application-default.properties
# External configuration file for Typed PID Maker
# -----------------------------------------------
# Regarding the location of this file, consider the default paths for Spring Boot configurations, documented here:
# https://docs.spring.io/spring-boot/reference/features/external-config.html#:~:text=config%20data%20files%20are%20considered%20in%20the%20following%20order%3A
# You can change the path with e.g. this command (if you use gradle to run it):
# ./gradlew run --args="--spring.config.location=config/application-default.properties"
# Or by passing the parameter directly to the jar file.
#
# Documentation of common Spring Boot configuration properties (logging, ports, and others):
# https://docs.spring.io/spring-boot/appendix/application-properties/index.html
# More specific properties are documented within this file.
### General Spring Boot Settings ###
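# server.error.include-message (set below) controls when the "message" attribute is included in
# HTTP error responses for uncaught exceptions. "always" returns exception messages to every
# client, which can disclose internal details; "never" or "on-param" are the stricter choices.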
spring.application.name=typed-pid-maker
#spring.profiles.active=default
server.error.include-message=always
springdoc.api-docs.enabled=true
springdoc.swagger-ui.enabled=true
springdoc.show-actuator=true
# Do __not__ change these settings below:
spring.main.allow-bean-definition-overriding=true
spring.data.rest.detection-strategy=annotated
#####################################################
###########################
### Port, SSL, Security ###
###########################
server.port=8090
#server.ssl.key-store: keystore.p12
#server.ssl.key-store-password: test123
#server.ssl.keyStoreType: PKCS12
#server.ssl.keyAlias: tomcat
# Data transfer settings, e.g. transfer compression and multipart message size.
# The properties max-file-size and max-request-size define the maximum size of files
# transferred to and from the repository. Setting them to -1 removes all limits.
server.compression.enabled=false
spring.servlet.multipart.max-file-size=100MB
spring.servlet.multipart.max-request-size=100MB
# *Generic* Spring Management Endpoint Settings. By default, the health endpoint is
# enabled for service monitoring and includes detailed information
# ('show-details=ALWAYS' returns these details to every caller; 'when-authorized' or
# 'never' limit them).
# Furthermore, the endpoints listed in 'management.endpoints.web.exposure.include' are
# exposed to external access. If this is not desired, just comment out that property
# in order to only allow local access.
management.endpoint.health.access=unrestricted
management.endpoint.health.show-details=ALWAYS
management.endpoint.health.sensitive=false
management.endpoints.web.exposure.include=health, info
###############
### Logging ###
###############
# Logging Settings. Most logging of KIT DM is performed on TRACE level. However, if you
# plan to enable logging with this granularity, it is recommended to do this only for
# a selection of a few packages. Otherwise, the amount of logging information might be
# overwhelming.
#logging.level.root: ERROR
#logging.level.edu.kit.datamanager.doip:TRACE
logging.level.edu.kit=INFO
#logging.level.org.springframework.transaction: TRACE
logging.level.org.springframework=WARN
logging.level.org.springframework.amqp=WARN
#logging.level.com.zaxxer.hikari: ERROR
logging.level.edu.kit.datamanager.pit.cli=INFO
######################
### Authentication ###
######################
# Enable/disable (default) authentication. While authentication is disabled, requests
# are accepted without a token. If authentication is enabled, a separate
# Authentication Service should be used in order to obtain JSON Web Tokens holding
# login information. The token then has to be provided within the Authorization header
# of each HTTP request with a value of 'Bearer <TOKEN>' without quotes, replacing <TOKEN>
# by the token obtained from the authentication service.
# A token needs a "username" in its payload. A minimal token therefore may look like this:
# https://jwt.io/#debugger-io?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InVzZXIifQ.pfZuRuxbj_izZlCnmotWHQuH00BJ35CbjpHILpuQU70
repo.auth.enabled=false
# The jwtSecret is the mutual secret between all trusted services. This means that, if
# authentication is enabled, the jwtSecret used by the Authentication Service to sign
# issued JWTs must be the same as the jwtSecret of the repository in order to
# be able to validate the signature. The secret should be selected randomly
# and with a sufficient length. The value below is a published sample: replace it with
# your own secret before enabling authentication, because anyone who knows the secret
# can sign tokens that this service will accept.
repo.auth.jwtSecret=vkfvoswsohwrxgjaxipuiyyjgubggzdaqrcuupbugxtnalhiegkppdgjgwxsmvdb
###############################
### Keycloak Authentication ###
###############################
spring.autoconfigure.exclude=org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
#keycloakjwt.jwk-url=http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/certs
#keycloakjwt.resource=keycloak-angular
#keycloakjwt.jwt-claim=preferred_username # additional required payload by this application
##keycloakjwt.connect-timeoutms=500 # optional
##keycloakjwt.read-timeoutms=500 # optional
#
#keycloak.realm=myrealm
#keycloak.auth-server-url=http://localhost:8080/auth
#keycloak.resource=keycloak-angular
############################################
### Elastic Indexing and search endpoint ###
######## (requires Elasticsearch 8) ########
############################################
# enables search endpoint at /api/v1/search
repo.search.enabled=false
repo.search.index=*
# only enable if endpoint is enabled:
management.health.elasticsearch.enabled=false
# TO BE REMOVED!
repo.search.url=http://localhost:9200
# Soon will be:
#spring.elasticsearch.uris=http://localhost:9200
#spring.elasticsearch.username=user
#spring.elasticsearch.password=secret
#spring.elasticsearch.socket-timeout=10s
# Due to bug in spring cloud gateway
# https://github.com/spring-cloud/spring-cloud-gateway/issues/3154
spring.cloud.gateway.proxy.sensitive=content-length
#################
### Messaging ###
#################
# Enable (default)/disable messaging. The messaging functionality requires a RabbitMQ
# server receiving and distributing the messages sent by this service. The server is
# accessed via repo.messaging.hostname and repo.messaging.port
# The property 'repo.messaging.topic' defines the topic where messages are sent, whereas
# all properties with 'binding' define from where messages are received, e.g. the
# exchange (aka topic) and the queue. The routingKeys define which messages are
# routed to the aforementioned queue.
repo.messaging.enabled=false
# enables report via health actuator. Only activate if messaging is enabled.
management.health.rabbit.enabled=false
repo.messaging.hostname=localhost
repo.messaging.port=5672
repo.messaging.sender.exchange=record_events
# The rate in milliseconds at which the repository itself will check for new messages.
# E.g. if a resource has been created, the repository may have to perform additional
# ingest steps. Therefore, special handlers can be added which will be executed at the
# configured repo.schedule.rate if a new message has been received.
repo.schedule.rate=1000
#######################################################
##################### PIT Service #####################
#######################################################
# Standard resolver for Handle PIDs. Should usually stay like this.
pit.pidsystem.handle.baseURI=https://hdl.handle.net/
### Choosing and configuring the PID system ###
# Available implementations:
# - IN_MEMORY (default, sandboxed, non-permanent PIDs, for short testing / demonstration only),
# - LOCAL (sandboxed, uses local database, no public PIDs!, for long term testing or special use-cases),
# - HANDLE_PROTOCOL (recommended, for real FAIR Digital Objects),
pit.pidsystem.implementation=LOCAL
# If you chose IN_MEMORY, no further configuration is required.
# If you chose LOCAL, no further configuration is required.
# If you chose HANDLE_PROTOCOL, you need to set up your prefix and its key/certificate:
#pit.pidsystem.handle-protocol.credentials.handleIdentifierPrefix=21.T11981
#pit.pidsystem.handle-protocol.credentials.userHandle=21.T11981/USER01
#pit.pidsystem.handle-protocol.credentials.privateKeyPath=test_prefix_data/21.T11981_USER01_300_privkey.bin
# The handle system supports the redirection of web browsers to a URL.
# If your records may have such a URL stored in an attribute, you can
# list the attributes here. The first attribute to be found will have
# its value copied to a handle specific attribute (with key "URL"),
# enabling URL redirection. Only affects the handle system!
# Obligation: Optional (option missing = empty list)
pit.pidsystem.handle-protocol.handleRedirectAttributes={'21.T11148/b8457812905b83046284'}
### Base URL for the DTR used. ###
# Currently, we support the DTRs of GWDG/ePIC.
pit.typeregistry.baseURI=https://typeapi.lab.pidconsortium.net
# If the attribute(s) keys/types in your PID records are not being
# recognized as such, please contact us.
# As a workaround, add them to this list.
# pit.validation.profileKeys={}
### As this service is a RESTful service without GUI, CSRF protection is not required (this assumes clients authenticate with a bearer token header, not cookies). ###
pit.security.enable-csrf=false
### You may define patterns here for services which are allowed for communication. (CORS) ###
pit.security.allowedOriginPattern=http*://localhost:[*]
### Caching settings for validation ###
# The maximum number of entries in the cache.
# pit.typeregistry.cache.maxEntries:1000
# The time in minutes after which Entries will expire, starting from the
# last update.
# pit.typeregistry.cache.lifetimeMinutes:10
# Profiles may disallow additional attributes in the PID records. This
# option may be used to override this behavior for this instance.
# If set to false, it will behave as the profiles describe.
# If set to true, additional attributes will always be allowed.
pit.validation.alwaysAllowAdditionalAttributes=true
### DANGEROUS OPTIONS! Please read carefully! ########################################
# This will disable validation. It is only meant for testing and rare cases
# where a DTR may not be available or an external validator is being
# used.
#
# pit.validation.strategy=none-debug
### DANGEROUS OPTIONS! Please read carefully! ########################################
#######################################################
#################### PID GENERATOR ####################
#######################################################
# The PID generator to use for the suffix. Possible values:
# "uuid4": generates a UUID v4 (random) PID suffix.
# "hex-chunks": generates hex-chunks. Each chunk is four characters long. Example: 1D6C-152C-C9E0-C136-1509
pit.pidgeneration.mode=uuid4
# A prefix for branding, in addition to the PID system prefix.
# Structure: <system-prefix><branding-prefix><suffix>
# Example: branding-prefix="my-project.", system-prefix="21.T11981", suffix="12345"
# => PID="21.T11981/my-project.12345"
# pit.pidgeneration.branding-prefix=my-project.
# Applies a casing on the PIDs after generation (see "mode" property). Possible values:
# "lower": all characters are lower case
# "upper": all characters are upper case
# "unmodified": no casing is applied after generation. Result depends fully on the generator.
pit.pidgeneration.casing=lower
# Affects chunk-based generation modes (see pit.pidgeneration.mode) only.
# Defines the number of chunks the generator should generate for each PID.
# Default: 4
# pit.pidgeneration.num-chunks=4
### DANGEROUS OPTIONS! Please read carefully! ########################################
# Please keep this option as a last resort for special use-cases
# where you need total control over the PID suffix you want to create.
# In addition to authentication, we recommend fully hiding the Typed PID Maker behind
# a gateway which will manage your custom PIDs.
# NOTE! If you do not already include the configured prefix in the PID, it will be prepended.
# This means that you cannot create PIDs with a suffix starting with the system prefix.
# Example: system prefix="abc", suffix=abcdef
# => PID="abc/def" (delimiter may depend on PID system)
# pit.pidgeneration.custom-client-pids-enabled=false
### DANGEROUS OPTIONS! Please read carefully! ########################################
################################
######## Database ##############
################################
### - Stores known PIDs ###
### - Stores PID records if ###
### system is set to LOCAL ###
### - Required for messaging ###
################################
# This database will always run, as it is also required for the messaging feature,
# but for the messaging it is not required to be persistent.
# But the service will also use this database to store known PIDs.
# This can be used as a backup or documentation of all PIDs.
# The following properties can (and should) be set.
# When to store PIDs in the local database ("known PIDs")
pit.storage.strategy=keep-resolved-and-modified
#pit.storage.strategy: keep-resolved
# The driver determines the database system to start. Other drivers are untested, but may work.
spring.datasource.driver-class-name=org.h2.Driver
# Next, please choose a location for the database file on your file system.
# WARNING: If no url is defined, an in-memory database is used,
# losing all data on restart.
# WARNING: Change the DB to be stored somewhere outside of /tmp, in a directory
# that only the service account can read and write!
spring.datasource.url=jdbc:h2:file:/tmp/database;MODE=LEGACY;NON_KEYWORDS=VALUE
# Credentials for the database (the values below are placeholders; set your own before deployment):
spring.datasource.username=typid
spring.datasource.password=secure_me
# Do not change ddl-auto if you do not know what you are doing:
# https://docs.spring.io/spring-boot/docs/1.1.0.M1/reference/html/howto-database-initialization.html
spring.jpa.hibernate.ddl-auto=update
################################
####### Observability ##########
################################
### General OpenTelemetry Configuration ###
# Allows unrestricted access to Prometheus metrics endpoint
management.endpoint.prometheus.access=unrestricted
# Enables automatic OpenTelemetry SDK configuration
otel.java.global-autoconfigure.enabled=true
# Integrates OpenTelemetry with Micrometer metrics
otel.instrumentation.micrometer.enabled=true
# Service name appearing in telemetry data
otel.service.name=${spring.application.name}
# OpenTelemetry Collector endpoint URL
otel.exporter.otlp.endpoint=http://localhost:4318
# Protocol for telemetry data export (recommended for performance)
otel.exporter.otlp.protocol=http/protobuf
# Context propagation formats (W3C standards)
otel.propagators=tracecontext,baggage
### OpenTelemetry Metrics Configuration ###
# Export metrics via OTLP protocol
otel.metrics.exporter=otlp
# Enable OTLP metrics export through management endpoints
management.otlp.metrics.export.enabled=true
# Metrics endpoint URL
management.otlp.metrics.export.url=http://localhost:4318/v1/metrics
# Metrics export interval (production-appropriate)
management.metrics.export.defaults.step=15s
# HTTP request duration histogram buckets for SLA monitoring
management.metrics.distribution.sla.http.server.requests=1ms,10ms,50ms,100ms,200ms,500ms,1s,2s,5s
# Enable percentile histograms for timer metrics
management.metrics.distribution.percentiles-histogram[timer]=true
# Timer metrics histogram buckets (database queries, method execution)
management.metrics.distribution.sla[timer]=0.1ms,0.5ms,1ms,10ms,50ms,100ms,200ms,500ms,1s,2s,5s
# Enable percentile histograms for HTTP request metrics
management.metrics.distribution.percentiles-histogram.http.server.requests=true
# Tag all metrics with service name for filtering
management.metrics.tags.service_name=${spring.application.name}
# Tag all metrics with environment for separation
management.metrics.tags.environment=${spring.profiles.active}
# Disable Prometheus export (using OTLP instead)
management.prometheus.metrics.export.enabled=false
### OpenTelemetry Logging Configuration ###
# Enable log export via OTLP
management.otlp.logging.export.enabled=true
# Logs endpoint URL
management.otlp.logging.endpoint=http://localhost:4318/v1/logs
# Capture trace/span IDs in logs for correlation
otel.instrumentation.log4j-appender.experimental.capture-mdc-attributes=trace_id,span_id
# Enable logging context propagation
logging.context.enabled=true
### Tracing Configuration ###
# Production-safe sampling rate (10% of requests)
management.tracing.sampling.probability=0.1
# Traces endpoint URL
management.otlp.tracing.endpoint=http://localhost:4318/v1/traces
# Record HTTP exchanges for detailed analysis
management.httpexchanges.recording.enabled=true
# Enable baggage correlation for distributed traces
management.tracing.baggage.correlation.enabled=true
# Enable @Observed annotation support
management.observations.annotations.enabled=true
# Enable all built-in Spring Boot observations
management.observations.enable.all=true
# Enable runtime telemetry (JVM metrics)
otel.instrumentation.runtime-telemetry.enabled=true
# (optional: enable JFR/Java17-specific telemetry)
otel.instrumentation.runtime-telemetry-java17.enabled=true
# Enable Spring WebMVC request tracing
otel.instrumentation.spring-webmvc.enabled=true
# Enable OpenTelemetry annotation support (@WithSpan)
otel.instrumentation.opentelemetry-instrumentation-annotations.enabled=true
# Enable OpenTelemetry annotation support (@WithSpan)
otel.instrumentation.annotations.enabled=true
# Parent-based sampling with trace ID ratio
otel.traces.sampler=parentbased_traceidratio
# Sampling ratio argument (10%)
otel.traces.sampler.arg=0.1
# Enable Spring Boot application lifecycle tracing
otel.instrumentation.spring-boot.enabled=true
# Enable Spring Data repository tracing
otel.instrumentation.spring-data.enabled=true
# Enable RabbitMQ message tracing
otel.instrumentation.spring-rabbit.enabled=true
# Enable Spring Security tracing
otel.instrumentation.spring-security.enabled=true
### 5) Sensitive Information Configuration (COMMENTED OUT FOR PRODUCTION) ###
## WARNING: These capture potentially sensitive data - NOT for production
## Captures HTTP request headers (may contain auth tokens)
# otel.instrumentation.http.client.capture-request-headers=true
## Captures HTTP response headers (may contain sensitive data)
# otel.instrumentation.http.client.capture-response-headers=true
## Disables URL parameter redaction (may expose sensitive URLs)
# otel.instrumentation.http.client.experimental.redact-query-parameters=false
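## Include PII (Personally Identifiable Information) as trace attributes.
## NOTE: unlike the other options in this section, this one is active (true) in this file;
## set it to false for production so that personal data is not exported with the traces.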
pit.observability.includePiiInTraces=true
### 6) Experimental/Verbose Configuration (COMMENTED OUT FOR PRODUCTION) ###
## WARNING: Experimental features or high overhead - NOT for production
## Too frequent export (high overhead)
# management.otlp.metrics.export.step=2s
## 100% sampling (performance impact)
# management.tracing.sampling.probability=1.0
## Exports unsampled traces (storage cost)
# management.tracing.opentelemetry.export.include-unsampled=true
## 100% sampling argument
# otel.traces.sampler.arg=1
## Verbose log attributes (experimental)
# otel.instrumentation.logback-appender.experimental-log-attributes=true
## Code location capture (experimental and expensive)
# otel.instrumentation.logback-appender.experimental.capture-code-attributes=true
## Log marker capture (experimental feature)
# otel.instrumentation.logback-appender.experimental.capture-marker-attribute=true
## Experimental HTTP telemetry (may be unstable)
# otel.instrumentation.http.client.emit-experimental-telemetry=true
## Experimental JDBC tracing (may impact performance)
# otel.instrumentation.jdbc.experimental.transaction.enabled=true
## Request parameter capture (may expose sensitive data)
# otel.instrumentation.spring-webmvc.experimental.capture-request-parameters=true
## Verbose controller telemetry (experimental)
# otel.instrumentation.spring-webmvc.experimental.capture-controller-telemetry=true
## View rendering telemetry (experimental and verbose)
# otel.instrumentation.spring-webmvc.experimental.capture-view-telemetry=true
## Hibernate span control (experimental, may miss important data)
# otel.instrumentation.hibernate.experimental.span-suppression-strategy=statement-only
## Verbose JPA query reporting (experimental, performance impact)
# otel.instrumentation.jpa.experimental.query-reporting=true