Related to discussion in DS-4396
During implementation of Shibboleth (DS-4396), we've found that we can no longer use a wildcard setting for the CORS header "Access-Control-Allow-Origin". So, we cannot set Access-Control-Allow-Origin: *, as we used to do.
Therefore, we must implement a (configurable) whitelist of client-side URLs which the REST API will accept requests from.
This whitelist should default to the value of the dspace.ui.url setting in dspace.cfg/local.cfg. However, it should allow for additional URLs to be added.
[Temporary Workaround] Until this is resolved, if the REST API and Angular UI are run on separate servers, the "Access-Control-Allow-Origin" header can be set in an Apache Configuration as described here: https://wiki.lyrasis.org/display/DSPACE/DSpace+7+Shibboleth+Configuration#DSpace7ShibbolethConfiguration-SeparateRESTandAngularhostname
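
One way the proposed whitelist check could work, as an added example (not DSpace's own code). It assumes the wildcard stopped working because Shibboleth requests carry credentials, which browsers refuse to combine with "Access-Control-Allow-Origin: *". The class name, the extraOrigins parameter and the host names are hypothetical; only dspace.ui.url comes from this ticket.

```java
import java.net.URI;
import java.util.*;

public class CorsOriginAllowlist {
    private final Set<String> allowed = new HashSet<>();

    // uiUrl stands for the dspace.ui.url value; extraOrigins is a hypothetical additional setting.
    public CorsOriginAllowlist(String uiUrl, List<String> extraOrigins) {
        allowed.add(toOrigin(uiUrl));
        for (String o : extraOrigins) allowed.add(toOrigin(o));
    }

    // Reduce a URL to scheme://host[:port]: path dropped, case folded, default port omitted.
    static String toOrigin(String url) {
        URI u = URI.create(url.trim());
        if (u.getScheme() == null || u.getHost() == null) {
            throw new IllegalArgumentException("Not an absolute URL: " + url);
        }
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        String host = u.getHost().toLowerCase(Locale.ROOT);
        int port = u.getPort();
        boolean defaultPort = port == -1
                || (scheme.equals("http") && port == 80)
                || (scheme.equals("https") && port == 443);
        return scheme + "://" + host + (defaultPort ? "" : ":" + port);
    }

    // CORS headers to add to a response, given the request's Origin header (may be null).
    public Map<String, String> corsHeaders(String requestOrigin) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Vary", "Origin"); // the response differs per Origin, so caches must key on it
        if (requestOrigin == null) return headers;
        try {
            String origin = toOrigin(requestOrigin);
            if (allowed.contains(origin)) { // exact match only, never prefix or substring
                headers.put("Access-Control-Allow-Origin", origin);
                headers.put("Access-Control-Allow-Credentials", "true");
            }
        } catch (IllegalArgumentException e) {
            // Origin "null" or a malformed value: grant nothing
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and request origins
        CorsOriginAllowlist cors = new CorsOriginAllowlist(
                "https://ui.example.org/home", Arrays.asList("http://localhost:4000"));
        for (String o : new String[] {"https://ui.example.org", "http://localhost:4000",
                "https://ui.example.org.lookalike.example", "null"}) {
            System.out.println(o + " -> " + cors.corsHeaders(o));
        }
    }
}
```

Only the first two sample origins receive the Allow-Origin and Allow-Credentials headers; the lookalike host and the literal "null" origin get Vary alone, so the browser blocks the cross-origin read.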