Mercurial > hg > orthanc-authorization
changeset 154:ae1bd3d15f81
add GET argument tokens as HTTP headers in the query to the auth-service
author | Alain Mazy <am@osimis.io> |
---|---|
date | Mon, 18 Mar 2024 14:52:33 +0100 |
parents | 3683f3d083bd |
children | 6673a963ddf0 |
files | NEWS Plugin/AuthorizationWebService.cpp |
diffstat | 2 files changed, 6 insertions(+), 5 deletions(-) |
--- a/NEWS Mon Mar 18 11:58:20 2024 +0100 +++ b/NEWS Mon Mar 18 14:52:33 2024 +0100 @@ -9,7 +9,8 @@ is no StudyInstanceUID in the query. This fixes forbidden access to e.g. /dicom-web/studies/../series/../instances/.. on studies that have at least one authorized_labels. - +* The GET argument tokens are now also added as HTTP headers in the query to the + auth-service (this was already done only for Header tokens). 2024-02-16 - v 0.7.0
--- a/Plugin/AuthorizationWebService.cpp Mon Mar 18 11:58:20 2024 +0100 +++ b/Plugin/AuthorizationWebService.cpp Mon Mar 18 14:52:33 2024 +0100 @@ -116,14 +116,14 @@ authClient.AddHeader("Expect", ""); authClient.SetTimeout(10); - if (token != NULL && - token->GetType() == TokenType_HttpHeader) + if (token != NULL) { - // If the token source is a HTTP header, forward it also as a - // HTTP header except if it is the Authorization header that might conflict with username_ and password_ + // Also include the token in the HTTP headers of the query to the auth-service. std::string lowerTokenKey; Orthanc::Toolbox::ToLowerCase(lowerTokenKey, token->GetKey()); + // However, if we have defined a username/password to access this webservice, + // we should make sure that the added token does not interfere with the username_ and password_. if (!(lowerTokenKey == "authorization" && !username_.empty())) { authClient.AddHeader(token->GetKey(), tokenValue);
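Review bot: The added NEWS entry does not mention the exception that the code change keeps: a token whose key is "authorization" is not forwarded as a header when a username is configured for the auth-service. Operators who pass tokens as GET arguments need that detail to predict what their auth-service will receive, so it belongs in the entry. The parenthetical "this was already done only for Header tokens" would also read more clearly as "previously this was done only for Header tokens".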
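Review bot: With the `token->GetType() == TokenType_HttpHeader` test removed from the `if (token != NULL)` condition, the key of a GET-argument token is now passed to `authClient.AddHeader(token->GetKey(), tokenValue)` as a header name, and the only collision guarded against is `authorization` when `username_` is non-empty. A GET argument key that matches another header this client sets, such as the `Expect` header added just above, or that is not a valid header field name, is not handled in the visible lines. Consider checking the lowercased key against the headers the client sets itself, or documenting the constraint on GET token names. Two further points: when `username_` is empty, a GET argument named `authorization` is now forwarded as an Authorization header, which the new comment should state as intended; and nothing visible here validates `tokenValue`, so it is worth confirming that a value taken from a query string cannot carry CR or LF into the header.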