changeset 154:ae1bd3d15f81

add GET argument tokens as HTTP headers in the query to the auth-service
author Alain Mazy <am@osimis.io>
date Mon, 18 Mar 2024 14:52:33 +0100
parents 3683f3d083bd
children 6673a963ddf0
files NEWS Plugin/AuthorizationWebService.cpp
diffstat 2 files changed, 6 insertions(+), 5 deletions(-) [+]
--- a/NEWS	Mon Mar 18 11:58:20 2024 +0100
+++ b/NEWS	Mon Mar 18 14:52:33 2024 +0100
@@ -9,7 +9,8 @@
   is no StudyInstanceUID in the query.
   This fixes forbidden access to e.g. /dicom-web/studies/../series/../instances/..
   on studies that have at least one authorized_labels.
-
+* The GET argument tokens are now also added as HTTP headers in the query to the
+  auth-service (this was already done only for Header tokens).
 
 
 2024-02-16 - v 0.7.0
--- a/Plugin/AuthorizationWebService.cpp	Mon Mar 18 11:58:20 2024 +0100
+++ b/Plugin/AuthorizationWebService.cpp	Mon Mar 18 14:52:33 2024 +0100
@@ -116,14 +116,14 @@
     authClient.AddHeader("Expect", "");
     authClient.SetTimeout(10);
 
-    if (token != NULL &&
-        token->GetType() == TokenType_HttpHeader)
+    if (token != NULL) 
     {
-      // If the token source is a HTTP header, forward it also as a
-      // HTTP header except if it is the Authorization header that might conflict with username_ and password_
+      // Also include the token in the HTTP headers of the query to the auth-service.
       std::string lowerTokenKey;
       Orthanc::Toolbox::ToLowerCase(lowerTokenKey, token->GetKey());
       
+      // However, if we have defined a username/password to access this webservice, 
+      // we should make sure that the added token does not interfere with the username_ and password_.
       if (!(lowerTokenKey == "authorization" && !username_.empty()))
       {
         authClient.AddHeader(token->GetKey(), tokenValue);
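Review bot: Dropping the `TokenType_HttpHeader` guard means `tokenValue` can now originate from a URL-decoded GET argument, and the only check before `authClient.AddHeader(token->GetKey(), tokenValue)` is the `authorization`/`username_` conflict test; a value that arrived in a request header could not contain a bare CR/LF, but a query-string value can, so unless `HttpClient::AddHeader` is known to reject such values the token should be validated before it becomes a header line, e.g. `if (tokenValue.find_first_of("\r\n") == std::string::npos) { authClient.AddHeader(token->GetKey(), tokenValue); }` with a warning in the else branch. The `authorization` exception also deserves a sentence in the new comment saying that the header is skipped only when `username_` is set, since otherwise a GET-argument token named like that is now forwarded as-is. Minor: the new `if (token != NULL) ` line and the second comment line carry trailing whitespace. The enclosing function continues past the end of this hunk.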