orthanc-book: Sphinx/source/plugins/authorization.rst annotate

annotate Sphinx/source/plugins/authorization.rst @ 921:33e8cb14142f

auth plugin fix

author	Alain Mazy <am@osimis.io>
date	Fri, 17 Mar 2023 17:15:08 +0100
parents	1d9e0aa08fdd
children	11d7d30ca273

rev	line source
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	1 .. _authorization:
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	2
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	3
851 f282da89c1c1 auth plugin not deprecated anymore Alain Mazy <am@osimis.io> parents: 761 diff changeset	4 Advanced authorization plugin
f282da89c1c1 auth plugin not deprecated anymore Alain Mazy <am@osimis.io> parents: 761 diff changeset	5 =============================
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	6
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	7 .. contents::
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	8
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	9 This official plugin by Osimis extends Orthanc with an advanced
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	10 authorization mechanism. For each incoming REST request to some URI,
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	11 the plugin will query a Web service to know whether the access is
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	12 granted to the user. If access is not granted, the HTTP status code is
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	13 set to ``403`` (Forbidden).
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	14
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	15 The `source code of this plugin
449 2922fb1bd65e fix links Sebastien Jodogne <s.jodogne@gmail.com> parents: 361 diff changeset	16 <https://hg.orthanc-server.com/orthanc-authorization/file/default>`__ is
361 84e3a2612c36 links to hg Sebastien Jodogne <s.jodogne@gmail.com> parents: 274 diff changeset	17 freely available under the terms of the AGPLv3 license.
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	18
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	19
921 33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	20 How to get it ?
33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	21 ---------------
33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	22
33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	23 The source code is available on `Mercurial <https://hg.orthanc-server.com/orthanc-authorization/>`__.
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	24
921 33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	25 Binaries are included in:
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	26
921 33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	27 - The `osimis/orthanc Docker image <https://hub.docker.com/r/osimis/orthanc>`__
33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	28 - The `Windows Installer <https://www.orthanc-server.com/download-windows.php>`__
33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	29 - The `MacOS packages <https://orthanc.osimis.io/osx/stable/orthancAndPluginsOSX.stable.zip>`__
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	30
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	31 Release notes are available `here <https://hg.orthanc-server.com/orthanc-authorization/file/tip/NEWS>`__.
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	32
921 33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	33 Compilation instructions are available below.
33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	34
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	35
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	36 Usage
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	37 -----
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	38
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	39 .. highlight:: json
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	40
921 33e8cb14142f auth plugin fix Alain Mazy <am@osimis.io> parents: 920 diff changeset	41 Once Orthanc is installed, you must change the :ref:`configuration file
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	42 <configuration>` to tell Orthanc where it can find the plugin: This is
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	43 done by properly modifying the ``Plugins`` option. You could for
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	44 instance use the following configuration file::
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	45
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	46 {
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	47 "Name" : "MyOrthanc",
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	48 [...]
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	49 "Plugins" : [
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	50 "/home/user/OrthancAuthorization/Build/libOrthancAuthorization.so"
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	51 ],
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	52 "Authorization" : {
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	53 "WebServiceRootUrl" : "http://localhost:8000/",
878 2e3493d618ad auth 0.3.0 Alain Mazy <am@osimis.io> parents: 851 diff changeset	54 "WebServiceUsername": "my-user",
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	55 "WebServicePassword": "my-password"
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	56 }
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	57 }
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	58
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	59 Orthanc must of course be restarted after the modification of its
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	60 configuration file.
750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	61
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	62
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	63 Web Service
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	64 -----------
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	65
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	66 This section describes how a Web service suitable for the
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	67 authorization plugin can be designed.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	68
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	69
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	70 Incoming request
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	71 ^^^^^^^^^^^^^^^^
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	72
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	73 For each HTTP/REST request that Orthanc receives, the plugin will
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	74 issue a set of HTTP ``POST`` requests against the Web service that is
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	75 specified in the configuration file (in the basic configuration file
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	76 above, the Web service listening at ``http://localhost:8000/`` is
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	77 used). The body of each of those ``POST`` requests is a JSON file
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	78 similar to the following one::
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	79
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	80 {
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	81 "dicom-uid" : "123ABC",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	82 "level" : "patient",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	83 "method" : "get",
878 2e3493d618ad auth 0.3.0 Alain Mazy <am@osimis.io> parents: 851 diff changeset	84 "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	85 "server-id": "my-id"
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	86 }
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	87
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	88 In this example, the user is accessing an URI that is related to some
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	89 DICOM resource, namely a patient whose DICOM identifier is
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	90 ``123ABC``. In such a case, the following fields will be set in the
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	91 JSON body:
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	92
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	93 * The ``level`` field specifies which type of resource the user is
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	94 accessing, according to the :ref:`DICOM model of the real world
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	95 <model-world>`. This field can be set to ``patient``, ``study``,
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	96 ``series``, or ``instance``.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	97 * The ``method`` field specifies which HTTP method is used by the
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	98 to-be-authorized request. It can be set to ``get``, ``post``,
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	99 ``delete``, or ``put``.
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	100 * The ``dicom-uid`` field gives the :ref:`DICOM identifier
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	101 <dicom-identifiers>` of the resource that is accessed. If the
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	102 resource is a patient, this field contains the ``PatientID`` DICOM
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	103 tag. For a study, it contains its ``StudyInstanceUID``. For a
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	104 series, it contains its ``SeriesInstanceUID``. For an instance, it
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	105 contains its ``SOPInstanceUID``.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	106 * The ``orthanc-id`` field gives the :ref:`Orthanc identifier
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	107 <orthanc-ids>` of the resource.
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	108 * The ``server-id`` field contains the value of the ``WebServiceIdentifier``
878 2e3493d618ad auth 0.3.0 Alain Mazy <am@osimis.io> parents: 851 diff changeset	109 configuration or ``null`` if this configuration is not defined. This allows
2e3493d618ad auth 0.3.0 Alain Mazy <am@osimis.io> parents: 851 diff changeset	110 the WebService to identity which Orthanc instance is calling it (new in v 0.3.0).
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	111
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	112 When the user accesses a lower-level resource in the DICOM hierarchy
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	113 (a study, a series or an instance), the authorization plugin will
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	114 issue one separate call to the Web service for each level of the
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	115 hierarchy. For instance, here are the 3 successive requests that are
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	116 issued when accessing some series::
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	117
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	118 {
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	119 "dicom-uid" : "123ABC",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	120 "level" : "patient",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	121 "method" : "get",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	122 "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8"
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	123 }
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	124 {
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	125 "dicom-uid" : "1.3.51.0.1.1.192.168.29.133.1681753.1681732",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	126 "level" : "study",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	127 "method" : "get",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	128 "orthanc-id" : "6e2c0ec2-5d99c8ca-c1c21cee-79a09605-68391d12"
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	129 }
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	130 {
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	131 "dicom-uid" : "1.3.12.2.1107.5.2.33.37097.2012041612474981424569674.0.0.0",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	132 "level" : "series",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	133 "method" : "get",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	134 "orthanc-id" : "6ca4c9f3-5e895cb3-4d82c6da-09e060fe-9c59f228"
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	135 }
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	136
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	137 It the user is accessing a URI that is not directly related to an
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	138 individual DICOM resource, the JSON body will look as follows::
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	139
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	140 {
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	141 "level" : "system",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	142 "method" : "get",
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	143 "uri" : "/changes"
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	144 }
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	145
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	146 In such a situation, the following fields are set:
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	147
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	148 * The ``level`` field is always set to ``system``.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	149 * The ``method`` field is the same as above.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	150 * The ``uri`` field provides the URI that was accessed by the user.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	151
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	152 Important note: The plugin will transparently parse the URIs of
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	153 the core :ref:`REST API of Orthanc <rest>`, of the :ref:`Web viewer
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	154 plugin <webviewer>`, of the :ref:`DICOMweb plugin <dicomweb>`, and of
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	155 the :ref:`whole-slide imaging plugin <wsi>`. Unrecognized URIs (such
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	156 as those introduced by other plugins) will be handled as a ``system``
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	157 call. It is possible to introduce parsing support for more plugins by
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	158 modifying the ``DefaultAuthorizationParser`` C++ class in the source
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	159 code of the plugin.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	160
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	161
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	162 Expected answer
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	163 ^^^^^^^^^^^^^^^
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	164
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	165 The Web service must answer by sending a JSON file that tells whether
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	166 the access is granted or not to the user. Here is a sample answer::
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	167
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	168 {
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	169 "granted": true,
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	170 "validity" : 5
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	171 }
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	172
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	173 Here is a description of these two fields:
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	174
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	175 * ``granted`` tells whether access to the resource is granted
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	176 (``true``) or not granted (``false``). In the case the user is
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	177 accessing a DICOM resource, the access to all the levels of the
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	178 hierarchy above this resource must be granted (logical conjunction
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	179 over the levels).
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	180 * ``validity`` tells the authorization plugin for how many seconds the
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	181 result of the Web service must be cached. If set to ``0`` second,
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	182 the cache entry will never expire.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	183
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	184 Note: The source code of the plugin contains a `basic example
449 2922fb1bd65e fix links Sebastien Jodogne <s.jodogne@gmail.com> parents: 361 diff changeset	185 <https://hg.orthanc-server.com/orthanc-authorization/file/default/Resources/TestService.js>`__
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	186 of such a Web service written in node.js.
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	187
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	188
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	189 Authentication tokens
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	190 ^^^^^^^^^^^^^^^^^^^^^
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	191
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	192 It is obviously desirable to limit access to the resources depending
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	193 on the user that is logged in. Real-life Web framework such as Django
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	194 would send the identity of the authenticated user either as an HTTP
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	195 header, or as an additional argument for ``GET`` requests. The
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	196 authorization plugin allows to forward these authentication tokens to
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	197 the Web service.
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	198
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	199 To configure the authentication plugin to use some HTTP header, one
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	200 must provide the option ``TokenHttpHeaders`` the configuration file of
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	201 Orthanc as follows::
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	202
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	203 {
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	204 "Name" : "MyOrthanc",
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	205 [...]
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	206 "Authorization" : {
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	207 "WebService" : "http://localhost:8000/",
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	208 "TokenHttpHeaders" : [ "token" ]
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	209 }
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	210 }
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	211
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	212 .. highlight:: text
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	213
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	214 In such a situation, if some HTTP client issues the following call::
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	215
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	216 # curl -H 'token: my-token' http://localhost:8042/patients/6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	217
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	218 .. highlight:: json
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	219
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	220 Here is the JSON body the Web service would receive::
96 750f7ab733c1 start documentation of authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: diff changeset	221
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	222 {
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	223 "dicom-uid" : "123ABC",
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	224 "level" : "patient",
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	225 "method" : "get",
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	226 "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	227 "token-key" : "token",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	228 "token-value" : "my-token"
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	229 }
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	230
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	231 .. highlight:: text
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	232
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	233 Note how the key and the value of the authentication token stored as a
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	234 HTTP header are forwarded to the Web service.
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	235
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	236 The same mechanism can be used if the authentication token is provided
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	237 as some ``GET`` argument by setting the ``TokenGetArguments``
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	238 configuration option::
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	239
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	240 # curl http://localhost:8042/patients/6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8?hello=world
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	241 {
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	242 "dicom-uid" : "123ABC",
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	243 "level" : "patient",
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	244 "method" : "get",
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	245 "orthanc-id" : "6eeded74-75005003-c3ae9738-d4a06a4f-6beedeb8",
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	246 "token-key" : "token",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	247 "token-value" : "my-token"
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	248 }
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	249
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	250 Note 1: It is allowed to provide a list of HTTP tokens or a list
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	251 of ``GET`` arguments in the configuration options. In this case, the
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	252 authorization plugin will loop over all the available authentication
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	253 tokens, until it finds one for which the access is granted (logical
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	254 disjunction over the authentication tokens).
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	255
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	256 Note 2: The cache entry that remembers whether some access was
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	257 granted in the past, depends on the value of the token.
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	258
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	259 Note 3: The support of authentication tokens provided as ``GET``
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	260 arguments requires a version of Orthanc that is above 1.2.1.
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	261
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	262
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	263 Full configuration
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	264 ------------------
20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	265
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	266 .. highlight:: json
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	267
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	268 The full list of configuration is available `here <https://hg.orthanc-server.com/orthanc-authorization/file/tip/Plugin/DefaultConfiguration.json>`__.
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	269
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	270 Here is the list of all the configuration options::
97 20b9ecb43eed doc Sebastien Jodogne <s.jodogne@gmail.com> parents: 96 diff changeset	271
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	272 {
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	273 "Authorization" : {
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	274 // The Base URL of the auth webservice. This is an alias for all 3 next configurations:
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	275 // // "WebServiceUserProfileUrl" : " ROOT /user/get-profile",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	276 // // "WebServiceTokenValidationUrl" : " ROOT /tokens/validate",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	277 // // "WebServiceTokenCreationBaseUrl" : " ROOT /tokens/",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	278 // // "WebServiceTokenDecoderUrl" : " ROOT /tokens/decode",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	279 // You should define it only if your auth webservice implements all 3 routes !
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	280 // "WebServiceRootUrl" : "http://change-me:8000/",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	281
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	282 // The URL of the auth webservice route implementing user profile (optional)
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	283 // (this configuration was previously named "WebService" and its old name is still accepted
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	284 // for backward compatibility)
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	285 // "WebServiceUserProfileUrl" : "http://change-me:8000/user/profile",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	286
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	287 // The URL of the auth webservice route implementing resource level authorization (optional)
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	288 // "WebServiceTokenValidationUrl" : "http://change-me:8000/tokens/validate",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	289
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	290 // The Base URL of the auth webservice route to create tokens (optional)
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	291 // "WebServiceTokenCreationBaseUrl" : "http://change-me:8000/tokens/",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	292
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	293 // The URL of the auth webservice route implementing token decoding (optional)
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	294 // "WebServiceTokenDecoderUrl": "http://change-me:8000/tokens/decode"
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	295
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	296 // The username and password to connect to the webservice (optional)
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	297 //"WebServiceUsername": "change-me",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	298 //"WebServicePassword": "change-me",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	299
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	300 // An identifier added to the payload of each request to the auth webservice (optional)
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	301 //"WebServiceIdentifier": "change-me"
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	302
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	303 // The name of the HTTP headers that may contain auth tokens
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	304 //"TokenHttpHeaders" : [],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	305
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	306 // the name of the GET arguments that may contain auth tokens
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	307 //"TokenGetArguments" : [],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	308
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	309 // A list of predefined configurations for well-known plugins
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	310 // "StandardConfigurations": [ // new in v 0.4.0
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	311 // "osimis-web-viewer",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	312 // "stone-webviewer",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	313 // "orthanc-explorer-2"
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	314 // ],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	315
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	316 //"UncheckedResources" : [],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	317 //"UncheckedFolders" : [],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	318 //"CheckedLevel" : "studies",
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	319 //"UncheckedLevels" : [],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	320
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	321 // Definition of required "user-permissions". This can be fully customized.
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	322 // You may define other permissions yourself as long as they match the permissions
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	323 // provided in the user-profile route implemented by the auth-service.
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	324 // You may test your regex in https://regex101.com/ by selecting .NET (C#) and removing the leading ^ and trailing $
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	325 // The default configuration is suitable for Orthanc-Explorer-2 (see TBD sample)
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	326 "Permissions" : [
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	327 ["post", "^/auth/tokens/decode$", ""],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	328 ["post", "^/tools/lookup$", ""], // currently used to authorize downloads in Stone (to map the StudyInstanceUID into an OrthancID. Not ideal -> we should define a new API that has the resource ID in the path to be able to check it at resource level) but, on another hand, you do not get any Patient information from this route
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	329
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	330 // elemental browsing in OE2
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	331 ["post", "^/tools/find$", "all\|view"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	332 ["get" , "^/(patients\|studies\|series\|instances)/([a-f0-9-]+)$", "all\|view"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	333 ["get" , "^/(patients\|studies\|series\|instances)/([a-f0-9-]+)/(studies\|study\|series\|instances)$", "all\|view"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	334 ["get" , "^/instances/([a-f0-9-]+)/(tags\|header)$", "all\|view"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	335 ["get" , "^/statistics$", "all\|view"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	336
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	337 // create links to open viewer or download resources
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	338 ["put", "^/auth/tokens/(viewer-instant-link\|meddream-instant-link)$", "all\|view"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	339 ["put", "^/auth/tokens/(download-instant-link)$", "all\|download"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	340
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	341 // share a link to open a study
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	342 ["put", "^/auth/tokens/(stone-viewer-publication\|meddream-viewer-publication\|osimis-viewer-publication)$", "all\|share"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	343
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	344 // uploads
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	345 ["post", "^/instances$", "all\|upload"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	346
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	347 // monitor jobs you have created
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	348 ["get" , "^/jobs/([a-f0-9-]+)$", "all\|send\|modify\|anonymize\|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	349
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	350 // interacting with peers/modalities/dicomweb
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	351 ["post", "^/(peers\|modalities)/(.*)/store$", "all\|send"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	352 ["get" , "^/(peers\|modalities)$", "all\|send\|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	353 ["post", "^/modalities/(.*)/echo$", "all\|send\|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	354 ["post", "^/modalities/(.*)/query$", "all\|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	355 ["get", "^/queries/([a-f0-9-]+)/answers$", "all\|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	356 ["post", "^/modalities/(.*)/move$", "all\|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	357 ["get" , "^/DICOM_WEB_ROOT/servers$", "all\|send\|q-r-remote-modalities"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	358 ["get" , "^/DICOM_WEB_ROOT/(servers)/(.*)/stow$", "all\|send"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	359
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	360 // modifications/anonymization
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	361 ["post", "^/(patients\|studies\|series\|instances)/([a-f0-9-]+)/modify(.*)$", "all\|modify"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	362 ["post", "^/(patients\|studies\|series\|instances)/([a-f0-9-]+)/anonymize(.*)$", "all\|anonymize"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	363
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	364 // deletes
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	365 ["delete" , "^/(patients\|studies\|series\|instances)/([a-f0-9-]+)$", "all\|delete"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	366
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	367 // settings
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	368 ["put", "^/tools/log-level$", "all\|settings"],
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	369 ["get", "^/tools/log-level$", "all\|settings"]
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	370 ]
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	371 }
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	372 }
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	373
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	374 The following options have been described above: ``WebServiceRootUrl``,
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	375 ``TokenGetArguments``, and ``TokenHttpHeaders``. Here are the
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	376 remaining options:
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	377
893 8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	378 * ``StandardConfigurations`` is a helper configuration to pre-populate
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	379 ``UncheckedResources``, ``UncheckedFolders``, ``TokenGetArguments``,
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	380 and ``TokenHttpHeaders`` of well-known plugins.
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	381 Allowed values are ``osimis-web-viewer``, ``stone-webviewer``.
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	382
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	383 * ``CheckedLevel`` may replace ``UncheckedLevels`` when authorization
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	384 is checked only at one level of the DICOM hierarchy. This is the most
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	385 common use-case.
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	386
98 b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	387 * ``UncheckedResources`` specifies a list of resources for which the
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	388 authentication plugin is not triggered, and to which access is
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	389 always granted.
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	390
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	391 * ``UncheckedFolders`` is similar to ``UncheckedResources`` for folders:
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	392 Access to all the URIs below the unchecked folders is always granted.
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	393
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	394 * ``UncheckedLevels`` allows to specify which levels of the
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	395 :ref:`DICOM hierarchy <model-world>` are ignored by the authorization
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	396 plugin. This can be used to reduce the number of calls to the Web
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	397 service. Think for instance about an authorization mechanism that
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	398 simply associates its studies to a set of granted users: In this case,
b56083f38695 authorization Sebastien Jodogne <s.jodogne@gmail.com> parents: 97 diff changeset	399 the series and instance levels can be ignored.
274 c310a795c133 auth-token in search params amazy parents: 98 diff changeset	400
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	401
893 8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	402 Here is a minimal configuration for the :ref:`Stone Web viewer <stone_webviewer>`::
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	403
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	404 {
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	405 // disable basic authentication since it is replaced by the authorization plugin
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	406 "AuthenticationEnabled": false,
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	407
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	408 "Authorization" : {
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	409 "WebServiceTokenValidationUrl" : "http://localhost:8000/shares/validate",
893 8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	410 "StandardConfigurations": [
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	411 "stone-webviewer"
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	412 ],
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	413 "CheckedLevel" : "studies"
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	414 }
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	415 }
8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	416
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	417 .. _orthanc-explorer-authorization:
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	418
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	419 Integration with the Orthanc Explorer 2
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	420 ---------------------------------------
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	421
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	422 More info to come soon.
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	423
893 8b48d42665c4 auth 0.4.0 Alain Mazy <am@osimis.io> parents: 878 diff changeset	424
274 c310a795c133 auth-token in search params amazy parents: 98 diff changeset	425 .. _orthanc-explorer-authorization:
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	426
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	427 Integration with the Orthanc Explorer
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	428 -------------------------------------
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	429
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	430 Starting from Orthanc 1.5.8, you can pass authorization tokens in the url
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	431 search params when opening the Orthanc explorer i.e.
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	432 http://localhost:8042/app/explorer.html?token=1234. This token will be
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	433 included as an HTTP header in every request sent to the Orthanc Rest API.
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	434 It will also be included in the url search params when opening the Orthanc
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	435 or Osimis viewer.
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	436
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	437 Only 3 tokens name will be recognized and forwarded: ``token``, ``auth-token``
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	438 and ``authorization``.
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	439
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	440 Please note that the Orthanc Explorer has not been designed to handle
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	441 the authorization so, when an authorization is not granted, it will simply
c310a795c133 auth-token in search params amazy parents: 98 diff changeset	442 display an empty page or an error message.
920 1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	443
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	444
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	445 Compilation
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	446 -----------
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	447
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	448 .. highlight:: bash
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	449
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	450 The procedure to compile this plugin is similar of that for the
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	451 :ref:`core of Orthanc <binaries>`. The following commands should work
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	452 for most UNIX-like distribution (including GNU/Linux)::
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	453
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	454 $ mkdir Build
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	455 $ cd Build
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	456 $ cmake .. -DSTATIC_BUILD=ON -DCMAKE_BUILD_TYPE=Release
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	457 $ make
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	458
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	459 The compilation will produce a shared library ``OrthancAuthorization``
1d9e0aa08fdd auth plugin Alain Mazy <am@osimis.io> parents: 893 diff changeset	460 that contains the authorization plugin.

Mercurial > hg > orthanc-book

annotate Sphinx/source/plugins/authorization.rst @ 921:33e8cb14142f