail</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>jakarta.servlet</groupId>
+            <artifactId>jakarta.servlet-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>jakarta.annotation</groupId>
+            <artifactId>jakarta.annotation-api</artifactId>
        </dependency>
        <dependency>
            <groupId>jaxen</groupId>
            <artifactId>jaxen</artifactId>
-            <exclusions>
-                <exclusion>
-                    <artifactId>xom</artifactId>
-                    <groupId>xom</groupId>
-                </exclusion>
-            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.jdom</groupId>
-            <artifactId>jdom</artifactId>
+            <artifactId>jdom2</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.pdfbox</groupId>
            <artifactId>pdfbox</artifactId>
        </dependency>
-        <dependency>
-            <groupId>org.apache.pdfbox</groupId>
-            <artifactId>fontbox</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.poi</groupId>
-            <artifactId>poi-scratchpad</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>xalan</groupId>
-            <artifactId>xalan</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>xerces</groupId>
-            <artifactId>xercesImpl</artifactId>
-        </dependency>
        <dependency>
            <groupId>com.ibm.icu</groupId>
            <artifactId>icu4j</artifactId>
        </dependency>
+        <!-- Codebase at https://github.com/DSpace/oclc-harvester2 -->
        <dependency>
            <groupId>org.dspace</groupId>
            <artifactId>oclc-harvester2</artifactId>
@@ -546,7 +518,7 @@
        </dependency>
        <dependency>
            <groupId>org.hamcrest</groupId>
-            <artifactId>hamcrest-all</artifactId>
+            <artifactId>hamcrest</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
@@ -566,41 +538,38 @@
        </dependency>
        <!-- Used for RSS / ATOM syndication feeds -->
        <dependency>
-            <groupId>org.rometools</groupId>
+            <groupId>com.rometools</groupId>
+            <artifactId>rome</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.rometools</groupId>
            <artifactId>rome-modules</artifactId>
-            <version>1.0</version>
        </dependency>
        <dependency>
            <groupId>org.jbibtex</groupId>
            <artifactId>jbibtex</artifactId>
-            <version>1.0.10</version>
+            <version>1.0.20</version>
        </dependency>
        <dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpcore</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpmime</artifactId>
+        </dependency>

+        <!-- SolrJ is used to communicate with Solr throughout the dspace-api -->
        <dependency>
            <groupId>org.apache.solr</groupId>
            <artifactId>solr-solrj</artifactId>
            <version>${solr.client.version}</version>
-            <exclusions>
-                <!-- Newer Jetty version brought in via Parent POM -->
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-http</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-io</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-util</artifactId>
-                </exclusion>
-            </exclusions>
        </dependency>
-        <!-- Solr Core is needed for Integration Tests (to run a MockSolrServer)     -->
+        <!-- Solr Core is only needed for Integration Tests (to run a MockSolrServer) -->
        <!-- The following Solr / Lucene dependencies also support integration tests -->
        <dependency>
            <groupId>org.apache.solr</groupId>
@@ -608,47 +577,10 @@
            <scope>test</scope>
            <version>${solr.client.version}</version>
            <exclusions>
-                <!-- Newer version brought in by opencsv -->
+                <!-- Later version provided by Hibernate -->
                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-text</artifactId>
-                </exclusion>
-                <!-- Newer Jetty version brought in via Parent POM -->
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-http</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-io</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-util</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.solr</groupId>
-            <artifactId>solr-cell</artifactId>
-            <exclusions>
-                <!-- Newer version brought in by opencsv -->
-                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-text</artifactId>
-                </exclusion>
-                <!-- Newer Jetty version brought in via Parent POM -->
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-http</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-io</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.eclipse.jetty</groupId>
-                    <artifactId>jetty-util</artifactId>
+                    <groupId>org.antlr</groupId>
+                    <artifactId>antlr4-runtime</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
@@ -656,11 +588,6 @@
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-core</artifactId>
        </dependency>
-        <!-- Used for full-text indexing with Solr -->
-        <dependency>
-            <groupId>org.apache.tika</groupId>
-            <artifactId>tika-parsers</artifactId>
-        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-analyzers-icu</artifactId>
@@ -676,15 +603,21 @@
            <artifactId>lucene-analyzers-stempel</artifactId>
            <scope>test</scope>
        </dependency>
+
+        <!-- Tika is used to extract full text from documents in order to index in Solr -->
        <dependency>
-            <groupId>org.apache.xmlbeans</groupId>
-            <artifactId>xmlbeans</artifactId>
+            <groupId>org.apache.tika</groupId>
+            <artifactId>tika-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tika</groupId>
+            <artifactId>tika-parsers-standard-package</artifactId>
        </dependency>

        <dependency>
            <groupId>com.maxmind.geoip2</groupId>
            <artifactId>geoip2</artifactId>
-            <version>2.11.0</version>
+            <version>2.17.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.ant</groupId>
@@ -693,7 +626,7 @@
        <dependency>
            <groupId>dnsjava</groupId>
            <artifactId>dnsjava</artifactId>
-            <version>2.1.7</version>
+            <version>3.6.3</version>
        </dependency>

        <dependency>
@@ -702,18 +635,18 @@
            <version>1.1.1</version>
        </dependency>

-        <!--  Gson: Java to Json conversion -->
-        <dependency>
-            <groupId>com.google.code.gson</groupId>
-            <artifactId>gson</artifactId>
-            <scope>compile</scope>
-        </dependency>
-
+        <!-- guava is needed by OAuth, Guice, Mockserver, ORCID, s3mock, Solr, JClouds -->
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
        </dependency>

+        <!-- Gson is needed by JENA, borker-client, OAuth, Handle and JClouds -->
+        <dependency>
+            <groupId>com.google.code.gson</groupId>
+            <artifactId>gson</artifactId>
+        </dependency>
+
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
@@ -736,29 +669,12 @@
        <dependency>
            <groupId>org.flywaydb</groupId>
            <artifactId>flyway-core</artifactId>
-            <version>6.5.7</version>
-        </dependency>
-
-        <!-- Google Analytics -->
-        <dependency>
-            <groupId>com.google.apis</groupId>
-            <artifactId>google-api-services-analytics</artifactId>
+            <version>${flyway.version}</version>
        </dependency>
        <dependency>
-            <groupId>com.google.api-client</groupId>
-            <artifactId>google-api-client</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.google.http-client</groupId>
-            <artifactId>google-http-client</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.google.http-client</groupId>
-            <artifactId>google-http-client-jackson2</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>com.google.oauth-client</groupId>
-            <artifactId>google-oauth-client</artifactId>
+            <groupId>org.flywaydb</groupId>
+            <artifactId>flyway-database-postgresql</artifactId>
+            <version>${flyway.version}</version>
        </dependency>

        <!-- FindBugs -->
@@ -772,65 +688,21 @@
        </dependency>

        <dependency>
-            <groupId>joda-time</groupId>
-            <artifactId>joda-time</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>javax.inject</groupId>
-            <artifactId>javax.inject</artifactId>
-            <version>1</version>
-            <type>jar</type>
+            <groupId>jakarta.inject</groupId>
+            <artifactId>jakarta.inject-api</artifactId>
        </dependency>

        <!-- JAXB API and implementation (no longer bundled as of Java 11) -->
        <dependency>
-            <groupId>javax.xml.bind</groupId>
-            <artifactId>jaxb-api</artifactId>
+            <groupId>jakarta.xml.bind</groupId>
+            <artifactId>jakarta.xml.bind-api</artifactId>
        </dependency>
        <dependency>
            <groupId>org.glassfish.jaxb</groupId>
            <artifactId>jaxb-runtime</artifactId>
        </dependency>

-        <!-- Apache Axiom -->
-        <dependency>
-            <groupId>org.apache.ws.commons.axiom</groupId>
-            <artifactId>axiom-impl</artifactId>
-            <version>${axiom.version}</version>
-            <exclusions>
-                <!-- Exclude Geronimo as it is NOT necessary when using javax.activation (which we use)
-                     See: https://ws.apache.org/axiom/userguide/ch04.html#d0e732 -->
-                <exclusion>
-                    <groupId>org.apache.geronimo.specs</groupId>
-                    <artifactId>*</artifactId>
-                </exclusion>
-                <!-- Exclude Woodstox, as later version provided by Solr dependencies -->
-                <exclusion>
-                    <groupId>org.codehaus.woodstox</groupId>
-                    <artifactId>woodstox-core-asl</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.ws.commons.axiom</groupId>
-            <artifactId>axiom-api</artifactId>
-            <version>${axiom.version}</version>
-            <exclusions>
-                <!-- Exclude Geronimo as it is NOT necessary when using javax.activation (which we use)
-                     See: https://ws.apache.org/axiom/userguide/ch04.html#d0e732 -->
-                <exclusion>
-                    <groupId>org.apache.geronimo.specs</groupId>
-                    <artifactId>*</artifactId>
-                </exclusion>
-                <!-- Exclude Woodstox, as later version provided by Solr dependencies -->
-                <exclusion>
-                    <groupId>org.codehaus.woodstox</groupId>
-                    <artifactId>woodstox-core-asl</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-
-        <!-- Jersey / JAX-RS client (javax.ws.rs.*) dependencies needed to integrate with external sources/services -->
+        <!-- Jersey / JAX-RS client (jakarta.ws.rs.*) dependencies needed to integrate with external sources/services -->
        <dependency>
            <groupId>org.glassfish.jersey.core</groupId>
            <artifactId>jersey-client</artifactId>
@@ -848,33 +720,25 @@
        <dependency>
            <groupId>com.amazonaws</groupId>
            <artifactId>aws-java-sdk-s3</artifactId>
-            <version>1.12.116</version>
+            <version>1.12.791</version>
        </dependency>

+        <!-- TODO: This may need to be replaced with the "orcid-model" artifact once this ticket is resolved:
+             https://github.com/ORCID/orcid-model/issues/50 -->
+        <!-- Maintained at https://github.com/DSpace/orcid-model -->
        <dependency>
-            <groupId>org.orcid</groupId>
-            <artifactId>orcid-model</artifactId>
-            <version>3.0.2</version>
+            <groupId>org.dspace</groupId>
+            <artifactId>orcid-model-jakarta</artifactId>
+            <version>3.3.0</version>
            <exclusions>
-                <exclusion>
-                    <groupId>javax.validation</groupId>
-                    <artifactId>validation-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.jaxrs</groupId>
-                    <artifactId>jackson-jaxrs-json-provider</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.yaml</groupId>
-                    <artifactId>snakeyaml</artifactId>
-                </exclusion>
                <exclusion>
                    <groupId>org.javassist</groupId>
                    <artifactId>javassist</artifactId>
                </exclusion>
+                <!-- Exclude snakeyaml as a newer version is brought in by Spring Boot -->
                <exclusion>
-                	<groupId>io.swagger</groupId>
-                	<artifactId>swagger-jersey-jaxrs</artifactId>
+                    <groupId>org.yaml</groupId>
+                    <artifactId>snakeyaml</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
@@ -882,42 +746,10 @@
        <dependency>
            <groupId>org.json</groupId>
            <artifactId>json</artifactId>
-            <version>20180130</version>
-        </dependency>
-
-        <!-- Used for Solr core export/import -->
-        <dependency>
-            <groupId>com.opencsv</groupId>
-            <artifactId>opencsv</artifactId>
-            <version>5.2</version>
-        </dependency>
-
-        <!-- Email templating -->
-        <dependency>
-            <groupId>org.apache.velocity</groupId>
-            <artifactId>velocity-engine-core</artifactId>
-            <type>jar</type>
-        </dependency>
-
-        <dependency>
-            <groupId>org.xmlunit</groupId>
-            <artifactId>xmlunit-core</artifactId>
-            <scope>test</scope>
-        </dependency>
-
-       <dependency>
-            <groupId>org.apache.bcel</groupId>
-            <artifactId>bcel</artifactId>
-            <version>6.4.0</version>
-        </dependency>
-
-        <!-- required for openaire api integration -->
-        <dependency>
-            <groupId>eu.openaire</groupId>
-            <artifactId>funders-model</artifactId>
-            <version>2.0.0</version>
+            <version>20231013</version>
        </dependency>

+        <!-- Useful for testing command-line tools -->
        <dependency>
            <groupId>com.github.stefanbirkner</groupId>
            <artifactId>system-rules</artifactId>
@@ -925,81 +757,178 @@
            <scope>test</scope>
        </dependency>

+        <!-- Used for Solr core export/import -->
        <dependency>
-            <groupId>org.mock-server</groupId>
-            <artifactId>mockserver-junit-rule</artifactId>
-            <version>5.11.2</version>
-            <scope>test</scope>
+            <groupId>com.opencsv</groupId>
+            <artifactId>opencsv</artifactId>
+            <version>5.12.0</version>
        </dependency>
-    </dependencies>

-    <dependencyManagement>
-        <dependencies>
-          <!-- for mockserver -->
-          <!-- Solve dependency convergence issues related to
-               'mockserver-junit-rule' by selecting the versions we want to use. -->
-          <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-            <version>1.9</version>
-          </dependency>
-          <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-buffer</artifactId>
-            <version>4.1.68.Final</version>
-          </dependency>
-          <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-transport</artifactId>
-            <version>4.1.68.Final</version>
-          </dependency>
-          <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-common</artifactId>
-            <version>4.1.68.Final</version>
-          </dependency>
-          <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-handler</artifactId>
-            <version>4.1.68.Final</version>
-          </dependency>
-          <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-codec</artifactId>
-            <version>4.1.68.Final</version>
-          </dependency>
+        <!-- Email templating -->
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity-engine-core</artifactId>
-            <version>2.2</version>
+            <version>2.4.1</version>
        </dependency>
+
        <dependency>
            <groupId>org.xmlunit</groupId>
            <artifactId>xmlunit-core</artifactId>
-              <version>2.8.0</version>
+            <version>2.10.4</version>
            <scope>test</scope>
        </dependency>
+
        <dependency>
-            <groupId>com.github.java-json-tools</groupId>
-            <artifactId>json-schema-validator</artifactId>
-            <version>2.2.14</version>
+            <groupId>org.apache.bcel</groupId>
+            <artifactId>bcel</artifactId>
+            <version>6.10.0</version>
+            <scope>test</scope>
        </dependency>
+
+        <!-- required for openaire api integration -->
        <dependency>
-            <groupId>jakarta.xml.bind</groupId>
-            <artifactId>jakarta.xml.bind-api</artifactId>
-            <version>2.3.3</version>
+            <groupId>eu.openaire</groupId>
+            <artifactId>funders-model</artifactId>
+            <version>2.0.0</version>
+            <exclusions>
+                <!-- Newer version pulled in via Jersey below -->
+                <exclusion>
+                    <groupId>org.javassist</groupId>
+                    <artifactId>javassist</artifactId>
+                </exclusion>
+            </exclusions>
        </dependency>
+        
        <dependency>
-            <groupId>javax.validation</groupId>
-            <artifactId>validation-api</artifactId>
-            <version>2.0.1.Final</version>
+          <groupId>eu.openaire</groupId>
+          <artifactId>broker-client</artifactId>
+          <version>1.1.2</version>
        </dependency>
+
        <dependency>
-            <groupId>io.swagger</groupId>
-            <artifactId>swagger-core</artifactId>
-            <version>1.6.2</version>
+            <groupId>org.mock-server</groupId>
+            <artifactId>mockserver-junit-rule</artifactId>
+            <version>5.15.0</version>
+            <scope>test</scope>
+            <exclusions>
+                <!-- Exclude snakeyaml to avoid conflicts with: spring-boot-starter-cache -->
+            	<exclusion>
+            		<groupId>org.yaml</groupId>
+            		<artifactId>snakeyaml</artifactId>
+            	</exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.datatype</groupId>
+                    <artifactId>jackson-datatype-jsr310</artifactId>
+                </exclusion>
+                <!-- Resolve dependency conflicts with Hibernate -->
+                <exclusion>
+                    <groupId>javax.xml.bind</groupId>
+                    <artifactId>jaxb-api</artifactId>
+                </exclusion>
+                <!-- Resolve dependency conflicts with Solr -->
+                <exclusion>
+                    <groupId>javax.servlet</groupId>
+                    <artifactId>javax.servlet-api</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        
+        <dependency>
+            <groupId>io.findify</groupId>
+            <artifactId>s3mock_2.13</artifactId>
+            <version>0.2.6</version>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.amazonawsl</groupId>
+                    <artifactId>aws-java-sdk-s3</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.amazonaws</groupId>
+                    <artifactId>aws-java-sdk-s3</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <!-- JClouds Assetstorage Support -->
+        <dependency>
+            <groupId>org.apache.jclouds</groupId>
+            <artifactId>jclouds-core</artifactId>
+            <version>${jclouds.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.google.code.gson</groupId>
+                    <artifactId>gson</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.sun.xml.bind</groupId>
+                    <artifactId>jaxb-impl</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>javax.annotation</groupId>
+                    <artifactId>javax.annotation-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>jakarta.ws.rs</groupId>
+                    <artifactId>jakarta.ws.rs-api</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.jclouds</groupId>
+            <artifactId>jclouds-blobstore</artifactId>
+            <version>${jclouds.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>jakarta.ws.rs</groupId>
+                    <artifactId>jakarta.ws.rs-api</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.jclouds.api</groupId>
+            <artifactId>filesystem</artifactId>
+            <version>${jclouds.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.jclouds.provider</groupId>
+            <artifactId>aws-s3</artifactId>
+            <version>${jclouds.version}</version>
+        </dependency>
+
+        <!-- required frontpage generation -->
+        <dependency>
+            <groupId>org.thymeleaf</groupId>
+            <artifactId>thymeleaf</artifactId>
+            <version>3.1.3.RELEASE</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.javassist</groupId>
+                    <artifactId>javassist</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>org.xhtmlrenderer</groupId>
+            <artifactId>flying-saucer-pdf</artifactId>
+            <version>9.13.3</version>
+            <exclusions>
+                <!-- Conflicts with Hibernate. Use version that is brought in via Hibernate -->
+                <exclusion>
+                    <groupId>net.bytebuddy</groupId>
+                    <artifactId>byte-buddy</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>mockwebserver</artifactId>
+            <scope>test</scope>
        </dependency>
    </dependencies>
-    </dependencyManagement>
-
 </project>
--- a/dspace-api/src/main/java/org/dspace/access/status/AccessStatusHelper.java
+++ b/dspace-api/src/main/java/org/dspace/access/status/AccessStatusHelper.java
@@ -0,0 +1,59 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.access.status;
+
+import java.sql.SQLException;
+import java.time.LocalDate;
+
+import org.dspace.content.AccessStatus;
+import org.dspace.content.Bitstream;
+import org.dspace.content.Item;
+import org.dspace.core.Context;
+
+/**
+ * Plugin interface for the access status calculation.
+ */
+public interface AccessStatusHelper {
+    /**
+     * Calculate the access status for the item.
+     *
+     * @param context the DSpace context
+     * @param item the item
+     * @param threshold the embargo threshold date
+     * @param type the type of calculation
+     * @return the access status
+     * @throws SQLException An exception that provides information on a database access error or other errors.
+     */
+    public AccessStatus getAccessStatusFromItem(Context context,
+        Item item, LocalDate threshold, String type) throws SQLException;
+
+    /**
+     * Calculate the anonymous access status for the item.
+     *
+     * @param context the DSpace context
+     * @param item the item to check for embargo information
+     * @param threshold the embargo threshold date
+     * @return the access status
+     * @throws SQLException An exception that provides information on a database access error or other errors.
+     */
+    public AccessStatus getAnonymousAccessStatusFromItem(Context context,
+        Item item, LocalDate threshold) throws SQLException;
+
+    /**
+     * Calculate the access status for the bitstream.
+     *
+     * @param context the DSpace context
+     * @param bitstream the bitstream
+     * @param threshold the embargo threshold date
+     * @param type the type of calculation
+     * @return the access status
+     * @throws SQLException An exception that provides information on a database access error or other errors.
+     */
+    public AccessStatus getAccessStatusFromBitstream(Context context,
+        Bitstream bitstream, LocalDate threshold, String type) throws SQLException;
+}
--- a/dspace-api/src/main/java/org/dspace/access/status/AccessStatusServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/access/status/AccessStatusServiceImpl.java
@@ -0,0 +1,103 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.access.status;
+
+import java.sql.SQLException;
+import java.time.LocalDate;
+import java.time.ZoneId;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.dspace.access.status.service.AccessStatusService;
+import org.dspace.content.AccessStatus;
+import org.dspace.content.Bitstream;
+import org.dspace.content.Item;
+import org.dspace.core.Context;
+import org.dspace.core.service.PluginService;
+import org.dspace.services.ConfigurationService;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * Implementation for the access status calculation service.
+ */
+public class AccessStatusServiceImpl implements AccessStatusService {
+    private static final Logger log = LogManager.getLogger(AccessStatusServiceImpl.class);
+
+    // Plugin implementation, set from the DSpace configuration by init().
+    protected AccessStatusHelper helper = null;
+
+    protected LocalDate forever_date = null;
+
+    protected String itemCalculationType = null;
+    protected String bitstreamCalculationType = null;
+
+    @Autowired(required = true)
+    protected ConfigurationService configurationService;
+
+    @Autowired(required = true)
+    protected PluginService pluginService;
+
+    /**
+     * Initialize the bean (after dependency injection has already taken place).
+     * Ensures the configurationService is injected, so that we can get the plugin
+     * and the forever embargo date threshold from the configuration.
+     * Called by "init-method" in Spring configuration.
+     *
+     * @throws Exception on generic exception
+     */
+    public void init() throws Exception {
+        if (helper == null) {
+            helper = (AccessStatusHelper) pluginService.getSinglePlugin(AccessStatusHelper.class);
+            if (helper == null) {
+                throw new IllegalStateException("The AccessStatusHelper plugin was not defined in "
+                        + "DSpace configuration.");
+            }
+
+            // Defines the embargo forever date threshold for the access status.
+            // Look at EmbargoService.FOREVER for some improvements?
+            int year = configurationService.getIntProperty("access.status.embargo.forever.year");
+            int month = configurationService.getIntProperty("access.status.embargo.forever.month");
+            int day = configurationService.getIntProperty("access.status.embargo.forever.day");
+
+            forever_date = LocalDate.of(year, month, day)
+                    .atStartOfDay()
+                    .atZone(ZoneId.systemDefault())
+                    .toLocalDate();
+
+            itemCalculationType = getAccessStatusCalculationType("access.status.for-user.item");
+            bitstreamCalculationType = getAccessStatusCalculationType("access.status.for-user.bitstream");
+        }
+    }
+
+    @Override
+    public AccessStatus getAccessStatus(Context context, Item item) throws SQLException {
+        return helper.getAccessStatusFromItem(context, item, forever_date, itemCalculationType);
+    }
+
+    @Override
+    public AccessStatus getAnonymousAccessStatus(Context context, Item item) throws SQLException {
+        return helper.getAnonymousAccessStatusFromItem(context, item, forever_date);
+    }
+
+    @Override
+    public AccessStatus getAccessStatus(Context context, Bitstream bitstream) throws SQLException {
+        return helper.getAccessStatusFromBitstream(context, bitstream, forever_date, bitstreamCalculationType);
+    }
+
+    private String getAccessStatusCalculationType(String key) {
+        String value = configurationService.getProperty(key, DefaultAccessStatusHelper.STATUS_FOR_ANONYMOUS);
+        if (!StringUtils.equalsIgnoreCase(value, DefaultAccessStatusHelper.STATUS_FOR_ANONYMOUS) &&
+            !StringUtils.equalsIgnoreCase(value, DefaultAccessStatusHelper.STATUS_FOR_CURRENT_USER)) {
+            log.warn("The configuration parameter \"" + key
+                + "\" contains an invalid value. Valid values include: 'anonymous' and 'current'.");
+            value = DefaultAccessStatusHelper.STATUS_FOR_ANONYMOUS;
+        }
+        return value;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/access/status/DefaultAccessStatusHelper.java
+++ b/dspace-api/src/main/java/org/dspace/access/status/DefaultAccessStatusHelper.java
@@ -0,0 +1,312 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.access.status;
+
+import java.sql.SQLException;
+import java.time.LocalDate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.stream.Collectors;
+
+import org.apache.commons.lang3.StringUtils;
+import org.dspace.authorize.ResourcePolicy;
+import org.dspace.authorize.factory.AuthorizeServiceFactory;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.authorize.service.ResourcePolicyService;
+import org.dspace.content.AccessStatus;
+import org.dspace.content.Bitstream;
+import org.dspace.content.Bundle;
+import org.dspace.content.DSpaceObject;
+import org.dspace.content.Item;
+import org.dspace.content.factory.ContentServiceFactory;
+import org.dspace.content.service.ItemService;
+import org.dspace.core.Constants;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.Group;
+import org.dspace.eperson.factory.EPersonServiceFactory;
+import org.dspace.eperson.service.GroupService;
+
+/**
+ * Default plugin implementation of the access status helper.
+ * 
+ * The methods provides a simple logic to calculate the access status
+ * of an item based on the policies of the primary or the first bitstream
+ * in the original bundle. Users can override those methods for
+ * enhanced functionality.
+ */
+public class DefaultAccessStatusHelper implements AccessStatusHelper {
+    public static final String STATUS_FOR_CURRENT_USER  = "current";
+    public static final String STATUS_FOR_ANONYMOUS  = "anonymous";
+
+    public static final String EMBARGO = "embargo";
+    public static final String METADATA_ONLY = "metadata.only";
+    public static final String OPEN_ACCESS = "open.access";
+    public static final String RESTRICTED = "restricted";
+    public static final String UNKNOWN = "unknown";
+
+    protected ItemService itemService =
+            ContentServiceFactory.getInstance().getItemService();
+    protected ResourcePolicyService resourcePolicyService =
+            AuthorizeServiceFactory.getInstance().getResourcePolicyService();
+    protected AuthorizeService authorizeService =
+            AuthorizeServiceFactory.getInstance().getAuthorizeService();
+    protected GroupService groupService =
+            EPersonServiceFactory.getInstance().getGroupService();
+
+    public DefaultAccessStatusHelper() {
+        super();
+    }
+
+    /**
+     * Look at the item's primary or first bitstream policies to determine an access status value.
+     * It is also considering a date threshold for embargoes and restrictions.
+     *
+     * If the item is null, simply returns the "unknown" value.
+     *
+     * @param context     the DSpace context
+     * @param item        the item to check for embargoes
+     * @param threshold   the embargo threshold date
+     * @param type        the type of calculation
+     * @return the access status
+     */
+    @Override
+    public AccessStatus getAccessStatusFromItem(Context context, Item item, LocalDate threshold, String type)
+            throws SQLException {
+        if (item == null) {
+            return new AccessStatus(UNKNOWN, null);
+        }
+        Bitstream bitstream = getPrimaryOrFirstBitstreamInOriginalBundle(item);
+        if (bitstream == null) {
+            return new AccessStatus(METADATA_ONLY, null);
+        }
+        return getAccessStatusFromBitstream(context, bitstream, threshold, type);
+    }
+
+    /**
+     * Look at the bitstream policies to determine an access status value.
+     * It is also considering a date threshold for embargoes and restrictions.
+     *
+     * If the bitstream is null, simply returns the "unknown" value.
+     *
+     * @param context     the DSpace context
+     * @param bitstream   the bitstream to check for embargoes
+     * @param threshold   the embargo threshold date
+     * @param type        the type of calculation
+     * @return the access status
+     */
+    @Override
+    public AccessStatus getAccessStatusFromBitstream(Context context,
+        Bitstream bitstream, LocalDate threshold, String type) throws SQLException {
+        if (bitstream == null) {
+            return new AccessStatus(UNKNOWN, null);
+        }
+        List<ResourcePolicy> policies = getReadPolicies(context, bitstream, type);
+        LocalDate availabilityDate = findAvailabilityDate(policies, threshold);
+        // Get the access status based on the availability date
+        String accessStatus = getAccessStatusFromAvailabilityDate(availabilityDate, threshold);
+        return new AccessStatus(accessStatus, availabilityDate);
+    }
+
+    /**
+     * Look at the anonymous policies of the primary (or first)
+     * bitstream of the item to retrieve its embargo.
+     *
+     * @param context       the DSpace context
+     * @param item          the item
+     * @param threshold     the embargo threshold date
+     * @return the access status
+     */
+    @Override
+    public AccessStatus getAnonymousAccessStatusFromItem(Context context, Item item, LocalDate threshold)
+            throws SQLException {
+        return getAccessStatusFromItem(context, item, threshold, STATUS_FOR_ANONYMOUS);
+    }
+
+    /**
+     * Look in the item's original bundle. First, try to get the primary bitstream.
+     * If the bitstream is null, simply returns the first one.
+     *
+     * @param item      the DSpace item
+     * @return the bitstream
+     */
+    private Bitstream getPrimaryOrFirstBitstreamInOriginalBundle(Item item) {
+        // Consider only the original bundles.
+        List<Bundle> bundles = item.getBundles(Constants.DEFAULT_BUNDLE_NAME);
+        // Check for primary bitstreams first.
+        Bitstream bitstream = bundles.stream()
+            .map(bundle -> bundle.getPrimaryBitstream())
+            .filter(Objects::nonNull)
+            .findFirst()
+            .orElse(null);
+        if (bitstream == null) {
+            // If there is no primary bitstream,
+            // take the first bitstream in the bundles.
+            bitstream = bundles.stream()
+                .map(bundle -> bundle.getBitstreams())
+                .flatMap(List::stream)
+                .findFirst()
+                .orElse(null);
+        }
+        return bitstream;
+    }
+
+    /**
+     * Retrieves the anonymous read policies for a DSpace object
+     *
+     * @param context   the DSpace context
+     * @param dso       the DSpace object
+     * @return a list of policies
+     */
+    private List<ResourcePolicy> getAnonymousReadPolicies(Context context, DSpaceObject dso)
+            throws SQLException {
+        // Only consider read policies. Use the find without a group
+        // as it's not returning all expected values
+        List<ResourcePolicy> readPolicies = resourcePolicyService.find(context, dso, Constants.READ);
+        // Filter the policies with the anonymous group
+        List<ResourcePolicy> filteredPolicies = readPolicies.stream()
+            .filter(p -> p.getGroup() != null && StringUtils.equals(p.getGroup().getName(), Group.ANONYMOUS))
+            .collect(Collectors.toList());
+        return filteredPolicies;
+    }
+
+    /**
+     * Retrieves the current user read policies for a DSpace object
+     *
+     * @param context   the DSpace context
+     * @param dso       the DSpace object
+     * @return a list of policies
+     */
+    private List<ResourcePolicy> getCurrentUserReadPolicies(Context context, DSpaceObject dso)
+            throws SQLException {
+        // First, look if the current user can read the object
+        boolean canRead = authorizeService.authorizeActionBoolean(context, dso, Constants.READ);
+        // If it's true, it can't be an embargo or a restriction, shortcircuit the process
+        // and return a null value (indicating an open access)
+        if (canRead) {
+            return null;
+        }
+        // Only consider read policies
+        List<ResourcePolicy> policies = resourcePolicyService.find(context, dso, Constants.READ);
+        // Only calculate the embargo date for the current user
+        EPerson currentUser = context.getCurrentUser();
+        List<ResourcePolicy> readPolicies = new ArrayList<ResourcePolicy>();
+        for (ResourcePolicy policy : policies) {
+            EPerson eperson = policy.getEPerson();
+            if (eperson != null && currentUser != null && eperson.getID() == currentUser.getID()) {
+                readPolicies.add(policy);
+                continue;
+            }
+            Group group = policy.getGroup();
+            if (group != null && groupService.isMember(context, currentUser, group)) {
+                readPolicies.add(policy);
+            }
+        }
+        return readPolicies;
+    }
+
+    /**
+     * Retrieves the read policies for a DSpace object based on the type
+     * 
+     * If the type is current, consider the current logged in user
+     * If the type is anonymous, only consider the anonymous group
+     *
+     * @param context   the DSpace context
+     * @param dso       the DSpace object
+     * @param type      the type of calculation
+     * @return a list of policies
+     */
+    private List<ResourcePolicy> getReadPolicies(Context context, DSpaceObject dso, String type)
+            throws SQLException {
+        if (StringUtils.equalsIgnoreCase(type, STATUS_FOR_CURRENT_USER)) {
+            return getCurrentUserReadPolicies(context, dso);
+        } else {
+            // Only calculate the status for the anonymous group read policies
+            return getAnonymousReadPolicies(context, dso);
+        }
+    }
+
+    /**
+     * Look at the read policies to retrieve the access status availability date.
+     *
+     * @param readPolicies  the read policies
+     * @param threshold     the embargo threshold date
+     * @return an availability date
+     */
+    private LocalDate findAvailabilityDate(List<ResourcePolicy> readPolicies, LocalDate threshold) {
+        // If the list is null, the object is readable
+        if (readPolicies == null) {
+            return null;
+        }
+        // If there's no policies, return the threshold date (restriction)
+        if (readPolicies.size() == 0) {
+            return threshold;
+        }
+        LocalDate availabilityDate = null;
+        LocalDate currentDate = LocalDate.now();
+        boolean takeMostRecentDate = true;
+        // Looks at all read policies
+        for (ResourcePolicy policy : readPolicies) {
+            boolean isValid = resourcePolicyService.isDateValid(policy);
+            // If any policy is valid, the object is accessible
+            if (isValid) {
+                return null;
+            }
+            // There may be an active embargo
+            LocalDate startDate = policy.getStartDate();
+            // Ignore policy with no start date or which is expired
+            if (startDate == null || startDate.isBefore(currentDate)) {
+                continue;
+            }
+            // Policy with a start date over the threshold (restriction)
+            // overrides the embargos
+            if (!startDate.isBefore(threshold)) {
+                takeMostRecentDate = false;
+            }
+            // Take the most recent embargo date if there is no restriction, otherwise
+            // take the highest date (account for rare cases where more than one resource
+            // policy exists)
+            if (availabilityDate == null) {
+                availabilityDate = startDate;
+            } else if (takeMostRecentDate) {
+                availabilityDate = startDate.isBefore(availabilityDate) ? startDate : availabilityDate;
+            } else {
+                availabilityDate = startDate.isAfter(availabilityDate) ? startDate : availabilityDate;
+            }
+        }
+        return availabilityDate;
+    }
+
+    /**
+     * Look at the DSpace object availability date to determine an access status value.
+     *
+     * If the object is null, returns the "metadata.only" value.
+     * If there's no availability date, returns the "open.access" value.
+     * If the availability date is after or equal to the embargo
+     * threshold date, returns the "restricted" value.
+     * Every other cases return the "embargo" value.
+     *
+     * @param availabilityDate  the DSpace object availability date
+     * @param threshold         the embargo threshold date
+     * @return an access status value
+     */
+    private String getAccessStatusFromAvailabilityDate(LocalDate availabilityDate, LocalDate threshold) {
+        // If there is no availability date, it's an open access.
+        if (availabilityDate == null) {
+            return OPEN_ACCESS;
+        }
+        // If the policy start date have a value and if this value
+        // is equal or superior to the configured forever date, the
+        // access status is also restricted.
+        if (!availabilityDate.isBefore(threshold)) {
+            return RESTRICTED;
+        }
+        return EMBARGO;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/access/status/factory/AccessStatusServiceFactory.java
+++ b/dspace-api/src/main/java/org/dspace/access/status/factory/AccessStatusServiceFactory.java
@@ -0,0 +1,25 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.access.status.factory;
+
+import org.dspace.access.status.service.AccessStatusService;
+import org.dspace.services.factory.DSpaceServicesFactory;
+
+/**
+ * Abstract factory to get services for the access status package,
+ * use AccessStatusServiceFactory.getInstance() to retrieve an implementation.
+ */
+public abstract class AccessStatusServiceFactory {
+
+    public abstract AccessStatusService getAccessStatusService();
+
+    public static AccessStatusServiceFactory getInstance() {
+        return DSpaceServicesFactory.getInstance().getServiceManager()
+                .getServiceByName("accessStatusServiceFactory", AccessStatusServiceFactory.class);
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/access/status/factory/AccessStatusServiceFactoryImpl.java
+++ b/dspace-api/src/main/java/org/dspace/access/status/factory/AccessStatusServiceFactoryImpl.java
@@ -0,0 +1,26 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.access.status.factory;
+
+import org.dspace.access.status.service.AccessStatusService;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * Factory implementation to get services for the access status package,
+ * use AccessStatusServiceFactory.getInstance() to retrieve an implementation.
+ */
+public class AccessStatusServiceFactoryImpl extends AccessStatusServiceFactory {
+
+    @Autowired(required = true)
+    private AccessStatusService accessStatusService;
+
+    @Override
+    public AccessStatusService getAccessStatusService() {
+        return accessStatusService;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/access/status/package-info.java
+++ b/dspace-api/src/main/java/org/dspace/access/status/package-info.java
@@ -0,0 +1,30 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+/**
+ * <p>
+ * Access status allows the users to view the bitstreams availability before
+ * browsing into the item itself.
+ * </p>
+ * <p>
+ * The access status is calculated through a pluggable class:
+ * {@link org.dspace.access.status.AccessStatusHelper}.
+ * The {@link org.dspace.access.status.AccessStatusServiceImpl}
+ * must be configured to specify this class, as well as a forever embargo date
+ * threshold year, month and day.
+ * </p>
+ * <p>
+ * See {@link org.dspace.access.status.DefaultAccessStatusHelper} for a simple calculation
+ * based on the primary or the first bitstream of the original bundle. You can
+ * supply your own class to implement more complex access statuses.
+ * </p>
+ * <p>
+ * For now, the access status is calculated when the item is shown in a list.
+ * </p>
+ */
+
+package org.dspace.access.status;
--- a/dspace-api/src/main/java/org/dspace/access/status/service/AccessStatusService.java
+++ b/dspace-api/src/main/java/org/dspace/access/status/service/AccessStatusService.java
@@ -0,0 +1,69 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.access.status.service;
+
+import java.sql.SQLException;
+
+import org.dspace.content.AccessStatus;
+import org.dspace.content.Bitstream;
+import org.dspace.content.Item;
+import org.dspace.core.Context;
+
+/**
+ * Public interface to the access status subsystem.
+ * <p>
+ * Configuration properties: (with examples)
+ * {@code
+ * # values for the forever embargo date threshold
+ * # This threshold date is used in the default access status helper to determine if an item is
+ * # restricted or embargoed based on the start date of the primary (or first) file policies.
+ * # In this case, if the policy start date is inferior to the threshold date, the status will
+ * # be embargo, else it will be restricted.
+ * # You might want to change this threshold based on your needs. For example: some databases
+ * # doesn't accept a date superior to 31 december 9999.
+ * access.status.embargo.forever.year = 10000
+ * access.status.embargo.forever.month = 1
+ * access.status.embargo.forever.day = 1
+ * # implementation of access status helper plugin - replace with local implementation if applicable
+ * # This default access status helper provides an item status based on the policies of the primary
+ * # bitstream (or first bitstream in the original bundles if no primary file is specified).
+ * plugin.single.org.dspace.access.status.AccessStatusHelper = org.dspace.access.status.DefaultAccessStatusHelper
+ * }
+ */
+public interface AccessStatusService {
+
+    /**
+     * Calculate the access status for an Item while considering the forever embargo date threshold.
+     *
+     * @param context the DSpace context
+     * @param item the item
+     * @return the access status
+     * @throws SQLException An exception that provides information on a database access error or other errors.
+     */
+    public AccessStatus getAccessStatus(Context context, Item item) throws SQLException;
+
+    /**
+     * Calculate the anonymous access status for an Item while considering the forever embargo date threshold.
+     *
+     * @param context the DSpace context
+     * @param item the item to check for embargo information
+     * @return the access status
+     * @throws SQLException An exception that provides information on a database access error or other errors.
+     */
+    public AccessStatus getAnonymousAccessStatus(Context context, Item item) throws SQLException;
+
+    /**
+     * Calculate the access status for a bitstream while considering the forever embargo date threshold.
+     *
+     * @param context the DSpace context
+     * @param bitstream the bitstream
+     * @return the access status
+     * @throws SQLException An exception that provides information on a database access error or other errors.
+     */
+    public AccessStatus getAccessStatus(Context context, Bitstream bitstream) throws SQLException;
+}
--- a/dspace-api/src/main/java/org/dspace/administer/CreateAdministrator.java
+++ b/dspace-api/src/main/java/org/dspace/administer/CreateAdministrator.java
@@ -14,6 +14,7 @@ import java.util.Locale;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.DefaultParser;
+import org.apache.commons.cli.HelpFormatter;
 import org.apache.commons.cli.Options;
 import org.apache.commons.lang3.StringUtils;
 import org.dspace.core.Context;
@@ -69,19 +70,41 @@ public final class CreateAdministrator {

        options.addOption("e", "email", true, "administrator email address");
        options.addOption("f", "first", true, "administrator first name");
+        options.addOption("h", "help", false, "explain create-administrator options");
        options.addOption("l", "last", true, "administrator last name");
        options.addOption("c", "language", true, "administrator language");
        options.addOption("p", "password", true, "administrator password");

-        CommandLine line = parser.parse(options, argv);
+        CommandLine line = null;
+
+        try {
+
+            line = parser.parse(options, argv);
+
+        } catch (Exception e) {
+
+            System.out.println(e.getMessage() + "\nTry \"dspace create-administrator -h\" to print help information.");
+            System.exit(1);
+
+        }

        if (line.hasOption("e") && line.hasOption("f") && line.hasOption("l") &&
                line.hasOption("c") && line.hasOption("p")) {
            ca.createAdministrator(line.getOptionValue("e"),
                    line.getOptionValue("f"), line.getOptionValue("l"),
                    line.getOptionValue("c"), line.getOptionValue("p"));
+        } else if (line.hasOption("h")) {
+            String header = "\nA command-line tool for creating an initial administrator for setting up a" +
+                    " DSpace site. Unless all the required parameters are passed it will" +
+                    " prompt for an e-mail address, last name, first name and password from" +
+                    " standard input.. An administrator group is then created and the data passed" +
+                    "  in used to create an e-person in that group.\n\n";
+            String footer = "\n";
+            HelpFormatter formatter = new HelpFormatter();
+            formatter.printHelp("dspace create-administrator", header, options, footer, true);
+            return;
        } else {
-            ca.negotiateAdministratorDetails();
+            ca.negotiateAdministratorDetails(line);
        }
    }

@@ -93,6 +116,17 @@ public final class CreateAdministrator {
    protected CreateAdministrator()
            throws Exception {
        context = new Context();
+        try {
+            context.getDBConfig();
+        } catch (NullPointerException npr) {
+            // if database is null, there is no point in continuing. Prior to this exception and catch,
+            // NullPointerException was thrown, that wasn't very helpful.
+            throw new IllegalStateException("Problem connecting to database. This " +
+                    "indicates issue with either network or version (or possibly some other). " +
+                    "If you are running this in docker-compose, please make sure dspace-cli was " +
+                    "built from the same sources as running dspace container AND that they are in " +
+                    "the same project/network.");
+        }
        groupService = EPersonServiceFactory.getInstance().getGroupService();
        ePersonService = EPersonServiceFactory.getInstance().getEPersonService();
    }
@@ -103,20 +137,20 @@ public final class CreateAdministrator {
     *
     * @throws Exception if error
     */
-    protected void negotiateAdministratorDetails()
+    protected void negotiateAdministratorDetails(CommandLine line)
            throws Exception {
        Console console = System.console();

        System.out.println("Creating an initial administrator account");

-        boolean dataOK = false;
-
-        String email = null;
-        String firstName = null;
-        String lastName = null;
-        char[] password1 = null;
-        char[] password2 = null;
+        String email = line.getOptionValue('e');
+        String firstName = line.getOptionValue('f');
+        String lastName = line.getOptionValue('l');
        String language = I18nUtil.getDefaultLocale().getLanguage();
+        ConfigurationService cfg = DSpaceServicesFactory.getInstance().getConfigurationService();
+        boolean flag = line.hasOption('p');
+        char[] password = null;
+        boolean dataOK = line.hasOption('f') && line.hasOption('e') && line.hasOption('l');

        while (!dataOK) {
            System.out.print("E-mail address: ");
@@ -147,8 +181,6 @@ public final class CreateAdministrator {
            if (lastName != null) {
                lastName = lastName.trim();
            }
-
-            ConfigurationService cfg = DSpaceServicesFactory.getInstance().getConfigurationService();
            if (cfg.hasProperty("webui.supported.locales")) {
                System.out.println("Select one of the following languages: "
                        + cfg.getProperty("webui.supported.locales"));
@@ -163,20 +195,6 @@ public final class CreateAdministrator {
                }
            }

-            System.out.println("Password will not display on screen.");
-            System.out.print("Password: ");
-            System.out.flush();
-
-            password1 = console.readPassword();
-
-            System.out.print("Again to confirm: ");
-            System.out.flush();
-
-            password2 = console.readPassword();
-
-            //TODO real password validation
-            if (password1.length > 1 && Arrays.equals(password1, password2)) {
-                // password OK
            System.out.print("Is the above data correct? (y or n): ");
            System.out.flush();

@@ -188,19 +206,46 @@ public final class CreateAdministrator {
                    dataOK = true;
                }
            }
+
+        }
+        if (!flag) {
+            password = getPassword(console);
+            if (password == null) {
+                return;
+            }
+        } else {
+            password = line.getOptionValue("p").toCharArray();
+        }
+        // if we make it to here, we are ready to create an administrator
+        createAdministrator(email, firstName, lastName, language, String.valueOf(password));
+
+    }
+
+    private char[] getPassword(Console console) {
+        char[] password1 = null;
+        char[] password2 = null;
+        System.out.println("Password will not display on screen.");
+        System.out.print("Password: ");
+        System.out.flush();
+
+        password1 = console.readPassword();
+
+        System.out.print("Again to confirm: ");
+        System.out.flush();
+
+        password2 = console.readPassword();
+
+        // TODO real password validation
+        if (password1.length > 1 && Arrays.equals(password1, password2)) {
+            // password OK
+            Arrays.fill(password2, ' ');
+            return password1;
        } else {
            System.out.println("Passwords don't match");
+            return null;
        }
    }

-        // if we make it to here, we are ready to create an administrator
-        createAdministrator(email, firstName, lastName, language, String.valueOf(password1));
-
-        //Cleaning arrays that held password
-        Arrays.fill(password1, ' ');
-        Arrays.fill(password2, ' ');
-    }
-
    /**
     * Create the administrator with the given details. If the user
     * already exists then they are simply upped to administrator status
--- a/dspace-api/src/main/java/org/dspace/administer/MetadataImporter.java
+++ b/dspace-api/src/main/java/org/dspace/administer/MetadataImporter.java
@@ -11,13 +11,18 @@ import java.io.IOException;
 import java.sql.SQLException;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;

 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.DefaultParser;
 import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
-import org.apache.xpath.XPathAPI;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.MetadataField;
 import org.dspace.content.MetadataSchema;
@@ -27,8 +32,6 @@ import org.dspace.content.factory.ContentServiceFactory;
 import org.dspace.content.service.MetadataFieldService;
 import org.dspace.content.service.MetadataSchemaService;
 import org.dspace.core.Context;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -37,9 +40,9 @@ import org.xml.sax.SAXException;
 /**
 * @author Richard Jones
 *
- * This class takes an xml document as passed in the arguments and
+ * This class takes an XML document as passed in the arguments and
 * uses it to create metadata elements in the Metadata Registry if
- * they do not already exist
+ * they do not already exist.
 *
 * The format of the XML file is as follows:
 *
@@ -66,7 +69,7 @@ public class MetadataImporter {
    /**
     * logging category
     */
-    private static final Logger log = LoggerFactory.getLogger(MetadataImporter.class);
+    private static final Logger log = LogManager.getLogger();

    /**
     * Default constructor
@@ -86,11 +89,12 @@ public class MetadataImporter {
     * @throws SAXException                 if parser error
     * @throws NonUniqueMetadataException   if duplicate metadata
     * @throws RegistryImportException      if import fails
+     * @throws XPathExpressionException     passed through
     **/
    public static void main(String[] args)
        throws ParseException, SQLException, IOException, TransformerException,
        ParserConfigurationException, AuthorizeException, SAXException,
-        NonUniqueMetadataException, RegistryImportException {
+        NonUniqueMetadataException, RegistryImportException, XPathExpressionException {

        // create an options object and populate it
        CommandLineParser parser = new DefaultParser();
@@ -122,10 +126,11 @@ public class MetadataImporter {
     * @throws SAXException                 if parser error
     * @throws NonUniqueMetadataException   if duplicate metadata
     * @throws RegistryImportException      if import fails
+     * @throws XPathExpressionException     passed through
     */
    public static void loadRegistry(String file, boolean forceUpdate)
-        throws SQLException, IOException, TransformerException, ParserConfigurationException,
-        AuthorizeException, SAXException, NonUniqueMetadataException, RegistryImportException {
+        throws SQLException, IOException, TransformerException, ParserConfigurationException, AuthorizeException,
+        SAXException, NonUniqueMetadataException, RegistryImportException, XPathExpressionException {
        Context context = null;

        try {
@@ -137,7 +142,9 @@ public class MetadataImporter {
            Document document = RegistryImporter.loadXML(file);

            // Get the nodes corresponding to types
-            NodeList schemaNodes = XPathAPI.selectNodeList(document, "/dspace-dc-types/dc-schema");
+            XPath xPath = XPathFactory.newInstance().newXPath();
+            NodeList schemaNodes = (NodeList) xPath.compile("/dspace-dc-types/dc-schema")
+                                                   .evaluate(document, XPathConstants.NODESET);

            // Add each one as a new format to the registry
            for (int i = 0; i < schemaNodes.getLength(); i++) {
@@ -146,7 +153,8 @@ public class MetadataImporter {
            }

            // Get the nodes corresponding to types
-            NodeList typeNodes = XPathAPI.selectNodeList(document, "/dspace-dc-types/dc-type");
+            NodeList typeNodes = (NodeList) xPath.compile("/dspace-dc-types/dc-type")
+                                                 .evaluate(document, XPathConstants.NODESET);

            // Add each one as a new format to the registry
            for (int i = 0; i < typeNodes.getLength(); i++) {
@@ -178,8 +186,8 @@ public class MetadataImporter {
     * @throws RegistryImportException    if import fails
     */
    private static void loadSchema(Context context, Node node, boolean updateExisting)
-        throws SQLException, IOException, TransformerException,
-        AuthorizeException, NonUniqueMetadataException, RegistryImportException {
+        throws SQLException, AuthorizeException, NonUniqueMetadataException, RegistryImportException,
+        XPathExpressionException {
        // Get the values
        String name = RegistryImporter.getElementData(node, "name");
        String namespace = RegistryImporter.getElementData(node, "namespace");
@@ -197,7 +205,7 @@ public class MetadataImporter {

        if (s == null) {
            // Schema does not exist - create
-            log.info("Registering Schema " + name + " (" + namespace + ")");
+            log.info("Registering Schema {}({})", name, namespace);
            metadataSchemaService.create(context, name, namespace);
        } else {
            // Schema exists - if it's the same namespace, allow the type imports to continue
@@ -209,7 +217,7 @@ public class MetadataImporter {
            // It's a different namespace - have we been told to update?
            if (updateExisting) {
                // Update the existing schema namespace and continue to type import
-                log.info("Updating Schema " + name + ": New namespace " + namespace);
+                log.info("Updating Schema {}: New namespace {}", name, namespace);
                s.setNamespace(namespace);
                metadataSchemaService.update(context, s);
            } else {
@@ -236,8 +244,8 @@ public class MetadataImporter {
     * @throws RegistryImportException    if import fails
     */
    private static void loadType(Context context, Node node)
-        throws SQLException, IOException, TransformerException,
-        AuthorizeException, NonUniqueMetadataException, RegistryImportException {
+        throws SQLException, IOException, AuthorizeException, NonUniqueMetadataException, RegistryImportException,
+        XPathExpressionException {
        // Get the values
        String schema = RegistryImporter.getElementData(node, "schema");
        String element = RegistryImporter.getElementData(node, "element");
@@ -268,7 +276,7 @@ public class MetadataImporter {
        if (qualifier == null) {
            fieldName = schema + "." + element;
        }
-        log.info("Registering metadata field " + fieldName);
+        log.info("Registering metadata field {}", fieldName);
        MetadataField field = metadataFieldService.create(context, schemaObj, element, qualifier, scopeNote);
        metadataFieldService.update(context, field);
    }
--- a/dspace-api/src/main/java/org/dspace/administer/ProcessCleaner.java
+++ b/dspace-api/src/main/java/org/dspace/administer/ProcessCleaner.java
@@ -0,0 +1,140 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.administer;
+
+import java.io.IOException;
+import java.sql.SQLException;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.cli.ParseException;
+import org.dspace.authorize.AuthorizeException;
+import org.dspace.content.ProcessStatus;
+import org.dspace.core.Context;
+import org.dspace.scripts.DSpaceRunnable;
+import org.dspace.scripts.Process;
+import org.dspace.scripts.factory.ScriptServiceFactory;
+import org.dspace.scripts.service.ProcessService;
+import org.dspace.services.ConfigurationService;
+import org.dspace.services.factory.DSpaceServicesFactory;
+import org.dspace.utils.DSpace;
+
+/**
+ * Script to cleanup the old processes in the specified state.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class ProcessCleaner extends DSpaceRunnable<ProcessCleanerConfiguration<ProcessCleaner>> {
+
+    private ConfigurationService configurationService;
+
+    private ProcessService processService;
+
+
+    private boolean cleanCompleted = false;
+
+    private boolean cleanFailed = false;
+
+    private boolean cleanRunning = false;
+
+    private boolean help = false;
+
+    private Integer days;
+
+
+    @Override
+    public void setup() throws ParseException {
+
+        this.configurationService = DSpaceServicesFactory.getInstance().getConfigurationService();
+        this.processService = ScriptServiceFactory.getInstance().getProcessService();
+
+        this.help = commandLine.hasOption('h');
+        this.cleanFailed = commandLine.hasOption('f');
+        this.cleanRunning = commandLine.hasOption('r');
+        this.cleanCompleted = commandLine.hasOption('c') || (!cleanFailed && !cleanRunning);
+
+        this.days = configurationService.getIntProperty("process-cleaner.days", 14);
+
+        if (this.days <= 0) {
+            throw new IllegalStateException("The number of days must be a positive integer.");
+        }
+
+    }
+
+    @Override
+    public void internalRun() throws Exception {
+
+        if (help) {
+            printHelp();
+            return;
+        }
+
+        Context context = new Context();
+
+        try {
+            context.turnOffAuthorisationSystem();
+            performDeletion(context);
+        } finally {
+            context.restoreAuthSystemState();
+            context.complete();
+        }
+
+    }
+
+    /**
+     * Delete the processes based on the specified statuses and the configured days
+     * from their creation.
+     */
+    private void performDeletion(Context context) throws SQLException, IOException, AuthorizeException {
+
+        List<ProcessStatus> statuses = getProcessToDeleteStatuses();
+        Instant creationDate = calculateCreationDate();
+
+        handler.logInfo("Searching for processes with status: " + statuses);
+        List<Process> processes = processService.findByStatusAndCreationTimeOlderThan(context, statuses, creationDate);
+        handler.logInfo("Found " + processes.size() + " processes to be deleted");
+        for (Process process : processes) {
+            processService.delete(context, process);
+        }
+
+        handler.logInfo("Process cleanup completed");
+
+    }
+
+    /**
+     * Returns the list of Process statuses do be deleted.
+     */
+    private List<ProcessStatus> getProcessToDeleteStatuses() {
+        List<ProcessStatus> statuses = new ArrayList<ProcessStatus>();
+        if (cleanCompleted) {
+            statuses.add(ProcessStatus.COMPLETED);
+        }
+        if (cleanFailed) {
+            statuses.add(ProcessStatus.FAILED);
+        }
+        if (cleanRunning) {
+            statuses.add(ProcessStatus.RUNNING);
+        }
+        return statuses;
+    }
+
+    private Instant calculateCreationDate() {
+        return Instant.now().minus(days, ChronoUnit.DAYS);
+    }
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public ProcessCleanerConfiguration<ProcessCleaner> getScriptConfiguration() {
+        return new DSpace().getServiceManager()
+            .getServiceByName("process-cleaner", ProcessCleanerConfiguration.class);
+    }
+
+}
--- a/dspace-services/src/main/java/org/dspace/services/caching/model/package-info.java
+++ b/dspace-services/src/main/java/org/dspace/services/caching/model/package-info.java
@@ -5,9 +5,14 @@
 *
 * http://www.dspace.org/license/
 */
+package org.dspace.administer;

 /**
- * Implementations of the Cache type, for various purposes.
+ * The {@link ProcessCleaner} for CLI.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
 */
+public class ProcessCleanerCli extends ProcessCleaner {

-package org.dspace.services.caching.model;
+}
--- a/dspace-api/src/main/java/org/dspace/administer/ProcessCleanerCliConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/administer/ProcessCleanerCliConfiguration.java
@@ -0,0 +1,18 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.administer;
+
+/**
+ * The {@link ProcessCleanerConfiguration} for CLI.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class ProcessCleanerCliConfiguration extends ProcessCleanerConfiguration<ProcessCleanerCli> {
+
+}
--- a/dspace-api/src/main/java/org/dspace/administer/ProcessCleanerConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/administer/ProcessCleanerConfiguration.java
@@ -0,0 +1,53 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.administer;
+
+import org.apache.commons.cli.Options;
+import org.dspace.scripts.configuration.ScriptConfiguration;
+
+/**
+ * The {@link ScriptConfiguration} for the {@link ProcessCleaner} script.
+ */
+public class ProcessCleanerConfiguration<T extends ProcessCleaner> extends ScriptConfiguration<T> {
+
+    private Class<T> dspaceRunnableClass;
+
+    @Override
+    public Options getOptions() {
+        if (options == null) {
+
+            Options options = new Options();
+
+            options.addOption("h", "help", false, "help");
+
+            options.addOption("r", "running", false, "delete the process with RUNNING status");
+            options.getOption("r").setType(boolean.class);
+
+            options.addOption("f", "failed", false, "delete the process with FAILED status");
+            options.getOption("f").setType(boolean.class);
+
+            options.addOption("c", "completed", false,
+                "delete the process with COMPLETED status (default if no statuses are specified)");
+            options.getOption("c").setType(boolean.class);
+
+            super.options = options;
+        }
+        return options;
+    }
+
+    @Override
+    public Class<T> getDspaceRunnableClass() {
+        return dspaceRunnableClass;
+    }
+
+    @Override
+    public void setDspaceRunnableClass(Class<T> dspaceRunnableClass) {
+        this.dspaceRunnableClass = dspaceRunnableClass;
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/administer/RegistryImporter.java
+++ b/dspace-api/src/main/java/org/dspace/administer/RegistryImporter.java
@@ -10,11 +10,14 @@ package org.dspace.administer;
 import java.io.File;
 import java.io.IOException;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;

-import org.apache.xpath.XPathAPI;
+import org.dspace.app.util.XMLUtils;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -46,8 +49,9 @@ public class RegistryImporter {
     */
    public static Document loadXML(String filename)
        throws IOException, ParserConfigurationException, SAXException {
-        DocumentBuilder builder = DocumentBuilderFactory.newInstance()
-                                                        .newDocumentBuilder();
+        // This XML builder will *not* disable external entities as XML
+        // registries are considered trusted content
+        DocumentBuilder builder = XMLUtils.getTrustedDocumentBuilder();

        Document document = builder.parse(new File(filename));

@@ -72,9 +76,10 @@ public class RegistryImporter {
     * @throws TransformerException if error
     */
    public static String getElementData(Node parentElement, String childName)
-        throws TransformerException {
+        throws XPathExpressionException {
        // Grab the child node
-        Node childNode = XPathAPI.selectSingleNode(parentElement, childName);
+        XPath xPath = XPathFactory.newInstance().newXPath();
+        Node childNode = (Node) xPath.compile(childName).evaluate(parentElement, XPathConstants.NODE);

        if (childNode == null) {
            // No child node, so no values
@@ -115,9 +120,10 @@ public class RegistryImporter {
     * @throws TransformerException if error
     */
    public static String[] getRepeatedElementData(Node parentElement,
-                                                  String childName) throws TransformerException {
+                                                  String childName) throws XPathExpressionException {
        // Grab the child node
-        NodeList childNodes = XPathAPI.selectNodeList(parentElement, childName);
+        XPath xPath = XPathFactory.newInstance().newXPath();
+        NodeList childNodes = (NodeList) xPath.compile(childName).evaluate(parentElement, XPathConstants.NODESET);

        String[] data = new String[childNodes.getLength()];

--- a/dspace-api/src/main/java/org/dspace/administer/RegistryLoader.java
+++ b/dspace-api/src/main/java/org/dspace/administer/RegistryLoader.java
@@ -13,12 +13,22 @@ import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;

+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.DefaultParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
-import org.apache.xpath.XPathAPI;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.BitstreamFormat;
 import org.dspace.content.factory.ContentServiceFactory;
@@ -38,7 +48,7 @@ import org.xml.sax.SAXException;
 * <P>
 * <code>RegistryLoader -bitstream bitstream-formats.xml</code>
 * <P>
- * <code>RegistryLoader -dc dc-types.xml</code>
+ * <code>RegistryLoader -metadata dc-types.xml</code>
 *
 * @author Robert Tansley
 * @version $Revision$
@@ -47,7 +57,7 @@ public class RegistryLoader {
    /**
     * log4j category
     */
-    private static Logger log = org.apache.logging.log4j.LogManager.getLogger(RegistryLoader.class);
+    private static final Logger log = org.apache.logging.log4j.LogManager.getLogger(RegistryLoader.class);

    protected static BitstreamFormatService bitstreamFormatService = ContentServiceFactory.getInstance()
                                                                                          .getBitstreamFormatService();
@@ -64,40 +74,55 @@ public class RegistryLoader {
     * @throws Exception if error
     */
    public static void main(String[] argv) throws Exception {
-        String usage = "Usage: " + RegistryLoader.class.getName()
-            + " (-bitstream | -metadata) registry-file.xml";
-
-        Context context = null;
+        // Set up command-line options and parse arguments
+        CommandLineParser parser = new DefaultParser();
+        Options options = createCommandLineOptions();

        try {
-            context = new Context();
+            CommandLine line = parser.parse(options, argv);
+
+            // Check if help option was entered or no options provided
+            if (line.hasOption('h') || line.getOptions().length == 0) {
+                printHelp(options);
+                System.exit(0);
+            }
+
+            Context context = new Context();

            // Can't update registries anonymously, so we need to turn off
            // authorisation
            context.turnOffAuthorisationSystem();

+            try {
                // Work out what we're loading
-            if (argv[0].equalsIgnoreCase("-bitstream")) {
-                RegistryLoader.loadBitstreamFormats(context, argv[1]);
-            } else if (argv[0].equalsIgnoreCase("-metadata")) {
+                if (line.hasOption('b')) {
+                    String filename = line.getOptionValue('b');
+                    if (StringUtils.isEmpty(filename)) {
+                        System.err.println("No file path provided for bitstream format registry");
+                        printHelp(options);
+                        System.exit(1);
+                    }
+                    RegistryLoader.loadBitstreamFormats(context, filename);
+                } else if (line.hasOption('m')) {
+                    String filename = line.getOptionValue('m');
+                    if (StringUtils.isEmpty(filename)) {
+                        System.err.println("No file path provided for metadata registry");
+                        printHelp(options);
+                        System.exit(1);
+                    }
                    // Call MetadataImporter, as it handles Metadata schema updates
-                MetadataImporter.loadRegistry(argv[1], true);
+                    MetadataImporter.loadRegistry(filename, true);
                } else {
-                System.err.println(usage);
+                    System.err.println("No registry type specified");
+                    printHelp(options);
+                    System.exit(1);
                }

                // Commit changes and close Context
                context.complete();
-
                System.exit(0);
-        } catch (ArrayIndexOutOfBoundsException ae) {
-            System.err.println(usage);
-
-            System.exit(1);
            } catch (Exception e) {
-            log.fatal(LogHelper.getHeader(context, "error_loading_registries",
-                                           ""), e);
-
+                log.fatal(LogHelper.getHeader(context, "error_loading_registries", ""), e);
                System.err.println("Error: \n - " + e.getMessage());
                System.exit(1);
            } finally {
@@ -106,6 +131,40 @@ public class RegistryLoader {
                    context.abort();
                }
            }
+        } catch (ParseException e) {
+            System.err.println("Error parsing command-line arguments: " + e.getMessage());
+            printHelp(options);
+            System.exit(1);
+        }
+    }
+
+    /**
+     * Create the command-line options
+     * @return the command-line options
+     */
+    private static Options createCommandLineOptions() {
+        Options options = new Options();
+
+        options.addOption("b", "bitstream", true, "load bitstream format registry from specified file");
+        options.addOption("m", "metadata", true, "load metadata registry from specified file");
+        options.addOption("h", "help", false, "print this help message");
+
+        return options;
+    }
+
+    /**
+     * Print the help message
+     * @param options the command-line options
+     */
+    private static void printHelp(Options options) {
+        HelpFormatter formatter = new HelpFormatter();
+        formatter.printHelp("RegistryLoader",
+                            "Load bitstream format or metadata registries into the database\n",
+                            options,
+                            "\nExamples:\n" +
+                            " RegistryLoader -b bitstream-formats.xml\n" +
+                            " RegistryLoader -m dc-types.xml",
+                            true);
    }

    /**
@@ -122,12 +181,13 @@ public class RegistryLoader {
     */
    public static void loadBitstreamFormats(Context context, String filename)
        throws SQLException, IOException, ParserConfigurationException,
-        SAXException, TransformerException, AuthorizeException {
+        SAXException, TransformerException, AuthorizeException, XPathExpressionException {
        Document document = loadXML(filename);

        // Get the nodes corresponding to formats
-        NodeList typeNodes = XPathAPI.selectNodeList(document,
-                                                     "dspace-bitstream-types/bitstream-type");
+        XPath xPath = XPathFactory.newInstance().newXPath();
+        NodeList typeNodes = (NodeList) xPath.compile("dspace-bitstream-types/bitstream-type")
+                                             .evaluate(document, XPathConstants.NODESET);

        // Add each one as a new format to the registry
        for (int i = 0; i < typeNodes.getLength(); i++) {
@@ -151,8 +211,7 @@ public class RegistryLoader {
     * @throws AuthorizeException   if authorization error
     */
    private static void loadFormat(Context context, Node node)
-        throws SQLException, IOException, TransformerException,
-        AuthorizeException {
+        throws SQLException, AuthorizeException, XPathExpressionException {
        // Get the values
        String mimeType = getElementData(node, "mimetype");
        String shortDesc = getElementData(node, "short_description");
@@ -207,8 +266,9 @@ public class RegistryLoader {
     */
    private static Document loadXML(String filename) throws IOException,
        ParserConfigurationException, SAXException {
-        DocumentBuilder builder = DocumentBuilderFactory.newInstance()
-                                                        .newDocumentBuilder();
+        // This XML builder will *not* disable external entities as XML
+        // registries are considered trusted content
+        DocumentBuilder builder = XMLUtils.getTrustedDocumentBuilder();

        return builder.parse(new File(filename));
    }
@@ -218,7 +278,7 @@ public class RegistryLoader {
     * contains:
     * <P>
     * <code>
-     * &lt;foo&gt;&lt;mimetype&gt;application/pdf&lt;/mimetype&gt;&lt;/foo&gt;
+     * <foo><mimetype>application/pdf</mimetype></foo>
     * </code>
     * passing this the <code>foo</code> node and <code>mimetype</code> will
     * return <code>application/pdf</code>.
@@ -231,9 +291,10 @@ public class RegistryLoader {
     * @throws TransformerException if transformer error
     */
    private static String getElementData(Node parentElement, String childName)
-        throws TransformerException {
+        throws XPathExpressionException {
        // Grab the child node
-        Node childNode = XPathAPI.selectSingleNode(parentElement, childName);
+        XPath xPath = XPathFactory.newInstance().newXPath();
+        Node childNode = (Node) xPath.compile(childName).evaluate(parentElement, XPathConstants.NODE);

        if (childNode == null) {
            // No child node, so no values
@@ -258,10 +319,10 @@ public class RegistryLoader {
     * document contains:
     * <P>
     * <code>
-     * &lt;foo&gt;
-     * &lt;bar&gt;val1&lt;/bar&gt;
-     * &lt;bar&gt;val2&lt;/bar&gt;
-     * &lt;/foo&gt;
+     * <foo>
+     * <bar>val1</bar>
+     * <bar>val2</bar>
+     * </foo>
     * </code>
     * passing this the <code>foo</code> node and <code>bar</code> will
     * return <code>val1</code> and <code>val2</code>.
@@ -274,9 +335,10 @@ public class RegistryLoader {
     * @throws TransformerException if transformer error
     */
    private static String[] getRepeatedElementData(Node parentElement,
-                                                   String childName) throws TransformerException {
+                                                   String childName) throws XPathExpressionException {
        // Grab the child node
-        NodeList childNodes = XPathAPI.selectNodeList(parentElement, childName);
+        XPath xPath = XPathFactory.newInstance().newXPath();
+        NodeList childNodes = (NodeList) xPath.compile(childName).evaluate(parentElement, XPathConstants.NODESET);

        String[] data = new String[childNodes.getLength()];

--- a/dspace-api/src/main/java/org/dspace/administer/StructBuilder.java
+++ b/dspace-api/src/main/java/org/dspace/administer/StructBuilder.java
@@ -27,9 +27,12 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.TransformerException;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;

 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
@@ -38,10 +41,12 @@ import org.apache.commons.cli.HelpFormatter;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
-import org.apache.xpath.XPathAPI;
+import org.apache.commons.lang3.StringUtils;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.Collection;
 import org.dspace.content.Community;
+import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
 import org.dspace.content.MetadataFieldName;
 import org.dspace.content.MetadataSchemaEnum;
@@ -49,12 +54,15 @@ import org.dspace.content.MetadataValue;
 import org.dspace.content.factory.ContentServiceFactory;
 import org.dspace.content.service.CollectionService;
 import org.dspace.content.service.CommunityService;
+import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.eperson.factory.EPersonServiceFactory;
 import org.dspace.eperson.service.EPersonService;
-import org.jdom.Element;
-import org.jdom.output.Format;
-import org.jdom.output.XMLOutputter;
+import org.dspace.handle.factory.HandleServiceFactory;
+import org.dspace.handle.service.HandleService;
+import org.jdom2.Element;
+import org.jdom2.output.Format;
+import org.jdom2.output.XMLOutputter;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -76,6 +84,7 @@ import org.xml.sax.SAXException;
 *   </community>
 * </import_structure>
 * }</pre>
+ *
 * <p>
 * It can be arbitrarily deep, and supports all the metadata elements
 * that make up the community and collection metadata.  See the system
@@ -104,12 +113,14 @@ public class StructBuilder {
     */
    private static final Map<String, MetadataFieldName> communityMap = new HashMap<>();

-    protected static CommunityService communityService
+    protected static final CommunityService communityService
            = ContentServiceFactory.getInstance().getCommunityService();
-    protected static CollectionService collectionService
+    protected static final CollectionService collectionService
            = ContentServiceFactory.getInstance().getCollectionService();
-    protected static EPersonService ePersonService
+    protected static final EPersonService ePersonService
            = EPersonServiceFactory.getInstance().getEPersonService();
+    protected static final HandleService handleService
+            = HandleServiceFactory.getInstance().getHandleService();

    /**
     * Default constructor
@@ -135,16 +146,18 @@ public class StructBuilder {
     * @throws SQLException passed through.
     * @throws FileNotFoundException if input or output could not be opened.
     * @throws TransformerException if the input document is invalid.
+     * @throws XPathExpressionException passed through.
     */
    public static void main(String[] argv)
        throws ParserConfigurationException, SQLException,
-            FileNotFoundException, IOException, TransformerException {
+        IOException, TransformerException, XPathExpressionException {
        // Define command line options.
        Options options = new Options();

        options.addOption("h", "help", false, "Print this help message.");
        options.addOption("?", "help");
        options.addOption("x", "export", false, "Export the current structure as XML.");
+        options.addOption("k", "keep-handles", false, "Apply Handles from input document.");

        options.addOption(Option.builder("e").longOpt("eperson")
                .desc("User who is manipulating the repository's structure.")
@@ -158,6 +171,10 @@ public class StructBuilder {
                .desc("File to receive the structure map ('-' for standard out).")
                .hasArg().argName("output").required().build());

+        options.addOption(Option.builder("p").longOpt("parent")
+                .desc("Parent community or handle (optional)")
+                .hasArg().argName("parent").required(false).build());
+
        // Parse the command line.
        CommandLineParser parser = new DefaultParser();
        CommandLine line = null;
@@ -191,6 +208,11 @@ public class StructBuilder {
            outputStream = new FileOutputStream(output);
        }

+        String parentID = null;
+        if (line.hasOption('p')) {
+            parentID = line.getOptionValue('p');
+        }
+
        // create a context
        Context context = new Context();

@@ -203,9 +225,34 @@ public class StructBuilder {
            System.exit(1);
        }

+        // Resolve optional "parent community" ID or handle to a community
+        Community parent = null;
+        if (parentID != null) {
+            DSpaceObject dso = handleService.resolveToObject(context, parentID);
+            if (dso != null) {
+                if (dso.getType() == Constants.COMMUNITY) {
+                    parent = (Community) dso;
+                } else {
+                    System.out.println("The handle provided for the -p option does not resolve to a community. " +
+                        parentID + " is an object of type: " + Constants.typeText[dso.getType()]);
+                    System.exit(0);
+                }
+            } else {
+                // Not a handle, see if it is an ID
+                Community community = communityService.findByIdOrLegacyId(context, parentID);
+                if (community != null) {
+                    parent = community;
+                } else {
+                    System.out.println("The value provided for -p is not a valid community ID or handle: " + parentID);
+                    System.exit(0);
+                }
+            }
+        }
+
        // Export? Import?
        if (line.hasOption('x')) { // export
            exportStructure(context, outputStream);
+            outputStream.close();
        } else { // Must be import
            String input = line.getOptionValue('f');
            if (null == input) {
@@ -220,7 +267,12 @@ public class StructBuilder {
                inputStream = new FileInputStream(input);
            }

-            importStructure(context, inputStream, outputStream);
+            boolean keepHandles = options.hasOption("k");
+            importStructure(context, inputStream, outputStream, parent, keepHandles);
+
+            inputStream.close();
+            outputStream.close();
+
            // save changes from import
            context.complete();
        }
@@ -233,14 +285,18 @@ public class StructBuilder {
     * @param context
     * @param input XML which describes the new communities and collections.
     * @param output input, annotated with the new objects' identifiers.
+     * @param parent Community beneath which to attach this structure
+     * @param keepHandles true if Handles should be set from input.
     * @throws IOException
     * @throws ParserConfigurationException
     * @throws SAXException
     * @throws TransformerException
     * @throws SQLException
     */
-    static void importStructure(Context context, InputStream input, OutputStream output)
-            throws IOException, ParserConfigurationException, SQLException, TransformerException {
+    static void importStructure(Context context, InputStream input,
+            OutputStream output, Community parent, boolean keepHandles)
+            throws IOException, ParserConfigurationException, SQLException,
+            TransformerException, XPathExpressionException {

        // load the XML
        Document document = null;
@@ -258,15 +314,29 @@ public class StructBuilder {
        // is properly structured.
        try {
            validate(document);
-        } catch (TransformerException ex) {
+        } catch (XPathExpressionException ex) {
            System.err.format("The input document is invalid:  %s%n", ex.getMessage());
            System.exit(1);
        }

        // Check for 'identifier' attributes -- possibly output by this class.
-        NodeList identifierNodes = XPathAPI.selectNodeList(document, "//*[@identifier]");
+        XPath xPath = XPathFactory.newInstance().newXPath();
+        NodeList identifierNodes = (NodeList) xPath.compile("//*[@identifier]")
+                                                   .evaluate(document, XPathConstants.NODESET);
        if (identifierNodes.getLength() > 0) {
+            if (!keepHandles) {
                System.err.println("The input document has 'identifier' attributes, which will be ignored.");
+            } else {
+                for (int i = 0; i < identifierNodes.getLength() ; i++) {
+                    String identifier = identifierNodes.item(i).getAttributes().item(0).getTextContent();
+                    if (handleService.resolveToURL(context, identifier) != null) {
+                        System.err.printf("The input document contains handle %s,"
+                                + " which is in use already. Aborting...%n",
+                                identifier);
+                        System.exit(1);
+                    }
+                }
+            }
        }

        // load the mappings into the member variable hashmaps
@@ -287,10 +357,11 @@ public class StructBuilder {
        Element[] elements = new Element[]{};
        try {
            // get the top level community list
-            NodeList first = XPathAPI.selectNodeList(document, "/import_structure/community");
+            NodeList first = (NodeList) xPath.compile("/import_structure/community")
+                                             .evaluate(document, XPathConstants.NODESET);

            // run the import starting with the top level communities
-            elements = handleCommunities(context, first, null);
+            elements = handleCommunities(context, first, parent, keepHandles);
        } catch (TransformerException ex) {
            System.err.format("Input content not understood:  %s%n", ex.getMessage());
            System.exit(1);
@@ -307,7 +378,7 @@ public class StructBuilder {
        }

        // finally write the string into the output file.
-        final org.jdom.Document xmlOutput = new org.jdom.Document(root);
+        final org.jdom2.Document xmlOutput = new org.jdom2.Document(root);
        try {
            new XMLOutputter().output(xmlOutput, output);
        } catch (IOException e) {
@@ -411,7 +482,7 @@ public class StructBuilder {
        }

        // Now write the structure out.
-        org.jdom.Document xmlOutput = new org.jdom.Document(rootElement);
+        org.jdom2.Document xmlOutput = new org.jdom2.Document(rootElement);
        try {
            XMLOutputter outputter = new XMLOutputter(Format.getPrettyFormat());
            outputter.output(xmlOutput, output);
@@ -456,14 +527,16 @@ public class StructBuilder {
     * @throws TransformerException if transformer error
     */
    private static void validate(org.w3c.dom.Document document)
-        throws TransformerException {
+        throws XPathExpressionException {
        StringBuilder err = new StringBuilder();
        boolean trip = false;

        err.append("The following errors were encountered parsing the source XML.\n");
        err.append("No changes have been made to the DSpace instance.\n\n");

-        NodeList first = XPathAPI.selectNodeList(document, "/import_structure/community");
+        XPath xPath = XPathFactory.newInstance().newXPath();
+        NodeList first = (NodeList) xPath.compile("/import_structure/community")
+                                         .evaluate(document, XPathConstants.NODESET);
        if (first.getLength() == 0) {
            err.append("-There are no top level communities in the source document.");
            System.out.println(err.toString());
@@ -493,14 +566,15 @@ public class StructBuilder {
     * no errors.
     */
    private static String validateCommunities(NodeList communities, int level)
-        throws TransformerException {
+        throws XPathExpressionException {
        StringBuilder err = new StringBuilder();
        boolean trip = false;
        String errs = null;
+        XPath xPath = XPathFactory.newInstance().newXPath();

        for (int i = 0; i < communities.getLength(); i++) {
            Node n = communities.item(i);
-            NodeList name = XPathAPI.selectNodeList(n, "name");
+            NodeList name = (NodeList) xPath.compile("name").evaluate(n, XPathConstants.NODESET);
            if (name.getLength() != 1) {
                String pos = Integer.toString(i + 1);
                err.append("-The level ").append(level)
@@ -510,7 +584,7 @@ public class StructBuilder {
            }

            // validate sub communities
-            NodeList subCommunities = XPathAPI.selectNodeList(n, "community");
+            NodeList subCommunities = (NodeList) xPath.compile("community").evaluate(n, XPathConstants.NODESET);
            String comErrs = validateCommunities(subCommunities, level + 1);
            if (comErrs != null) {
                err.append(comErrs);
@@ -518,7 +592,7 @@ public class StructBuilder {
            }

            // validate collections
-            NodeList collections = XPathAPI.selectNodeList(n, "collection");
+            NodeList collections = (NodeList) xPath.compile("collection").evaluate(n, XPathConstants.NODESET);
            String colErrs = validateCollections(collections, level + 1);
            if (colErrs != null) {
                err.append(colErrs);
@@ -542,14 +616,15 @@ public class StructBuilder {
     * @return the errors to be generated by the calling method, or null if none
     */
    private static String validateCollections(NodeList collections, int level)
-        throws TransformerException {
+        throws XPathExpressionException {
        StringBuilder err = new StringBuilder();
        boolean trip = false;
        String errs = null;
+        XPath xPath = XPathFactory.newInstance().newXPath();

        for (int i = 0; i < collections.getLength(); i++) {
            Node n = collections.item(i);
-            NodeList name = XPathAPI.selectNodeList(n, "name");
+            NodeList name = (NodeList) xPath.compile("name").evaluate(n, XPathConstants.NODESET);
            if (name.getLength() != 1) {
                String pos = Integer.toString(i + 1);
                err.append("-The level ").append(level)
@@ -574,8 +649,8 @@ public class StructBuilder {
     */
    private static org.w3c.dom.Document loadXML(InputStream input)
        throws IOException, ParserConfigurationException, SAXException {
-        DocumentBuilder builder = DocumentBuilderFactory.newInstance()
-                                                        .newDocumentBuilder();
+        // This builder factory does not disable external DTD, entities, etc.
+        DocumentBuilder builder = XMLUtils.getTrustedDocumentBuilder();

        org.w3c.dom.Document document = builder.parse(input);

@@ -609,22 +684,29 @@ public class StructBuilder {
     * @param context     the context of the request
     * @param communities a nodelist of communities to create along with their sub-structures
     * @param parent      the parent community of the nodelist of communities to create
+     * @param keepHandles use Handles from input.
     * @return an element array containing additional information regarding the
     * created communities (e.g. the handles they have been assigned)
     */
-    private static Element[] handleCommunities(Context context, NodeList communities, Community parent)
-        throws TransformerException, SQLException, AuthorizeException {
+    private static Element[] handleCommunities(Context context, NodeList communities,
+            Community parent, boolean keepHandles)
+        throws TransformerException, SQLException, AuthorizeException,
+            XPathExpressionException {
        Element[] elements = new Element[communities.getLength()];
+        XPath xPath = XPathFactory.newInstance().newXPath();

        for (int i = 0; i < communities.getLength(); i++) {
-            Community community;
-            Element element = new Element("community");
+            Node tn = communities.item(i);
+            Node identifier = tn.getAttributes().getNamedItem("identifier");

            // create the community or sub community
-            if (parent != null) {
+            Community community;
+            if (null == identifier
+                    || StringUtils.isBlank(identifier.getNodeValue())
+                    || !keepHandles) {
                community = communityService.create(parent, context);
            } else {
-                community = communityService.create(null, context);
+                community = communityService.create(parent, context, identifier.getNodeValue());
            }

            // default the short description to be an empty string
@@ -632,9 +714,8 @@ public class StructBuilder {
                    MD_SHORT_DESCRIPTION, null, " ");

            // now update the metadata
-            Node tn = communities.item(i);
            for (Map.Entry<String, MetadataFieldName> entry : communityMap.entrySet()) {
-                NodeList nl = XPathAPI.selectNodeList(tn, entry.getKey());
+                NodeList nl = (NodeList) xPath.compile(entry.getKey()).evaluate(tn, XPathConstants.NODESET);
                if (nl.getLength() == 1) {
                    communityService.setMetadataSingleValue(context, community,
                            entry.getValue(), null, getStringValue(nl.item(0)));
@@ -658,6 +739,7 @@ public class StructBuilder {
            // but it's here to keep it separate from the create process in
            // case
            // we want to move it or make it switchable later
+            Element element = new Element("community");
            element.setAttribute("identifier", community.getHandle());

            Element nameElement = new Element("name");
@@ -700,12 +782,16 @@ public class StructBuilder {
            }

            // handle sub communities
-            NodeList subCommunities = XPathAPI.selectNodeList(tn, "community");
-            Element[] subCommunityElements = handleCommunities(context, subCommunities, community);
+            NodeList subCommunities = (NodeList) xPath.compile("community")
+                    .evaluate(tn, XPathConstants.NODESET);
+            Element[] subCommunityElements = handleCommunities(context,
+                    subCommunities, community, keepHandles);

            // handle collections
-            NodeList collections = XPathAPI.selectNodeList(tn, "collection");
-            Element[] collectionElements = handleCollections(context, collections, community);
+            NodeList collections = (NodeList) xPath.compile("collection")
+                    .evaluate(tn, XPathConstants.NODESET);
+            Element[] collectionElements = handleCollections(context,
+                    collections, community, keepHandles);

            int j;
            for (j = 0; j < subCommunityElements.length; j++) {
@@ -730,22 +816,33 @@ public class StructBuilder {
     * @return an Element array containing additional information about the
     * created collections (e.g. the handle)
     */
-    private static Element[] handleCollections(Context context, NodeList collections, Community parent)
-        throws TransformerException, SQLException, AuthorizeException {
+    private static Element[] handleCollections(Context context,
+            NodeList collections, Community parent, boolean keepHandles)
+        throws SQLException, AuthorizeException, XPathExpressionException {
        Element[] elements = new Element[collections.getLength()];
+        XPath xPath = XPathFactory.newInstance().newXPath();

        for (int i = 0; i < collections.getLength(); i++) {
-            Element element = new Element("collection");
-            Collection collection = collectionService.create(context, parent);
+            Node tn = collections.item(i);
+            Node identifier = tn.getAttributes().getNamedItem("identifier");
+
+            // Create the Collection.
+            Collection collection;
+            if (null == identifier
+                    || StringUtils.isBlank(identifier.getNodeValue())
+                    || !keepHandles) {
+                collection = collectionService.create(context, parent);
+            } else {
+                collection = collectionService.create(context, parent, identifier.getNodeValue());
+            }

            // default the short description to the empty string
            collectionService.setMetadataSingleValue(context, collection,
-                    MD_SHORT_DESCRIPTION, Item.ANY, " ");
+                    MD_SHORT_DESCRIPTION, null, " ");

            // import the rest of the metadata
-            Node tn = collections.item(i);
            for (Map.Entry<String, MetadataFieldName> entry : collectionMap.entrySet()) {
-                NodeList nl = XPathAPI.selectNodeList(tn, entry.getKey());
+                NodeList nl = (NodeList) xPath.compile(entry.getKey()).evaluate(tn, XPathConstants.NODESET);
                if (nl.getLength() == 1) {
                    collectionService.setMetadataSingleValue(context, collection,
                            entry.getValue(), null, getStringValue(nl.item(0)));
@@ -754,6 +851,7 @@ public class StructBuilder {

            collectionService.update(context, collection);

+            Element element = new Element("collection");
            element.setAttribute("identifier", collection.getHandle());

            Element nameElement = new Element("name");
--- a/dspace-api/src/main/java/org/dspace/alerts/AllowSessionsEnum.java
+++ b/dspace-api/src/main/java/org/dspace/alerts/AllowSessionsEnum.java
@@ -0,0 +1,54 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.alerts;
+
+/**
+ * Enum representing the options for allowing sessions:
+ *  ALLOW_ALL_SESSIONS -    Will allow all users to log in and continue their sessions
+ *  ALLOW_CURRENT_SESSIONS_ONLY -   Will prevent non admin users from logging in, however logged-in users
+ *                                  will remain logged in
+ *  ALLOW_ADMIN_SESSIONS_ONLY - Only admin users can log in, non admin sessions will be interrupted
+ *
+ *  NOTE: This functionality can be stored in the database, but no support is present right now to interrupt and prevent
+ *  sessions.
+ */
+public enum AllowSessionsEnum {
+    ALLOW_ALL_SESSIONS("all"),
+    ALLOW_CURRENT_SESSIONS_ONLY("current"),
+    ALLOW_ADMIN_SESSIONS_ONLY("admin");
+
+    private String allowSessionsType;
+
+    AllowSessionsEnum(String allowSessionsType) {
+        this.allowSessionsType = allowSessionsType;
+    }
+
+    public String getValue() {
+        return allowSessionsType;
+    }
+
+    public static AllowSessionsEnum fromString(String alertAllowSessionType) {
+        if (alertAllowSessionType == null) {
+            return AllowSessionsEnum.ALLOW_ALL_SESSIONS;
+        }
+
+        switch (alertAllowSessionType) {
+            case "all":
+                return AllowSessionsEnum.ALLOW_ALL_SESSIONS;
+            case "current":
+                return AllowSessionsEnum.ALLOW_CURRENT_SESSIONS_ONLY;
+            case "admin" :
+                return AllowSessionsEnum.ALLOW_ADMIN_SESSIONS_ONLY;
+            default:
+                throw new IllegalArgumentException("No corresponding enum value for provided string: "
+                                                           + alertAllowSessionType);
+        }
+    }
+
+
+}
--- a/dspace-api/src/main/java/org/dspace/alerts/SystemWideAlert.java
+++ b/dspace-api/src/main/java/org/dspace/alerts/SystemWideAlert.java
@@ -0,0 +1,176 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.alerts;
+
+import java.time.ZonedDateTime;
+
+import jakarta.persistence.Cacheable;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.SequenceGenerator;
+import jakarta.persistence.Table;
+import org.apache.commons.lang3.builder.EqualsBuilder;
+import org.apache.commons.lang3.builder.HashCodeBuilder;
+import org.dspace.core.ReloadableEntity;
+import org.hibernate.annotations.CacheConcurrencyStrategy;
+
+/**
+ * Database object representing system-wide alerts
+ */
+@Entity
+@Cacheable
+@org.hibernate.annotations.Cache(usage = CacheConcurrencyStrategy.NONSTRICT_READ_WRITE, include = "non-lazy")
+@Table(name = "systemwidealert")
+public class SystemWideAlert implements ReloadableEntity<Integer> {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.SEQUENCE, generator = "alert_id_seq")
+    @SequenceGenerator(name = "alert_id_seq", sequenceName = "alert_id_seq", allocationSize = 1)
+    @Column(name = "alert_id", unique = true, nullable = false)
+    private Integer alertId;
+
+    @Column(name = "message", nullable = false)
+    private String message;
+
+    @Column(name = "allow_sessions")
+    private String allowSessions;
+
+    @Column(name = "countdown_to")
+    private ZonedDateTime countdownTo;
+
+    @Column(name = "active")
+    private boolean active;
+
+    protected SystemWideAlert() {
+    }
+
+    /**
+     * This method returns the ID that the system-wide alert holds within the database
+     *
+     * @return The ID that the system-wide alert holds within the database
+     */
+    @Override
+    public Integer getID() {
+        return alertId;
+    }
+
+    /**
+     * Set the ID for the system-wide alert
+     *
+     * @param alertID The ID to set
+     */
+    public void setID(final Integer alertID) {
+        this.alertId = alertID;
+    }
+
+    /**
+     * Retrieve the message of the system-wide alert
+     *
+     * @return the message of the system-wide alert
+     */
+    public String getMessage() {
+        return message;
+    }
+
+    /**
+     * Set the message of the system-wide alert
+     *
+     * @param message The message to set
+     */
+    public void setMessage(final String message) {
+        this.message = message;
+    }
+
+    /**
+     * Retrieve what kind of sessions are allowed while the system-wide alert is active
+     *
+     * @return what kind of sessions are allowed while the system-wide alert is active
+     */
+    public AllowSessionsEnum getAllowSessions() {
+        return AllowSessionsEnum.fromString(allowSessions);
+    }
+
+    /**
+     * Set what kind of sessions are allowed while the system-wide alert is active
+     *
+     * @param allowSessions Integer representing what kind of sessions are allowed
+     */
+    public void setAllowSessions(AllowSessionsEnum allowSessions) {
+        this.allowSessions = allowSessions.getValue();
+    }
+
+    /**
+     * Retrieve the date to which will be count down when the system-wide alert is active
+     *
+     * @return the date to which will be count down when the system-wide alert is active
+     */
+    public ZonedDateTime getCountdownTo() {
+        return countdownTo;
+    }
+
+    /**
+     * Set the date to which will be count down when the system-wide alert is active
+     *
+     * @param countdownTo The date to which will be count down
+     */
+    public void setCountdownTo(final ZonedDateTime countdownTo) {
+        this.countdownTo = countdownTo;
+    }
+
+    /**
+     * Retrieve whether the system-wide alert is active
+     *
+     * @return whether the system-wide alert is active
+     */
+    public boolean isActive() {
+        return active;
+    }
+
+    /**
+     * Set whether the system-wide alert is active
+     *
+     * @param active    Whether the system-wide alert is active
+     */
+    public void setActive(final boolean active) {
+        this.active = active;
+    }
+
+    /**
+     * Return <code>true</code> if <code>other</code> is the same SystemWideAlert
+     * as this object, <code>false</code> otherwise
+     *
+     * @param other object to compare to
+     * @return <code>true</code> if object passed in represents the same
+     * system-wide alert as this object
+     */
+    @Override
+    public boolean equals(Object other) {
+        return (other instanceof SystemWideAlert &&
+                new EqualsBuilder().append(this.getID(), ((SystemWideAlert) other).getID())
+                                   .append(this.getMessage(), ((SystemWideAlert) other).getMessage())
+                                   .append(this.getAllowSessions(), ((SystemWideAlert) other).getAllowSessions())
+                                   .append(this.getCountdownTo(), ((SystemWideAlert) other).getCountdownTo())
+                                   .append(this.isActive(), ((SystemWideAlert) other).isActive())
+                                   .isEquals());
+    }
+
+    @Override
+    public int hashCode() {
+        return new HashCodeBuilder(17, 37)
+                .append(this.getID())
+                .append(this.getMessage())
+                .append(this.getAllowSessions())
+                .append(this.getCountdownTo())
+                .append(this.isActive())
+                .toHashCode();
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/alerts/SystemWideAlertServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/alerts/SystemWideAlertServiceImpl.java
@@ -0,0 +1,129 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.alerts;
+
+import java.io.IOException;
+import java.sql.SQLException;
+import java.time.ZonedDateTime;
+import java.util.List;
+
+import org.apache.logging.log4j.Logger;
+import org.dspace.alerts.dao.SystemWideAlertDAO;
+import org.dspace.alerts.service.SystemWideAlertService;
+import org.dspace.authorize.AuthorizeException;
+import org.dspace.authorize.service.AuthorizeService;
+import org.dspace.core.Context;
+import org.dspace.core.LogHelper;
+import org.dspace.eperson.EPerson;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * The implementation for the {@link SystemWideAlertService} class
+ */
+public class SystemWideAlertServiceImpl implements SystemWideAlertService {
+
+    private static final Logger log = org.apache.logging.log4j.LogManager.getLogger(SystemWideAlertService.class);
+
+
+    @Autowired
+    private SystemWideAlertDAO systemWideAlertDAO;
+
+    @Autowired
+    private AuthorizeService authorizeService;
+
+    @Override
+    public SystemWideAlert create(final Context context, final String message,
+                                  final AllowSessionsEnum allowSessionsType,
+                                  final ZonedDateTime countdownTo, final boolean active) throws SQLException,
+            AuthorizeException {
+        if (!authorizeService.isAdmin(context)) {
+            throw new AuthorizeException(
+                    "Only administrators can create a system-wide alert");
+        }
+        SystemWideAlert systemWideAlert = new SystemWideAlert();
+        systemWideAlert.setMessage(message);
+        systemWideAlert.setAllowSessions(allowSessionsType);
+        systemWideAlert.setCountdownTo(countdownTo);
+        systemWideAlert.setActive(active);
+
+        SystemWideAlert createdAlert = systemWideAlertDAO.create(context, systemWideAlert);
+        log.info(LogHelper.getHeader(context, "system_wide_alert_create",
+                                     "System Wide Alert has been created with message: '" + message + "' and ID "
+                                             + createdAlert.getID() + " and allowSessionsType " + allowSessionsType +
+                                             " and active set to " + active));
+
+
+        return createdAlert;
+    }
+
+    @Override
+    public SystemWideAlert find(final Context context, final int alertId) throws SQLException {
+        return systemWideAlertDAO.findByID(context, SystemWideAlert.class, alertId);
+    }
+
+    @Override
+    public List<SystemWideAlert> findAll(final Context context) throws SQLException {
+        return systemWideAlertDAO.findAll(context, SystemWideAlert.class);
+    }
+
+    @Override
+    public List<SystemWideAlert> findAll(final Context context, final int limit, final int offset) throws SQLException {
+        return systemWideAlertDAO.findAll(context, limit, offset);
+    }
+
+    @Override
+    public List<SystemWideAlert> findAllActive(final Context context, final int limit, final int offset)
+            throws SQLException {
+        return systemWideAlertDAO.findAllActive(context, limit, offset);
+    }
+
+    @Override
+    public void delete(final Context context, final SystemWideAlert systemWideAlert)
+            throws SQLException, IOException, AuthorizeException {
+        if (!authorizeService.isAdmin(context)) {
+            throw new AuthorizeException(
+                    "Only administrators can create a system-wide alert");
+        }
+        systemWideAlertDAO.delete(context, systemWideAlert);
+        log.info(LogHelper.getHeader(context, "system_wide_alert_create",
+                                     "System Wide Alert with ID " + systemWideAlert.getID() + " has been deleted"));
+
+    }
+
+    @Override
+    public void update(final Context context, final SystemWideAlert systemWideAlert)
+            throws SQLException, AuthorizeException {
+        if (!authorizeService.isAdmin(context)) {
+            throw new AuthorizeException(
+                    "Only administrators can create a system-wide alert");
+        }
+        systemWideAlertDAO.save(context, systemWideAlert);
+
+    }
+
+    @Override
+    public boolean canNonAdminUserLogin(Context context) throws SQLException {
+        List<SystemWideAlert> active = findAllActive(context, 1, 0);
+        if (active == null || active.isEmpty()) {
+            return true;
+        }
+        return active.get(0).getAllowSessions() == AllowSessionsEnum.ALLOW_ALL_SESSIONS;
+    }
+
+    @Override
+    public boolean canUserMaintainSession(Context context, EPerson ePerson) throws SQLException {
+        if (authorizeService.isAdmin(context, ePerson)) {
+            return true;
+        }
+        List<SystemWideAlert> active = findAllActive(context, 1, 0);
+        if (active == null || active.isEmpty()) {
+            return true;
+        }
+        return active.get(0).getAllowSessions() != AllowSessionsEnum.ALLOW_ADMIN_SESSIONS_ONLY;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/alerts/dao/SystemWideAlertDAO.java
+++ b/dspace-api/src/main/java/org/dspace/alerts/dao/SystemWideAlertDAO.java
@@ -0,0 +1,45 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.alerts.dao;
+
+import java.sql.SQLException;
+import java.util.List;
+
+import org.dspace.alerts.SystemWideAlert;
+import org.dspace.core.Context;
+import org.dspace.core.GenericDAO;
+
+/**
+ * This is the Data Access Object for the {@link SystemWideAlert} object
+ */
+public interface SystemWideAlertDAO extends GenericDAO<SystemWideAlert> {
+
+    /**
+     * Returns a list of all SystemWideAlert objects in the database
+     *
+     * @param context The relevant DSpace context
+     * @param limit   The limit for the amount of SystemWideAlerts returned
+     * @param offset  The offset for the Processes to be returned
+     * @return The list of all SystemWideAlert objects in the Database
+     * @throws SQLException If something goes wrong
+     */
+    List<SystemWideAlert> findAll(Context context, int limit, int offset) throws SQLException;
+
+    /**
+     * Returns a list of all active SystemWideAlert objects in the database
+     *
+     * @param context The relevant DSpace context
+     * @param limit   The limit for the amount of SystemWideAlerts returned
+     * @param offset  The offset for the Processes to be returned
+     * @return The list of all SystemWideAlert objects in the Database
+     * @throws SQLException If something goes wrong
+     */
+    List<SystemWideAlert> findAllActive(Context context, int limit, int offset) throws SQLException;
+
+
+}
--- a/dspace-api/src/main/java/org/dspace/alerts/dao/impl/SystemWideAlertDAOImpl.java
+++ b/dspace-api/src/main/java/org/dspace/alerts/dao/impl/SystemWideAlertDAOImpl.java
@@ -0,0 +1,48 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.alerts.dao.impl;
+
+import java.sql.SQLException;
+import java.util.List;
+
+import jakarta.persistence.criteria.CriteriaBuilder;
+import jakarta.persistence.criteria.CriteriaQuery;
+import jakarta.persistence.criteria.Root;
+import org.dspace.alerts.SystemWideAlert;
+import org.dspace.alerts.SystemWideAlert_;
+import org.dspace.alerts.dao.SystemWideAlertDAO;
+import org.dspace.core.AbstractHibernateDAO;
+import org.dspace.core.Context;
+
+/**
+ * Implementation class for the {@link SystemWideAlertDAO}
+ */
+public class SystemWideAlertDAOImpl extends AbstractHibernateDAO<SystemWideAlert> implements SystemWideAlertDAO {
+
+    public List<SystemWideAlert> findAll(final Context context, final int limit, final int offset) throws SQLException {
+        CriteriaBuilder criteriaBuilder = getCriteriaBuilder(context);
+        CriteriaQuery criteriaQuery = getCriteriaQuery(criteriaBuilder, SystemWideAlert.class);
+        Root<SystemWideAlert> alertRoot = criteriaQuery.from(SystemWideAlert.class);
+        criteriaQuery.select(alertRoot);
+
+        return list(context, criteriaQuery, false, SystemWideAlert.class, limit, offset);
+    }
+
+    public List<SystemWideAlert> findAllActive(final Context context, final int limit, final int offset)
+            throws SQLException {
+        CriteriaBuilder criteriaBuilder = getCriteriaBuilder(context);
+        CriteriaQuery criteriaQuery = getCriteriaQuery(criteriaBuilder, SystemWideAlert.class);
+        Root<SystemWideAlert> alertRoot = criteriaQuery.from(SystemWideAlert.class);
+        criteriaQuery.select(alertRoot);
+        criteriaQuery.where(criteriaBuilder.equal(alertRoot.get(SystemWideAlert_.active), true));
+
+        return list(context, criteriaQuery, false, SystemWideAlert.class, limit, offset);
+    }
+
+
+}
--- a/dspace-api/src/main/java/org/dspace/alerts/service/SystemWideAlertService.java
+++ b/dspace-api/src/main/java/org/dspace/alerts/service/SystemWideAlertService.java
@@ -0,0 +1,118 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.alerts.service;
+
+import java.io.IOException;
+import java.sql.SQLException;
+import java.time.ZonedDateTime;
+import java.util.List;
+
+import org.dspace.alerts.AllowSessionsEnum;
+import org.dspace.alerts.SystemWideAlert;
+import org.dspace.authorize.AuthorizeException;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+
+/**
+ * An interface for the SystemWideAlertService with methods regarding the SystemWideAlert workload
+ */
+public interface SystemWideAlertService {
+
+    /**
+     * This method will create a SystemWideAlert object in the database
+     *
+     * @param context           The relevant DSpace context
+     * @param message           The message of the system-wide alert
+     * @param allowSessionsType Which sessions need to be allowed for the system-wide alert
+     * @param countdownTo       The date to which to count down to when the system-wide alert is active
+     * @param active            Whether the system-wide alert os active
+     * @return The created SystemWideAlert object
+     * @throws SQLException If something goes wrong
+     */
+    SystemWideAlert create(Context context, String message, AllowSessionsEnum allowSessionsType,
+                           ZonedDateTime countdownTo, boolean active
+    ) throws SQLException, AuthorizeException;
+
+    /**
+     * This method will retrieve a SystemWideAlert object from the Database with the given ID
+     *
+     * @param context The relevant DSpace context
+     * @param alertId The alert id on which we'll search for in the database
+     * @return The system-wide alert that holds the given alert id
+     * @throws SQLException If something goes wrong
+     */
+    SystemWideAlert find(Context context, int alertId) throws SQLException;
+
+    /**
+     * Returns a list of all SystemWideAlert objects in the database
+     *
+     * @param context The relevant DSpace context
+     * @return The list of all SystemWideAlert objects in the Database
+     * @throws SQLException If something goes wrong
+     */
+    List<SystemWideAlert> findAll(Context context) throws SQLException;
+
+    /**
+     * Returns a list of all SystemWideAlert objects in the database
+     *
+     * @param context The relevant DSpace context
+     * @param limit   The limit for the amount of system-wide alerts returned
+     * @param offset  The offset for the system-wide alerts to be returned
+     * @return The list of all SystemWideAlert objects in the Database
+     * @throws SQLException If something goes wrong
+     */
+    List<SystemWideAlert> findAll(Context context, int limit, int offset) throws SQLException;
+
+
+    /**
+     * Returns a list of all active SystemWideAlert objects in the database
+     *
+     * @param context The relevant DSpace context
+     * @return The list of all active SystemWideAlert objects in the database
+     * @throws SQLException If something goes wrong
+     */
+    List<SystemWideAlert> findAllActive(Context context, int limit, int offset) throws SQLException;
+
+    /**
+     * This method will delete the given SystemWideAlert object from the database
+     *
+     * @param context         The relevant DSpace context
+     * @param systemWideAlert The SystemWideAlert object to be deleted
+     * @throws SQLException If something goes wrong
+     */
+    void delete(Context context, SystemWideAlert systemWideAlert)
+            throws SQLException, IOException, AuthorizeException;
+
+
+    /**
+     * This method will be used to update the given SystemWideAlert object in the database
+     *
+     * @param context         The relevant DSpace context
+     * @param systemWideAlert The SystemWideAlert object to be updated
+     * @throws SQLException If something goes wrong
+     */
+    void update(Context context, SystemWideAlert systemWideAlert) throws SQLException, AuthorizeException;
+
+
+    /**
+     * Verifies if the user connected to the current context can retain its session
+     *
+     * @param context The relevant DSpace context
+     * @return if the user connected to the current context can retain its session
+     */
+    boolean canUserMaintainSession(Context context, EPerson ePerson) throws SQLException;
+
+
+    /**
+     * Verifies if a non admin user can log in
+     *
+     * @param context The relevant DSpace context
+     * @return if a non admin user can log in
+     */
+    boolean canNonAdminUserLogin(Context context) throws SQLException;
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControl.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControl.java
@@ -0,0 +1,689 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol;
+
+import static org.apache.commons.collections4.CollectionUtils.isEmpty;
+import static org.apache.commons.collections4.CollectionUtils.isNotEmpty;
+import static org.dspace.authorize.ResourcePolicy.TYPE_CUSTOM;
+import static org.dspace.authorize.ResourcePolicy.TYPE_INHERITED;
+import static org.dspace.core.Constants.CONTENT_BUNDLE_NAME;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.sql.SQLException;
+import java.time.LocalDate;
+import java.time.ZoneOffset;
+import java.time.format.DateTimeFormatter;
+import java.util.Arrays;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.TimeZone;
+import java.util.UUID;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.lang3.StringUtils;
+import org.dspace.app.bulkaccesscontrol.exception.BulkAccessControlException;
+import org.dspace.app.bulkaccesscontrol.model.AccessCondition;
+import org.dspace.app.bulkaccesscontrol.model.AccessConditionBitstream;
+import org.dspace.app.bulkaccesscontrol.model.AccessConditionItem;
+import org.dspace.app.bulkaccesscontrol.model.BulkAccessConditionConfiguration;
+import org.dspace.app.bulkaccesscontrol.model.BulkAccessControlInput;
+import org.dspace.app.bulkaccesscontrol.service.BulkAccessConditionConfigurationService;
+import org.dspace.app.mediafilter.factory.MediaFilterServiceFactory;
+import org.dspace.app.mediafilter.service.MediaFilterService;
+import org.dspace.app.util.DSpaceObjectUtilsImpl;
+import org.dspace.app.util.service.DSpaceObjectUtils;
+import org.dspace.authorize.AuthorizeException;
+import org.dspace.authorize.factory.AuthorizeServiceFactory;
+import org.dspace.authorize.service.ResourcePolicyService;
+import org.dspace.content.Bitstream;
+import org.dspace.content.Collection;
+import org.dspace.content.DSpaceObject;
+import org.dspace.content.Item;
+import org.dspace.content.factory.ContentServiceFactory;
+import org.dspace.content.service.ItemService;
+import org.dspace.core.Constants;
+import org.dspace.core.Context;
+import org.dspace.discovery.DiscoverQuery;
+import org.dspace.discovery.SearchService;
+import org.dspace.discovery.SearchServiceException;
+import org.dspace.discovery.SearchUtils;
+import org.dspace.discovery.indexobject.IndexableItem;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.factory.EPersonServiceFactory;
+import org.dspace.eperson.service.EPersonService;
+import org.dspace.scripts.DSpaceRunnable;
+import org.dspace.services.ConfigurationService;
+import org.dspace.services.factory.DSpaceServicesFactory;
+import org.dspace.submit.model.AccessConditionOption;
+import org.dspace.utils.DSpace;
+
+/**
+ * Implementation of {@link DSpaceRunnable} to perform a bulk access control via json file.
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ *
+ */
+public class BulkAccessControl extends DSpaceRunnable<BulkAccessControlScriptConfiguration<BulkAccessControl>> {
+
+    private DSpaceObjectUtils dSpaceObjectUtils;
+
+    private SearchService searchService;
+
+    private ItemService itemService;
+
+    private String filename;
+
+    private List<String> uuids;
+
+    private Context context;
+
+    private BulkAccessConditionConfigurationService bulkAccessConditionConfigurationService;
+
+    private ResourcePolicyService resourcePolicyService;
+
+    protected EPersonService epersonService;
+
+    private ConfigurationService configurationService;
+
+    private MediaFilterService mediaFilterService;
+
+    private Map<String, AccessConditionOption> itemAccessConditions;
+
+    private Map<String, AccessConditionOption> uploadAccessConditions;
+
+    private final String ADD_MODE = "add";
+
+    private final String REPLACE_MODE = "replace";
+
+    private boolean help = false;
+
+    protected String eperson = null;
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public void setup() throws ParseException {
+
+        this.searchService = SearchUtils.getSearchService();
+        this.itemService = ContentServiceFactory.getInstance().getItemService();
+        this.resourcePolicyService = AuthorizeServiceFactory.getInstance().getResourcePolicyService();
+        this.epersonService = EPersonServiceFactory.getInstance().getEPersonService();
+        this.configurationService = DSpaceServicesFactory.getInstance().getConfigurationService();
+        mediaFilterService = MediaFilterServiceFactory.getInstance().getMediaFilterService();
+        mediaFilterService.setLogHandler(handler);
+        this.bulkAccessConditionConfigurationService = new DSpace().getServiceManager().getServiceByName(
+            "bulkAccessConditionConfigurationService", BulkAccessConditionConfigurationService.class);
+        this.dSpaceObjectUtils = new DSpace().getServiceManager().getServiceByName(
+            DSpaceObjectUtilsImpl.class.getName(), DSpaceObjectUtilsImpl.class);
+
+        BulkAccessConditionConfiguration bulkAccessConditionConfiguration =
+            bulkAccessConditionConfigurationService.getBulkAccessConditionConfiguration("default");
+
+        itemAccessConditions = bulkAccessConditionConfiguration
+            .getItemAccessConditionOptions()
+            .stream()
+            .collect(Collectors.toMap(AccessConditionOption::getName, Function.identity()));
+
+        uploadAccessConditions = bulkAccessConditionConfiguration
+            .getBitstreamAccessConditionOptions()
+            .stream()
+            .collect(Collectors.toMap(AccessConditionOption::getName, Function.identity()));
+
+        help = commandLine.hasOption('h');
+        filename = commandLine.getOptionValue('f');
+        uuids = commandLine.hasOption('u') ? Arrays.asList(commandLine.getOptionValues('u')) : null;
+    }
+
+    @Override
+    public void internalRun() throws Exception {
+
+        if (help) {
+            printHelp();
+            return;
+        }
+
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.setTimeZone(TimeZone.getTimeZone(ZoneOffset.UTC));
+        BulkAccessControlInput accessControl;
+        context = new Context(Context.Mode.BATCH_EDIT);
+        setEPerson(context);
+
+        if (!isAuthorized(context)) {
+            handler.logError("Current user is not eligible to execute script bulk-access-control");
+            throw new AuthorizeException("Current user is not eligible to execute script bulk-access-control");
+        }
+
+        if (uuids == null || uuids.size() == 0) {
+            handler.logError("A target uuid must be provided with at least on uuid (run with -h flag for details)");
+            throw new IllegalArgumentException("At least one target uuid must be provided");
+        }
+
+        InputStream inputStream = handler.getFileStream(context, filename)
+            .orElseThrow(() -> new IllegalArgumentException("Error reading file, the file couldn't be "
+                + "found for filename: " + filename));
+
+        try {
+            accessControl = mapper.readValue(inputStream, BulkAccessControlInput.class);
+        } catch (IOException e) {
+            handler.logError("Error parsing json file " + e.getMessage());
+            throw new IllegalArgumentException("Error parsing json file", e);
+        }
+        try {
+            validate(accessControl);
+            updateItemsAndBitstreamsPolices(accessControl);
+            context.complete();
+        } catch (Exception e) {
+            handler.handleException(e);
+            context.abort();
+        }
+    }
+
+    /**
+     * check the validation of mapped json data, it must
+     * provide item or bitstream information or both of them
+     * and check the validation of item node if provided,
+     * and check the validation of bitstream node if provided.
+     *
+     * @param accessControl mapped json data
+     * @throws SQLException if something goes wrong in the database
+     * @throws BulkAccessControlException if accessControl is invalid
+     */
+    private void validate(BulkAccessControlInput accessControl) throws SQLException {
+
+        AccessConditionItem item = accessControl.getItem();
+        AccessConditionBitstream bitstream = accessControl.getBitstream();
+
+        if (Objects.isNull(item) && Objects.isNull(bitstream)) {
+            handler.logError("item or bitstream node must be provided");
+            throw new BulkAccessControlException("item or bitstream node must be provided");
+        }
+
+        if (Objects.nonNull(item)) {
+            validateItemNode(item);
+        }
+
+        if (Objects.nonNull(bitstream)) {
+            validateBitstreamNode(bitstream);
+        }
+    }
+
+    /**
+     * check the validation of item node, the item mode
+     * must be provided with value 'add' or 'replace'
+     * if mode equals to add so the information
+     * of accessCondition must be provided,
+     * also checking that accessConditions information are valid.
+     *
+     * @param item the item node
+     * @throws BulkAccessControlException if item node is invalid
+     */
+    private void validateItemNode(AccessConditionItem item) {
+        String mode = item.getMode();
+        List<AccessCondition> accessConditions = item.getAccessConditions();
+
+        if (StringUtils.isEmpty(mode)) {
+            handler.logError("item mode node must be provided");
+            throw new BulkAccessControlException("item mode node must be provided");
+        } else if (!(StringUtils.equalsAny(mode, ADD_MODE, REPLACE_MODE))) {
+            handler.logError("wrong value for item mode<" + mode + ">");
+            throw new BulkAccessControlException("wrong value for item mode<" + mode + ">");
+        } else if (ADD_MODE.equals(mode) && isEmpty(accessConditions)) {
+            handler.logError("accessConditions of item must be provided with mode<" + ADD_MODE + ">");
+            throw new BulkAccessControlException(
+                "accessConditions of item must be provided with mode<" + ADD_MODE + ">");
+        }
+
+        for (AccessCondition accessCondition : accessConditions) {
+            validateAccessCondition(accessCondition);
+        }
+    }
+
+    /**
+     * check the validation of bitstream node, the bitstream mode
+     * must be provided with value 'add' or 'replace'
+     * if mode equals to add so the information of accessConditions
+     * must be provided,
+     * also checking that constraint information is valid,
+     * also checking that accessConditions information are valid.
+     *
+     * @param bitstream the bitstream node
+     * @throws SQLException if something goes wrong in the database
+     * @throws BulkAccessControlException if bitstream node is invalid
+     */
+    private void validateBitstreamNode(AccessConditionBitstream bitstream) throws SQLException {
+        String mode = bitstream.getMode();
+        List<AccessCondition> accessConditions = bitstream.getAccessConditions();
+
+        if (StringUtils.isEmpty(mode)) {
+            handler.logError("bitstream mode node must be provided");
+            throw new BulkAccessControlException("bitstream mode node must be provided");
+        } else if (!(StringUtils.equalsAny(mode, ADD_MODE, REPLACE_MODE))) {
+            handler.logError("wrong value for bitstream mode<" + mode + ">");
+            throw new BulkAccessControlException("wrong value for bitstream mode<" + mode + ">");
+        } else if (ADD_MODE.equals(mode) && isEmpty(accessConditions)) {
+            handler.logError("accessConditions of bitstream must be provided with mode<" + ADD_MODE + ">");
+            throw new BulkAccessControlException(
+                "accessConditions of bitstream must be provided with mode<" + ADD_MODE + ">");
+        }
+
+        validateConstraint(bitstream);
+
+        for (AccessCondition accessCondition : bitstream.getAccessConditions()) {
+            validateAccessCondition(accessCondition);
+        }
+    }
+
+    /**
+     * check the validation of constraint node if provided,
+     * constraint isn't supported when multiple uuids are provided
+     * or when uuid isn't an Item
+     *
+     * @param bitstream the bitstream node
+     * @throws SQLException if something goes wrong in the database
+     * @throws BulkAccessControlException if constraint node is invalid
+     */
+    private void validateConstraint(AccessConditionBitstream bitstream) throws SQLException {
+        if (uuids.size() > 1  && containsConstraints(bitstream)) {
+            handler.logError("constraint isn't supported when multiple uuids are provided");
+            throw new BulkAccessControlException("constraint isn't supported when multiple uuids are provided");
+        } else if (uuids.size() == 1 && containsConstraints(bitstream)) {
+            DSpaceObject dso =
+                dSpaceObjectUtils.findDSpaceObject(context, UUID.fromString(uuids.get(0)));
+
+            if (Objects.nonNull(dso) && dso.getType() != Constants.ITEM) {
+                handler.logError("constraint is not supported when uuid isn't an Item");
+                throw new BulkAccessControlException("constraint is not supported when uuid isn't an Item");
+            }
+        }
+    }
+
+    /**
+     * check the validation of access condition,
+     * the access condition name must equal to one of configured access conditions,
+     * then call {@link AccessConditionOption#validateResourcePolicy(
+     * Context, String, LocalDate, LocalDate)} if exception happens so, it's invalid.
+     *
+     * @param accessCondition the accessCondition
+     * @throws BulkAccessControlException if the accessCondition is invalid
+     */
+    private void validateAccessCondition(AccessCondition accessCondition) {
+
+        if (!itemAccessConditions.containsKey(accessCondition.getName())) {
+            handler.logError("wrong access condition <" + accessCondition.getName() + ">");
+            throw new BulkAccessControlException("wrong access condition <" + accessCondition.getName() + ">");
+        }
+
+        try {
+            itemAccessConditions.get(accessCondition.getName()).validateResourcePolicy(
+                context, accessCondition.getName(), accessCondition.getStartDate(), accessCondition.getEndDate());
+        } catch (Exception e) {
+            handler.logError("invalid access condition, " + e.getMessage());
+            handler.handleException(e);
+        }
+    }
+
+    /**
+     * find all items of provided {@link #uuids} from solr,
+     * then update the resource policies of items
+     * or bitstreams of items (only bitstreams of ORIGINAL bundles)
+     * and derivative bitstreams, or both of them.
+     *
+     * @param accessControl the access control input
+     * @throws SQLException if something goes wrong in the database
+     * @throws SearchServiceException if a search error occurs
+     * @throws AuthorizeException if an authorization error occurs
+     */
+    private void updateItemsAndBitstreamsPolices(BulkAccessControlInput accessControl)
+        throws SQLException, SearchServiceException, AuthorizeException {
+
+        int counter = 0;
+        int start = 0;
+        int limit = 20;
+
+        String query = buildSolrQuery(uuids);
+
+        Iterator<Item> itemIterator = findItems(query, start, limit);
+
+        while (itemIterator.hasNext()) {
+
+            Item item = context.reloadEntity(itemIterator.next());
+
+            if (Objects.nonNull(accessControl.getItem())) {
+                updateItemPolicies(item, accessControl);
+            }
+
+            if (Objects.nonNull(accessControl.getBitstream())) {
+                updateBitstreamsPolicies(item, accessControl);
+            }
+
+            context.commit();
+            context.uncacheEntity(item);
+            counter++;
+
+            if (counter == limit) {
+                counter = 0;
+                start += limit;
+                itemIterator = findItems(query, start, limit);
+            }
+        }
+    }
+
+    private String buildSolrQuery(List<String> uuids) throws SQLException {
+        String [] query = new String[uuids.size()];
+
+        for (int i = 0 ; i < query.length ; i++) {
+            DSpaceObject dso = dSpaceObjectUtils.findDSpaceObject(context, UUID.fromString(uuids.get(i)));
+
+            if (dso.getType() == Constants.COMMUNITY) {
+                query[i] = "location.comm:" + dso.getID();
+            } else if (dso.getType() == Constants.COLLECTION) {
+                query[i] = "location.coll:" + dso.getID();
+            } else if (dso.getType() == Constants.ITEM) {
+                query[i] = "search.resourceid:" + dso.getID();
+            }
+        }
+        return StringUtils.joinWith(" OR ", query);
+    }
+
+    private Iterator<Item> findItems(String query, int start, int limit)
+        throws SearchServiceException {
+
+        DiscoverQuery discoverQuery = buildDiscoveryQuery(query, start, limit);
+
+        return searchService.search(context, discoverQuery)
+                            .getIndexableObjects()
+                            .stream()
+                            .map(indexableObject ->
+                                ((IndexableItem) indexableObject).getIndexedObject())
+                            .collect(Collectors.toList())
+                            .iterator();
+    }
+
+    private DiscoverQuery buildDiscoveryQuery(String query, int start, int limit) {
+        DiscoverQuery discoverQuery = new DiscoverQuery();
+        discoverQuery.setDSpaceObjectFilter(IndexableItem.TYPE);
+        discoverQuery.setQuery(query);
+        discoverQuery.setStart(start);
+        discoverQuery.setMaxResults(limit);
+        discoverQuery.setSortField("search.resourceid", DiscoverQuery.SORT_ORDER.asc);
+        return discoverQuery;
+    }
+
+    /**
+     * update the item resource policies,
+     * when mode equals to 'replace' will remove
+     * all current resource polices of types 'TYPE_CUSTOM'
+     * and 'TYPE_INHERITED' then, set the new resource policies.
+     *
+     * @param item the item
+     * @param accessControl the access control input
+     * @throws SQLException if something goes wrong in the database
+     * @throws AuthorizeException if an authorization error occurs
+     */
+    private void updateItemPolicies(Item item, BulkAccessControlInput accessControl)
+        throws SQLException, AuthorizeException {
+
+        AccessConditionItem acItem = accessControl.getItem();
+
+        if (REPLACE_MODE.equals(acItem.getMode())) {
+            removeReadPolicies(item, TYPE_CUSTOM);
+            removeReadPolicies(item, TYPE_INHERITED);
+        }
+
+        setItemPolicies(item, accessControl);
+        logInfo(acItem.getAccessConditions(), acItem.getMode(), item);
+    }
+
+    /**
+     * create the new resource policies of item.
+     * then, call {@link ItemService#adjustItemPolicies(
+     * Context, Item, Collection)} to adjust item's default policies.
+     *
+     * @param item the item
+     * @param accessControl the access control input
+     * @throws SQLException if something goes wrong in the database
+     * @throws AuthorizeException if an authorization error occurs
+     */
+    private void setItemPolicies(Item item, BulkAccessControlInput accessControl)
+        throws SQLException, AuthorizeException {
+
+        accessControl
+            .getItem()
+            .getAccessConditions()
+            .forEach(accessCondition -> createResourcePolicy(item, accessCondition,
+                itemAccessConditions.get(accessCondition.getName())));
+
+        itemService.adjustItemPolicies(context, item, item.getOwningCollection(), false);
+    }
+
+    /**
+     * update the resource policies of all item's bitstreams
+     * or bitstreams specified into constraint node,
+     * and derivative bitstreams.
+     *
+     * <strong>NOTE:</strong> only bitstreams of ORIGINAL bundles
+     *
+     * @param item the item contains bitstreams
+     * @param accessControl the access control input
+     */
+    private void updateBitstreamsPolicies(Item item, BulkAccessControlInput accessControl) {
+        AccessConditionBitstream.Constraint constraints = accessControl.getBitstream().getConstraints();
+
+        // look over all the bundles and force initialization of bitstreams collection
+        // to avoid lazy initialization exception
+        long count = item.getBundles()
+                         .stream()
+                         .flatMap(bundle ->
+                             bundle.getBitstreams().stream())
+                         .count();
+
+        item.getBundles(CONTENT_BUNDLE_NAME).stream()
+            .flatMap(bundle -> bundle.getBitstreams().stream())
+            .filter(bitstream -> constraints == null ||
+                constraints.getUuid() == null ||
+                constraints.getUuid().size() == 0 ||
+                constraints.getUuid().contains(bitstream.getID().toString()))
+            .forEach(bitstream -> updateBitstreamPolicies(bitstream, item, accessControl));
+    }
+
+    /**
+     * check that the bitstream node is existed,
+     * and contains constraint node,
+     * and constraint contains uuids.
+     *
+     * @param bitstream the bitstream node
+     * @return true when uuids of constraint of bitstream is not empty,
+     * otherwise false
+     */
+    private boolean containsConstraints(AccessConditionBitstream bitstream) {
+        return Objects.nonNull(bitstream) &&
+            Objects.nonNull(bitstream.getConstraints()) &&
+            isNotEmpty(bitstream.getConstraints().getUuid());
+    }
+
+    /**
+     * update the bitstream resource policies,
+     * when mode equals to replace will remove
+     * all current resource polices of types 'TYPE_CUSTOM'
+     * and 'TYPE_INHERITED' then, set the new resource policies.
+     *
+     * @param bitstream the bitstream
+     * @param item the item of bitstream
+     * @param accessControl the access control input
+     * @throws RuntimeException if something goes wrong in the database
+     * or an authorization error occurs
+     */
+    private void updateBitstreamPolicies(Bitstream bitstream, Item item, BulkAccessControlInput accessControl) {
+
+        AccessConditionBitstream acBitstream = accessControl.getBitstream();
+
+        if (REPLACE_MODE.equals(acBitstream.getMode())) {
+            removeReadPolicies(bitstream, TYPE_CUSTOM);
+            removeReadPolicies(bitstream, TYPE_INHERITED);
+        }
+
+        try {
+            setBitstreamPolicies(bitstream, item, accessControl);
+            logInfo(acBitstream.getAccessConditions(), acBitstream.getMode(), bitstream);
+        } catch (SQLException | AuthorizeException e) {
+            throw new RuntimeException(e);
+        }
+
+    }
+
+    /**
+     * remove dspace object's read policies.
+     *
+     * @param dso the dspace object
+     * @param type resource policy type
+     * @throws BulkAccessControlException if something goes wrong
+     * in the database or an authorization error occurs
+     */
+    private void removeReadPolicies(DSpaceObject dso, String type) {
+        try {
+            resourcePolicyService.removePolicies(context, dso, type, Constants.READ);
+        } catch (SQLException | AuthorizeException e) {
+            throw new BulkAccessControlException(e);
+        }
+    }
+
+    /**
+     * create the new resource policies of bitstream.
+     * then, call {@link ItemService#adjustItemPolicies(
+     * Context, Item, Collection)} to adjust bitstream's default policies.
+     * and also update the resource policies of its derivative bitstreams.
+     *
+     * @param bitstream the bitstream
+     * @param item the item of bitstream
+     * @param accessControl the access control input
+     * @throws SQLException if something goes wrong in the database
+     * @throws AuthorizeException if an authorization error occurs
+     */
+    private void setBitstreamPolicies(Bitstream bitstream, Item item, BulkAccessControlInput accessControl)
+        throws SQLException, AuthorizeException {
+
+        accessControl.getBitstream()
+                     .getAccessConditions()
+                     .forEach(accessCondition -> createResourcePolicy(bitstream, accessCondition,
+                         uploadAccessConditions.get(accessCondition.getName())));
+
+        itemService.adjustBitstreamPolicies(context, item, item.getOwningCollection(), bitstream);
+        mediaFilterService.updatePoliciesOfDerivativeBitstreams(context, item, bitstream);
+    }
+
+    /**
+     * create the resource policy from the information
+     * comes from the access condition.
+     *
+     * @param obj the dspace object
+     * @param accessCondition the access condition
+     * @param accessConditionOption the access condition option
+     * @throws BulkAccessControlException if an exception occurs
+     */
+    private void createResourcePolicy(DSpaceObject obj, AccessCondition accessCondition,
+                                      AccessConditionOption accessConditionOption) {
+
+        String name = accessCondition.getName();
+        String description = accessCondition.getDescription();
+        LocalDate startDate = accessCondition.getStartDate();
+        LocalDate endDate = accessCondition.getEndDate();
+
+        try {
+            accessConditionOption.createResourcePolicy(context, obj, name, description, startDate, endDate);
+        } catch (Exception e) {
+            throw new BulkAccessControlException(e);
+        }
+    }
+
+    /**
+     * Set the eperson in the context
+     *
+     * @param context the context
+     * @throws SQLException if database error
+     */
+    protected void setEPerson(Context context) throws SQLException {
+        EPerson myEPerson = epersonService.find(context, this.getEpersonIdentifier());
+
+        if (myEPerson == null) {
+            handler.logError("EPerson cannot be found: " + this.getEpersonIdentifier());
+            throw new UnsupportedOperationException("EPerson cannot be found: " + this.getEpersonIdentifier());
+        }
+
+        context.setCurrentUser(myEPerson);
+    }
+
+    private void logInfo(List<AccessCondition> accessConditions, String mode, DSpaceObject dso) {
+        String type = dso.getClass().getSimpleName();
+
+        if (REPLACE_MODE.equals(mode) && isEmpty(accessConditions)) {
+            handler.logInfo("Cleaning " + type + " {" + dso.getID() + "} policies");
+            handler.logInfo("Inheriting policies from owning Collection in " + type + " {" + dso.getID() + "}");
+            return;
+        }
+
+        StringBuilder message = new StringBuilder();
+        message.append(mode.equals(ADD_MODE) ? "Adding " : "Replacing ")
+               .append(type)
+               .append(" {")
+               .append(dso.getID())
+               .append("} policy")
+               .append(mode.equals(ADD_MODE) ? " with " : " to ")
+               .append("access conditions:");
+
+        AppendAccessConditionsInfo(message, accessConditions);
+
+        handler.logInfo(message.toString());
+
+        if (REPLACE_MODE.equals(mode) && isAppendModeEnabled()) {
+            handler.logInfo("Inheriting policies from owning Collection in " + type + " {" + dso.getID() + "}");
+        }
+    }
+
+    private void AppendAccessConditionsInfo(StringBuilder message, List<AccessCondition> accessConditions) {
+        DateTimeFormatter dateFormat = DateTimeFormatter.ISO_LOCAL_DATE;
+        message.append("{");
+
+        for (int i = 0; i <  accessConditions.size(); i++) {
+            message.append(accessConditions.get(i).getName());
+
+            Optional.ofNullable(accessConditions.get(i).getStartDate())
+                    .ifPresent(date -> message.append(", start_date=" + dateFormat.format(date)));
+
+            Optional.ofNullable(accessConditions.get(i).getEndDate())
+                    .ifPresent(date -> message.append(", end_date=" + dateFormat.format(date)));
+
+            if (i != accessConditions.size() - 1) {
+                message.append(", ");
+            }
+        }
+
+        message.append("}");
+    }
+
+    private boolean isAppendModeEnabled() {
+        return configurationService.getBooleanProperty("core.authorization.installitem.inheritance-read.append-mode");
+    }
+
+    protected boolean isAuthorized(Context context) {
+        return true;
+    }
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public BulkAccessControlScriptConfiguration<BulkAccessControl> getScriptConfiguration() {
+        return new DSpace().getServiceManager()
+                           .getServiceByName("bulk-access-control", BulkAccessControlScriptConfiguration.class);
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControlCli.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControlCli.java
@@ -0,0 +1,66 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol;
+
+import java.sql.SQLException;
+import java.util.Arrays;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import org.apache.commons.lang3.StringUtils;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+import org.dspace.scripts.DSpaceCommandLineParameter;
+
+/**
+ * Extension of {@link BulkAccessControl} for CLI.
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ *
+ */
+public class BulkAccessControlCli extends BulkAccessControl {
+
+    @Override
+    protected void setEPerson(Context context) throws SQLException {
+        EPerson myEPerson;
+        eperson = commandLine.getOptionValue('e');
+
+        if (eperson == null) {
+            handler.logError("An eperson to do the the Bulk Access Control must be specified " +
+                "(run with -h flag for details)");
+            throw new UnsupportedOperationException("An eperson to do the Bulk Access Control must be specified");
+        }
+
+        if (StringUtils.contains(eperson, '@')) {
+            myEPerson = epersonService.findByEmail(context, eperson);
+        } else {
+            myEPerson = epersonService.find(context, UUID.fromString(eperson));
+        }
+
+        if (myEPerson == null) {
+            handler.logError("EPerson cannot be found: " + eperson + " (run with -h flag for details)");
+            throw new UnsupportedOperationException("EPerson cannot be found: " + eperson);
+        }
+
+        context.setCurrentUser(myEPerson);
+    }
+
+    @Override
+    protected boolean isAuthorized(Context context) {
+
+        if (context.getCurrentUser() == null) {
+            return false;
+        }
+
+        return getScriptConfiguration().isAllowedToExecute(context,
+            Arrays.stream(commandLine.getOptions())
+                  .map(option ->
+                      new DSpaceCommandLineParameter("-" + option.getOpt(), option.getValue()))
+                  .collect(Collectors.toList()));
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControlCliScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControlCliScriptConfiguration.java
@@ -0,0 +1,42 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol;
+
+import java.io.InputStream;
+
+import org.apache.commons.cli.Options;
+
+/**
+ * Extension of {@link BulkAccessControlScriptConfiguration} for CLI.
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ *
+ */
+public class BulkAccessControlCliScriptConfiguration<T extends BulkAccessControlCli>
+    extends BulkAccessControlScriptConfiguration<T> {
+
+    @Override
+    public Options getOptions() {
+        Options options = new Options();
+
+        options.addOption("u", "uuid", true, "target uuids of communities/collections/items");
+        options.getOption("u").setType(String.class);
+        options.getOption("u").setRequired(true);
+
+        options.addOption("f", "file", true, "source json file");
+        options.getOption("f").setType(InputStream.class);
+        options.getOption("f").setRequired(true);
+
+        options.addOption("e", "eperson", true, "email of EPerson used to perform actions");
+        options.getOption("e").setRequired(true);
+
+        options.addOption("h", "help", false, "help");
+
+        return options;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControlScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/BulkAccessControlScriptConfiguration.java
@@ -0,0 +1,110 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol;
+
+import java.io.InputStream;
+import java.sql.SQLException;
+import java.util.List;
+import java.util.Objects;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import org.apache.commons.cli.Options;
+import org.dspace.app.util.DSpaceObjectUtilsImpl;
+import org.dspace.app.util.service.DSpaceObjectUtils;
+import org.dspace.content.DSpaceObject;
+import org.dspace.core.Context;
+import org.dspace.scripts.DSpaceCommandLineParameter;
+import org.dspace.scripts.configuration.ScriptConfiguration;
+import org.dspace.utils.DSpace;
+
+/**
+ * Script configuration for {@link BulkAccessControl}.
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ *
+ * @param  <T> the {@link BulkAccessControl} type
+ */
+public class BulkAccessControlScriptConfiguration<T extends BulkAccessControl> extends ScriptConfiguration<T> {
+
+    private Class<T> dspaceRunnableClass;
+
+    @Override
+    public boolean isAllowedToExecute(Context context, List<DSpaceCommandLineParameter> commandLineParameters) {
+
+        try {
+            if (Objects.isNull(commandLineParameters)) {
+                return authorizeService.isAdmin(context) || authorizeService.isComColAdmin(context)
+                    || authorizeService.isItemAdmin(context);
+            } else {
+                List<String> dspaceObjectIDs =
+                    commandLineParameters.stream()
+                                         .filter(parameter -> "-u".equals(parameter.getName()))
+                                         .map(DSpaceCommandLineParameter::getValue)
+                                         .collect(Collectors.toList());
+
+                DSpaceObjectUtils dSpaceObjectUtils = new DSpace().getServiceManager().getServiceByName(
+                    DSpaceObjectUtilsImpl.class.getName(), DSpaceObjectUtilsImpl.class);
+
+                for (String dspaceObjectID : dspaceObjectIDs) {
+
+                    DSpaceObject dso = dSpaceObjectUtils.findDSpaceObject(context, UUID.fromString(dspaceObjectID));
+
+                    if (Objects.isNull(dso)) {
+                        throw new IllegalArgumentException();
+                    }
+
+                    if (!authorizeService.isAdmin(context, dso)) {
+                        return false;
+                    }
+                }
+            }
+        } catch (SQLException e) {
+            throw new RuntimeException(e);
+        }
+
+        return true;
+    }
+
+    @Override
+    public Options getOptions() {
+        if (options == null) {
+            Options options = new Options();
+
+            options.addOption("u", "uuid", true, "target uuids of communities/collections/items");
+            options.getOption("u").setType(String.class);
+            options.getOption("u").setRequired(true);
+
+            options.addOption("f", "file", true, "source json file");
+            options.getOption("f").setType(InputStream.class);
+            options.getOption("f").setRequired(true);
+
+            options.addOption("h", "help", false, "help");
+
+            super.options = options;
+        }
+        return options;
+    }
+
+    @Override
+    public Class<T> getDspaceRunnableClass() {
+        return dspaceRunnableClass;
+    }
+
+    /**
+     * Generic setter for the dspaceRunnableClass
+     *
+     * @param dspaceRunnableClass The dspaceRunnableClass to be set on this
+     *                            BulkImportScriptConfiguration
+     */
+    @Override
+    public void setDspaceRunnableClass(Class<T> dspaceRunnableClass) {
+        this.dspaceRunnableClass = dspaceRunnableClass;
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/exception/BulkAccessControlException.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/exception/BulkAccessControlException.java
@@ -0,0 +1,48 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol.exception;
+
+/**
+ * Exception for errors that occurs during the bulk access control
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ *
+ */
+public class BulkAccessControlException extends RuntimeException {
+
+    private static final long serialVersionUID = -74730626862418515L;
+
+    /**
+     * Constructor with error message and cause.
+     *
+     * @param message the error message
+     * @param cause   the error cause
+     */
+    public BulkAccessControlException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    /**
+     * Constructor with error message.
+     *
+     * @param message the error message
+     */
+    public BulkAccessControlException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructor with error cause.
+     *
+     * @param cause the error cause
+     */
+    public BulkAccessControlException(Throwable cause) {
+        super(cause);
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/AccessCondition.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/AccessCondition.java
@@ -0,0 +1,59 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol.model;
+
+import java.time.LocalDate;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.dspace.app.bulkaccesscontrol.BulkAccessControl;
+import org.dspace.util.MultiFormatDateDeserializer;
+
+/**
+ * Class that model the values of an Access Condition as expressed in the {@link BulkAccessControl} input file
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ */
+public class AccessCondition {
+
+    private  String name;
+
+    private  String description;
+
+    @JsonDeserialize(using = MultiFormatDateDeserializer.class)
+    private LocalDate startDate;
+
+    @JsonDeserialize(using = MultiFormatDateDeserializer.class)
+    private LocalDate endDate;
+
+    public AccessCondition() {
+    }
+
+    public AccessCondition(String name, String description, LocalDate startDate, LocalDate endDate) {
+        this.name = name;
+        this.description = description;
+        this.startDate = startDate;
+        this.endDate = endDate;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public LocalDate getStartDate() {
+        return startDate;
+    }
+
+    public LocalDate getEndDate() {
+        return endDate;
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/AccessConditionBitstream.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/AccessConditionBitstream.java
@@ -0,0 +1,69 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol.model;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.dspace.app.bulkaccesscontrol.BulkAccessControl;
+
+/**
+ * Class that model the value of bitstream node
+ * from json file of the {@link BulkAccessControl}
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ */
+public class AccessConditionBitstream {
+
+    private String mode;
+
+    private Constraint constraints;
+
+    private List<AccessCondition> accessConditions;
+
+    public String getMode() {
+        return mode;
+    }
+
+    public void setMode(String mode) {
+        this.mode = mode;
+    }
+
+    public Constraint getConstraints() {
+        return constraints;
+    }
+
+    public void setConstraints(Constraint constraints) {
+        this.constraints = constraints;
+    }
+
+    public List<AccessCondition> getAccessConditions() {
+        if (accessConditions == null) {
+            return new ArrayList<>();
+        }
+        return accessConditions;
+    }
+
+    public void setAccessConditions(List<AccessCondition> accessConditions) {
+        this.accessConditions = accessConditions;
+    }
+
+    public class Constraint {
+
+        private List<String> uuid;
+
+        public List<String> getUuid() {
+            return uuid;
+        }
+
+        public void setUuid(List<String> uuid) {
+            this.uuid = uuid;
+        }
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/AccessConditionItem.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/AccessConditionItem.java
@@ -0,0 +1,45 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol.model;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.dspace.app.bulkaccesscontrol.BulkAccessControl;
+
+/**
+ * Class that model the value of item node
+ * from json file of the {@link BulkAccessControl}
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ */
+public class AccessConditionItem {
+
+    String mode;
+
+    List<AccessCondition> accessConditions;
+
+    public String getMode() {
+        return mode;
+    }
+
+    public void setMode(String mode) {
+        this.mode = mode;
+    }
+
+    public List<AccessCondition> getAccessConditions() {
+        if (accessConditions == null) {
+            return new ArrayList<>();
+        }
+        return accessConditions;
+    }
+
+    public void setAccessConditions(List<AccessCondition> accessConditions) {
+        this.accessConditions = accessConditions;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/BulkAccessConditionConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/BulkAccessConditionConfiguration.java
@@ -0,0 +1,50 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol.model;
+
+import java.util.List;
+
+import org.dspace.submit.model.AccessConditionOption;
+
+/**
+ * A collection of conditions to be met when bulk access condition.
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ */
+public class BulkAccessConditionConfiguration {
+
+    private String name;
+    private List<AccessConditionOption> itemAccessConditionOptions;
+    private List<AccessConditionOption> bitstreamAccessConditionOptions;
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public List<AccessConditionOption> getItemAccessConditionOptions() {
+        return itemAccessConditionOptions;
+    }
+
+    public void setItemAccessConditionOptions(
+        List<AccessConditionOption> itemAccessConditionOptions) {
+        this.itemAccessConditionOptions = itemAccessConditionOptions;
+    }
+
+    public List<AccessConditionOption> getBitstreamAccessConditionOptions() {
+        return bitstreamAccessConditionOptions;
+    }
+
+    public void setBitstreamAccessConditionOptions(
+        List<AccessConditionOption> bitstreamAccessConditionOptions) {
+        this.bitstreamAccessConditionOptions = bitstreamAccessConditionOptions;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/BulkAccessControlInput.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/model/BulkAccessControlInput.java
@@ -0,0 +1,72 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol.model;
+
+import org.dspace.app.bulkaccesscontrol.BulkAccessControl;
+
+/**
+ * Class that model the content of the JSON file used as input for the {@link BulkAccessControl}
+ *
+ * <code> <br/>
+ * { <br/>
+ *     item: { <br/>
+ *        mode: "replace", <br/>
+ *        accessConditions: [ <br/>
+ *            { <br/>
+ *              "name": "openaccess" <br/>
+ *            } <br/>
+ *        ] <br/>
+ *     }, <br/>
+ *     bitstream: { <br/>
+ *       constraints: { <br/>
+ *           uuid: [bit-uuid1, bit-uuid2, ..., bit-uuidN], <br/>
+ *       }, <br/>
+ *       mode: "add", <br/>
+ *       accessConditions: [ <br/>
+ *         { <br/>
+ *          "name": "embargo", <br/>
+ *          "startDate": "2024-06-24T23:59:59.999+0000" <br/>
+ *         } <br/>
+ *       ] <br/>
+ *    } <br/>
+ * }
+ * </code>
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ */
+public class BulkAccessControlInput {
+
+    AccessConditionItem item;
+
+    AccessConditionBitstream bitstream;
+
+    public BulkAccessControlInput() {
+    }
+
+    public BulkAccessControlInput(AccessConditionItem item,
+                                  AccessConditionBitstream bitstream) {
+        this.item = item;
+        this.bitstream = bitstream;
+    }
+
+    public AccessConditionItem getItem() {
+        return item;
+    }
+
+    public void setItem(AccessConditionItem item) {
+        this.item = item;
+    }
+
+    public AccessConditionBitstream getBitstream() {
+        return bitstream;
+    }
+
+    public void setBitstream(AccessConditionBitstream bitstream) {
+        this.bitstream = bitstream;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/service/BulkAccessConditionConfigurationService.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkaccesscontrol/service/BulkAccessConditionConfigurationService.java
@@ -0,0 +1,45 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.bulkaccesscontrol.service;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.collections4.CollectionUtils;
+import org.dspace.app.bulkaccesscontrol.model.BulkAccessConditionConfiguration;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * Simple bean to manage different Bulk Access Condition configurations
+ *
+ * @author Mohamed Eskander (mohamed.eskander at 4science.it)
+ */
+public class BulkAccessConditionConfigurationService {
+
+    @Autowired
+    private List<BulkAccessConditionConfiguration> bulkAccessConditionConfigurations;
+
+    public List<BulkAccessConditionConfiguration> getBulkAccessConditionConfigurations() {
+        if (CollectionUtils.isEmpty(bulkAccessConditionConfigurations)) {
+            return new ArrayList<>();
+        }
+        return bulkAccessConditionConfigurations;
+    }
+
+    public BulkAccessConditionConfiguration getBulkAccessConditionConfiguration(String name) {
+        return getBulkAccessConditionConfigurations().stream()
+                                                     .filter(x -> name.equals(x.getName()))
+                                                     .findFirst()
+                                                     .orElse(null);
+    }
+
+    public void setBulkAccessConditionConfigurations(
+        List<BulkAccessConditionConfiguration> bulkAccessConditionConfigurations) {
+        this.bulkAccessConditionConfigurations = bulkAccessConditionConfigurations;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/DSpaceCSV.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/DSpaceCSV.java
@@ -19,6 +19,7 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -188,6 +189,15 @@ public class DSpaceCSV implements Serializable {
                    // Verify that the heading is valid in the metadata registry
                    String[] clean = element.split("\\[");
                    String[] parts = clean[0].split("\\.");
+                    // Check language if present, if it's ANY then throw an exception
+                    if (clean.length > 1 && clean[1].equals(Item.ANY + "]")) {
+                        throw new MetadataImportInvalidHeadingException("Language ANY (*) was found in the heading " +
+                                                                                "of the metadata value to import, " +
+                                                                                "this should never be the case",
+                                                                        MetadataImportInvalidHeadingException.ENTRY,
+                                                                        columnCounter);
+
+                    }

                    if (parts.length < 2) {
                        throw new MetadataImportInvalidHeadingException(element,
@@ -223,6 +233,15 @@ public class DSpaceCSV implements Serializable {
                        }
                    }

+                    // Verify there isn’t already a header that is the same; if it already exists,
+                    // throw MetadataImportInvalidHeadingException
+                    String header = authorityPrefix + element;
+                    if (headings.contains(header)) {
+                        throw new MetadataImportInvalidHeadingException("Duplicate heading found: " + header,
+                                                                        MetadataImportInvalidHeadingException.ENTRY,
+                                                                        columnCounter);
+                    }
+
                    // Store the heading
                    headings.add(authorityPrefix + element);
                }
@@ -439,7 +458,7 @@ public class DSpaceCSV implements Serializable {
        List<Collection> collections = i.getCollections();
        for (Collection c : collections) {
            // Only add if it is not the owning collection
-            if (!c.getHandle().equals(owningCollectionHandle)) {
+            if (!Objects.equals(c.getHandle(), owningCollectionHandle)) {
                line.add("collection", c.getHandle());
            }
        }
@@ -457,7 +476,7 @@ public class DSpaceCSV implements Serializable {
                key = key + "." + metadataField.getQualifier();
            }

-            // Add the language if there is one (schema.element.qualifier[langauge])
+            // Add the language if there is one (schema.element.qualifier[language])
            //if ((value.language != null) && (!"".equals(value.language)))
            if (value.getLanguage() != null) {
                key = key + "[" + value.getLanguage() + "]";
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataDeletionScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataDeletionScriptConfiguration.java
@@ -7,33 +7,16 @@
 */
 package org.dspace.app.bulkedit;

-import java.sql.SQLException;
-
 import org.apache.commons.cli.Options;
-import org.dspace.authorize.service.AuthorizeService;
-import org.dspace.core.Context;
 import org.dspace.scripts.configuration.ScriptConfiguration;
-import org.springframework.beans.factory.annotation.Autowired;

 /**
 * The {@link ScriptConfiguration} for the {@link MetadataDeletion} script.
 */
 public class MetadataDeletionScriptConfiguration<T extends MetadataDeletion> extends ScriptConfiguration<T> {

-    @Autowired
-    private AuthorizeService authorizeService;
-
    private Class<T> dspaceRunnableClass;

-    @Override
-    public boolean isAllowedToExecute(Context context) {
-        try {
-            return authorizeService.isAdmin(context);
-        } catch (SQLException e) {
-            throw new RuntimeException("SQLException occurred when checking if the current user is an admin", e);
-        }
-    }
-
    @Override
    public Options getOptions() {
        if (options == null) {
@@ -41,10 +24,8 @@ public class MetadataDeletionScriptConfiguration<T extends MetadataDeletion> ext
            Options options = new Options();

            options.addOption("m", "metadata", true, "metadata field name");
-            options.getOption("m").setType(String.class);

            options.addOption("l", "list", false, "lists the metadata fields that can be deleted");
-            options.getOption("l").setType(boolean.class);

            super.options = options;
        }
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportFilteredItemsReport.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportFilteredItemsReport.java
@@ -0,0 +1,182 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+
+package org.dspace.app.bulkedit;
+
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.lang3.StringUtils;
+import org.dspace.content.MetadataDSpaceCsvExportServiceImpl;
+import org.dspace.content.MetadataField;
+import org.dspace.content.factory.ContentReportServiceFactory;
+import org.dspace.content.service.MetadataDSpaceCsvExportService;
+import org.dspace.contentreport.Filter;
+import org.dspace.contentreport.FilteredItems;
+import org.dspace.contentreport.FilteredItemsQuery;
+import org.dspace.contentreport.QueryOperator;
+import org.dspace.contentreport.QueryPredicate;
+import org.dspace.contentreport.service.ContentReportService;
+import org.dspace.core.Context;
+import org.dspace.eperson.factory.EPersonServiceFactory;
+import org.dspace.eperson.service.EPersonService;
+import org.dspace.kernel.ServiceManager;
+import org.dspace.scripts.DSpaceRunnable;
+import org.dspace.services.ConfigurationService;
+import org.dspace.utils.DSpace;
+
+/**
+ * Metadata exporter to allow the batch export of metadata from a Filtered Items content report execution into a file
+ *
+ * @author Jean-François Morin (Université Laval)
+ */
+public class MetadataExportFilteredItemsReport extends DSpaceRunnable
+        <MetadataExportFilteredItemsReportScriptConfiguration<MetadataExportFilteredItemsReport>> {
+
+    private static final String EXPORT_CSV = "exportCSV";
+    public static final String DEFAULT_FILENAME = "metadataExportFilteredItems.csv";
+    private boolean help = false;
+    private String[] collectionUuids;
+    private String[] queryPredicates;
+    private String[] queryFilters;
+
+    private ConfigurationService configurationService;
+    private ContentReportService contentReportService;
+    private EPersonService ePersonService;
+    private MetadataDSpaceCsvExportService metadataDSpaceCsvExportService;
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public MetadataExportFilteredItemsReportScriptConfiguration<MetadataExportFilteredItemsReport>
+            getScriptConfiguration() {
+        return new DSpace().getServiceManager()
+            .getServiceByName("metadata-export-filtered-items-report",
+                    MetadataExportFilteredItemsReportScriptConfiguration.class);
+    }
+
+    @Override
+    public void setup() throws ParseException {
+        ServiceManager serviceManager = new DSpace().getServiceManager();
+        configurationService = serviceManager.getServicesByType(ConfigurationService.class).get(0);
+        contentReportService = ContentReportServiceFactory.getInstance().getContentReportService();
+        ePersonService = EPersonServiceFactory.getInstance().getEPersonService();
+        metadataDSpaceCsvExportService = serviceManager.getServiceByName(
+                MetadataDSpaceCsvExportServiceImpl.class.getCanonicalName(),
+                MetadataDSpaceCsvExportService.class);
+
+        if (commandLine.hasOption('h')) {
+            help = true;
+            return;
+        }
+
+        if (commandLine.hasOption('c')) {
+            collectionUuids = commandLine.getOptionValues('c');
+        }
+
+        if (commandLine.hasOption("qp")) {
+            queryPredicates = commandLine.getOptionValues("qp");
+        }
+
+        if (commandLine.hasOption('f')) {
+            queryFilters = commandLine.getOptionValues('f');
+        }
+    }
+
+    @Override
+    public void internalRun() throws Exception {
+        if (help) {
+            loghelpinfo();
+            printHelp();
+            return;
+        }
+        handler.logDebug("starting content report export");
+
+        Context context = new Context();
+        context.setCurrentUser(ePersonService.find(context, getEpersonIdentifier()));
+
+        List<String> collUuids = List.of();
+        if (collectionUuids != null) {
+            // Using a temporary Set to eliminate duplicates, if any
+            Set<String> setUuids = arrayToStream(collectionUuids)
+                    .map(uuids -> uuids.split("[^0-9A-Fa-f\\-]+"))
+                    .flatMap(Arrays::stream)
+                    .filter(StringUtils::isNotBlank)
+                    .collect(Collectors.toSet());
+            collUuids = new ArrayList<>(setUuids);
+        }
+
+        List<QueryPredicate> predicates = List.of();
+        if (queryPredicates != null) {
+            predicates = arrayToStream(queryPredicates)
+                    .filter(StringUtils::isNotBlank)
+                    .map(pred -> buildPredicate(context, pred))
+                    .collect(Collectors.toList());
+        }
+
+        Set<Filter> filters = EnumSet.noneOf(Filter.class);
+        if (queryFilters != null) {
+            Arrays.stream(queryFilters)
+                    .map(Filter::getFilters)
+                    .flatMap(Set::stream)
+                    .filter(f -> f != null)
+                    .forEach(filters::add);
+        }
+
+        handler.logDebug("building query");
+        FilteredItemsQuery query = FilteredItemsQuery.of(
+                collUuids, predicates, 0, Integer.MAX_VALUE, filters, List.of());
+        handler.logDebug("creating iterator");
+
+        FilteredItems items = contentReportService.findFilteredItems(context, query);
+        handler.logDebug("creating dspacecsv");
+        DSpaceCSV dSpaceCSV = metadataDSpaceCsvExportService.export(context, items.getItems().iterator(),
+                true, handler);
+        handler.logDebug("writing to file " + getFileNameOrExportFile());
+        handler.writeFilestream(context, getFileNameOrExportFile(), dSpaceCSV.getInputStream(), EXPORT_CSV);
+        context.restoreAuthSystemState();
+        context.complete();
+    }
+
+    protected void loghelpinfo() {
+        handler.logInfo("metadata-export-filtered-items-report");
+    }
+
+    protected String getFileNameOrExportFile() {
+        return configurationService.getProperty("contentreport.metadataquery.csv.filename.default", DEFAULT_FILENAME);
+    }
+
+    private static Stream<String> arrayToStream(String... array) {
+        return Optional.ofNullable(array)
+                .stream()
+                .flatMap(Arrays::stream)
+                .filter(StringUtils::isNotBlank);
+    }
+
+    private QueryPredicate buildPredicate(Context context, String exp) {
+        String[] tokens = exp.split("\\:");
+        String field = tokens.length > 0 ? tokens[0].trim() : "";
+        QueryOperator operator = tokens.length > 1 ? QueryOperator.get(tokens[1].trim()) : null;
+        String value = tokens.length > 2 ? StringUtils.trimToEmpty(tokens[2]) : "";
+
+        try {
+            List<MetadataField> fields = contentReportService.getMetadataFields(context, field);
+            return QueryPredicate.of(fields, operator, value);
+        } catch (SQLException e) {
+            throw new IllegalArgumentException(e.getMessage(), e);
+        }
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportFilteredItemsReportCli.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportFilteredItemsReportCli.java
@@ -0,0 +1,29 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+
+package org.dspace.app.bulkedit;
+
+import java.util.Optional;
+
+import org.apache.commons.lang3.StringUtils;
+
+/**
+ * The CLI version of the {@link MetadataExportFilteredItemsReport} script
+ *
+ * @author Jean-François Morin (Université Laval)
+ */
+public class MetadataExportFilteredItemsReportCli extends MetadataExportFilteredItemsReport {
+
+    @Override
+    protected String getFileNameOrExportFile() {
+        return Optional.ofNullable(commandLine.getOptionValue('n'))
+                .filter(StringUtils::isNotBlank)
+                .orElseGet(() -> super.getFileNameOrExportFile());
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportFilteredItemsReportCliScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportFilteredItemsReportCliScriptConfiguration.java
@@ -0,0 +1,36 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+
+package org.dspace.app.bulkedit;
+
+import org.apache.commons.cli.Options;
+import org.dspace.services.ConfigurationService;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * This is the CLI version of the {@link MetadataExportFilteredItemsReportScriptConfiguration} class that handles the
+ * configuration for the {@link MetadataExportFilteredItemsReportCli} script
+ *
+ * @author Jean-François Morin (Université Laval)
+ */
+public class MetadataExportFilteredItemsReportCliScriptConfiguration
+    extends MetadataExportFilteredItemsReportScriptConfiguration<MetadataExportFilteredItemsReportCli> {
+
+    @Autowired
+    private ConfigurationService configurationService;
+
+    @Override
+    public Options getOptions() {
+        Options options = super.getOptions();
+        String filename = configurationService.getProperty("contentreport.metadataquery.csv.filename.default",
+                MetadataExportFilteredItemsReport.DEFAULT_FILENAME);
+        options.addOption("n", "filename", true, "the filename to export to (default: " + filename + ")");
+        return options;
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportFilteredItemsReportScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportFilteredItemsReportScriptConfiguration.java
@@ -0,0 +1,56 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+
+package org.dspace.app.bulkedit;
+
+import org.apache.commons.cli.Options;
+import org.dspace.scripts.configuration.ScriptConfiguration;
+
+/**
+ * The {@link ScriptConfiguration} for the {@link MetadataExportFilteredItemsReport} script
+ *
+ * @author Jean-François Morin (Université Laval)
+ */
+public class MetadataExportFilteredItemsReportScriptConfiguration<T extends MetadataExportFilteredItemsReport>
+        extends ScriptConfiguration<T> {
+
+    private Class<T> dspaceRunnableclass;
+
+    @Override
+    public Class<T> getDspaceRunnableClass() {
+        return dspaceRunnableclass;
+    }
+
+    @Override
+    public void setDspaceRunnableClass(Class<T> dspaceRunnableClass) {
+        dspaceRunnableclass = dspaceRunnableClass;
+    }
+
+    @Override
+    public Options getOptions() {
+        if (options == null) {
+            Options options = new Options();
+            options.addOption("c", "collections", true,
+                "UUIDs of collections to search for eligible records");
+            options.getOption("c").setType(String.class);
+            options.addOption("qp", "queryPredicates", true,
+                "Predicates or field queries used as criteria to filter records");
+            options.getOption("qp").setType(String.class);
+            options.addOption("f", "filters", true, """
+                Filters from the org.dspace.contentreport.Filter enumeration
+                used to filter records. Any filtered included here is considered as being selected,
+                and is considered unselected otherwise.""");
+            options.getOption("f").setType(String.class);
+            options.addOption("h", "help", false, "help");
+
+            super.options =  options;
+        }
+        return options;
+    }
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportScriptConfiguration.java
@@ -7,22 +7,14 @@
 */
 package org.dspace.app.bulkedit;

-import java.sql.SQLException;
-
 import org.apache.commons.cli.Options;
-import org.dspace.authorize.service.AuthorizeService;
-import org.dspace.core.Context;
 import org.dspace.scripts.configuration.ScriptConfiguration;
-import org.springframework.beans.factory.annotation.Autowired;

 /**
 * The {@link ScriptConfiguration} for the {@link MetadataExport} script
 */
 public class MetadataExportScriptConfiguration<T extends MetadataExport> extends ScriptConfiguration<T> {

-    @Autowired
-    private AuthorizeService authorizeService;
-
    private Class<T> dspaceRunnableClass;

    @Override
@@ -39,27 +31,15 @@ public class MetadataExportScriptConfiguration<T extends MetadataExport> extends
        this.dspaceRunnableClass = dspaceRunnableClass;
    }

-    @Override
-    public boolean isAllowedToExecute(Context context) {
-        try {
-            return authorizeService.isAdmin(context);
-        } catch (SQLException e) {
-            throw new RuntimeException("SQLException occurred when checking if the current user is an admin", e);
-        }
-    }
-
    @Override
    public Options getOptions() {
        if (options == null) {
            Options options = new Options();

            options.addOption("i", "id", true, "ID or handle of thing to export (item, collection, or community)");
-            options.getOption("i").setType(String.class);
            options.addOption("a", "all", false,
                              "include all metadata fields that are not normally changed (e.g. provenance)");
-            options.getOption("a").setType(boolean.class);
            options.addOption("h", "help", false, "help");
-            options.getOption("h").setType(boolean.class);


            super.options = options;
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearch.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearch.java
@@ -0,0 +1,182 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+
+package org.dspace.app.bulkedit;
+
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.UUID;
+
+import org.apache.commons.cli.DefaultParser;
+import org.apache.commons.cli.DefaultParser.Builder;
+import org.apache.commons.cli.ParseException;
+import org.dspace.content.Item;
+import org.dspace.content.MetadataDSpaceCsvExportServiceImpl;
+import org.dspace.content.factory.ContentServiceFactory;
+import org.dspace.content.service.CollectionService;
+import org.dspace.content.service.CommunityService;
+import org.dspace.content.service.MetadataDSpaceCsvExportService;
+import org.dspace.core.Context;
+import org.dspace.discovery.DiscoverQuery;
+import org.dspace.discovery.IndexableObject;
+import org.dspace.discovery.SearchService;
+import org.dspace.discovery.SearchUtils;
+import org.dspace.discovery.configuration.DiscoveryConfiguration;
+import org.dspace.discovery.configuration.DiscoveryConfigurationService;
+import org.dspace.discovery.indexobject.IndexableCollection;
+import org.dspace.discovery.indexobject.IndexableCommunity;
+import org.dspace.discovery.utils.DiscoverQueryBuilder;
+import org.dspace.discovery.utils.parameter.QueryBuilderSearchFilter;
+import org.dspace.eperson.factory.EPersonServiceFactory;
+import org.dspace.eperson.service.EPersonService;
+import org.dspace.scripts.DSpaceRunnable;
+import org.dspace.sort.SortOption;
+import org.dspace.utils.DSpace;
+
+/**
+ * Metadata exporter to allow the batch export of metadata from a discovery search into a file
+ *
+ */
+public class MetadataExportSearch extends DSpaceRunnable<MetadataExportSearchScriptConfiguration> {
+    private static final String EXPORT_CSV = "exportCSV";
+    private boolean help = false;
+    private String identifier;
+    private String discoveryConfigName;
+    private String[] filterQueryStrings;
+    private boolean hasScope = false;
+    private String query;
+
+    private SearchService searchService;
+    private MetadataDSpaceCsvExportService metadataDSpaceCsvExportService;
+    private EPersonService ePersonService;
+    private DiscoveryConfigurationService discoveryConfigurationService;
+    private CommunityService communityService;
+    private CollectionService collectionService;
+    private DiscoverQueryBuilder queryBuilder;
+
+    @Override
+    public MetadataExportSearchScriptConfiguration getScriptConfiguration() {
+        return new DSpace().getServiceManager()
+            .getServiceByName("metadata-export-search", MetadataExportSearchScriptConfiguration.class);
+    }
+
+    @Override
+    public void setup() throws ParseException {
+        searchService = SearchUtils.getSearchService();
+        metadataDSpaceCsvExportService = new DSpace().getServiceManager()
+                                                     .getServiceByName(
+                                                         MetadataDSpaceCsvExportServiceImpl.class.getCanonicalName(),
+                                                         MetadataDSpaceCsvExportService.class
+                                                     );
+        ePersonService = EPersonServiceFactory.getInstance().getEPersonService();
+        discoveryConfigurationService = SearchUtils.getConfigurationService();
+        communityService = ContentServiceFactory.getInstance().getCommunityService();
+        collectionService = ContentServiceFactory.getInstance().getCollectionService();
+        queryBuilder = SearchUtils.getQueryBuilder();
+
+        if (commandLine.hasOption('h')) {
+            help = true;
+            return;
+        }
+
+        if (commandLine.hasOption('q')) {
+            query = commandLine.getOptionValue('q');
+        }
+
+        if (commandLine.hasOption('s')) {
+            hasScope = true;
+            identifier = commandLine.getOptionValue('s');
+        }
+
+        if (commandLine.hasOption('c')) {
+            discoveryConfigName = commandLine.getOptionValue('c');
+        }
+
+        if (commandLine.hasOption('f')) {
+            filterQueryStrings = commandLine.getOptionValues('f');
+        }
+    }
+
+    @Override
+    public void internalRun() throws Exception {
+        if (help) {
+            loghelpinfo();
+            printHelp();
+            return;
+        }
+        handler.logDebug("starting search export");
+
+        IndexableObject dso = null;
+        Context context = new Context();
+        context.setCurrentUser(ePersonService.find(context, this.getEpersonIdentifier()));
+
+        if (hasScope) {
+            dso = resolveScope(context, identifier);
+        }
+
+        DiscoveryConfiguration discoveryConfiguration =
+            discoveryConfigurationService.getDiscoveryConfiguration(discoveryConfigName);
+
+        List<QueryBuilderSearchFilter> queryBuilderSearchFilters = new ArrayList<>();
+
+        handler.logDebug("processing filter queries");
+        if (filterQueryStrings != null) {
+            for (String filterQueryString: filterQueryStrings) {
+                String field = filterQueryString.split(",", 2)[0];
+                String operator = filterQueryString.split("(,|=)", 3)[1];
+                String value = filterQueryString.split("=", 2)[1];
+                QueryBuilderSearchFilter queryBuilderSearchFilter =
+                    new QueryBuilderSearchFilter(field, operator, value);
+                queryBuilderSearchFilters.add(queryBuilderSearchFilter);
+            }
+        }
+        handler.logDebug("building query");
+        DiscoverQuery discoverQuery =
+            queryBuilder.buildQuery(context, dso, discoveryConfiguration, query, queryBuilderSearchFilters,
+            "Item", 10, Long.getLong("0"), null, SortOption.DESCENDING);
+        handler.logDebug("creating iterator");
+
+        Iterator<Item> itemIterator = searchService.iteratorSearch(context, dso, discoverQuery);
+        handler.logDebug("creating dspacecsv");
+        DSpaceCSV dSpaceCSV = metadataDSpaceCsvExportService.export(context, itemIterator, true, handler);
+        handler.logDebug("writing to file " + getFileNameOrExportFile());
+        handler.writeFilestream(context, getFileNameOrExportFile(), dSpaceCSV.getInputStream(), EXPORT_CSV);
+        context.restoreAuthSystemState();
+        context.complete();
+
+    }
+
+    protected void loghelpinfo() {
+        handler.logInfo("metadata-export");
+    }
+
+    protected String getFileNameOrExportFile() {
+        return "metadataExportSearch.csv";
+    }
+
+    public IndexableObject resolveScope(Context context, String id) throws SQLException {
+        UUID uuid = UUID.fromString(id);
+        IndexableObject scopeObj = new IndexableCommunity(communityService.find(context, uuid));
+        if (scopeObj.getIndexedObject() == null) {
+            scopeObj = new IndexableCollection(collectionService.find(context, uuid));
+        }
+        return scopeObj;
+    }
+
+    @Override
+    protected StepResult parse(String[] args) throws ParseException {
+        commandLine = new DefaultParser().parse(getScriptConfiguration().getOptions(), args);
+        Builder builder = new DefaultParser().builder();
+        builder.setStripLeadingAndTrailingQuotes(false);
+        commandLine = builder.build().parse(getScriptConfiguration().getOptions(), args);
+        setup();
+        return StepResult.Continue;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearchCli.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearchCli.java
@@ -0,0 +1,20 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+
+package org.dspace.app.bulkedit;
+
+/**
+ * The cli version of the {@link MetadataExportSearch} script
+ */
+public class MetadataExportSearchCli extends MetadataExportSearch {
+
+    @Override
+    protected String getFileNameOrExportFile() {
+        return commandLine.getOptionValue('n');
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearchCliScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearchCliScriptConfiguration.java
@@ -0,0 +1,26 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+
+package org.dspace.app.bulkedit;
+
+import org.apache.commons.cli.Options;
+
+/**
+ * This is the CLI version of the {@link MetadataExportSearchScriptConfiguration} class that handles the
+ * configuration for the {@link MetadataExportSearchCli} script
+ */
+public class MetadataExportSearchCliScriptConfiguration
+    extends MetadataExportSearchScriptConfiguration<MetadataExportSearchCli> {
+
+    @Override
+    public Options getOptions() {
+        Options options = super.getOptions();
+        options.addOption("n", "filename", true, "the filename to export to");
+        return super.getOptions();
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearchScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataExportSearchScriptConfiguration.java
@@ -0,0 +1,56 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+
+package org.dspace.app.bulkedit;
+
+import org.apache.commons.cli.Options;
+import org.dspace.scripts.configuration.ScriptConfiguration;
+
+/**
+ * The {@link ScriptConfiguration} for the {@link MetadataExportSearch} script
+ */
+public class MetadataExportSearchScriptConfiguration<T extends MetadataExportSearch> extends ScriptConfiguration<T> {
+
+    private Class<T> dspaceRunnableclass;
+
+    @Override
+    public Class<T> getDspaceRunnableClass() {
+        return dspaceRunnableclass;
+    }
+
+    @Override
+    public void setDspaceRunnableClass(Class<T> dspaceRunnableClass) {
+        this.dspaceRunnableclass = dspaceRunnableClass;
+    }
+
+    @Override
+    public Options getOptions() {
+        if (options == null) {
+            Options options = new Options();
+            options.addOption("q", "query", true,
+                "The discovery search string to will be used to match records. Not URL encoded");
+            options.getOption("q").setType(String.class);
+            options.addOption("s", "scope", true,
+                "UUID of a specific DSpace container (site, community or collection) to which the search has to be " +
+                    "limited");
+            options.getOption("s").setType(String.class);
+            options.addOption("c", "configuration", true,
+                "The name of a Discovery configuration that should be used by this search");
+            options.getOption("c").setType(String.class);
+            options.addOption("f", "filter", true,
+                "Advanced search filter that has to be used to filter the result set, with syntax `<:filter-name>," +
+                    "<:filter-operator>=<:filter-value>`. Not URL encoded. For example `author," +
+                    "authority=5df05073-3be7-410d-8166-e254369e4166` or `title,contains=sample text`");
+            options.getOption("f").setType(String.class);
+            options.addOption("h", "help", false, "help");
+
+            super.options =  options;
+        }
+        return options;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataImport.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataImport.java
@@ -20,9 +20,10 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.UUID;
-import javax.annotation.Nullable;

+import jakarta.annotation.Nullable;
 import org.apache.commons.cli.ParseException;
+import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.app.util.RelationshipUtils;
@@ -89,7 +90,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
    /**
     * The authority controlled fields
     */
-    protected static Set<String> authorityControlled;
+    protected Set<String> authorityControlled;

    /**
     * The prefix of the authority controlled field
@@ -253,7 +254,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                displayChanges(changes, true);
            }

-            // Finsh off and tidy up
+            // Finish off and tidy up
            c.restoreAuthSystemState();
            c.complete();
        } catch (Exception e) {
@@ -494,7 +495,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura

                // Check it has an owning collection
                List<String> collections = line.get("collection");
-                if (collections == null) {
+                if (collections == null || collections.isEmpty()) {
                    throw new MetadataImportException(
                        "New items must have a 'collection' assigned in the form of a handle");
                }
@@ -578,6 +579,10 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                            wfItem = workflowService.startWithoutNotify(c, wsItem);
                        }
                    } else {
+                        // Add provenance info
+                        String provenance = installItemService.getSubmittedByProvenanceMessage(c, wsItem.getItem());
+                        itemService.addMetadata(c, item, MetadataSchemaEnum.DC.getName(),
+                                "description", "provenance", "en", provenance);
                        // Install the item
                        installItemService.installItem(c, wsItem);
                    }
@@ -598,18 +603,19 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                changes.add(whatHasChanged);
            }

-            if (change) {
-                //only clear cache if changes have been made.
-                c.uncacheEntity(wsItem);
-                c.uncacheEntity(wfItem);
-                c.uncacheEntity(item);
+            if (change && (rowCount % configurationService.getIntProperty("bulkedit.change.commit.count", 100) == 0)) {
+                c.commit();
+                handler.logInfo(LogHelper.getHeader(c, "metadata_import_commit", "lineNumber=" + rowCount));
            }
            populateRefAndRowMap(line, item == null ? null : item.getID());
            // keep track of current rows processed
            rowCount++;
        }
+        if (change) {
+            c.commit();
+        }

-        c.setMode(originalMode);
+        c.setMode(Context.Mode.READ_ONLY);


        // Return the changes
@@ -737,10 +743,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
            if (value == null || !value.contains(csv.getAuthoritySeparator())) {
                simplyCopyValue(value, dcv);
            } else {
-                String[] parts = value.split(csv.getAuthoritySeparator());
-                dcv.setValue(parts[0]);
-                dcv.setAuthority(parts[1]);
-                dcv.setConfidence((parts.length > 2 ? Integer.valueOf(parts[2]) : Choices.CF_ACCEPTED));
+                resolveValueAndAuthority(value, dcv);
            }

            // fromAuthority==null: with the current implementation metadata values from external authority sources
@@ -820,8 +823,10 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                addRelationships(c, item, element, values);
            } else {
                itemService.clearMetadata(c, item, schema, element, qualifier, language);
+                if (!values.isEmpty()) {
                    itemService.addMetadata(c, item, schema, element, qualifier,
                                            language, values, authorities, confidences);
+                }
                itemService.update(c, item);
            }
        }
@@ -925,11 +930,10 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
            rightItem = item;
        }

-        // Create the relationship
-        int leftPlace = relationshipService.findNextLeftPlaceByLeftItem(c, leftItem);
-        int rightPlace = relationshipService.findNextRightPlaceByRightItem(c, rightItem);
-        Relationship persistedRelationship = relationshipService.create(c, leftItem, rightItem,
-                                                                        foundRelationshipType, leftPlace, rightPlace);
+        // Create the relationship, appending to the end
+        Relationship persistedRelationship = relationshipService.create(
+            c, leftItem, rightItem, foundRelationshipType, -1, -1
+        );
        relationshipService.update(c, persistedRelationship);
    }

@@ -1117,8 +1121,8 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                    .getAuthoritySeparator() + dcv.getConfidence();
            }

-            // Add it
-            if ((value != null) && (!"".equals(value))) {
+            // Add it, if value is not blank
+            if (value != null && StringUtils.isNotBlank(value)) {
                changes.registerAdd(dcv);
            }
        }
@@ -1139,12 +1143,12 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
            }

            // look up the value and authority in solr
-            List<AuthorityValue> byValue = authorityValueService.findByValue(c, schema, element, qualifier, value);
+            List<AuthorityValue> byValue = authorityValueService.findByValue(schema, element, qualifier, value);
            AuthorityValue authorityValue = null;
            if (byValue.isEmpty()) {
                String toGenerate = fromAuthority.generateString() + value;
                String field = schema + "_" + element + (StringUtils.isNotBlank(qualifier) ? "_" + qualifier : "");
-                authorityValue = authorityValueService.generate(c, toGenerate, value, field);
+                authorityValue = authorityValueService.generate(toGenerate, value, field);
                dcv.setAuthority(toGenerate);
            } else {
                authorityValue = byValue.get(0);
@@ -1156,10 +1160,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
        } else if (value == null || !value.contains(csv.getAuthoritySeparator())) {
            simplyCopyValue(value, dcv);
        } else {
-            String[] parts = value.split(csv.getEscapedAuthoritySeparator());
-            dcv.setValue(parts[0]);
-            dcv.setAuthority(parts[1]);
-            dcv.setConfidence((parts.length > 2 ? Integer.valueOf(parts[2]) : Choices.CF_ACCEPTED));
+            resolveValueAndAuthority(value, dcv);
        }
        return dcv;
    }
@@ -1170,6 +1171,35 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
        dcv.setConfidence(Choices.CF_UNSET);
    }

+    private void resolveValueAndAuthority(String value, BulkEditMetadataValue dcv) {
+        // Cells with valid authority are composed of three parts ~ <value>, <authority>, <confidence>
+        // The value itself may also include the authority separator though
+        String[] parts = value.split(csv.getEscapedAuthoritySeparator());
+
+        // If we don't have enough parts, assume the whole string is the value
+        if (parts.length < 3) {
+            simplyCopyValue(value, dcv);
+            return;
+        }
+
+        try {
+            // The last part of the cell must be a confidence value (integer)
+            int confidence = Integer.parseInt(parts[parts.length - 1]);
+            String authority = parts[parts.length - 2];
+            String plainValue = String.join(
+                csv.getAuthoritySeparator(),
+                ArrayUtils.subarray(parts, 0, parts.length - 2)
+            );
+
+            dcv.setValue(plainValue);
+            dcv.setAuthority(authority);
+            dcv.setConfidence(confidence);
+        } catch (NumberFormatException e) {
+            // Otherwise assume the whole string is the value
+            simplyCopyValue(value, dcv);
+        }
+    }
+
    /**
     * Method to find if a String occurs in an array of Strings
     *
@@ -1362,10 +1392,10 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
    /**
     * is the field is defined as authority controlled
     */
-    private static boolean isAuthorityControlledField(String md) {
-        String mdf = StringUtils.substringAfter(md, ":");
+    private boolean isAuthorityControlledField(String md) {
+        String mdf = md.contains(":") ? StringUtils.substringAfter(md, ":") : md;
        mdf = StringUtils.substringBefore(mdf, "[");
-        return authorityControlled.contains(mdf);
+        return authorityControlled.contains(mdf) || authorityControlled.contains(md);
    }

    /**
@@ -1530,7 +1560,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                ContentServiceFactory.getInstance().getMetadataFieldService();
            int i = reference.indexOf(":");
            String mfValue = reference.substring(i + 1);
-            String mf[] = reference.substring(0, i).split("\\.");
+            String[] mf = reference.substring(0, i).split("\\.");
            if (mf.length < 2) {
                throw new MetadataImportException("Error in CSV row " + rowCount + ":\n" +
                                                      "Bad metadata field in reference: '" + reference
@@ -1647,7 +1677,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                                                  .getLabel();
                } else {
                    // Target item may be archived; check there.
-                    // Add to errors if Realtionship.type cannot be derived
+                    // Add to errors if Relationship.type cannot be derived
                    Item targetItem = null;
                    if (itemService.find(c, UUID.fromString(targetUUID)) != null) {
                        targetItem = itemService.find(c, UUID.fromString(targetUUID));
@@ -1692,7 +1722,7 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                            validateTypesByTypeByTypeName(c, targetType, originType, typeName, originRow);
                        } else {
                            // Origin item may be archived; check there.
-                            // Add to errors if Realtionship.type cannot be derived.
+                            // Add to errors if Relationship.type cannot be derived.
                            Item originItem = null;
                            if (itemService.find(c, UUID.fromString(targetUUID)) != null) {
                                DSpaceCSVLine dSpaceCSVLine = this.csv.getCSVLines()
@@ -1796,5 +1826,4 @@ public class MetadataImport extends DSpaceRunnable<MetadataImportScriptConfigura
                                                   String targetType, String originType, String originTypeName) {
        return RelationshipUtils.matchRelationshipType(relTypes, targetType, originType, originTypeName);
    }
-
 }
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataImportCliScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataImportCliScriptConfiguration.java
@@ -19,7 +19,6 @@ public class MetadataImportCliScriptConfiguration extends MetadataImportScriptCo
    public Options getOptions() {
        Options options = super.getOptions();
        options.addOption("e", "email", true, "email address or user id of user (required if adding new items)");
-        options.getOption("e").setType(String.class);
        options.getOption("e").setRequired(true);
        super.options = options;
        return options;
--- a/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataImportScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/bulkedit/MetadataImportScriptConfiguration.java
@@ -8,22 +8,15 @@
 package org.dspace.app.bulkedit;

 import java.io.InputStream;
-import java.sql.SQLException;

 import org.apache.commons.cli.Options;
-import org.dspace.authorize.service.AuthorizeService;
-import org.dspace.core.Context;
 import org.dspace.scripts.configuration.ScriptConfiguration;
-import org.springframework.beans.factory.annotation.Autowired;

 /**
 * The {@link ScriptConfiguration} for the {@link MetadataImport} script
 */
 public class MetadataImportScriptConfiguration<T extends MetadataImport> extends ScriptConfiguration<T> {

-    @Autowired
-    private AuthorizeService authorizeService;
-
    private Class<T> dspaceRunnableClass;

    @Override
@@ -40,15 +33,6 @@ public class MetadataImportScriptConfiguration<T extends MetadataImport> extends
        this.dspaceRunnableClass = dspaceRunnableClass;
    }

-    @Override
-    public boolean isAllowedToExecute(Context context) {
-        try {
-            return authorizeService.isAdmin(context);
-        } catch (SQLException e) {
-            throw new RuntimeException("SQLException occurred when checking if the current user is an admin", e);
-        }
-    }
-
    @Override
    public Options getOptions() {
        if (options == null) {
@@ -59,20 +43,14 @@ public class MetadataImportScriptConfiguration<T extends MetadataImport> extends
            options.getOption("f").setRequired(true);
            options.addOption("s", "silent", false,
                              "silent operation - doesn't request confirmation of changes USE WITH CAUTION");
-            options.getOption("s").setType(boolean.class);
            options.addOption("w", "workflow", false, "workflow - when adding new items, use collection workflow");
-            options.getOption("w").setType(boolean.class);
            options.addOption("n", "notify", false,
                              "notify - when adding new items using a workflow, send notification emails");
-            options.getOption("n").setType(boolean.class);
            options.addOption("v", "validate-only", false,
                              "validate - just validate the csv, don't run the import");
-            options.getOption("v").setType(boolean.class);
            options.addOption("t", "template", false,
                              "template - when adding new items, use the collection template (if it exists)");
-            options.getOption("t").setType(boolean.class);
            options.addOption("h", "help", false, "help");
-            options.getOption("h").setType(boolean.class);

            super.options = options;
        }
--- a/dspace-api/src/main/java/org/dspace/app/checker/ChecksumChecker.java
+++ b/dspace-api/src/main/java/org/dspace/app/checker/ChecksumChecker.java
@@ -9,9 +9,8 @@ package org.dspace.app.checker;

 import java.io.FileNotFoundException;
 import java.sql.SQLException;
+import java.time.Instant;
 import java.util.ArrayList;
-import java.util.Calendar;
-import java.util.Date;
 import java.util.List;
 import java.util.UUID;

@@ -149,7 +148,7 @@ public final class ChecksumChecker {
                                       + " old results from the database.");
            }

-            Date processStart = Calendar.getInstance().getTime();
+            Instant processStart = Instant.now();

            BitstreamDispatcher dispatcher = null;

@@ -180,10 +179,8 @@ public final class ChecksumChecker {
                // run checker process for specified duration
                try {
                    dispatcher = new LimitedDurationDispatcher(
-                        new SimpleDispatcher(context, processStart, true), new Date(
-                        System.currentTimeMillis()
-                            + Utils.parseDuration(line
-                                                      .getOptionValue('d'))));
+                        new SimpleDispatcher(context, processStart, true), Instant.ofEpochMilli(
+                        Instant.now().toEpochMilli() + Utils.parseDuration(line.getOptionValue('d'))));
                } catch (Exception e) {
                    LOG.fatal("Couldn't parse " + line.getOptionValue('d')
                                  + " as a duration: ", e);
--- a/dspace-api/src/main/java/org/dspace/app/client/DSpaceHttpClientFactory.java
+++ b/dspace-api/src/main/java/org/dspace/app/client/DSpaceHttpClientFactory.java
@@ -0,0 +1,152 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.client;
+
+import static org.apache.commons.collections4.ListUtils.emptyIfNull;
+
+import java.util.List;
+
+import org.apache.http.HttpRequestInterceptor;
+import org.apache.http.HttpResponseInterceptor;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.config.RequestConfig;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.dspace.services.ConfigurationService;
+import org.dspace.utils.DSpace;
+import org.springframework.beans.factory.annotation.Autowired;
+
+/**
+ * Factory of {@link HttpClient} with common configurations.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class DSpaceHttpClientFactory {
+
+    @Autowired
+    private ConfigurationService configurationService;
+
+    @Autowired
+    private DSpaceProxyRoutePlanner proxyRoutePlanner;
+
+    @Autowired(required = false)
+    private List<HttpRequestInterceptor> requestInterceptors;
+
+    @Autowired(required = false)
+    private List<HttpResponseInterceptor> responseInterceptors;
+
+    /**
+     * Get an instance of {@link DSpaceHttpClientFactory} from the Spring context.
+     * @return the bean instance
+     */
+    public static DSpaceHttpClientFactory getInstance() {
+        return new DSpace().getSingletonService(DSpaceHttpClientFactory.class);
+    }
+
+    /**
+     * Build an instance of {@link HttpClient} setting the proxy if configured.
+     *
+     * @return the client
+     */
+    public CloseableHttpClient build() {
+        return build(HttpClientBuilder.create(), true);
+    }
+
+    /**
+     * return a Builder if an instance of {@link HttpClient} pre-setting the proxy if configured.
+     *
+     * @return the client
+     */
+    public HttpClientBuilder builder(boolean setProxy) {
+        HttpClientBuilder clientBuilder = HttpClientBuilder.create();
+        if (setProxy) {
+            clientBuilder.setRoutePlanner(proxyRoutePlanner);
+        }
+        getRequestInterceptors().forEach(clientBuilder::addInterceptorLast);
+        getResponseInterceptors().forEach(clientBuilder::addInterceptorLast);
+        return clientBuilder;
+    }
+
+    /**
+     * Build an instance of {@link HttpClient} without setting the proxy, even if
+     * configured.
+     *
+     * @return the client
+     */
+    public CloseableHttpClient buildWithoutProxy() {
+        return build(HttpClientBuilder.create(), false);
+    }
+
+    /**
+     * Build an instance of {@link HttpClient} setting the proxy if configured,
+     * disabling automatic retries and setting the maximum total connection.
+     *
+     * @param  maxConnTotal the maximum total connection value
+     * @return              the client
+     */
+    public CloseableHttpClient buildWithoutAutomaticRetries(int maxConnTotal) {
+        HttpClientBuilder clientBuilder = HttpClientBuilder.create()
+                .disableAutomaticRetries()
+                .setMaxConnTotal(maxConnTotal);
+        return build(clientBuilder, true);
+    }
+
+    /**
+     * Build an instance of {@link HttpClient} setting the proxy if configured with
+     * the given request configuration.
+     * @param  requestConfig the request configuration
+     * @return               the client
+     */
+    public CloseableHttpClient buildWithRequestConfig(RequestConfig requestConfig) {
+        HttpClientBuilder httpClientBuilder = HttpClientBuilder.create()
+                .setDefaultRequestConfig(requestConfig);
+        return build(httpClientBuilder, true);
+    }
+
+    private CloseableHttpClient build(HttpClientBuilder clientBuilder, boolean setProxy) {
+        if (setProxy) {
+            clientBuilder.setRoutePlanner(proxyRoutePlanner);
+        }
+        getRequestInterceptors().forEach(clientBuilder::addInterceptorLast);
+        getResponseInterceptors().forEach(clientBuilder::addInterceptorLast);
+        return clientBuilder.build();
+    }
+
+    public ConfigurationService getConfigurationService() {
+        return configurationService;
+    }
+
+    public void setConfigurationService(ConfigurationService configurationService) {
+        this.configurationService = configurationService;
+    }
+
+    public List<HttpRequestInterceptor> getRequestInterceptors() {
+        return emptyIfNull(requestInterceptors);
+    }
+
+    public void setRequestInterceptors(List<HttpRequestInterceptor> requestInterceptors) {
+        this.requestInterceptors = requestInterceptors;
+    }
+
+    public List<HttpResponseInterceptor> getResponseInterceptors() {
+        return emptyIfNull(responseInterceptors);
+    }
+
+    public void setResponseInterceptors(List<HttpResponseInterceptor> responseInterceptors) {
+        this.responseInterceptors = responseInterceptors;
+    }
+
+    public DSpaceProxyRoutePlanner getProxyRoutePlanner() {
+        return proxyRoutePlanner;
+    }
+
+    public void setProxyRoutePlanner(DSpaceProxyRoutePlanner proxyRoutePlanner) {
+        this.proxyRoutePlanner = proxyRoutePlanner;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/client/DSpaceProxyRoutePlanner.java
+++ b/dspace-api/src/main/java/org/dspace/app/client/DSpaceProxyRoutePlanner.java
@@ -0,0 +1,73 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.client;
+
+import java.util.Arrays;
+
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.http.HttpException;
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.impl.conn.DefaultRoutePlanner;
+import org.apache.http.protocol.HttpContext;
+import org.dspace.services.ConfigurationService;
+
+/**
+ * Extension of {@link DefaultRoutePlanner} that determine the proxy based on
+ * the configuration service, ignoring configured hosts.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class DSpaceProxyRoutePlanner extends DefaultRoutePlanner {
+
+    private ConfigurationService configurationService;
+
+    public DSpaceProxyRoutePlanner(ConfigurationService configurationService) {
+        super(null);
+        this.configurationService = configurationService;
+    }
+
+    @Override
+    protected HttpHost determineProxy(HttpHost target, HttpRequest request, HttpContext context) throws HttpException {
+        if (isTargetHostConfiguredToBeIgnored(target)) {
+            return null;
+        }
+        String proxyHost = configurationService.getProperty("http.proxy.host");
+        String proxyPort = configurationService.getProperty("http.proxy.port");
+        if (StringUtils.isAnyBlank(proxyHost, proxyPort)) {
+            return null;
+        }
+        try {
+            return new HttpHost(proxyHost, Integer.parseInt(proxyPort), "http");
+        } catch (NumberFormatException e) {
+            throw new RuntimeException("Invalid proxy port configuration: " + proxyPort);
+        }
+    }
+
+    private boolean isTargetHostConfiguredToBeIgnored(HttpHost target) {
+        String[] hostsToIgnore = configurationService.getArrayProperty("http.proxy.hosts-to-ignore");
+        if (ArrayUtils.isEmpty(hostsToIgnore)) {
+            return false;
+        }
+        return Arrays.stream(hostsToIgnore)
+                .anyMatch(host -> matchesHost(host, target.getHostName()));
+    }
+
+    private boolean matchesHost(String hostPattern, String hostName) {
+        if (hostName.equals(hostPattern)) {
+            return true;
+        } else if (hostPattern.startsWith("*")) {
+            return hostName.endsWith(StringUtils.removeStart(hostPattern, "*"));
+        } else if (hostPattern.endsWith("*")) {
+            return hostName.startsWith(StringUtils.removeEnd(hostPattern, "*"));
+        }
+        return false;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/exception/ResourceAlreadyExistsException.java
+++ b/dspace-api/src/main/java/org/dspace/app/exception/ResourceAlreadyExistsException.java
@@ -0,0 +1,32 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.exception;
+
+/**
+ * This class provides an exception to be used when trying to save a resource
+ * that already exists.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class ResourceAlreadyExistsException extends RuntimeException {
+
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Create a ResourceAlreadyExistsException with a message and the already
+     * existing resource.
+     *
+     * @param message  the error message
+     */
+    public ResourceAlreadyExistsException(String message) {
+        super(message);
+    }
+
+
+}
--- a/dspace-api/src/main/java/org/dspace/app/harvest/HarvestScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/harvest/HarvestScriptConfiguration.java
@@ -7,18 +7,11 @@
 */
 package org.dspace.app.harvest;

-import java.sql.SQLException;
-
 import org.apache.commons.cli.Options;
-import org.dspace.authorize.service.AuthorizeService;
-import org.dspace.core.Context;
 import org.dspace.scripts.configuration.ScriptConfiguration;
-import org.springframework.beans.factory.annotation.Autowired;


 public class HarvestScriptConfiguration<T extends Harvest> extends ScriptConfiguration<T> {
-    @Autowired
-    private AuthorizeService authorizeService;

    private Class<T> dspaceRunnableClass;

@@ -32,33 +25,18 @@ public class HarvestScriptConfiguration<T extends Harvest> extends ScriptConfigu
        this.dspaceRunnableClass = dspaceRunnableClass;
    }

-    public boolean isAllowedToExecute(final Context context) {
-        try {
-            return authorizeService.isAdmin(context);
-        } catch (SQLException e) {
-            throw new RuntimeException("SQLException occurred when checking if the current user is an admin", e);
-        }
-    }

    public Options getOptions() {
        Options options = new Options();
        options.addOption("p", "purge", false, "delete all items in the collection");
-        options.getOption("p").setType(boolean.class);
        options.addOption("r", "run", false, "run the standard harvest procedure");
-        options.getOption("r").setType(boolean.class);
        options.addOption("g", "ping", false, "test the OAI server and set");
-        options.getOption("g").setType(boolean.class);
        options.addOption("s", "setup", false, "Set the collection up for harvesting");
-        options.getOption("s").setType(boolean.class);
        options.addOption("S", "start", false, "start the harvest loop");
-        options.getOption("S").setType(boolean.class);
        options.addOption("R", "reset", false, "reset harvest status on all collections");
-        options.getOption("R").setType(boolean.class);
        options.addOption("P", "purgeCollections", false, "purge all harvestable collections");
-        options.getOption("P").setType(boolean.class);
        options.addOption("o", "reimport", false, "reimport all items in the collection, " +
            "this is equivalent to -p -r, purging all items in a collection and reimporting them");
-        options.getOption("o").setType(boolean.class);
        options.addOption("c", "collection", true,
                          "harvesting collection (handle or id)");
        options.addOption("t", "type", true,
@@ -72,7 +50,6 @@ public class HarvestScriptConfiguration<T extends Harvest> extends ScriptConfigu
                                  "crosswalk in dspace.cfg");

        options.addOption("h", "help", false, "help");
-        options.getOption("h").setType(boolean.class);

        return options;
    }
--- a/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExport.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExport.java
@@ -0,0 +1,264 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.itemexport;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.nio.file.Path;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.UUID;
+
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.io.file.PathUtils;
+import org.dspace.app.itemexport.factory.ItemExportServiceFactory;
+import org.dspace.app.itemexport.service.ItemExportService;
+import org.dspace.content.Collection;
+import org.dspace.content.Item;
+import org.dspace.content.factory.ContentServiceFactory;
+import org.dspace.content.service.CollectionService;
+import org.dspace.content.service.ItemService;
+import org.dspace.core.Constants;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.factory.EPersonServiceFactory;
+import org.dspace.eperson.service.EPersonService;
+import org.dspace.handle.factory.HandleServiceFactory;
+import org.dspace.handle.service.HandleService;
+import org.dspace.scripts.DSpaceRunnable;
+import org.dspace.utils.DSpace;
+
+/**
+ * Item exporter to create simple AIPs for DSpace content. Currently exports
+ * individual items, or entire collections. For instructions on use, see
+ * printUsage() method.
+ * <P>
+ * ItemExport creates the simple AIP package that the importer also uses. It
+ * consists of:
+ * <P>
+ * /exportdir/42/ (one directory per item) / dublin_core.xml - qualified dublin
+ * core in RDF schema / contents - text file, listing one file per line / file1
+ * - files contained in the item / file2 / ...
+ * <P>
+ * issues -doesn't handle special characters in metadata (needs to turn {@code &'s} into
+ * {@code &amp;}, etc.)
+ * <P>
+ * Modified by David Little, UCSD Libraries 12/21/04 to allow the registration
+ * of files (bitstreams) into DSpace.
+ *
+ * @author David Little
+ * @author Jay Paz
+ */
+public class ItemExport extends DSpaceRunnable<ItemExportScriptConfiguration> {
+
+    public static final String TEMP_DIR = "exportSAF";
+    public static final String ZIP_NAME = "exportSAFZip";
+    public static final String ZIP_FILENAME = "saf-export";
+    public static final String ZIP_EXT = "zip";
+
+    protected String typeString = null;
+    protected String destDirName = null;
+    protected String idString = null;
+    protected int seqStart = -1;
+    protected int type = -1;
+    protected Item item = null;
+    protected Collection collection = null;
+    protected boolean migrate = false;
+    protected boolean zip = false;
+    protected String zipFileName = "";
+    protected boolean excludeBitstreams = false;
+    protected boolean help = false;
+
+    protected static HandleService handleService = HandleServiceFactory.getInstance().getHandleService();
+    protected static ItemService itemService = ContentServiceFactory.getInstance().getItemService();
+    protected static CollectionService collectionService = ContentServiceFactory.getInstance().getCollectionService();
+    protected static final EPersonService epersonService =
+            EPersonServiceFactory.getInstance().getEPersonService();
+
+    @Override
+    public ItemExportScriptConfiguration getScriptConfiguration() {
+        return new DSpace().getServiceManager()
+                .getServiceByName("export", ItemExportScriptConfiguration.class);
+    }
+
+    @Override
+    public void setup() throws ParseException {
+        help = commandLine.hasOption('h');
+
+        if (commandLine.hasOption('t')) { // type
+            typeString = commandLine.getOptionValue('t');
+
+            if ("ITEM".equals(typeString)) {
+                type = Constants.ITEM;
+            } else if ("COLLECTION".equals(typeString)) {
+                type = Constants.COLLECTION;
+            }
+        }
+
+        if (commandLine.hasOption('i')) { // id
+            idString = commandLine.getOptionValue('i');
+        }
+
+        setNumber();
+
+        if (commandLine.hasOption('m')) { // number
+            migrate = true;
+        }
+
+        if (commandLine.hasOption('x')) {
+            excludeBitstreams = true;
+        }
+    }
+
+    @Override
+    public void internalRun() throws Exception {
+        if (help) {
+            printHelp();
+            return;
+        }
+
+        validate();
+
+        Context context = new Context();
+        context.turnOffAuthorisationSystem();
+
+        if (type == Constants.ITEM) {
+            // first, is myIDString a handle?
+            if (idString.indexOf('/') != -1) {
+                item = (Item) handleService.resolveToObject(context, idString);
+
+                if ((item == null) || (item.getType() != Constants.ITEM)) {
+                    item = null;
+                }
+            } else {
+                item = itemService.find(context, UUID.fromString(idString));
+            }
+
+            if (item == null) {
+                handler.logError("The item cannot be found: " + idString + " (run with -h flag for details)");
+                throw new UnsupportedOperationException("The item cannot be found: " + idString);
+            }
+        } else {
+            if (idString.indexOf('/') != -1) {
+                // has a / must be a handle
+                collection = (Collection) handleService.resolveToObject(context,
+                                                                          idString);
+
+                // ensure it's a collection
+                if ((collection == null)
+                    || (collection.getType() != Constants.COLLECTION)) {
+                    collection = null;
+                }
+            } else {
+                collection = collectionService.find(context, UUID.fromString(idString));
+            }
+
+            if (collection == null) {
+                handler.logError("The collection cannot be found: " + idString + " (run with -h flag for details)");
+                throw new UnsupportedOperationException("The collection cannot be found: " + idString);
+            }
+        }
+
+        ItemExportService itemExportService = ItemExportServiceFactory.getInstance()
+                .getItemExportService();
+        try {
+            itemExportService.setHandler(handler);
+            process(context, itemExportService);
+            context.complete();
+        } catch (Exception e) {
+            context.abort();
+            throw new Exception(e);
+        }
+    }
+
+    /**
+     * Validate the options
+     */
+    protected void validate() {
+        if (type == -1) {
+            handler.logError("The type must be either COLLECTION or ITEM (run with -h flag for details)");
+            throw new UnsupportedOperationException("The type must be either COLLECTION or ITEM");
+        }
+
+        if (idString == null) {
+            handler.logError("The ID must be set to either a database ID or a handle (run with -h flag for details)");
+            throw new UnsupportedOperationException("The ID must be set to either a database ID or a handle");
+        }
+    }
+
+    /**
+     * Process the export
+     * @param context
+     * @throws Exception
+     */
+    protected void process(Context context, ItemExportService itemExportService) throws Exception {
+        setEPerson(context);
+        setDestDirName(context, itemExportService);
+        setZip(context);
+
+        Iterator<Item> items;
+        if (item != null) {
+            List<Item> myItems = new ArrayList<>();
+            myItems.add(item);
+            items = myItems.iterator();
+        } else {
+            handler.logInfo("Exporting from collection: " + idString);
+            items = itemService.findByCollection(context, collection);
+        }
+        itemExportService.exportAsZip(context, items, destDirName, zipFileName,
+                seqStart, migrate, excludeBitstreams);
+
+        File zip = new File(destDirName + System.getProperty("file.separator") + zipFileName);
+        try (InputStream is = new FileInputStream(zip)) {
+            // write input stream on handler
+            handler.writeFilestream(context, ZIP_FILENAME + "." + ZIP_EXT, is, ZIP_NAME);
+        } finally {
+            PathUtils.deleteDirectory(Path.of(destDirName));
+        }
+    }
+
+    /**
+     * Set the destination directory option
+     */
+    protected void setDestDirName(Context context, ItemExportService itemExportService) throws Exception {
+        destDirName = itemExportService.getExportWorkDirectory() + File.separator + TEMP_DIR;
+    }
+
+    /**
+     * Set the zip option
+     */
+    protected void setZip(Context context) {
+        zip = true;
+        zipFileName = ZIP_FILENAME + "-" + context.getCurrentUser().getID() + "." + ZIP_EXT;
+    }
+
+    /**
+     * Set the number option
+     */
+    protected void setNumber() {
+        seqStart = 1;
+        if (commandLine.hasOption('n')) { // number
+            seqStart = Integer.parseInt(commandLine.getOptionValue('n'));
+        }
+    }
+
+    private void setEPerson(Context context) throws SQLException {
+        EPerson myEPerson = epersonService.find(context, this.getEpersonIdentifier());
+
+        // check eperson
+        if (myEPerson == null) {
+            handler.logError("EPerson cannot be found: " + this.getEpersonIdentifier());
+            throw new UnsupportedOperationException("EPerson cannot be found: " + this.getEpersonIdentifier());
+        }
+
+        context.setCurrentUser(myEPerson);
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportCLI.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportCLI.java
@@ -0,0 +1,96 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.itemexport;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+
+import org.dspace.app.itemexport.service.ItemExportService;
+import org.dspace.content.Item;
+import org.dspace.core.Context;
+
+/**
+ * CLI variant for the {@link ItemExport} class.
+ * This was done to specify the specific behaviors for the CLI.
+ *
+ * @author Francesco Pio Scognamiglio (francescopio.scognamiglio at 4science.com)
+ */
+public class ItemExportCLI extends ItemExport {
+
+    @Override
+    protected void validate() {
+        super.validate();
+
+        setDestDirName();
+
+        if (destDirName == null) {
+            handler.logError("The destination directory must be set (run with -h flag for details)");
+            throw new UnsupportedOperationException("The destination directory must be set");
+        }
+
+        if (seqStart == -1) {
+            handler.logError("The sequence start number must be set (run with -h flag for details)");
+            throw new UnsupportedOperationException("The sequence start number must be set");
+        }
+    }
+
+    @Override
+    protected void process(Context context, ItemExportService itemExportService) throws Exception {
+        setZip(context);
+
+        if (zip) {
+            Iterator<Item> items;
+            if (item != null) {
+                List<Item> myItems = new ArrayList<>();
+                myItems.add(item);
+                items = myItems.iterator();
+            } else {
+                handler.logInfo("Exporting from collection: " + idString);
+                items = itemService.findByCollection(context, collection);
+            }
+            itemExportService.exportAsZip(context, items, destDirName, zipFileName,
+                    seqStart, migrate, excludeBitstreams);
+        } else {
+            if (item != null) {
+                // it's only a single item
+                itemExportService
+                    .exportItem(context, Collections.singletonList(item).iterator(), destDirName,
+                            seqStart, migrate, excludeBitstreams);
+            } else {
+                handler.logInfo("Exporting from collection: " + idString);
+
+                // it's a collection, so do a bunch of items
+                Iterator<Item> i = itemService.findByCollection(context, collection);
+                itemExportService.exportItem(context, i, destDirName, seqStart, migrate, excludeBitstreams);
+            }
+        }
+    }
+
+    protected void setDestDirName() {
+        if (commandLine.hasOption('d')) { // dest
+            destDirName = commandLine.getOptionValue('d');
+        }
+    }
+
+    @Override
+    protected void setZip(Context context) {
+        if (commandLine.hasOption('z')) {
+            zip = true;
+            zipFileName = commandLine.getOptionValue('z');
+        }
+    }
+
+    @Override
+    protected void setNumber() {
+        if (commandLine.hasOption('n')) { // number
+            seqStart = Integer.parseInt(commandLine.getOptionValue('n'));
+        }
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportCLIScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportCLIScriptConfiguration.java
@@ -0,0 +1,56 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.itemexport;
+
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.dspace.scripts.configuration.ScriptConfiguration;
+
+/**
+ * The {@link ScriptConfiguration} for the {@link ItemExportCLI} script
+ * 
+ * @author Francesco Pio Scognamiglio (francescopio.scognamiglio at 4science.com)
+ */
+public class ItemExportCLIScriptConfiguration extends ItemExportScriptConfiguration<ItemExportCLI> {
+
+    @Override
+    public Options getOptions() {
+        Options options = new Options();
+
+        options.addOption(Option.builder("t").longOpt("type")
+                .desc("type: COLLECTION or ITEM")
+                .hasArg().required().build());
+        options.addOption(Option.builder("i").longOpt("id")
+                .desc("ID or handle of thing to export")
+                .hasArg().required().build());
+        options.addOption(Option.builder("d").longOpt("dest")
+                .desc("destination where you want items to go")
+                .hasArg().required().build());
+        options.addOption(Option.builder("n").longOpt("number")
+                .desc("sequence number to begin exporting items with")
+                .hasArg().required().build());
+        options.addOption(Option.builder("z").longOpt("zip")
+                .desc("export as zip file (specify filename e.g. export.zip)")
+                .hasArg().required(false).build());
+        options.addOption(Option.builder("m").longOpt("migrate")
+                .desc("export for migration (remove handle and metadata that will be re-created in new system)")
+                .hasArg(false).required(false).build());
+
+        // as pointed out by Peter Dietz this provides similar functionality to export metadata
+        // but it is needed since it directly exports to Simple Archive Format (SAF)
+        options.addOption(Option.builder("x").longOpt("exclude-bitstreams")
+                .desc("do not export bitstreams")
+                .hasArg(false).required(false).build());
+
+        options.addOption(Option.builder("h").longOpt("help")
+                .desc("help")
+                .hasArg(false).required(false).build());
+
+        return options;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportCLITool.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportCLITool.java
@@ -1,246 +0,0 @@
-/**
- * The contents of this file are subject to the license and copyright
- * detailed in the LICENSE and NOTICE files at the root of the source
- * tree and available online at
- *
- * http://www.dspace.org/license/
- */
-package org.dspace.app.itemexport;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Iterator;
-import java.util.List;
-import java.util.UUID;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.DefaultParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Options;
-import org.dspace.app.itemexport.factory.ItemExportServiceFactory;
-import org.dspace.app.itemexport.service.ItemExportService;
-import org.dspace.content.Collection;
-import org.dspace.content.Item;
-import org.dspace.content.factory.ContentServiceFactory;
-import org.dspace.content.service.CollectionService;
-import org.dspace.content.service.ItemService;
-import org.dspace.core.Constants;
-import org.dspace.core.Context;
-import org.dspace.handle.factory.HandleServiceFactory;
-import org.dspace.handle.service.HandleService;
-
-/**
- * Item exporter to create simple AIPs for DSpace content. Currently exports
- * individual items, or entire collections. For instructions on use, see
- * printUsage() method.
- * <P>
- * ItemExport creates the simple AIP package that the importer also uses. It
- * consists of:
- * <P>
- * /exportdir/42/ (one directory per item) / dublin_core.xml - qualified dublin
- * core in RDF schema / contents - text file, listing one file per line / file1
- * - files contained in the item / file2 / ...
- * <P>
- * issues -doesn't handle special characters in metadata (needs to turn {@code &'s} into
- * {@code &amp;}, etc.)
- * <P>
- * Modified by David Little, UCSD Libraries 12/21/04 to allow the registration
- * of files (bitstreams) into DSpace.
- *
- * @author David Little
- * @author Jay Paz
- */
-public class ItemExportCLITool {
-
-    protected static ItemExportService itemExportService = ItemExportServiceFactory.getInstance()
-                                                                                   .getItemExportService();
-    protected static HandleService handleService = HandleServiceFactory.getInstance().getHandleService();
-    protected static ItemService itemService = ContentServiceFactory.getInstance().getItemService();
-    protected static CollectionService collectionService = ContentServiceFactory.getInstance().getCollectionService();
-
-    /**
-     * Default constructor
-     */
-    private ItemExportCLITool() { }
-
-    /*
-     *
-     */
-    public static void main(String[] argv) throws Exception {
-        // create an options object and populate it
-        CommandLineParser parser = new DefaultParser();
-
-        Options options = new Options();
-
-        options.addOption("t", "type", true, "type: COLLECTION or ITEM");
-        options.addOption("i", "id", true, "ID or handle of thing to export");
-        options.addOption("d", "dest", true,
-                          "destination where you want items to go");
-        options.addOption("m", "migrate", false,
-                          "export for migration (remove handle and metadata that will be re-created in new system)");
-        options.addOption("n", "number", true,
-                          "sequence number to begin exporting items with");
-        options.addOption("z", "zip", true, "export as zip file (specify filename e.g. export.zip)");
-        options.addOption("h", "help", false, "help");
-
-        // as pointed out by Peter Dietz this provides similar functionality to export metadata
-        // but it is needed since it directly exports to Simple Archive Format (SAF)
-        options.addOption("x", "exclude-bitstreams", false, "do not export bitstreams");
-
-        CommandLine line = parser.parse(options, argv);
-
-        String typeString = null;
-        String destDirName = null;
-        String myIDString = null;
-        int seqStart = -1;
-        int myType = -1;
-
-        Item myItem = null;
-        Collection mycollection = null;
-
-        if (line.hasOption('h')) {
-            HelpFormatter myhelp = new HelpFormatter();
-            myhelp.printHelp("ItemExport\n", options);
-            System.out
-                .println("\nfull collection: ItemExport -t COLLECTION -i ID -d dest -n number");
-            System.out
-                .println("singleitem:       ItemExport -t ITEM -i ID -d dest -n number");
-
-            System.exit(0);
-        }
-
-        if (line.hasOption('t')) { // type
-            typeString = line.getOptionValue('t');
-
-            if ("ITEM".equals(typeString)) {
-                myType = Constants.ITEM;
-            } else if ("COLLECTION".equals(typeString)) {
-                myType = Constants.COLLECTION;
-            }
-        }
-
-        if (line.hasOption('i')) { // id
-            myIDString = line.getOptionValue('i');
-        }
-
-        if (line.hasOption('d')) { // dest
-            destDirName = line.getOptionValue('d');
-        }
-
-        if (line.hasOption('n')) { // number
-            seqStart = Integer.parseInt(line.getOptionValue('n'));
-        }
-
-        boolean migrate = false;
-        if (line.hasOption('m')) { // number
-            migrate = true;
-        }
-
-        boolean zip = false;
-        String zipFileName = "";
-        if (line.hasOption('z')) {
-            zip = true;
-            zipFileName = line.getOptionValue('z');
-        }
-
-        boolean excludeBitstreams = false;
-        if (line.hasOption('x')) {
-            excludeBitstreams = true;
-        }
-
-        // now validate the args
-        if (myType == -1) {
-            System.out
-                .println("type must be either COLLECTION or ITEM (-h for help)");
-            System.exit(1);
-        }
-
-        if (destDirName == null) {
-            System.out
-                .println("destination directory must be set (-h for help)");
-            System.exit(1);
-        }
-
-        if (seqStart == -1) {
-            System.out
-                .println("sequence start number must be set (-h for help)");
-            System.exit(1);
-        }
-
-        if (myIDString == null) {
-            System.out
-                .println("ID must be set to either a database ID or a handle (-h for help)");
-            System.exit(1);
-        }
-
-        Context c = new Context(Context.Mode.READ_ONLY);
-        c.turnOffAuthorisationSystem();
-
-        if (myType == Constants.ITEM) {
-            // first, is myIDString a handle?
-            if (myIDString.indexOf('/') != -1) {
-                myItem = (Item) handleService.resolveToObject(c, myIDString);
-
-                if ((myItem == null) || (myItem.getType() != Constants.ITEM)) {
-                    myItem = null;
-                }
-            } else {
-                myItem = itemService.find(c, UUID.fromString(myIDString));
-            }
-
-            if (myItem == null) {
-                System.out
-                    .println("Error, item cannot be found: " + myIDString);
-            }
-        } else {
-            if (myIDString.indexOf('/') != -1) {
-                // has a / must be a handle
-                mycollection = (Collection) handleService.resolveToObject(c,
-                                                                          myIDString);
-
-                // ensure it's a collection
-                if ((mycollection == null)
-                    || (mycollection.getType() != Constants.COLLECTION)) {
-                    mycollection = null;
-                }
-            } else if (myIDString != null) {
-                mycollection = collectionService.find(c, UUID.fromString(myIDString));
-            }
-
-            if (mycollection == null) {
-                System.out.println("Error, collection cannot be found: "
-                                       + myIDString);
-                System.exit(1);
-            }
-        }
-
-        if (zip) {
-            Iterator<Item> items;
-            if (myItem != null) {
-                List<Item> myItems = new ArrayList<>();
-                myItems.add(myItem);
-                items = myItems.iterator();
-            } else {
-                System.out.println("Exporting from collection: " + myIDString);
-                items = itemService.findByCollection(c, mycollection);
-            }
-            itemExportService.exportAsZip(c, items, destDirName, zipFileName, seqStart, migrate, excludeBitstreams);
-        } else {
-            if (myItem != null) {
-                // it's only a single item
-                itemExportService
-                    .exportItem(c, Collections.singletonList(myItem).iterator(), destDirName, seqStart, migrate,
-                                excludeBitstreams);
-            } else {
-                System.out.println("Exporting from collection: " + myIDString);
-
-                // it's a collection, so do a bunch of items
-                Iterator<Item> i = itemService.findByCollection(c, mycollection);
-                itemExportService.exportItem(c, i, destDirName, seqStart, migrate, excludeBitstreams);
-            }
-        }
-
-        c.complete();
-    }
-}
--- a/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportScriptConfiguration.java
@@ -0,0 +1,62 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.itemexport;
+
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.dspace.scripts.configuration.ScriptConfiguration;
+
+/**
+ * The {@link ScriptConfiguration} for the {@link ItemExport} script
+ * 
+ * @author Francesco Pio Scognamiglio (francescopio.scognamiglio at 4science.com)
+ */
+public class ItemExportScriptConfiguration<T extends ItemExport> extends ScriptConfiguration<T> {
+
+    private Class<T> dspaceRunnableClass;
+
+    @Override
+    public Class<T> getDspaceRunnableClass() {
+        return dspaceRunnableClass;
+    }
+
+    @Override
+    public void setDspaceRunnableClass(Class<T> dspaceRunnableClass) {
+        this.dspaceRunnableClass = dspaceRunnableClass;
+    }
+
+    @Override
+    public Options getOptions() {
+        Options options = new Options();
+
+        options.addOption(Option.builder("t").longOpt("type")
+                .desc("type: COLLECTION or ITEM")
+                .hasArg().required().build());
+        options.addOption(Option.builder("i").longOpt("id")
+                .desc("ID or handle of thing to export")
+                .hasArg().required().build());
+        options.addOption(Option.builder("n").longOpt("number")
+                .desc("sequence number to begin exporting items with")
+                .hasArg().required(false).build());
+        options.addOption(Option.builder("m").longOpt("migrate")
+                .desc("export for migration (remove handle and metadata that will be re-created in new system)")
+                .hasArg(false).required(false).build());
+
+        // as pointed out by Peter Dietz this provides similar functionality to export metadata
+        // but it is needed since it directly exports to Simple Archive Format (SAF)
+        options.addOption(Option.builder("x").longOpt("exclude-bitstreams")
+                .desc("do not export bitstreams")
+                .hasArg(false).required(false).build());
+
+        options.addOption(Option.builder("h").longOpt("help")
+                .desc("help")
+                .hasArg(false).required(false).build());
+
+        return options;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemexport/ItemExportServiceImpl.java
@@ -18,10 +18,11 @@ import java.io.InputStream;
 import java.io.PrintWriter;
 import java.nio.charset.StandardCharsets;
 import java.sql.SQLException;
-import java.text.SimpleDateFormat;
+import java.time.Instant;
+import java.time.LocalDate;
+import java.time.format.DateTimeFormatter;
+import java.time.temporal.ChronoUnit;
 import java.util.ArrayList;
-import java.util.Calendar;
-import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -31,8 +32,8 @@ import java.util.Set;
 import java.util.UUID;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipOutputStream;
-import javax.mail.MessagingException;

+import jakarta.mail.MessagingException;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.app.itemexport.service.ItemExportService;
@@ -57,6 +58,7 @@ import org.dspace.core.Utils;
 import org.dspace.eperson.EPerson;
 import org.dspace.eperson.service.EPersonService;
 import org.dspace.handle.service.HandleService;
+import org.dspace.scripts.handler.DSpaceRunnableHandler;
 import org.dspace.services.ConfigurationService;
 import org.springframework.beans.factory.annotation.Autowired;

@@ -64,17 +66,21 @@ import org.springframework.beans.factory.annotation.Autowired;
 * Item exporter to create simple AIPs for DSpace content. Currently exports
 * individual items, or entire collections. For instructions on use, see
 * printUsage() method.
- * <P>
+ * <p>
 * ItemExport creates the simple AIP package that the importer also uses. It
 * consists of:
- * <P>
- * /exportdir/42/ (one directory per item) / dublin_core.xml - qualified dublin
- * core in RDF schema / contents - text file, listing one file per line / file1
- * - files contained in the item / file2 / ...
- * <P>
+ * <pre>{@code
+ * /exportdir/42/ (one directory per item)
+ *              / dublin_core.xml - qualified dublin core in RDF schema
+ *              / contents - text file, listing one file per line
+ *              / file1 - files contained in the item
+ *              / file2
+ *              / ...
+ * }</pre>
+ * <p>
 * issues -doesn't handle special characters in metadata (needs to turn {@code &'s} into
 * {@code &amp;}, etc.)
- * <P>
+ * <p>
 * Modified by David Little, UCSD Libraries 12/21/04 to allow the registration
 * of files (bitstreams) into DSpace.
 *
@@ -97,11 +103,12 @@ public class ItemExportServiceImpl implements ItemExportService {
    @Autowired(required = true)
    protected ConfigurationService configurationService;

-
    /**
     * log4j logger
     */
-    private final Logger log = org.apache.logging.log4j.LogManager.getLogger(ItemExportServiceImpl.class);
+    private final Logger log = org.apache.logging.log4j.LogManager.getLogger();
+
+    private DSpaceRunnableHandler handler;

    protected ItemExportServiceImpl() {

@@ -126,7 +133,7 @@ public class ItemExportServiceImpl implements ItemExportService {
            }
        }

-        System.out.println("Beginning export");
+        logInfo("Beginning export");

        while (i.hasNext()) {
            if (SUBDIR_LIMIT > 0 && ++counter == SUBDIR_LIMIT) {
@@ -139,7 +146,7 @@ public class ItemExportServiceImpl implements ItemExportService {
                }
            }

-            System.out.println("Exporting item to " + mySequenceNumber);
+            logInfo("Exporting item to " + mySequenceNumber);
            Item item = i.next();
            exportItem(c, item, fullPath, mySequenceNumber, migrate, excludeBitstreams);
            c.uncacheEntity(item);
@@ -155,7 +162,7 @@ public class ItemExportServiceImpl implements ItemExportService {
            // now create a subdirectory
            File itemDir = new File(destDir + "/" + seqStart);

-            System.out.println("Exporting Item " + myItem.getID() +
+            logInfo("Exporting Item " + myItem.getID() +
                                   (myItem.getHandle() != null ? ", handle " + myItem.getHandle() : "") +
                                   " to " + itemDir);

@@ -168,6 +175,7 @@ public class ItemExportServiceImpl implements ItemExportService {
                // make it this far, now start exporting
                writeMetadata(c, myItem, itemDir, migrate);
                writeBitstreams(c, myItem, itemDir, excludeBitstreams);
+                writeCollections(myItem, itemDir);
                if (!migrate) {
                    writeHandle(c, myItem, itemDir);
                }
@@ -225,7 +233,7 @@ public class ItemExportServiceImpl implements ItemExportService {

        File outFile = new File(destDir, filename);

-        System.out.println("Attempting to create file " + outFile);
+        logInfo("Attempting to create file " + outFile);

        if (outFile.createNewFile()) {
            BufferedOutputStream out = new BufferedOutputStream(
@@ -343,6 +351,35 @@ public class ItemExportServiceImpl implements ItemExportService {
        }
    }

+    /**
+     * Create the 'collections' file.  List handles of all Collections which
+     * contain this Item. The "owning" Collection is listed first.
+     *
+     * @param item list collections holding this Item.
+     * @param destDir write the file here.
+     * @throws IOException if the file cannot be created or written.
+     */
+    protected void writeCollections(Item item, File destDir)
+            throws IOException {
+        File outFile = new File(destDir, "collections");
+        if (outFile.createNewFile()) {
+            try (PrintWriter out = new PrintWriter(new FileWriter(outFile))) {
+                Collection owningCollection = item.getOwningCollection();
+                // The owning collection is null for workspace and workflow items
+                if (owningCollection != null) {
+                    out.println(owningCollection.getHandle());
+                }
+                for (Collection collection : item.getCollections()) {
+                    if (!collection.equals(owningCollection)) {
+                        out.println(collection.getHandle());
+                    }
+                }
+            }
+        } else {
+            throw new IOException("Cannot create 'collections' in " + destDir);
+        }
+    }
+
    /**
     * Create both the bitstreams and the contents file. Any bitstreams that
     * were originally registered will be marked in the contents file as such.
@@ -399,7 +436,7 @@ public class ItemExportServiceImpl implements ItemExportService {
                            File fdirs = new File(destDir + File.separator
                                                      + dirs);
                            if (!fdirs.exists() && !fdirs.mkdirs()) {
-                                log.error("Unable to create destination directory");
+                                logError("Unable to create destination directory");
                            }
                        }

@@ -456,19 +493,26 @@ public class ItemExportServiceImpl implements ItemExportService {

        File wkDir = new File(workDir);
        if (!wkDir.exists() && !wkDir.mkdirs()) {
-            log.error("Unable to create working direcory");
+            logError("Unable to create working directory");
        }

        File dnDir = new File(destDirName);
        if (!dnDir.exists() && !dnDir.mkdirs()) {
-            log.error("Unable to create destination directory");
+            logError("Unable to create destination directory");
        }

-        // export the items using normal export method
+        try {
+            // export the items using normal export method (this exports items to our workDir)
            exportItem(context, items, workDir, seqStart, migrate, excludeBitstreams);

-        // now zip up the export directory created above
+            // now zip up the workDir directory created above
            zip(workDir, destDirName + System.getProperty("file.separator") + zipFileName);
+        } finally {
+            // Cleanup workDir created above, if it still exists
+            if (wkDir.exists()) {
+                deleteDirectory(wkDir);
+            }
+        }
    }

    @Override
@@ -630,23 +674,21 @@ public class ItemExportServiceImpl implements ItemExportService {
            Thread go = new Thread() {
                @Override
                public void run() {
-                    Context context = null;
+                    Context context = new Context();
                    Iterator<Item> iitems = null;
                    try {
-                        // create a new dspace context
-                        context = new Context();
                        // ignore auths
                        context.turnOffAuthorisationSystem();

                        String fileName = assembleFileName("item", eperson,
-                                                           new Date());
+                                                           LocalDate.now());
                        String workParentDir = getExportWorkDirectory()
                            + System.getProperty("file.separator")
                            + fileName;
                        String downloadDir = getExportDownloadDirectory(eperson);
                        File dnDir = new File(downloadDir);
                        if (!dnDir.exists() && !dnDir.mkdirs()) {
-                            log.error("Unable to create download directory");
+                            logError("Unable to create download directory");
                        }

                        Iterator<String> iter = itemsMap.keySet().iterator();
@@ -665,7 +707,7 @@ public class ItemExportServiceImpl implements ItemExportService {

                            File wkDir = new File(workDir);
                            if (!wkDir.exists() && !wkDir.mkdirs()) {
-                                log.error("Unable to create working directory");
+                                logError("Unable to create working directory");
                            }


@@ -686,7 +728,7 @@ public class ItemExportServiceImpl implements ItemExportService {
                        try {
                            emailErrorMessage(eperson, e1.getMessage());
                        } catch (Exception e) {
-                            // wont throw here
+                            // won't throw here
                        }
                        throw new IllegalStateException(e1);
                    } finally {
@@ -711,16 +753,16 @@ public class ItemExportServiceImpl implements ItemExportService {

    @Override
    public String assembleFileName(String type, EPerson eperson,
-                                   Date date) throws Exception {
+                                   LocalDate date) throws Exception {
        // to format the date
-        SimpleDateFormat sdf = new SimpleDateFormat("yyyy_MMM_dd");
+        DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyy_MMM_dd");
        String downloadDir = getExportDownloadDirectory(eperson);
        // used to avoid name collision
        int count = 1;
        boolean exists = true;
        String fileName = null;
        while (exists) {
-            fileName = type + "_export_" + sdf.format(date) + "_" + count + "_"
+            fileName = type + "_export_" + formatter.format(date) + "_" + count + "_"
                + eperson.getID();
            exists = new File(downloadDir
                                  + System.getProperty("file.separator") + fileName + ".zip")
@@ -756,7 +798,8 @@ public class ItemExportServiceImpl implements ItemExportService {
            throw new Exception(
                "A dspace.cfg entry for 'org.dspace.app.itemexport.work.dir' does not exist.");
        }
-        return exportDir;
+        // clean work dir path from duplicate separators
+        return StringUtils.replace(exportDir, File.separator + File.separator, File.separator);
    }

    @Override
@@ -875,16 +918,14 @@ public class ItemExportServiceImpl implements ItemExportService {
    public void deleteOldExportArchives(EPerson eperson) throws Exception {
        int hours = configurationService
            .getIntProperty("org.dspace.app.itemexport.life.span.hours");
-        Calendar now = Calendar.getInstance();
-        now.setTime(new Date());
-        now.add(Calendar.HOUR, -hours);
+        Instant modifiedTime = Instant.now().minus(hours, ChronoUnit.HOURS);
        File downloadDir = new File(getExportDownloadDirectory(eperson));
        if (downloadDir.exists()) {
            File[] files = downloadDir.listFiles();
            for (File file : files) {
-                if (file.lastModified() < now.getTimeInMillis()) {
+                if (file.lastModified() < modifiedTime.toEpochMilli()) {
                    if (!file.delete()) {
-                        log.error("Unable to delete export file");
+                        logError("Unable to delete export file");
                    }
                }
            }
@@ -895,9 +936,7 @@ public class ItemExportServiceImpl implements ItemExportService {
    @Override
    public void deleteOldExportArchives() throws Exception {
        int hours = configurationService.getIntProperty("org.dspace.app.itemexport.life.span.hours");
-        Calendar now = Calendar.getInstance();
-        now.setTime(new Date());
-        now.add(Calendar.HOUR, -hours);
+        Instant modifiedTime = Instant.now().minus(hours, ChronoUnit.HOURS);
        File downloadDir = new File(configurationService.getProperty("org.dspace.app.itemexport.download.dir"));
        if (downloadDir.exists()) {
            // Get a list of all the sub-directories, potentially one for each ePerson.
@@ -906,9 +945,9 @@ public class ItemExportServiceImpl implements ItemExportService {
                // For each sub-directory delete any old files.
                File[] files = dir.listFiles();
                for (File file : files) {
-                    if (file.lastModified() < now.getTimeInMillis()) {
+                    if (file.lastModified() < modifiedTime.toEpochMilli()) {
                        if (!file.delete()) {
-                            log.error("Unable to delete old files");
+                            logError("Unable to delete old files");
                        }
                    }
                }
@@ -916,7 +955,7 @@ public class ItemExportServiceImpl implements ItemExportService {
                // If the directory is now empty then we delete it too.
                if (dir.listFiles().length == 0) {
                    if (!dir.delete()) {
-                        log.error("Unable to delete directory");
+                        logError("Unable to delete directory");
                    }
                }
            }
@@ -937,14 +976,14 @@ public class ItemExportServiceImpl implements ItemExportService {

            email.send();
        } catch (Exception e) {
-            log.warn(LogHelper.getHeader(context, "emailSuccessMessage", "cannot notify user of export"), e);
+            logWarn(LogHelper.getHeader(context, "emailSuccessMessage", "cannot notify user of export"), e);
        }
    }

    @Override
    public void emailErrorMessage(EPerson eperson, String error)
        throws MessagingException {
-        log.warn("An error occurred during item export, the user will be notified. " + error);
+        logWarn("An error occurred during item export, the user will be notified. " + error);
        try {
            Locale supportedLocale = I18nUtil.getEPersonLocale(eperson);
            Email email = Email.getEmail(I18nUtil.getEmailFilename(supportedLocale, "export_error"));
@@ -954,7 +993,7 @@ public class ItemExportServiceImpl implements ItemExportService {

            email.send();
        } catch (Exception e) {
-            log.warn("error during item export error notification", e);
+            logWarn("error during item export error notification", e);
        }
    }

@@ -969,7 +1008,7 @@ public class ItemExportServiceImpl implements ItemExportService {
            }
            File targetFile = new File(tempFileName);
            if (!targetFile.createNewFile()) {
-                log.warn("Target file already exists: " + targetFile.getName());
+                logWarn("Target file already exists: " + targetFile.getName());
            }

            FileOutputStream fos = new FileOutputStream(tempFileName);
@@ -985,7 +1024,7 @@ public class ItemExportServiceImpl implements ItemExportService {

            deleteDirectory(cpFile);
            if (!targetFile.renameTo(new File(target))) {
-                log.error("Unable to rename file");
+                logError("Unable to rename file");
            }
        } finally {
            if (cpZipOutputStream != null) {
@@ -1018,8 +1057,11 @@ public class ItemExportServiceImpl implements ItemExportService {
                    return;
                }
                String strAbsPath = cpFile.getPath();
-                String strZipEntryName = strAbsPath.substring(strSource
-                                                                  .length() + 1, strAbsPath.length());
+                int startIndex = strSource.length();
+                if (!StringUtils.endsWith(strSource, File.separator)) {
+                    startIndex++;
+                }
+                String strZipEntryName = strAbsPath.substring(startIndex, strAbsPath.length());

                // byte[] b = new byte[ (int)(cpFile.length()) ];

@@ -1058,7 +1100,7 @@ public class ItemExportServiceImpl implements ItemExportService {
                    deleteDirectory(file);
                } else {
                    if (!file.delete()) {
-                        log.error("Unable to delete file: " + file.getName());
+                        logError("Unable to delete file: " + file.getName());
                    }
                }
            }
@@ -1067,4 +1109,64 @@ public class ItemExportServiceImpl implements ItemExportService {
        return (path.delete());
    }

+    @Override
+    public void setHandler(DSpaceRunnableHandler handler) {
+        this.handler = handler;
+    }
+
+    private void logInfo(String message) {
+        logInfo(message, null);
+    }
+
+    private void logInfo(String message, Exception e) {
+        if (handler != null) {
+            handler.logInfo(message);
+            return;
+        }
+
+        if (e != null) {
+            log.info(message, e);
+        } else {
+            log.info(message);
+        }
+    }
+
+    private void logWarn(String message) {
+        logWarn(message, null);
+    }
+
+    private void logWarn(String message, Exception e) {
+        if (handler != null) {
+            handler.logWarning(message);
+            return;
+        }
+
+        if (e != null) {
+            log.warn(message, e);
+        } else {
+            log.warn(message);
+        }
+    }
+
+    private void logError(String message) {
+        logError(message, null);
+    }
+
+    private void logError(String message, Exception e) {
+        if (handler != null) {
+            if (e != null) {
+                handler.logError(message, e);
+            } else {
+                handler.logError(message);
+            }
+            return;
+        }
+
+        if (e != null) {
+            log.error(message, e);
+        } else {
+            log.error(message);
+        }
+    }
+
 }
--- a/dspace-api/src/main/java/org/dspace/app/itemexport/service/ItemExportService.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemexport/service/ItemExportService.java
@@ -8,15 +8,16 @@
 package org.dspace.app.itemexport.service;

 import java.io.InputStream;
-import java.util.Date;
+import java.time.LocalDate;
 import java.util.Iterator;
 import java.util.List;
-import javax.mail.MessagingException;

+import jakarta.mail.MessagingException;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
+import org.dspace.scripts.handler.DSpaceRunnableHandler;

 /**
 * Item exporter to create simple AIPs for DSpace content. Currently exports
@@ -68,7 +69,7 @@ public interface ItemExportService {
                            boolean excludeBitstreams) throws Exception;

    /**
-     * Convenience methot to create export a single Community, Collection, or
+     * Convenience method to create export a single Community, Collection, or
     * Item
     *
     * @param dso     - the dspace object to export
@@ -92,7 +93,7 @@ public interface ItemExportService {
                                         Context context, boolean migrate) throws Exception;

    /**
-     * Convenience methot to create export a single Community, Collection, or
+     * Convenience method to create export a single Community, Collection, or
     * Item
     *
     * @param dso             - the dspace object to export
@@ -129,7 +130,7 @@ public interface ItemExportService {
     * @throws Exception if error
     */
    public String assembleFileName(String type, EPerson eperson,
-                                   Date date) throws Exception;
+                                   LocalDate date) throws Exception;


    /**
@@ -155,7 +156,7 @@ public interface ItemExportService {
    public String getExportWorkDirectory() throws Exception;

    /**
-     * Used to read the export archived. Inteded for download.
+     * Used to read the export archived. Intended for download.
     *
     * @param fileName the name of the file to download
     * @param eperson  the eperson requesting the download
@@ -232,7 +233,7 @@ public interface ItemExportService {

    /**
     * Since the archive is created in a new thread we are unable to communicate
-     * with calling method about success or failure. We accomplis this
+     * with calling method about success or failure. We accomplish this
     * communication with email instead. Send a success email once the export
     * archive is complete and ready for download
     *
@@ -247,7 +248,7 @@ public interface ItemExportService {

    /**
     * Since the archive is created in a new thread we are unable to communicate
-     * with calling method about success or failure. We accomplis this
+     * with calling method about success or failure. We accomplish this
     * communication with email instead. Send an error email if the export
     * archive fails
     *
@@ -267,4 +268,10 @@ public interface ItemExportService {
     */
    public void zip(String strSource, String target) throws Exception;

+    /**
+     * Set the DSpace Runnable Handler
+     * @param handler
+     */
+    public void setHandler(DSpaceRunnableHandler handler);
+
 }
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/BatchUpload.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/BatchUpload.java
@@ -11,11 +11,9 @@ import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
 import java.io.LineNumberReader;
-import java.text.SimpleDateFormat;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
-import java.util.Calendar;
-import java.util.Date;
-import java.util.GregorianCalendar;
 import java.util.List;

 /**
@@ -23,7 +21,7 @@ import java.util.List;
 */
 public class BatchUpload {

-    private Date date;
+    private Instant date;
    private File dir;
    private boolean successful;
    private int itemsImported;
@@ -65,9 +63,7 @@ public class BatchUpload {

        String dirName = dir.getName();
        long timeMillis = Long.parseLong(dirName);
-        Calendar calendar = new GregorianCalendar();
-        calendar.setTimeInMillis(timeMillis);
-        this.date = calendar.getTime();
+        this.date = Instant.ofEpochMilli(timeMillis);

        try {
            this.itemsImported = countLines(dir + File.separator + "mapfile");
@@ -149,7 +145,7 @@ public class BatchUpload {
     *
     * @return Date
     */
-    public Date getDate() {
+    public Instant getDate() {
        return date;
    }

@@ -190,14 +186,12 @@ public class BatchUpload {
    }

    /**
-     * Get formatted date (DD/MM/YY)
+     * Get formatted date (YYYY-MM-DDThh:mm:ssZ)
     *
     * @return date as string
     */
    public String getDateFormatted() {
-        SimpleDateFormat df = new SimpleDateFormat("dd/MM/yyyy - HH:mm");
-
-        return df.format(date);
+        return DateTimeFormatter.ISO_INSTANT.format(date);
    }

    /**
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImport.java
@@ -0,0 +1,447 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.itemimport;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.nio.file.Files;
+import java.sql.SQLException;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.tika.Tika;
+import org.dspace.app.itemimport.factory.ItemImportServiceFactory;
+import org.dspace.app.itemimport.service.ItemImportService;
+import org.dspace.authorize.AuthorizeException;
+import org.dspace.content.Collection;
+import org.dspace.content.factory.ContentServiceFactory;
+import org.dspace.content.service.CollectionService;
+import org.dspace.core.Constants;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+import org.dspace.eperson.factory.EPersonServiceFactory;
+import org.dspace.eperson.service.EPersonService;
+import org.dspace.handle.factory.HandleServiceFactory;
+import org.dspace.handle.service.HandleService;
+import org.dspace.scripts.DSpaceRunnable;
+import org.dspace.utils.DSpace;
+
+/**
+ * Import items into DSpace. The conventional use is upload files by copying
+ * them. DSpace writes the item's bitstreams into its assetstore. Metadata is
+ * also loaded to the DSpace database.
+ * <P>
+ * A second use assumes the bitstream files already exist in a storage
+ * resource accessible to DSpace. In this case the bitstreams are 'registered'.
+ * That is, the metadata is loaded to the DSpace database and DSpace is given
+ * the location of the file which is subsumed into DSpace.
+ * <P>
+ * The distinction is controlled by the format of lines in the 'contents' file.
+ * See comments in processContentsFile() below.
+ * <P>
+ * Modified by David Little, UCSD Libraries 12/21/04 to
+ * allow the registration of files (bitstreams) into DSpace.
+ */
+public class ItemImport extends DSpaceRunnable<ItemImportScriptConfiguration> {
+
+    public static String TEMP_DIR = "importSAF";
+    public static String MAPFILE_FILENAME = "mapfile";
+    public static String MAPFILE_BITSTREAM_TYPE = "importSAFMapfile";
+
+    protected boolean template = false;
+    protected String command = null;
+    protected String sourcedir = null;
+    protected String mapfile = null;
+    protected String eperson = null;
+    protected String[] collections = null;
+    protected boolean isTest = false;
+    protected boolean isExcludeContent = false;
+    protected boolean isResume = false;
+    protected boolean useWorkflow = false;
+    protected boolean useWorkflowSendEmail = false;
+    protected boolean isQuiet = false;
+    protected boolean commandLineCollections = false;
+    protected boolean zip = false;
+    protected boolean remoteUrl = false;
+    protected String zipfilename = null;
+    protected boolean zipvalid = false;
+    protected boolean help = false;
+    protected File workDir = null;
+    protected File workFile = null;
+
+    protected static final CollectionService collectionService =
+            ContentServiceFactory.getInstance().getCollectionService();
+    protected static final EPersonService epersonService =
+            EPersonServiceFactory.getInstance().getEPersonService();
+    protected static final HandleService handleService =
+            HandleServiceFactory.getInstance().getHandleService();
+
+    @Override
+    public ItemImportScriptConfiguration getScriptConfiguration() {
+        return new DSpace().getServiceManager()
+                .getServiceByName("import", ItemImportScriptConfiguration.class);
+    }
+
+    @Override
+    public void setup() throws ParseException {
+        help = commandLine.hasOption('h');
+
+        if (commandLine.hasOption('a')) {
+            command = "add";
+        }
+
+        if (commandLine.hasOption('r')) {
+            command = "replace";
+        }
+
+        if (commandLine.hasOption('d')) {
+            command = "delete";
+        }
+
+        if (commandLine.hasOption('w')) {
+            useWorkflow = true;
+            if (commandLine.hasOption('n')) {
+                useWorkflowSendEmail = true;
+            }
+        }
+
+        if (commandLine.hasOption('v')) {
+            isTest = true;
+            handler.logInfo("**Test Run** - not actually importing items.");
+        }
+
+        isExcludeContent = commandLine.hasOption('x');
+
+        if (commandLine.hasOption('p')) {
+            template = true;
+        }
+
+        if (commandLine.hasOption('c')) { // collections
+            collections = commandLine.getOptionValues('c');
+            commandLineCollections = true;
+        } else {
+            handler.logInfo("No collections given. Assuming 'collections' file inside item directory");
+        }
+
+        if (commandLine.hasOption('R')) {
+            isResume = true;
+            handler.logInfo("**Resume import** - attempting to import items not already imported");
+        }
+
+        if (commandLine.hasOption('q')) {
+            isQuiet = true;
+        }
+
+        setZip();
+    }
+
+    @Override
+    public void internalRun() throws Exception {
+        if (help) {
+            printHelp();
+            return;
+        }
+
+        Instant startTime = Instant.now();
+        Context context = new Context(Context.Mode.BATCH_EDIT);
+
+        setMapFile();
+
+        validate(context);
+
+        setEPerson(context);
+
+        // check collection
+        List<Collection> mycollections = null;
+        // don't need to validate collections set if command is "delete"
+        // also if no collections are given in the command line
+        if (!"delete".equals(command) && commandLineCollections) {
+            handler.logInfo("Destination collections:");
+
+            mycollections = new ArrayList<>();
+
+            // validate each collection arg to see if it's a real collection
+            for (int i = 0; i < collections.length; i++) {
+                Collection collection = null;
+                if (collections[i] != null) {
+                    // is the ID a handle?
+                    if (collections[i].indexOf('/') != -1) {
+                        // string has a / so it must be a handle - try and resolve
+                        // it
+                        collection = ((Collection) handleService
+                            .resolveToObject(context, collections[i]));
+                    } else {
+                        // not a handle, try and treat it as an integer collection database ID
+                        collection = collectionService.find(context, UUID.fromString(collections[i]));
+                    }
+                }
+
+                // was the collection valid?
+                if (collection == null
+                        || collection.getType() != Constants.COLLECTION) {
+                    throw new IllegalArgumentException("Cannot resolve "
+                            + collections[i] + " to collection");
+                }
+
+                // add resolved collection to list
+                mycollections.add(collection);
+
+                // print progress info
+                handler.logInfo((i == 0 ? "Owning " : "") + "Collection: " + collection.getName());
+            }
+        }
+        // end validation
+
+        // start
+        ItemImportService itemImportService = ItemImportServiceFactory.getInstance()
+                .getItemImportService();
+        try {
+            itemImportService.setTest(isTest);
+            itemImportService.setExcludeContent(isExcludeContent);
+            itemImportService.setResume(isResume);
+            itemImportService.setUseWorkflow(useWorkflow);
+            itemImportService.setUseWorkflowSendEmail(useWorkflowSendEmail);
+            itemImportService.setQuiet(isQuiet);
+            itemImportService.setHandler(handler);
+
+            try {
+                context.turnOffAuthorisationSystem();
+
+                readZip(context, itemImportService);
+
+                process(context, itemImportService, mycollections);
+
+                // complete all transactions
+                context.complete();
+            } catch (Exception e) {
+                context.abort();
+                throw new Exception(
+                    "Error committing changes to database: " + e.getMessage() + ", aborting most recent changes", e);
+            }
+
+            if (isTest) {
+                handler.logInfo("***End of Test Run***");
+            }
+        } finally {
+            if (zip) {
+                // if zip file was valid then clean sourcedir
+                if (zipvalid && sourcedir != null && new File(sourcedir).exists()) {
+                    FileUtils.deleteDirectory(new File(sourcedir));
+                }
+
+                // clean workdir
+                if (workDir != null && workDir.exists()) {
+                    FileUtils.deleteDirectory(workDir);
+                }
+
+                // conditionally clean workFile if import was done in the UI or via a URL and it still exists
+                if (workFile != null && workFile.exists()) {
+                    workFile.delete();
+                }
+            }
+
+            Instant endTime = Instant.now();
+            handler.logInfo("Started: " + DateTimeFormatter.ISO_INSTANT.format(startTime));
+            handler.logInfo("Ended: " + DateTimeFormatter.ISO_INSTANT.format(endTime));
+            handler.logInfo(
+                "Elapsed time: " + ((endTime.toEpochMilli() - startTime.toEpochMilli()) / 1000) + " secs (" +
+                    (endTime.toEpochMilli() - startTime.toEpochMilli()) + " msecs)");
+        }
+    }
+
+    /**
+     * Validate the options
+     * @param context
+     */
+    protected void validate(Context context) {
+        // check zip type: uploaded file or remote url
+        if (commandLine.hasOption('z')) {
+            zipfilename = commandLine.getOptionValue('z');
+        } else if (commandLine.hasOption('u')) {
+            remoteUrl = true;
+            zipfilename = commandLine.getOptionValue('u');
+        }
+        if (StringUtils.isBlank(zipfilename)) {
+            throw new UnsupportedOperationException("Must run with either name of zip file or url of zip file");
+        }
+
+        if (command == null) {
+            handler.logError("Must run with either add, replace, or remove (run with -h flag for details)");
+            throw new UnsupportedOperationException("Must run with either add, replace, or remove");
+        }
+
+        // can only resume for adds
+        if (isResume && !"add".equals(command)) {
+            handler.logError("Resume option only works with the --add command (run with -h flag for details)");
+            throw new UnsupportedOperationException("Resume option only works with the --add command");
+        }
+
+        if (isResume && StringUtils.isBlank(mapfile)) {
+            handler.logError("The mapfile does not exist. ");
+            throw new UnsupportedOperationException("The mapfile does not exist");
+        }
+    }
+
+    /**
+     * Process the import
+     * @param context
+     * @param itemImportService
+     * @param collections
+     * @throws Exception
+     */
+    protected void process(Context context, ItemImportService itemImportService,
+            List<Collection> collections) throws Exception {
+        readMapfile(context);
+
+        if ("add".equals(command)) {
+            itemImportService.addItems(context, collections, sourcedir, mapfile, template);
+        } else if ("replace".equals(command)) {
+            itemImportService.replaceItems(context, collections, sourcedir, mapfile, template);
+        } else if ("delete".equals(command)) {
+            itemImportService.deleteItems(context, mapfile);
+        }
+
+        // write input stream on handler
+        File mapFile = new File(mapfile);
+        try (InputStream mapfileInputStream = new FileInputStream(mapFile)) {
+            handler.writeFilestream(context, MAPFILE_FILENAME, mapfileInputStream, MAPFILE_BITSTREAM_TYPE);
+        } finally {
+            mapFile.delete();
+        }
+    }
+
+    /**
+     * Read the ZIP archive in SAF format
+     * @param context
+     * @param itemImportService
+     * @throws Exception
+     */
+    protected void readZip(Context context, ItemImportService itemImportService) throws Exception {
+        Optional<InputStream> optionalFileStream = Optional.empty();
+        Optional<InputStream> validationFileStream = Optional.empty();
+        try {
+            if (!remoteUrl) {
+                // manage zip via upload
+                optionalFileStream = handler.getFileStream(context, zipfilename);
+                validationFileStream = handler.getFileStream(context, zipfilename);
+            } else {
+                // manage zip via remote url
+                optionalFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
+                validationFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
+            }
+
+            if (validationFileStream.isPresent()) {
+                // validate zip file
+                if (validationFileStream.isPresent()) {
+                    validateZip(validationFileStream.get());
+                }
+
+                workFile = new File(itemImportService.getTempWorkDir() + File.separator
+                        + zipfilename + "-" + context.getCurrentUser().getID());
+                FileUtils.copyInputStreamToFile(optionalFileStream.get(), workFile);
+            } else {
+                throw new IllegalArgumentException(
+                        "Error reading file, the file couldn't be found for filename: " + zipfilename);
+            }
+
+            workDir = new File(itemImportService.getTempWorkDir() + File.separator + TEMP_DIR
+                    + File.separator + context.getCurrentUser().getID());
+            sourcedir = itemImportService.unzip(workFile, workDir.getAbsolutePath());
+        } finally {
+            optionalFileStream.ifPresent(IOUtils::closeQuietly);
+            validationFileStream.ifPresent(IOUtils::closeQuietly);
+        }
+    }
+
+    /**
+     * Confirm that the zip file has the correct MIME type
+     * @param inputStream
+     */
+    protected void validateZip(InputStream inputStream) {
+        Tika tika = new Tika();
+        try {
+            String mimeType = tika.detect(inputStream);
+            if (mimeType.equals("application/zip")) {
+                zipvalid = true;
+            } else {
+                handler.logError("A valid zip file must be supplied. The provided file has mimetype: " + mimeType);
+                throw new UnsupportedOperationException("A valid zip file must be supplied");
+            }
+        } catch (IOException e) {
+            throw new IllegalArgumentException(
+                "There was an error while reading the zip file: " + zipfilename);
+        }
+    }
+
+    /**
+     * Read the mapfile
+     * @param context
+     */
+    protected void readMapfile(Context context) {
+        if (isResume) {
+            try {
+                Optional<InputStream> optionalFileStream = handler.getFileStream(context, mapfile);
+                if (optionalFileStream.isPresent()) {
+                    File tempFile = File.createTempFile(mapfile, "temp");
+                    tempFile.deleteOnExit();
+                    FileUtils.copyInputStreamToFile(optionalFileStream.get(), tempFile);
+                    mapfile = tempFile.getAbsolutePath();
+                }
+            } catch (IOException | AuthorizeException e) {
+                throw new UnsupportedOperationException("The mapfile does not exist");
+            }
+        }
+    }
+
+    /**
+     * Set the mapfile option
+     * @throws IOException
+     */
+    protected void setMapFile() throws IOException {
+        if (isResume && commandLine.hasOption('m')) {
+            mapfile = commandLine.getOptionValue('m');
+        } else {
+            mapfile = Files.createTempFile(MAPFILE_FILENAME, "temp").toString();
+        }
+    }
+
+    /**
+     * Set the zip option
+     */
+    protected void setZip() {
+        zip = true;
+    }
+
+    /**
+     * Set the eperson in the context
+     * @param context
+     * @throws SQLException
+     */
+    protected void setEPerson(Context context) throws SQLException {
+        EPerson myEPerson = epersonService.find(context, this.getEpersonIdentifier());
+
+        // check eperson
+        if (myEPerson == null) {
+            handler.logError("EPerson cannot be found: " + this.getEpersonIdentifier());
+            throw new UnsupportedOperationException("EPerson cannot be found: " + this.getEpersonIdentifier());
+        }
+
+        context.setCurrentUser(myEPerson);
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportCLI.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportCLI.java
@@ -0,0 +1,198 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.itemimport;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.net.URL;
+import java.sql.SQLException;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.dspace.app.itemimport.service.ItemImportService;
+import org.dspace.content.Collection;
+import org.dspace.core.Context;
+import org.dspace.eperson.EPerson;
+
+/**
+ * CLI variant for the {@link ItemImport} class.
+ * This was done to specify the specific behaviors for the CLI.
+ *
+ * @author Francesco Pio Scognamiglio (francescopio.scognamiglio at 4science.com)
+ */
+public class ItemImportCLI extends ItemImport {
+
+    @Override
+    protected void validate(Context context) {
+        // can only resume for adds
+        if (isResume && !"add".equals(command)) {
+            handler.logError("Resume option only works with the --add command (run with -h flag for details)");
+            throw new UnsupportedOperationException("Resume option only works with the --add command");
+        }
+
+        if (commandLine.hasOption('e')) {
+            eperson = commandLine.getOptionValue('e');
+        }
+
+        // check eperson identifier (email or id)
+        if (eperson == null) {
+            handler.logError("An eperson to do the importing must be specified (run with -h flag for details)");
+            throw new UnsupportedOperationException("An eperson to do the importing must be specified");
+        }
+
+        File myFile = null;
+        try {
+            myFile = new File(mapfile);
+        } catch (Exception e) {
+            throw new UnsupportedOperationException("The mapfile " + mapfile + " does not exist");
+        }
+
+        if (!isResume && "add".equals(command) && myFile.exists()) {
+            handler.logError("The mapfile " + mapfile + " already exists. "
+                    + "Either delete it or use --resume if attempting to resume an aborted import. "
+                    + "(run with -h flag for details)");
+            throw new UnsupportedOperationException("The mapfile " + mapfile + " already exists");
+        }
+
+        if (command == null) {
+            handler.logError("Must run with either add, replace, or remove (run with -h flag for details)");
+            throw new UnsupportedOperationException("Must run with either add, replace, or remove");
+        } else if ("add".equals(command) || "replace".equals(command)) {
+            if (!remoteUrl && sourcedir == null) {
+                handler.logError("A source directory containing items must be set (run with -h flag for details)");
+                throw new UnsupportedOperationException("A source directory containing items must be set");
+            }
+
+            if (mapfile == null) {
+                handler.logError(
+                        "A map file to hold importing results must be specified (run with -h flag for details)");
+                throw new UnsupportedOperationException("A map file to hold importing results must be specified");
+            }
+        } else if ("delete".equals(command)) {
+            if (mapfile == null) {
+                handler.logError("A map file must be specified (run with -h flag for details)");
+                throw new UnsupportedOperationException("A map file must be specified");
+            }
+        }
+    }
+
+    @Override
+    protected void process(Context context, ItemImportService itemImportService,
+            List<Collection> collections) throws Exception {
+        if ("add".equals(command)) {
+            itemImportService.addItems(context, collections, sourcedir, mapfile, template);
+        } else if ("replace".equals(command)) {
+            itemImportService.replaceItems(context, collections, sourcedir, mapfile, template);
+        } else if ("delete".equals(command)) {
+            itemImportService.deleteItems(context, mapfile);
+        }
+    }
+
+    @Override
+    protected void readZip(Context context, ItemImportService itemImportService) throws Exception {
+        // If this is a zip archive, unzip it first
+        if (zip) {
+            if (!remoteUrl) {
+                // confirm zip file exists
+                File myZipFile = new File(sourcedir + File.separator + zipfilename);
+                if ((!myZipFile.exists()) || (!myZipFile.isFile())) {
+                    throw new IllegalArgumentException(
+                        "Error reading file, the file couldn't be found for filename: " + zipfilename);
+                }
+
+                // validate zip file
+                InputStream validationFileStream = new FileInputStream(myZipFile);
+                try {
+                    validateZip(validationFileStream);
+                } finally {
+                    IOUtils.closeQuietly(validationFileStream);
+                }
+
+                workDir = new File(itemImportService.getTempWorkDir() + File.separator + TEMP_DIR
+                        + File.separator + context.getCurrentUser().getID());
+                sourcedir = itemImportService.unzip(
+                        new File(sourcedir + File.separator + zipfilename), workDir.getAbsolutePath());
+            } else {
+                // manage zip via remote url
+                Optional<InputStream> optionalFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
+                Optional<InputStream> validationFileStream = Optional.ofNullable(new URL(zipfilename).openStream());
+                try {
+                    if (optionalFileStream.isPresent()) {
+                        // validate zip file via url
+
+                        if (validationFileStream.isPresent()) {
+                            validateZip(validationFileStream.get());
+                        }
+
+                        workFile = new File(itemImportService.getTempWorkDir() + File.separator
+                                + zipfilename + "-" + context.getCurrentUser().getID());
+                        FileUtils.copyInputStreamToFile(optionalFileStream.get(), workFile);
+                        workDir = new File(itemImportService.getTempWorkDir() + File.separator + TEMP_DIR
+                                + File.separator + context.getCurrentUser().getID());
+                        sourcedir = itemImportService.unzip(workFile, workDir.getAbsolutePath());
+                    } else {
+                        throw new IllegalArgumentException(
+                                "Error reading file, the file couldn't be found for filename: " + zipfilename);
+                    }
+                } finally {
+                    optionalFileStream.ifPresent(IOUtils::closeQuietly);
+                    validationFileStream.ifPresent(IOUtils::closeQuietly);
+                }
+            }
+        }
+    }
+
+    @Override
+    protected void setMapFile() {
+        if (commandLine.hasOption('m')) {
+            mapfile = commandLine.getOptionValue('m');
+        }
+    }
+
+    @Override
+    protected void setZip() {
+        if (commandLine.hasOption('s')) { // source
+            sourcedir = commandLine.getOptionValue('s');
+        }
+
+        if (commandLine.hasOption('z')) {
+            zip = true;
+            zipfilename = commandLine.getOptionValue('z');
+        }
+
+        if (commandLine.hasOption('u')) { // remote url
+            zip = true;
+            remoteUrl = true;
+            zipfilename = commandLine.getOptionValue('u');
+        }
+    }
+
+    @Override
+    protected void setEPerson(Context context) throws SQLException {
+        EPerson myEPerson = null;
+        if (StringUtils.contains(eperson, '@')) {
+            // @ sign, must be an email
+            myEPerson = epersonService.findByEmail(context, eperson);
+        } else {
+            myEPerson = epersonService.find(context, UUID.fromString(eperson));
+        }
+
+        // check eperson
+        if (myEPerson == null) {
+            handler.logError("EPerson cannot be found: " + eperson + " (run with -h flag for details)");
+            throw new UnsupportedOperationException("EPerson cannot be found: " + eperson);
+        }
+
+        context.setCurrentUser(myEPerson);
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportCLIScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportCLIScriptConfiguration.java
@@ -0,0 +1,80 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.itemimport;
+
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.dspace.scripts.configuration.ScriptConfiguration;
+
+/**
+ * The {@link ScriptConfiguration} for the {@link ItemImportCLI} script
+ *
+ * @author Francesco Pio Scognamiglio (francescopio.scognamiglio at 4science.com)
+ */
+public class ItemImportCLIScriptConfiguration extends ItemImportScriptConfiguration<ItemImportCLI> {
+
+    @Override
+    public Options getOptions() {
+        Options options = new Options();
+
+        options.addOption(Option.builder("a").longOpt("add")
+                .desc("add items to DSpace")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("r").longOpt("replace")
+                .desc("replace items in mapfile")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("d").longOpt("delete")
+                .desc("delete items listed in mapfile")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("s").longOpt("source")
+                .desc("source of items (directory)")
+                .hasArg().required(false).build());
+        options.addOption(Option.builder("z").longOpt("zip")
+                .desc("name of zip file")
+                .hasArg().required(false).build());
+        options.addOption(Option.builder("u").longOpt("url")
+                .desc("url of zip file")
+                .hasArg().build());
+        options.addOption(Option.builder("c").longOpt("collection")
+                .desc("destination collection(s) Handle or database ID")
+                .hasArg().required(false).build());
+        options.addOption(Option.builder("m").longOpt("mapfile")
+                .desc("mapfile items in mapfile")
+                .hasArg().required().build());
+        options.addOption(Option.builder("e").longOpt("eperson")
+                .desc("email of eperson doing importing")
+                .hasArg().required().build());
+        options.addOption(Option.builder("w").longOpt("workflow")
+                .desc("send submission through collection's workflow")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("n").longOpt("notify")
+                .desc("if sending submissions through the workflow, send notification emails")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("v").longOpt("validate")
+                .desc("test run - do not actually import items")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("x").longOpt("exclude-bitstreams")
+                .desc("do not load or expect content bitstreams")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("p").longOpt("template")
+                .desc("apply template")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("R").longOpt("resume")
+                .desc("resume a failed import (add only)")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("q").longOpt("quiet")
+                .desc("don't display metadata")
+                .hasArg(false).required(false).build());
+
+        options.addOption(Option.builder("h").longOpt("help")
+                .desc("help")
+                .hasArg(false).required(false).build());
+
+        return options;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportCLITool.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportCLITool.java
@@ -1,395 +0,0 @@
-/**
- * The contents of this file are subject to the license and copyright
- * detailed in the LICENSE and NOTICE files at the root of the source
- * tree and available online at
- *
- * http://www.dspace.org/license/
- */
-package org.dspace.app.itemimport;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.UUID;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.DefaultParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Options;
-import org.dspace.app.itemimport.factory.ItemImportServiceFactory;
-import org.dspace.app.itemimport.service.ItemImportService;
-import org.dspace.content.Collection;
-import org.dspace.content.factory.ContentServiceFactory;
-import org.dspace.content.service.CollectionService;
-import org.dspace.core.Constants;
-import org.dspace.core.Context;
-import org.dspace.eperson.EPerson;
-import org.dspace.eperson.factory.EPersonServiceFactory;
-import org.dspace.eperson.service.EPersonService;
-import org.dspace.handle.factory.HandleServiceFactory;
-import org.dspace.handle.service.HandleService;
-
-/**
- * Import items into DSpace. The conventional use is upload files by copying
- * them. DSpace writes the item's bitstreams into its assetstore. Metadata is
- * also loaded to the DSpace database.
- * <P>
- * A second use assumes the bitstream files already exist in a storage
- * resource accessible to DSpace. In this case the bitstreams are 'registered'.
- * That is, the metadata is loaded to the DSpace database and DSpace is given
- * the location of the file which is subsumed into DSpace.
- * <P>
- * The distinction is controlled by the format of lines in the 'contents' file.
- * See comments in processContentsFile() below.
- * <P>
- * Modified by David Little, UCSD Libraries 12/21/04 to
- * allow the registration of files (bitstreams) into DSpace.
- */
-public class ItemImportCLITool {
-
-    private static boolean template = false;
-
-    private static final CollectionService collectionService = ContentServiceFactory.getInstance()
-                                                                                    .getCollectionService();
-    private static final EPersonService epersonService = EPersonServiceFactory.getInstance().getEPersonService();
-    private static final HandleService handleService = HandleServiceFactory.getInstance().getHandleService();
-
-    /**
-     * Default constructor
-     */
-    private ItemImportCLITool() { }
-
-    public static void main(String[] argv) throws Exception {
-        Date startTime = new Date();
-        int status = 0;
-
-        try {
-            // create an options object and populate it
-            CommandLineParser parser = new DefaultParser();
-
-            Options options = new Options();
-
-            options.addOption("a", "add", false, "add items to DSpace");
-            options.addOption("r", "replace", false, "replace items in mapfile");
-            options.addOption("d", "delete", false,
-                              "delete items listed in mapfile");
-            options.addOption("s", "source", true, "source of items (directory)");
-            options.addOption("z", "zip", true, "name of zip file");
-            options.addOption("c", "collection", true,
-                              "destination collection(s) Handle or database ID");
-            options.addOption("m", "mapfile", true, "mapfile items in mapfile");
-            options.addOption("e", "eperson", true,
-                              "email of eperson doing importing");
-            options.addOption("w", "workflow", false,
-                              "send submission through collection's workflow");
-            options.addOption("n", "notify", false,
-                              "if sending submissions through the workflow, send notification emails");
-            options.addOption("t", "test", false,
-                              "test run - do not actually import items");
-            options.addOption("p", "template", false, "apply template");
-            options.addOption("R", "resume", false,
-                              "resume a failed import (add only)");
-            options.addOption("q", "quiet", false, "don't display metadata");
-
-            options.addOption("h", "help", false, "help");
-
-            CommandLine line = parser.parse(options, argv);
-
-            String command = null; // add replace remove, etc
-            String sourcedir = null;
-            String mapfile = null;
-            String eperson = null; // db ID or email
-            String[] collections = null; // db ID or handles
-            boolean isTest = false;
-            boolean isResume = false;
-            boolean useWorkflow = false;
-            boolean useWorkflowSendEmail = false;
-            boolean isQuiet = false;
-
-            if (line.hasOption('h')) {
-                HelpFormatter myhelp = new HelpFormatter();
-                myhelp.printHelp("ItemImport\n", options);
-                System.out
-                    .println("\nadding items:    ItemImport -a -e eperson -c collection -s sourcedir -m mapfile");
-                System.out
-                    .println(
-                        "\nadding items from zip file:    ItemImport -a -e eperson -c collection -s sourcedir -z " +
-                            "filename.zip -m mapfile");
-                System.out
-                    .println("replacing items: ItemImport -r -e eperson -c collection -s sourcedir -m mapfile");
-                System.out
-                    .println("deleting items:  ItemImport -d -e eperson -m mapfile");
-                System.out
-                    .println(
-                        "If multiple collections are specified, the first collection will be the one that owns the " +
-                            "item.");
-
-                System.exit(0);
-            }
-
-            if (line.hasOption('a')) {
-                command = "add";
-            }
-
-            if (line.hasOption('r')) {
-                command = "replace";
-            }
-
-            if (line.hasOption('d')) {
-                command = "delete";
-            }
-
-            if (line.hasOption('w')) {
-                useWorkflow = true;
-                if (line.hasOption('n')) {
-                    useWorkflowSendEmail = true;
-                }
-            }
-
-            if (line.hasOption('t')) {
-                isTest = true;
-                System.out.println("**Test Run** - not actually importing items.");
-            }
-
-            if (line.hasOption('p')) {
-                template = true;
-            }
-
-            if (line.hasOption('s')) { // source
-                sourcedir = line.getOptionValue('s');
-            }
-
-            if (line.hasOption('m')) { // mapfile
-                mapfile = line.getOptionValue('m');
-            }
-
-            if (line.hasOption('e')) { // eperson
-                eperson = line.getOptionValue('e');
-            }
-
-            if (line.hasOption('c')) { // collections
-                collections = line.getOptionValues('c');
-            }
-
-            if (line.hasOption('R')) {
-                isResume = true;
-                System.out
-                    .println("**Resume import** - attempting to import items not already imported");
-            }
-
-            if (line.hasOption('q')) {
-                isQuiet = true;
-            }
-
-            boolean zip = false;
-            String zipfilename = "";
-            if (line.hasOption('z')) {
-                zip = true;
-                zipfilename = line.getOptionValue('z');
-            }
-
-            //By default assume collections will be given on the command line
-            boolean commandLineCollections = true;
-            // now validate
-            // must have a command set
-            if (command == null) {
-                System.out
-                    .println("Error - must run with either add, replace, or remove (run with -h flag for details)");
-                System.exit(1);
-            } else if ("add".equals(command) || "replace".equals(command)) {
-                if (sourcedir == null) {
-                    System.out
-                        .println("Error - a source directory containing items must be set");
-                    System.out.println(" (run with -h flag for details)");
-                    System.exit(1);
-                }
-
-                if (mapfile == null) {
-                    System.out
-                        .println("Error - a map file to hold importing results must be specified");
-                    System.out.println(" (run with -h flag for details)");
-                    System.exit(1);
-                }
-
-                if (eperson == null) {
-                    System.out
-                        .println("Error - an eperson to do the importing must be specified");
-                    System.out.println(" (run with -h flag for details)");
-                    System.exit(1);
-                }
-
-                if (collections == null) {
-                    System.out.println("No collections given. Assuming 'collections' file inside item directory");
-                    commandLineCollections = false;
-                }
-            } else if ("delete".equals(command)) {
-                if (eperson == null) {
-                    System.out
-                        .println("Error - an eperson to do the importing must be specified");
-                    System.exit(1);
-                }
-
-                if (mapfile == null) {
-                    System.out.println("Error - a map file must be specified");
-                    System.exit(1);
-                }
-            }
-
-            // can only resume for adds
-            if (isResume && !"add".equals(command)) {
-                System.out
-                    .println("Error - resume option only works with the --add command");
-                System.exit(1);
-            }
-
-            // do checks around mapfile - if mapfile exists and 'add' is selected,
-            // resume must be chosen
-            File myFile = new File(mapfile);
-
-            if (!isResume && "add".equals(command) && myFile.exists()) {
-                System.out.println("Error - the mapfile " + mapfile
-                                       + " already exists.");
-                System.out
-                    .println("Either delete it or use --resume if attempting to resume an aborted import.");
-                System.exit(1);
-            }
-
-            ItemImportService myloader = ItemImportServiceFactory.getInstance().getItemImportService();
-            myloader.setTest(isTest);
-            myloader.setResume(isResume);
-            myloader.setUseWorkflow(useWorkflow);
-            myloader.setUseWorkflowSendEmail(useWorkflowSendEmail);
-            myloader.setQuiet(isQuiet);
-
-            // create a context
-            Context c = new Context(Context.Mode.BATCH_EDIT);
-
-            // find the EPerson, assign to context
-            EPerson myEPerson = null;
-
-            if (eperson.indexOf('@') != -1) {
-                // @ sign, must be an email
-                myEPerson = epersonService.findByEmail(c, eperson);
-            } else {
-                myEPerson = epersonService.find(c, UUID.fromString(eperson));
-            }
-
-            if (myEPerson == null) {
-                System.out.println("Error, eperson cannot be found: " + eperson);
-                System.exit(1);
-            }
-
-            c.setCurrentUser(myEPerson);
-
-            // find collections
-            List<Collection> mycollections = null;
-
-            // don't need to validate collections set if command is "delete"
-            // also if no collections are given in the command line
-            if (!"delete".equals(command) && commandLineCollections) {
-                System.out.println("Destination collections:");
-
-                mycollections = new ArrayList<>();
-
-                // validate each collection arg to see if it's a real collection
-                for (int i = 0; i < collections.length; i++) {
-
-                    Collection resolved = null;
-
-                    if (collections[i] != null) {
-
-                        // is the ID a handle?
-                        if (collections[i].indexOf('/') != -1) {
-                            // string has a / so it must be a handle - try and resolve
-                            // it
-                            resolved = ((Collection) handleService
-                                .resolveToObject(c, collections[i]));
-
-                        } else {
-                            // not a handle, try and treat it as an integer collection database ID
-                            resolved = collectionService.find(c, UUID.fromString(collections[i]));
-
-                        }
-
-                    }
-
-                    // was the collection valid?
-                    if ((resolved == null)
-                            || (resolved.getType() != Constants.COLLECTION)) {
-                        throw new IllegalArgumentException("Cannot resolve "
-                                                               + collections[i] + " to collection");
-                    }
-
-                    // add resolved collection to list
-                    mycollections.add(resolved);
-
-                    // print progress info
-                    String owningPrefix = "";
-
-                    if (i == 0) {
-                        owningPrefix = "Owning ";
-                    }
-
-                    System.out.println(owningPrefix + " Collection: "
-                                           + resolved.getName());
-                }
-            } // end of validating collections
-
-            try {
-                // If this is a zip archive, unzip it first
-                if (zip) {
-                    sourcedir = myloader.unzip(sourcedir, zipfilename);
-                }
-
-
-                c.turnOffAuthorisationSystem();
-
-                if ("add".equals(command)) {
-                    myloader.addItems(c, mycollections, sourcedir, mapfile, template);
-                } else if ("replace".equals(command)) {
-                    myloader.replaceItems(c, mycollections, sourcedir, mapfile, template);
-                } else if ("delete".equals(command)) {
-                    myloader.deleteItems(c, mapfile);
-                }
-
-                // complete all transactions
-                c.complete();
-            } catch (Exception e) {
-                c.abort();
-                e.printStackTrace();
-                System.out.println(e);
-                status = 1;
-            }
-
-            // Delete the unzipped file
-            try {
-                if (zip) {
-                    System.gc();
-                    System.out.println(
-                        "Deleting temporary zip directory: " + myloader.getTempWorkDirFile().getAbsolutePath());
-                    myloader.cleanupZipTemp();
-                }
-            } catch (IOException ex) {
-                System.out.println("Unable to delete temporary zip archive location: " + myloader.getTempWorkDirFile()
-                                                                                                 .getAbsolutePath());
-            }
-
-
-            if (isTest) {
-                System.out.println("***End of Test Run***");
-            }
-        } finally {
-            Date endTime = new Date();
-            System.out.println("Started: " + startTime.getTime());
-            System.out.println("Ended: " + endTime.getTime());
-            System.out.println(
-                "Elapsed time: " + ((endTime.getTime() - startTime.getTime()) / 1000) + " secs (" + (endTime
-                    .getTime() - startTime.getTime()) + " msecs)");
-        }
-
-        System.exit(status);
-    }
-}
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportScriptConfiguration.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportScriptConfiguration.java
@@ -0,0 +1,90 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.app.itemimport;
+
+import java.io.InputStream;
+
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.dspace.scripts.configuration.ScriptConfiguration;
+
+/**
+ * The {@link ScriptConfiguration} for the {@link ItemImport} script
+ *
+ * @author Francesco Pio Scognamiglio (francescopio.scognamiglio at 4science.com)
+ */
+public class ItemImportScriptConfiguration<T extends ItemImport> extends ScriptConfiguration<T> {
+
+    private Class<T> dspaceRunnableClass;
+
+    @Override
+    public Class<T> getDspaceRunnableClass() {
+        return dspaceRunnableClass;
+    }
+
+    @Override
+    public void setDspaceRunnableClass(Class<T> dspaceRunnableClass) {
+        this.dspaceRunnableClass = dspaceRunnableClass;
+    }
+
+    @Override
+    public Options getOptions() {
+        Options options = new Options();
+
+        options.addOption(Option.builder("a").longOpt("add")
+                .desc("add items to DSpace")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("r").longOpt("replace")
+                .desc("replace items in mapfile")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("d").longOpt("delete")
+                .desc("delete items listed in mapfile")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("z").longOpt("zip")
+                .desc("name of zip file")
+                .type(InputStream.class)
+                .hasArg().build());
+        options.addOption(Option.builder("u").longOpt("url")
+                .desc("url of zip file")
+                .hasArg().build());
+        options.addOption(Option.builder("c").longOpt("collection")
+                .desc("destination collection(s) Handle or database ID")
+                .hasArg().required(false).build());
+        options.addOption(Option.builder("m").longOpt("mapfile")
+                .desc("mapfile items in mapfile")
+                .type(InputStream.class)
+                .hasArg().required(false).build());
+        options.addOption(Option.builder("w").longOpt("workflow")
+                .desc("send submission through collection's workflow")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("n").longOpt("notify")
+                .desc("if sending submissions through the workflow, send notification emails")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("v").longOpt("validate")
+                .desc("test run - do not actually import items")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("x").longOpt("exclude-bitstreams")
+                .desc("do not load or expect content bitstreams")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("p").longOpt("template")
+                .desc("apply template")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("R").longOpt("resume")
+                .desc("resume a failed import (add only)")
+                .hasArg(false).required(false).build());
+        options.addOption(Option.builder("q").longOpt("quiet")
+                .desc("don't display metadata")
+                .hasArg(false).required(false).build());
+
+        options.addOption(Option.builder("h").longOpt("help")
+                .desc("help")
+                .hasArg(false).required(false).build());
+
+        return options;
+    }
+}
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java
--- a/dspace-api/src/main/java/org/dspace/app/itemimport/service/ItemImportService.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemimport/service/ItemImportService.java
@@ -10,12 +10,13 @@ package org.dspace.app.itemimport.service;
 import java.io.File;
 import java.io.IOException;
 import java.util.List;
-import javax.mail.MessagingException;

+import jakarta.mail.MessagingException;
 import org.dspace.app.itemimport.BatchUpload;
 import org.dspace.content.Collection;
 import org.dspace.core.Context;
 import org.dspace.eperson.EPerson;
+import org.dspace.scripts.handler.DSpaceRunnableHandler;

 /**
 * Import items into DSpace. The conventional use is upload files by copying
@@ -120,7 +121,7 @@ public interface ItemImportService {

    /**
     * If a batch import is done in a new thread we are unable to communicate
-     * with calling method about success or failure. We accomplis this
+     * with calling method about success or failure. We accomplish this
     * communication with email instead. Send an error email if the batch
     * import fails
     *
@@ -210,6 +211,13 @@ public interface ItemImportService {
     */
    public void setTest(boolean isTest);

+    /**
+     * Set exclude-content flag.
+     *
+     * @param isExcludeContent true or false
+     */
+    public void setExcludeContent(boolean isExcludeContent);
+
    /**
     * Set resume flag
     *
@@ -235,4 +243,10 @@ public interface ItemImportService {
     * @param isQuiet true or false
     */
    public void setQuiet(boolean isQuiet);
+
+    /**
+     * Set the DSpace Runnable Handler
+     * @param handler
+     */
+    public void setHandler(DSpaceRunnableHandler handler);
 }
--- a/dspace-api/src/main/java/org/dspace/app/itemupdate/AddBitstreamsAction.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemupdate/AddBitstreamsAction.java
@@ -27,6 +27,7 @@ import org.dspace.content.Item;
 import org.dspace.content.factory.ContentServiceFactory;
 import org.dspace.content.service.BitstreamFormatService;
 import org.dspace.content.service.InstallItemService;
+import org.dspace.core.Constants;
 import org.dspace.core.Context;
 import org.dspace.eperson.Group;
 import org.dspace.eperson.factory.EPersonServiceFactory;
@@ -77,7 +78,7 @@ public class AddBitstreamsAction extends UpdateBitstreamsAction {
        ItemUpdate.pr("Contents bitstream count: " + contents.size());

        String[] files = dir.list(ItemUpdate.fileFilter);
-        List<String> fileList = new ArrayList<String>();
+        List<String> fileList = new ArrayList<>();
        for (String filename : files) {
            fileList.add(filename);
            ItemUpdate.pr("file: " + filename);
@@ -134,17 +135,14 @@ public class AddBitstreamsAction extends UpdateBitstreamsAction {
        ItemUpdate.pr("contents entry for bitstream: " + ce.toString());
        File f = new File(dir, ce.filename);

-        // get an input stream
-        BufferedInputStream bis = new BufferedInputStream(new FileInputStream(f));
-
        Bitstream bs = null;
        String newBundleName = ce.bundlename;

        if (ce.bundlename == null) { // should be required but default convention established
-            if (ce.filename.equals("license.txt")) {
-                newBundleName = "LICENSE";
+            if (ce.filename.equals(Constants.LICENSE_BITSTREAM_NAME)) {
+                newBundleName = Constants.LICENSE_BUNDLE_NAME;
            } else {
-                newBundleName = "ORIGINAL";
+                newBundleName = Constants.CONTENT_BUNDLE_NAME;
            }
        }
        ItemUpdate.pr("  Bitstream " + ce.filename + " to be added to bundle: " + newBundleName);
@@ -173,7 +171,9 @@ public class AddBitstreamsAction extends UpdateBitstreamsAction {
                targetBundle = bundles.iterator().next();
            }

+            try (BufferedInputStream bis = new BufferedInputStream(new FileInputStream(f));) {
                bs = bitstreamService.create(context, targetBundle, bis);
+            }
            bs.setName(context, ce.filename);

            // Identify the format
--- a/dspace-api/src/main/java/org/dspace/app/itemupdate/DeleteBitstreamsAction.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemupdate/DeleteBitstreamsAction.java
@@ -70,12 +70,14 @@ public class DeleteBitstreamsAction extends UpdateBitstreamsAction {
                                }
                            }

-                            if (alterProvenance) {
+                            if (alterProvenance && !bundles.isEmpty()) {
                                DtoMetadata dtom = DtoMetadata.create("dc.description.provenance", "en", "");

                                String append = "Bitstream " + bs.getName() + " deleted on " + DCDate
                                    .getCurrent() + "; ";
-                                Item item = bundles.iterator().next().getItems().iterator().next();
+                                List<Item> items = bundles.iterator().next().getItems();
+                                if (!items.isEmpty()) {
+                                    Item item = items.iterator().next();
                                    ItemUpdate.pr("Append provenance with: " + append);

                                    if (!isTest) {
@@ -83,6 +85,7 @@ public class DeleteBitstreamsAction extends UpdateBitstreamsAction {
                                    }
                                }
                            }
+                        }
                    } catch (SQLException e) {
                        ItemUpdate.pr("Error finding bitstream from id: " + id + " : " + e.toString());
                    }
--- a/dspace-api/src/main/java/org/dspace/app/itemupdate/ItemArchive.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemupdate/ItemArchive.java
@@ -23,8 +23,6 @@ import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import java.util.UUID;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
@@ -33,6 +31,7 @@ import javax.xml.transform.TransformerFactory;

 import org.apache.logging.log4j.Logger;
 import org.dspace.app.util.LocalSchemaFilenameFilter;
+import org.dspace.app.util.XMLUtils;
 import org.dspace.authorize.AuthorizeException;
 import org.dspace.content.DSpaceObject;
 import org.dspace.content.Item;
@@ -52,7 +51,6 @@ public class ItemArchive {

    public static final String DUBLIN_CORE_XML = "dublin_core.xml";

-    protected static DocumentBuilder builder = null;
    protected Transformer transformer = null;

    protected List<DtoMetadata> dtomList = null;
@@ -95,14 +93,14 @@ public class ItemArchive {
        InputStream is = null;
        try {
            is = new FileInputStream(new File(dir, DUBLIN_CORE_XML));
-            itarch.dtomList = MetadataUtilities.loadDublinCore(getDocumentBuilder(), is);
+            itarch.dtomList = MetadataUtilities.loadDublinCore(XMLUtils.getDocumentBuilder(), is);

            //The code to search for local schema files was copied from org.dspace.app.itemimport
            // .ItemImportServiceImpl.java
-            File file[] = dir.listFiles(new LocalSchemaFilenameFilter());
+            File[] file = dir.listFiles(new LocalSchemaFilenameFilter());
            for (int i = 0; i < file.length; i++) {
                is = new FileInputStream(file[i]);
-                itarch.dtomList.addAll(MetadataUtilities.loadDublinCore(getDocumentBuilder(), is));
+                itarch.dtomList.addAll(MetadataUtilities.loadDublinCore(XMLUtils.getDocumentBuilder(), is));
            }
        } finally {
            if (is != null) {
@@ -126,14 +124,6 @@ public class ItemArchive {
        return itarch;
    }

-    protected static DocumentBuilder getDocumentBuilder()
-        throws ParserConfigurationException {
-        if (builder == null) {
-            builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-        }
-        return builder;
-    }
-
    /**
     * Getter for Transformer
     *
@@ -217,7 +207,7 @@ public class ItemArchive {
        throws SQLException, Exception {
        DtoMetadata dtom = getMetadataField("dc.identifier.uri");
        if (dtom == null) {
-            throw new Exception("No dc.identier.uri field found for handle");
+            throw new Exception("No dc.identifier.uri field found for handle");
        }

        this.addUndoMetadataField(dtom);  //seed the undo list with the uri
@@ -318,7 +308,7 @@ public class ItemArchive {

        try {
            out = new FileOutputStream(new File(dir, "dublin_core.xml"));
-            Document doc = MetadataUtilities.writeDublinCore(getDocumentBuilder(), undoDtomList);
+            Document doc = MetadataUtilities.writeDublinCore(XMLUtils.getDocumentBuilder(), undoDtomList);
            MetadataUtilities.writeDocument(doc, getTransformer(), out);

            // if undo has delete bitstream
--- a/dspace-api/src/main/java/org/dspace/app/itemupdate/ItemUpdate.java
+++ b/dspace-api/src/main/java/org/dspace/app/itemupdate/ItemUpdate.java
@@ -14,9 +14,9 @@ import java.io.FileWriter;
 import java.io.FilenameFilter;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -39,29 +39,34 @@ import org.dspace.handle.factory.HandleServiceFactory;
 import org.dspace.handle.service.HandleService;

 /**
- * Provides some batch editing capabilities for items in DSpace:
- * Metadata fields - Add, Delete
- * Bitstreams - Add, Delete
+ * Provides some batch editing capabilities for items in DSpace.
+ * <ul>
+ *   <li>Metadata fields - Add, Delete</li>
+ *   <li>Bitstreams - Add, Delete</li>
+ * </ul>
 *
- * The design has been for compatibility with ItemImporter
+ * <p>
+ * The design has been for compatibility with
+ * {@link org.dspace.app.itemimport.service.ItemImportService}
 * in the use of the DSpace archive format which is used to
 * specify changes on a per item basis.  The directory names
 * to correspond to each item are arbitrary and will only be
 * used for logging purposes.  The reference to the item is
- * from a required dc.identifier with the item handle to be
- * included in the dublin_core.xml (or similar metadata) file.
+ * from a required {@code dc.identifier} with the item handle to be
+ * included in the {@code dublin_core.xml} (or similar metadata) file.
 *
- * Any combination of these actions is permitted in a single run of this class
+ * <p>
+ * Any combination of these actions is permitted in a single run of this class.
 * The order of actions is important when used in combination.
- * It is the responsibility of the calling class (here, ItemUpdate)
- * to register UpdateAction classes in the order to which they are
+ * It is the responsibility of the calling class (here, {@code ItemUpdate})
+ * to register {@link UpdateAction} classes in the order which they are
 * to be performed.
 *
- *
- * It is unfortunate that so much code needs to be borrowed
- * from ItemImport as it is not reusable in private methods, etc.
- * Some of this has been placed into the MetadataUtilities class
- * for possible reuse elsewhere.
+ * <p>
+ * It is unfortunate that so much code needs to be borrowed from
+ * {@link org.dspace.app.itemimport.service.ItemImportService} as it is not
+ * reusable in private methods, etc.  Some of this has been placed into the
+ * {@link MetadataUtilities} class for possible reuse elsewhere.
 *
 * @author W. Hays based on a conceptual design by R. Rodgers
 */
@@ -73,7 +78,7 @@ public class ItemUpdate {
    public static final String DELETE_CONTENTS_FILE = "delete_contents";

    public static String HANDLE_PREFIX = null;
-    public static final Map<String, String> filterAliases = new HashMap<String, String>();
+    public static final Map<String, String> filterAliases = new HashMap<>();

    public static boolean verbose = false;

@@ -327,7 +332,7 @@ public class ItemUpdate {
                }
            }

-            pr("ItemUpdate - initializing run on " + (new Date()).toString());
+            pr("ItemUpdate - initializing run on " + (Instant.now()).toString());

            context = new Context(Context.Mode.BATCH_EDIT);
            iu.setEPerson(context, iu.eperson);
@@ -375,7 +380,7 @@ public class ItemUpdate {
        // open and process the source directory
        File sourceDir = new File(sourceDirPath);

-        if ((sourceDir == null) || !sourceDir.exists() || !sourceDir.isDirectory()) {
+        if (!sourceDir.exists() || !sourceDir.isDirectory()) {
            pr("Error, cannot open archive source directory " + sourceDirPath);
            throw new Exception("error with archive source directory " + sourceDirPath);
        }
--- a/Show More
+++ b/Show More