annotate Sphinx/source/plugins/authorization.rst @ 920:1d9e0aa08fdd

auth plugin
author Alain Mazy <am@osimis.io>
date Fri, 17 Mar 2023 16:59:14 +0100
parents 8b48d42665c4
children 33e8cb14142f
.. _authorization:


Advanced authorization plugin
=============================

.. contents::

This **official plugin by Osimis** extends Orthanc with an advanced
authorization mechanism. For each incoming REST request to some URI,
the plugin will query a Web service to know whether the access is
granted to the user. If access is not granted, the HTTP status code is
set to ``403`` (Forbidden).

The `source code of this plugin
<https://hg.orthanc-server.com/orthanc-authorization/file/default>`__ is
freely available under the terms of the AGPLv3 license.

Binaries
--------

Binaries are available:

- in the `Windows Installers <https://www.orthanc-server.com/download-windows.php>`__.
- in the `MacOS package <https://www.orthanc-server.com/static.php?page=download-mac>`__.
- in the :ref:`osimis/orthanc Docker images <docker-osimis>`

Release notes
-------------

Release notes are available `here <https://hg.orthanc-server.com/orthanc-authorization/file/tip/NEWS>`__.


Usage
-----

.. highlight:: json

You of course first have to :ref:`install Orthanc <compiling>`. Once
Orthanc is installed, you must change the :ref:`configuration file
<configuration>` to tell Orthanc where it can find the plugin: This is
done by properly modifying the ``Plugins`` option. You could for
instance use the following configuration file::

  {
    "Name" : "MyOrthanc",
    [...]
    "Plugins" : [
      "/home/user/OrthancAuthorization/Build/libOrthancAuthorization.so"
    ],
    "Authorization" : {
      "WebServiceRootUrl" : "http://localhost:8000/",
      "WebServiceUsername": "my-user",
      "WebServicePassword": "my-password"
    }
  }

Orthanc must of course be restarted after the modification of its
configuration file.


Web Service
-----------

This section describes how a Web service suitable for the
authorization plugin can be designed.


Incoming request
^^^^^^^^^^^^^^^^

For each HTTP/REST request that Orthanc receives, the plugin will
issue a set of HTTP ``POST`` requests against the Web service that is
specified in the configuration file (in the basic configuration file
above, the Web service listening at ``http://localhost:8000/`` is
used). The body of each of those ``POST`` requests is a JSON file
similar to the following one::

  {
    "dicom-uid" : "123ABC",
    "level" : "patient",
    "method" : "get",
    "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
    "server-id": "my-id"
  }

In this example, the user is accessing a URI that is related to some
DICOM resource, namely a patient whose DICOM identifier is
``123ABC``. In such a case, the following fields will be set in the
JSON body:

* The ``level`` field specifies which type of resource the user is
  accessing, according to the :ref:`DICOM model of the real world
  <model-world>`. This field can be set to ``patient``, ``study``,
  ``series``, or ``instance``.
* The ``method`` field specifies which HTTP method is used by the
  to-be-authorized request. It can be set to ``get``, ``post``,
  ``delete``, or ``put``.
* The ``dicom-uid`` field gives the :ref:`DICOM identifier
  <dicom-identifiers>` of the resource that is accessed. If the
  resource is a patient, this field contains the ``PatientID`` DICOM
  tag. For a study, it contains its ``StudyInstanceUID``. For a
  series, it contains its ``SeriesInstanceUID``. For an instance, it
  contains its ``SOPInstanceUID``.
* The ``orthanc-id`` field gives the :ref:`Orthanc identifier
  <orthanc-ids>` of the resource.
* The ``server-id`` field contains the value of the ``WebServiceIdentifier``
  configuration or ``null`` if this configuration is not defined. This allows
  the WebService to identify which Orthanc instance is calling it (new in v 0.3.0).

When the user accesses a lower-level resource in the DICOM hierarchy
(a study, a series or an instance), the authorization plugin will
issue one separate call to the Web service for each level of the
hierarchy. For instance, here are the 3 successive requests that are
issued when accessing some series::

  {
    "dicom-uid" : "123ABC",
    "level" : "patient",
    "method" : "get",
    "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8"
  }
  {
    "dicom-uid" : "1.3.51.0.1.1.192.168.29.133.1681753.1681732",
    "level" : "study",
    "method" : "get",
    "orthanc-id" : "6e2c0ec2-5d99c8ca-c1c21cee-79a09605-68391d12"
  }
  {
    "dicom-uid" : "1.3.12.2.1107.5.2.33.37097.2012041612474981424569674.0.0.0",
    "level" : "series",
    "method" : "get",
    "orthanc-id" : "6ca4c9f3-5e895cb3-4d82c6da-09e060fe-9c59f228"
  }

If the user is accessing a URI that is not directly related to an
individual DICOM resource, the JSON body will look as follows::

  {
    "level" : "system",
    "method" : "get",
    "uri" : "/changes"
  }

In such a situation, the following fields are set:

* The ``level`` field is always set to ``system``.
* The ``method`` field is the same as above.
* The ``uri`` field provides the URI that was accessed by the user.

**Important note:** The plugin will transparently parse the URIs of
the core :ref:`REST API of Orthanc <rest>`, of the :ref:`Web viewer
plugin <webviewer>`, of the :ref:`DICOMweb plugin <dicomweb>`, and of
the :ref:`whole-slide imaging plugin <wsi>`. Unrecognized URIs (such
as those introduced by other plugins) will be handled as a ``system``
call. It is possible to introduce parsing support for more plugins by
modifying the ``DefaultAuthorizationParser`` C++ class in the source
code of the plugin.


Expected answer
^^^^^^^^^^^^^^^

The Web service must answer by sending a JSON file that tells whether
the access is granted or not to the user. Here is a sample answer::

  {
    "granted": true,
    "validity" : 5
  }

Here is a description of these two fields:

* ``granted`` tells whether access to the resource is granted
  (``true``) or not granted (``false``). In the case the user is
  accessing a DICOM resource, the access to *all* the levels of the
  hierarchy above this resource must be granted (logical conjunction
  over the levels).
* ``validity`` tells the authorization plugin for how many seconds the
  result of the Web service must be cached. If set to ``0`` seconds,
  the cache entry will never expire.

**Note:** The source code of the plugin contains a `basic example
<https://hg.orthanc-server.com/orthanc-authorization/file/default/Resources/TestService.js>`__
of such a Web service written in node.js.
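
A Web service that consumes the request bodies and produces the answer described above, written in Python as an added example (it is not the plugin's ``TestService.js`` nor any code from the project). The ``POLICY`` table, the read-only rule, the 5-second validity and the use of the ``token-value`` field (described under "Authentication tokens" on this page) are assumptions of the example; any input it cannot validate is denied.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

LEVELS = {"patient", "study", "series", "instance"}
METHODS = {"get", "post", "put", "delete"}
VALIDITY = 5  # seconds; deliberately not 0, which the plugin caches forever

# Constructed sample policy: token value -> resources that user may read.
POLICY = {
    "my-token": {
        "patient": {"123ABC"},
        "study": {"1.3.51.0.1.1.192.168.29.133.1681753.1681732"},
        "series": {"1.3.12.2.1107.5.2.33.37097.2012041612474981424569674.0.0.0"},
        "system": {"/changes"},
    },
}


def decide(body):
    """Return the JSON answer for one request body sent by the plugin."""
    deny = {"granted": False, "validity": VALIDITY}
    if not isinstance(body, dict):
        return deny
    fields = [body.get(k) for k in ("level", "method", "token-value")]
    if not all(isinstance(f, str) for f in fields):
        return deny                      # missing or wrongly typed field
    level, method, token = fields
    if method not in METHODS or level not in LEVELS | {"system"}:
        return deny
    if method != "get":                  # the sample policy is read-only
        return deny
    allowed = POLICY.get(token)
    if allowed is None:                  # unknown token
        return deny
    # "system" requests carry "uri"; DICOM requests carry "dicom-uid".
    resource = body.get("uri" if level == "system" else "dicom-uid")
    if not isinstance(resource, str) or resource not in allowed.get(level, set()):
        return deny
    return {"granted": True, "validity": VALIDITY}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
            length = min(max(length, 0), 65536)   # bound the read
            body = json.loads(self.rfile.read(length))
        except ValueError:
            body = None                  # malformed JSON is denied by decide()
        answer = json.dumps(decide(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(answer)))
        self.end_headers()
        self.wfile.write(answer)


if __name__ == "__main__":
    # Same address as "http://localhost:8000/" in the configuration above.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Because the plugin asks once per hierarchy level, the policy must grant the patient, study and series entries for a series to be readable.
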


Authentication tokens
^^^^^^^^^^^^^^^^^^^^^

It is obviously desirable to limit access to the resources depending
on the user that is logged in. Real-life Web frameworks such as Django
would send the identity of the authenticated user either as an HTTP
header, or as an additional argument for ``GET`` requests. The
authorization plugin allows forwarding these authentication tokens to
the Web service.

To configure the authorization plugin to use some HTTP header, one
must provide the option ``TokenHttpHeaders`` in the configuration file of
Orthanc as follows::

  {
    "Name" : "MyOrthanc",
    [...]
    "Authorization" : {
      "WebService" : "http://localhost:8000/",
      "TokenHttpHeaders" : [ "token" ]
    }
  }

.. highlight:: text

In such a situation, if some HTTP client issues the following call::

  # curl -H 'token: my-token' http://localhost:8042/patients/6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8

.. highlight:: json

Here is the JSON body the Web service would receive::

  {
    "dicom-uid" : "123ABC",
    "level" : "patient",
    "method" : "get",
    "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
    "token-key" : "token",
    "token-value" : "my-token"
  }

.. highlight:: text

Note how the key and the value of the authentication token stored as an
HTTP header are forwarded to the Web service.

The same mechanism can be used if the authentication token is provided
as some ``GET`` argument by setting the ``TokenGetArguments``
configuration option::

  # curl http://localhost:8042/patients/6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8?hello=world
  {
    "dicom-uid" : "123ABC",
    "level" : "patient",
    "method" : "get",
    "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
    "token-key" : "token",
    "token-value" : "my-token"
  }

**Note 1:** It is allowed to provide a list of HTTP tokens or a list
of ``GET`` arguments in the configuration options. In this case, the
authorization plugin will loop over all the available authentication
tokens, until it finds one for which the access is granted (logical
disjunction over the authentication tokens).

**Note 2:** The cache entry that remembers whether some access was
granted in the past depends on the value of the token.

**Note 3:** The support of authentication tokens provided as ``GET``
arguments requires a version of Orthanc that is above 1.2.1.
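
A model of the evaluation rules stated in this section and under "Expected answer" (conjunction over levels, disjunction over tokens, a cache that depends on the token value and honours ``validity``), showing why a ``validity`` of ``0`` keeps a revoked token working. This is an added example, not the plugin's code; ``PluginModel``, the cache-key layout, the nesting order of the two loops and the constructed token values are assumptions.

```python
import time

# The three per-level request bodies this page lists for a series access.
SERIES_ACCESS = [
    {"dicom-uid": "123ABC", "level": "patient", "method": "get",
     "orthanc-id": "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8"},
    {"dicom-uid": "1.3.51.0.1.1.192.168.29.133.1681753.1681732",
     "level": "study", "method": "get",
     "orthanc-id": "6e2c0ec2-5d99c8ca-c1c21cee-79a09605-68391d12"},
    {"dicom-uid": "1.3.12.2.1107.5.2.33.37097.2012041612474981424569674.0.0.0",
     "level": "series", "method": "get",
     "orthanc-id": "6ca4c9f3-5e895cb3-4d82c6da-09e060fe-9c59f228"},
]


class PluginModel:
    """Model of the documented evaluation rules, not the plugin's C++ code."""

    def __init__(self, web_service, clock=time.monotonic):
        self.web_service = web_service  # callable: request body -> answer dict
        self.clock = clock
        self.cache = {}                 # cache key -> (granted, expiry or None)
        self.calls = 0                  # number of real Web service calls

    def _ask(self, request, token):
        body = dict(request)
        body["token-key"], body["token-value"] = token
        # Assumption: the cache key covers the whole body, hence the token value.
        key = tuple(sorted(body.items()))
        hit = self.cache.get(key)
        if hit is not None and (hit[1] is None or self.clock() < hit[1]):
            return hit[0]
        self.calls += 1
        answer = self.web_service(body)
        granted = answer["granted"] is True
        validity = answer["validity"]
        # validity 0 means the entry never expires.
        expiry = None if validity == 0 else self.clock() + validity
        self.cache[key] = (granted, expiry)
        return granted

    def is_allowed(self, level_requests, tokens):
        # OR over the tokens, AND over the hierarchy levels.
        return any(all(self._ask(r, t) for r in level_requests) for t in tokens)


def revocation_demo(validity):
    """Grant, revoke the token at the service, re-check at t=0 s and t=6 s."""
    valid_tokens = {"my-token"}
    now = [0.0]

    def service(body):
        granted = body.get("token-value") in valid_tokens
        return {"granted": granted, "validity": validity}

    plugin = PluginModel(service, clock=lambda: now[0])
    tokens = [("token", "stale"), ("token", "my-token")]  # constructed values
    before = plugin.is_allowed(SERIES_ACCESS, tokens)
    valid_tokens.clear()                 # the token is revoked at the service
    right_after = plugin.is_allowed(SERIES_ACCESS, tokens)
    now[0] = 6.0
    later = plugin.is_allowed(SERIES_ACCESS, tokens)
    return before, right_after, later, plugin.calls


if __name__ == "__main__":
    print(revocation_demo(5))
    print(revocation_demo(0))
```

With a validity of 5 seconds the revocation takes effect once the entries expire; with 0 the cached grant is never re-checked.
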


Full configuration
------------------

.. highlight:: json

The full list of configuration options is available `here <https://hg.orthanc-server.com/orthanc-authorization/file/tip/Plugin/DefaultConfiguration.json>`__.

Here is the list of all the configuration options::

  {
    "Authorization" : {
      // The Base URL of the auth webservice. This is an alias for all 3 next configurations:
      // // "WebServiceUserProfileUrl" : " ROOT /user/get-profile",
      // // "WebServiceTokenValidationUrl" : " ROOT /tokens/validate",
      // // "WebServiceTokenCreationBaseUrl" : " ROOT /tokens/",
      // // "WebServiceTokenDecoderUrl" : " ROOT /tokens/decode",
      // You should define it only if your auth webservice implements all 3 routes !
      // "WebServiceRootUrl" : "http://change-me:8000/",

      // The URL of the auth webservice route implementing user profile (optional)
      // (this configuration was previously named "WebService" and its old name is still accepted
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
283 // for backward compatibility)
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
284 // "WebServiceUserProfileUrl" : "http://change-me:8000/user/profile",
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
285
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
286 // The URL of the auth webservice route implementing resource level authorization (optional)
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
287 // "WebServiceTokenValidationUrl" : "http://change-me:8000/tokens/validate",
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
288
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
289 // The Base URL of the auth webservice route to create tokens (optional)
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
290 // "WebServiceTokenCreationBaseUrl" : "http://change-me:8000/tokens/",
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
291
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
292 // The URL of the auth webservice route implementing token decoding (optional)
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
293 // "WebServiceTokenDecoderUrl": "http://change-me:8000/tokens/decode"
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
294
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
295 // The username and password to connect to the webservice (optional)
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
296 //"WebServiceUsername": "change-me",
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
297 //"WebServicePassword": "change-me",
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
298
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
299 // An identifier added to the payload of each request to the auth webservice (optional)
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
300 //"WebServiceIdentifier": "change-me"
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
301
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
302 // The name of the HTTP headers that may contain auth tokens
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
303 //"TokenHttpHeaders" : [],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
304
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
305 // the name of the GET arguments that may contain auth tokens
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
306 //"TokenGetArguments" : [],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
307
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
308 // A list of predefined configurations for well-known plugins
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
309 // "StandardConfigurations": [ // new in v 0.4.0
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
310 // "osimis-web-viewer",
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
311 // "stone-webviewer",
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
312 // "orthanc-explorer-2"
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
313 // ],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
314
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
315 //"UncheckedResources" : [],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
316 //"UncheckedFolders" : [],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
317 //"CheckedLevel" : "studies",
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
318 //"UncheckedLevels" : [],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
319
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
320 // Definition of required "user-permissions". This can be fully customized.
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
321 // You may define other permissions yourself as long as they match the permissions
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
322 // provided in the user-profile route implemented by the auth-service.
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
323 // You may test your regex in https://regex101.com/ by selecting .NET (C#) and removing the leading ^ and trailing $
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
324 // The default configuration is suitable for Orthanc-Explorer-2 (see TBD sample)
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
325 "Permissions" : [
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
326 ["post", "^/auth/tokens/decode$", ""],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
327 ["post", "^/tools/lookup$", ""], // currently used to authorize downloads in Stone (to map the StudyInstanceUID into an OrthancID. Not ideal -> we should define a new API that has the resource ID in the path to be able to check it at resource level) but, on another hand, you do not get any Patient information from this route
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
328
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
329 // elemental browsing in OE2
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
330 ["post", "^/tools/find$", "all|view"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
331 ["get" , "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|view"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
332 ["get" , "^/(patients|studies|series|instances)/([a-f0-9-]+)/(studies|study|series|instances)$", "all|view"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
333 ["get" , "^/instances/([a-f0-9-]+)/(tags|header)$", "all|view"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
334 ["get" , "^/statistics$", "all|view"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
335
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
336 // create links to open viewer or download resources
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
337 ["put", "^/auth/tokens/(viewer-instant-link|meddream-instant-link)$", "all|view"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
338 ["put", "^/auth/tokens/(download-instant-link)$", "all|download"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
339
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
340 // share a link to open a study
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
341 ["put", "^/auth/tokens/(stone-viewer-publication|meddream-viewer-publication|osimis-viewer-publication)$", "all|share"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
342
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
343 // uploads
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
344 ["post", "^/instances$", "all|upload"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
345
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
346 // monitor jobs you have created
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
347 ["get" , "^/jobs/([a-f0-9-]+)$", "all|send|modify|anonymize|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
348
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
349 // interacting with peers/modalities/dicomweb
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
350 ["post", "^/(peers|modalities)/(.*)/store$", "all|send"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
351 ["get" , "^/(peers|modalities)$", "all|send|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
352 ["post", "^/modalities/(.*)/echo$", "all|send|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
353 ["post", "^/modalities/(.*)/query$", "all|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
354 ["get", "^/queries/([a-f0-9-]+)/answers$", "all|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
355 ["post", "^/modalities/(.*)/move$", "all|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
356 ["get" , "^/DICOM_WEB_ROOT/servers$", "all|send|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
357 ["get" , "^/DICOM_WEB_ROOT/(servers)/(.*)/stow$", "all|send"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
358
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
359 // modifications/anonymization
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
360 ["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/modify(.*)$", "all|modify"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
361 ["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/anonymize(.*)$", "all|anonymize"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
362
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
363 // deletes
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
364 ["delete" , "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|delete"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
365
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
366 // settings
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
367 ["put", "^/tools/log-level$", "all|settings"],
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
368 ["get", "^/tools/log-level$", "all|settings"]
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
369 ]
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
370 }
98
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
371 }
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
372
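The ``Permissions`` table can be audited offline before it is deployed. The sketch below is an added example, not the plugin's own code: it uses Python's ``re`` instead of the plugin's regex engine and assumes that the first matching rule applies, that any one permission in a ``|``-separated list is sufficient, and that a request matching no rule is refused. The user profile and the study identifier are constructed.

```python
import re

# Subset of the "Permissions" table from the configuration above, copied verbatim:
# [HTTP method, URI regex, required permissions separated by "|"].
PERMISSIONS = [
    ["post", "^/auth/tokens/decode$", ""],
    ["post", "^/tools/lookup$", ""],
    ["post", "^/tools/find$", "all|view"],
    ["get", "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|view"],
    ["get", "^/instances/([a-f0-9-]+)/(tags|header)$", "all|view"],
    ["put", "^/auth/tokens/(download-instant-link)$", "all|download"],
    ["post", "^/instances$", "all|upload"],
    ["post", "^/(peers|modalities)/(.*)/store$", "all|send"],
    ["post", "^/(patients|studies|series|instances)/([a-f0-9-]+)/modify(.*)$", "all|modify"],
    ["delete", "^/(patients|studies|series|instances)/([a-f0-9-]+)$", "all|delete"],
    ["put", "^/tools/log-level$", "all|settings"],
    ["get", "^/tools/log-level$", "all|settings"],
]


def compile_rules(table):
    """Validate and compile the table; raises ValueError on a malformed row."""
    rules = []
    for row in table:
        if len(row) != 3:
            raise ValueError(f"expected [method, regex, permissions], got {row!r}")
        method, pattern, perms = row
        # Check added by this example: every pattern must be anchored on both ends.
        if not (pattern.startswith("^") and pattern.endswith("$")):
            raise ValueError(f"unanchored pattern: {pattern!r}")
        needed = frozenset(p for p in perms.split("|") if p)
        rules.append((method.lower(), re.compile(pattern), needed))
    return rules


def find_rule(rules, method, uri):
    """Return (pattern, needed permissions) of the first matching rule, or None."""
    for rule_method, regex, needed in rules:
        # fullmatch() so that a trailing newline cannot slip past "$".
        if rule_method == method.lower() and regex.fullmatch(uri):
            return regex.pattern, needed
    return None


def is_allowed(rules, method, uri, user_permissions):
    """Assumed semantics: any one listed permission suffices; no rule means deny."""
    match = find_rule(rules, method, uri)
    if match is None:
        return False
    _, needed = match
    return not needed or bool(needed & set(user_permissions))


def unrestricted_rules(rules):
    """Rules with an empty permission string: reachable with no permission at all."""
    return [(m, r.pattern) for m, r, needed in rules if not needed]


RULES = compile_rules(PERMISSIONS)

if __name__ == "__main__":
    viewer = {"view"}                      # constructed user profile
    study = "/studies/0a1b2c3d-4e5f6071"   # constructed identifier
    for method, uri in [("get", study), ("delete", study),
                        ("post", "/tools/lookup"), ("get", "/system")]:
        print(method.upper(), uri, "->", is_allowed(RULES, method, uri, viewer))
    print("no permission needed:", unrestricted_rules(RULES))
```

The list returned by ``unrestricted_rules`` is the part of the table worth reviewing first, since those routes are open to every user profile.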
920
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
373 The following options have been described above: ``WebServiceRootUrl``,
98
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
374 ``TokenGetArguments``, and ``TokenHttpHeaders``. Here are the
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
375 remaining options:
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
376
893
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
377 * ``StandardConfigurations`` is a helper configuration to pre-populate
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
378 ``UncheckedResources``, ``UncheckedFolders``, ``TokenGetArguments``,
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
379 and ``TokenHttpHeaders`` of well-known plugins.
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
380 Allowed values are ``osimis-web-viewer``, ``stone-webviewer``.
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
381
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
382 * ``CheckedLevel`` may replace ``UncheckedLevels`` when authorization
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
383 is checked only at one level of the DICOM hierarchy. This is the most
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
384 common use-case.
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
385
98
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
386 * ``UncheckedResources`` specifies a list of resources for which the
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
387 authentication plugin is not triggered, and to which access is
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
388 always granted.
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
389
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
390 * ``UncheckedFolders`` is similar to ``UncheckedResources`` for folders:
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
391 Access to all the URIs below the unchecked folders is always granted.
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
392
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
393 * ``UncheckedLevels`` specifies which levels of the
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
394 :ref:`DICOM hierarchy <model-world>` are ignored by the authorization
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
395 plugin. This can be used to reduce the number of calls to the Web
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
396 service. Think for instance about an authorization mechanism that
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
397 simply associates its studies to a set of granted users: In this case,
b56083f38695 authorization
Sebastien Jodogne <s.jodogne@gmail.com>
parents: 97
diff changeset
398 the series and instance levels can be ignored.
274
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
399
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
400
893
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
401 Here is a minimal configuration for the :ref:`Stone Web viewer <stone_webviewer>`::
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
402
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
403 {
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
404 // disable basic authentication since it is replaced by the authorization plugin
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
405 "AuthenticationEnabled": false,
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
406
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
407 "Authorization" : {
920
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
408 "WebServiceTokenValidationUrl" : "http://localhost:8000/shares/validate",
893
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
409 "StandardConfigurations": [
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
410 "stone-webviewer"
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
411 ],
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
412 "CheckedLevel" : "studies"
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
413 }
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
414 }
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
415
920
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
416 .. _orthanc-explorer-authorization:
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
417
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
418 Integration with the Orthanc Explorer 2
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
419 ---------------------------------------
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
420
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
421 More info to come soon.
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
422
893
8b48d42665c4 auth 0.4.0
Alain Mazy <am@osimis.io>
parents: 878
diff changeset
423
274
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
424 .. _orthanc-explorer-authorization:
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
425
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
426 Integration with the Orthanc Explorer
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
427 -------------------------------------
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
428
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
429 Starting from Orthanc 1.5.8, you can pass authorization tokens in the URL
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
430 search params when opening the Orthanc Explorer, e.g.
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
431 http://localhost:8042/app/explorer.html?token=1234. This token will be
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
432 included as an HTTP header in every request sent to the Orthanc REST API.
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
433 It will also be included in the URL search params when opening the Orthanc
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
434 or Osimis viewer.
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
435
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
436 Only 3 token names will be recognized and forwarded: ``token``, ``auth-token``
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
437 and ``authorization``.
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
438
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
439 Please note that the Orthanc Explorer has not been designed to handle
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
440 authorization, so when access is not granted, it will simply
c310a795c133 auth-token in search params
amazy
parents: 98
diff changeset
441 display an empty page or an error message.
920
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
442
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
443
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
444 Compilation
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
445 -----------
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
446
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
447 .. highlight:: bash
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
448
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
449 The procedure to compile this plugin is similar to that for the
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
450 :ref:`core of Orthanc <binaries>`. The following commands should work
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
451 for most UNIX-like distributions (including GNU/Linux)::
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
452
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
453 $ mkdir Build
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
454 $ cd Build
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
455 $ cmake .. -DSTATIC_BUILD=ON -DCMAKE_BUILD_TYPE=Release
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
456 $ make
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
457
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
458 The compilation will produce a shared library ``OrthancAuthorization``
1d9e0aa08fdd auth plugin
Alain Mazy <am@osimis.io>
parents: 893
diff changeset
459 that contains the authorization plugin.