view Sphinx/source/users/webdav.rst @ 1123:292479b06402

security: authentication wrt RemoteAccess
author Alain Mazy <am@orthanc.team>
date Thu, 19 Dec 2024 08:17:02 +0100
parents dda28dfd7d9d
children
line wrap: on
line source

.. _webdav:

Accessing Orthanc from the file explorer using WebDAV
=====================================================

.. contents::

Since release 1.8.0, the content of an Orthanc server can be
**mapped/mounted as a network share** thanks to `WebDAV
<https://en.wikipedia.org/wiki/WebDAV>`__. Thanks to this feature, you
can easily browse the DICOM instances that are stored by Orthanc using
the built-in file explorer of your operating system. It is possible to
download, upload or delete DICOM instances as well.

Orthanc creates a so-called **virtual filesystem** that indexes the
same DICOM resources according to different views (data can be
accessed by patients, by studies, by date, or by DICOM UIDs).


.. _webdav_screenshots:

Screenshots
-----------

The screenshots below are generated using the `test virtual machines
<https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/>`__
that are provided by Microsoft.

Here is the layout of the WebDAV server of Orthanc 1.8.0:

.. image:: ../images/webdav-win7-sample.png
           :align: center
           :width: 512

As can be noticed, Orthanc exposes a full hierarchy of DICOM
resources. These resources are transparently mapped to the database of
Orthanc. The same resource will appear at multiple locations of this
virtual filesystem, but in practice, it is stored only once. One can
choose the best way to access the information depending on the use
case.

Uploading a full folder containing a DICOM study (such as a CD or a
DVD containing a DICOMDIR) is as simple as a drag-and-drop onto the
``/uploads/`` folder:

.. image:: ../images/webdav-win7-upload.png
           :align: center
           :width: 512

As soon as the DICOM files have been dragged-and-dropped, they are
progressively ingested by Orthanc. Once a DICOM file has been
ingested, it is automatically removed from the ``/uploads/`` folder.

Note that it is not possible to rename any file, as this is a virtual
filesystem that is permanently and transparently reconstructed out of
the content of the Orthanc database.

NB: Starting with Orthanc 1.8.2, ZIP archives can also be added to the
``/uploads/`` folder. Orthanc will automatically decompress the ZIP
archive and upload any DICOM file it contains.


Server configuration
--------------------

Options
^^^^^^^

Three configuration options can be used to configure the WebDAV
server:

* ``WebDavEnabled`` to enable/disable WebDAV.

* ``WebDavDeleteAllowed`` to turn on/off the possibility of deleting
  DICOM resources using WebDAV. This can be disabled for security
  reasons.

* ``WebDavUploadAllowed`` to turn on/off the possibility of uploading
  DICOM resources using WebDAV.


Security
^^^^^^^^

As WebDAV is an application layer above HTTP, you should pay attention
to :ref:`protect your HTTP server <security_http>`. At the minimum,
you should enable HTTP Basic Authentication (check out configuration
option ``RegisteredUsers``). The client will have to provide her
credentials when mapping the WebDAV share.

If you want to control which user can see which resource, you should
protect your network share by creating **access control lists**
through a :ref:`Lua script <lua-filter-rest>`, through the
:ref:`advanced authorization plugin <authorization>`, or through
:ref:`your own plugin <creating-plugins>`
(cf. ``OrthancPluginRegisterIncomingHttpRequestFilter2()``).

The HTTP methods that are used by WebDAV are ``GET`` (for read-only
accesses), ``PUT`` (for uploads), and ``DELETE`` (for deletions). The
access control lists can be focused on these methods.

Finally, it is highly recommended to enable :ref:`HTTPS encryption
<https>`, which might need additional configuration on some operating
systems (see below for Microsoft Windows 10).


Client configuration
--------------------

Nautilus on Ubuntu 18.04
^^^^^^^^^^^^^^^^^^^^^^^^

It is quite straightforward to use the WebDAV server using Nautilus on
Ubuntu:

.. image:: ../images/webdav-nautilus-1.png
           :align: center
           :width: 512

Obviously, adapt the IP address and HTTP port number to your setup.
Once the share is connected, it is readily accessible:
                   
.. image:: ../images/webdav-nautilus-2.png
           :align: center
           :width: 512

**Important:** If you use :ref:`HTTPS encryption <https>`, which is
recommended for security reasons, replace the prefix ``dav://`` by
``davs://``.


Microsoft Windows 7
^^^^^^^^^^^^^^^^^^^

First of all, make sure to adapt the value of the registry key
``BasicAuthLevel``, :ref:`as explained below <webdav_windows_fix>`.
Otherwise, you might not be able to connect.

This section illustrates how to use WebDAV on a Microsoft Windows 7
operating system. Obviously, the procedure is very similar for more
recent versions of Microsoft Windows, and many tutorials are available
on Internet.

WebDAV has a `known performance issue
<https://oddballupdate.com/2009/12/fix-slow-webdav-performance-in-windows-7/>`__
on barebone Microsoft Windows 7. To fix this issue, first open the 
"Internet Properties" configuration panel:

.. image:: ../images/webdav-win7-config5.png
           :align: center
           :width: 512

Then simply uncheck the "Automatically detect settings" checkbox in
the "LAN settings" panel:

.. image:: ../images/webdav-win7-config6.png
           :align: center
           :width: 384

Once this is done, in order to map Orthanc as a network share on
Microsoft Windows 7, first open the File Explorer, and right-click on
"Computer":

.. image:: ../images/webdav-win7-config1.png
           :align: center
           :width: 512

This will open the "Add Network Location Wizard". Click on "Next" to
choose the (only) available option:

.. image:: ../images/webdav-win7-config2.png
           :align: center
           :width: 384

Now enter the IP address and the HTTP port of your Orthanc server, and
don't forget to add the ``/webdav/`` suffix:

.. image:: ../images/webdav-win7-config3.png
           :align: center
           :width: 384

Give a name to your network share:
                   
.. image:: ../images/webdav-win7-config4.png
           :align: center
           :width: 384

At the "Completing the Add Network Location Wizard", click on
"Finish". You'll then be able to use the network share as depicted in
the :ref:`screenshots above <webdav_screenshots>`.

**Important:** For some reason, Microsoft Windows 7 sometimes "`gets
lost
<https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/cannot-automatically-reconnect-dav-share>`__"
after an upload and cannot access Orthanc anymore. In such situations,
you'll have to delete the network share and repeat the steps above
again.

Note that you can find additional information `in the thread about
WebDAV on the discussion forum
<https://groups.google.com/g/orthanc-users/c/Iq-Ftv5xGjA/m/68kNcbanAgAJ>`__.


Secure access using Microsoft Windows 10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

First of all, make sure to adapt the value of the registry key
``BasicAuthLevel``, :ref:`as explained below <webdav_windows_fix>`.

Depending on your security settings, Microsoft Windows 10 might also
impose the use of HTTPS in the Orthanc server. First, you must
obviously configure :ref:`HTTPS security in Orthanc <https>`.

In order to connect successfully to Orthanc WebDAV server using basic
authentication and SSL with self-signed certificate.

1) download the ``.pem`` certificate

2) Open "Control Panel" → "Manage Computer Certificates"

3) Right click on "Certificates - Local Computer → Trusted Root
   Certification Authorities → Certificates" and choose "All Tasks →
   Import..."

4) Select the ``.pem`` certificate (you might need to enforce
   displaying ``*.*`` files in the dialog box, for the ``.pem``
   extension is not part of the standard certificate extensions)

5) Choose "Place all certifications in the following store: Trusted
   Root Certification Authorities"

6) A dialog box should pop up with "The import was successful"

When done, you can test the WebDAV connection :

1) Right click on the Explorer namespace root ("This PC", in Windows 10)

2) Choose "Map Network Drive"

3) Click the link named "Connect to a Web site that you can use..."

4) Choose custom network location

5) Type the WebDAV address like: ``https://10.10.10.107:8042/webdav/``

6) If all goes well, you should be prompted for the basic auth credentials.

When this is done, the WebDAV location should be mounted at the top of
the Explorer namespace (next to the C: drive, etc...). Something to
try if the mount fails:


Tips for other operating systems
--------------------------------

.. _webdav_windows_fix:

Microsoft Windows 7, 8.x or 10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you cannot access WebDAV from Microsoft Windows (with version above
7), as a first step, change the value of the registry key
``BasicAuthLevel`` within the system registry to value ``2`` (by
default, it comes with value ``1`` that prevents WebDAV access). Here
are the steps:

- Open ``regedit.exe``
  
- Open the ``HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters`` key
  
- Create the ``BasicAuthLevel`` DWORD value if needed
  
- Set the ``BasicAuthLevel`` DWORD value to ``2``

This should *not* be required, but was enabled on the PC that was used
to test the mounting procedure. `Details here
<http://techgenix.com/EnableBasicAuthforWebDAVonWindows7/>`__

Note that you can find additional information `in the thread about
WebDAV on the discussion forum
<https://groups.google.com/g/orthanc-users/c/Iq-Ftv5xGjA/m/68kNcbanAgAJ>`__.



Microsoft Windows Server 2012
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1. **Install Desktop Experience**: Server manager > Add Features >
   User Interfaces and Infrastructure > Desktop Experience

2. **Start and set to Automatic WebClient Service**: Services >
   WebClient > Properties > Set from Manual to Automatic then start it
   
`Link to the original post <https://groups.google.com/d/msgid/orthanc-users/3b3c3af1-0413-471e-8f31-0a358632fd6an%40googlegroups.com?utm_medium=email&utm_source=footer>`__



Debugging WebDAV
----------------

As of release 1.8.0, the WebDAV server of Orthanc has been tested
against the following WebDAV clients: Nautilus, `davfs2
<https://en.wikipedia.org/wiki/Davfs2>`__, Microsoft Windows XP,
Microsoft Windows 7, and Microsoft Windows 10.

It is obviously impossible for us to test against all the possible
platforms. If you encounter an issue using your WebDAV client, you
should send us a trace generated by the `wsgidav reference server
<https://github.com/mar10/wsgidav/>`__ so that we can identify what is
the non-respect of Orthanc wrt. the WebDAV standard.

.. highlight:: bash

On Ubuntu, here are the commands to generate a useful log::

  $ sudo pip install wsgidav cheroot
  $ mkdir -p /tmp/webdav/hello
  $ echo "foo" > /tmp/webdav/hello/world
  $ wsgidav -v -v --auth anonymous --host=0.0.0.0 --port=8042 --root=/tmp/webdav/ | tee /tmp/wsgidav.log

Connect your WebDAV client to ``http://localhost:8042/``, and do some
basic operations (access ``/hello/world``, create a file, create a
folder, and delete a file). Then, stop the ``wsgidav`` server and
publish the content of the ``/tmp/wsgidav.log`` logfile on the
`Orthanc Users discussion group
<https://groups.google.com/g/orthanc-users>`__.