# HG changeset patch # User Alain Mazy # Date 1710769953 -3600 # Node ID ae1bd3d15f818676c5521c71deaa6b59dca0cec5 # Parent 3683f3d083bdeb514072fc4a96f6fa3eeedb3eaa add GET argument tokens as HTTP headers in the query to the auth-service diff -r 3683f3d083bd -r ae1bd3d15f81 NEWS --- a/NEWS Mon Mar 18 11:58:20 2024 +0100 +++ b/NEWS Mon Mar 18 14:52:33 2024 +0100 @@ -9,7 +9,8 @@ is no StudyInstanceUID in the query. This fixes forbidden access to e.g. /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels. - +* The GET argument tokens are now also added as HTTP headers in the query to the + auth-service (this was already done only for Header tokens). 2024-02-16 - v 0.7.0 diff -r 3683f3d083bd -r ae1bd3d15f81 Plugin/AuthorizationWebService.cpp --- a/Plugin/AuthorizationWebService.cpp Mon Mar 18 11:58:20 2024 +0100 +++ b/Plugin/AuthorizationWebService.cpp Mon Mar 18 14:52:33 2024 +0100 @@ -116,14 +116,14 @@ authClient.AddHeader("Expect", ""); authClient.SetTimeout(10); - if (token != NULL && - token->GetType() == TokenType_HttpHeader) + if (token != NULL) { - // If the token source is a HTTP header, forward it also as a - // HTTP header except if it is the Authorization header that might conflict with username_ and password_ + // Also include the token in the HTTP headers of the query to the auth-service. std::string lowerTokenKey; Orthanc::Toolbox::ToLowerCase(lowerTokenKey, token->GetKey()); + // However, if we have defined a username/password to access this webservice, + // we should make sure that the added token does not interfere with the username_ and password_. if (!(lowerTokenKey == "authorization" && !username_.empty())) { authClient.AddHeader(token->GetKey(), tokenValue);
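Review bot: In the NEWS hunk, the parenthetical "this was already done only for Header tokens" reads ambiguously and does not match what the code change actually does: the new condition in AuthorizationWebService.cpp forwards every non-NULL token regardless of its type, not only GET-argument and Header tokens. Suggest stating the behaviour precisely, e.g. "Tokens of any type (HTTP header or GET argument) are now forwarded as HTTP headers in the query to the auth-service; previously only tokens received as HTTP headers were forwarded." Also, the hunk removes the blank line that separated this block from the "2024-02-16 - v 0.7.0" entry; keep one blank line there so the release sections stay visually separated.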
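Review bot: The AuthorizationWebService.cpp hunk replaces the `token->GetType() == TokenType_HttpHeader` test with a bare `token != NULL`, so the branch now forwards a token value that may originate from a URL GET argument as an HTTP header. A GET argument value is not constrained to the character set of an HTTP header field value, so before `authClient.AddHeader(token->GetKey(), tokenValue);` consider validating `tokenValue` (at least rejecting CR/LF and other control characters) or documenting that the HTTP client layer already rejects such values; otherwise a malformed value reaches the auth-service request unchecked. Second, if the intent is to forward only HTTP-header and GET-argument tokens, test for those two `TokenType` values explicitly instead of dropping the type check, so any other token type is not forwarded implicitly. Finally, the new comment ("we should make sure that the added token does not interfere with the username_ and password_") lost the useful detail from the removed comment that the conflict is specifically with the Authorization header; keep that explanation next to the `lowerTokenKey == "authorization"` condition.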