Mercurial > hg > orthanc
comparison OrthancServer/main.cpp @ 3534:cac8ffcb9cef
forcing AuthenticationEnabled to false is considered as insecure if remote access is allowed
| author | Sebastien Jodogne <s.jodogne@gmail.com> |
|---|---|
| date | Fri, 04 Oct 2019 19:16:12 +0200 |
| parents | 2090ec6a83a5 |
| children | 41365091a41e |
comparison
equal
deleted
inserted
replaced
| 3533:2090ec6a83a5 | 3534:cac8ffcb9cef |
|---|---|
| 822 httpServer.SetRemoteAccessAllowed(lock.GetConfiguration().GetBooleanParameter("RemoteAccessAllowed", false)); | 822 httpServer.SetRemoteAccessAllowed(lock.GetConfiguration().GetBooleanParameter("RemoteAccessAllowed", false)); |
| 823 httpServer.SetKeepAliveEnabled(lock.GetConfiguration().GetBooleanParameter("KeepAlive", defaultKeepAlive)); | 823 httpServer.SetKeepAliveEnabled(lock.GetConfiguration().GetBooleanParameter("KeepAlive", defaultKeepAlive)); |
| 824 httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true)); | 824 httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true)); |
| 825 httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true)); | 825 httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true)); |
| 826 | 826 |
| 827 // Let's assume that the HTTP server is secure | |
| 828 context.SetHttpServerSecure(true); | |
| 829 | |
| 827 bool authenticationEnabled; | 830 bool authenticationEnabled; |
| 828 if (lock.GetConfiguration().LookupBooleanParameter(authenticationEnabled, "AuthenticationEnabled")) | 831 if (lock.GetConfiguration().LookupBooleanParameter(authenticationEnabled, "AuthenticationEnabled")) |
| 829 { | 832 { |
| 830 httpServer.SetAuthenticationEnabled(authenticationEnabled); | 833 httpServer.SetAuthenticationEnabled(authenticationEnabled); |
| 831 | 834 |
| 832 if (httpServer.IsRemoteAccessAllowed() && | 835 if (httpServer.IsRemoteAccessAllowed() && |
| 833 !authenticationEnabled) | 836 !authenticationEnabled) |
| 834 { | 837 { |
| 835 LOG(WARNING) << "====> Remote access is enabled while user authentication is explicitly disabled, " | 838 LOG(WARNING) << "====> Remote access is enabled while user authentication is explicitly disabled, " |
| 836 << "make sure this does not affect the security of your setup <===="; | 839 << "your setup is POSSIBLY INSECURE <===="; |
| 840 context.SetHttpServerSecure(false); | |
| 837 } | 841 } |
| 838 } | 842 } |
| 839 else if (httpServer.IsRemoteAccessAllowed()) | 843 else if (httpServer.IsRemoteAccessAllowed()) |
| 840 { | 844 { |
| 841 // Starting with Orthanc 1.5.8, it is impossible to enable | 845 // Starting with Orthanc 1.5.8, it is impossible to enable |
| 865 * default user, and Orthanc Explorer shows a warning | 869 * default user, and Orthanc Explorer shows a warning |
| 866 * message about an "Insecure setup". This convention is | 870 * message about an "Insecure setup". This convention is |
| 867 * used in Docker images "jodogne/orthanc", | 871 * used in Docker images "jodogne/orthanc", |
| 868 * "jodogne/orthanc-plugins" and "osimis/orthanc". | 872 * "jodogne/orthanc-plugins" and "osimis/orthanc". |
| 869 **/ | 873 **/ |
| 870 LOG(ERROR) << "====> HTTP authentication is enabled, but no user is declared. " | 874 LOG(WARNING) << "====> HTTP authentication is enabled, but no user is declared. " |
| 871 << "Creating a default user: Review your configuration option \"RegisteredUsers\". " | 875 << "Creating a default user: Review your configuration option \"RegisteredUsers\". " |
| 872 << "Your setup is INSECURE <===="; | 876 << "Your setup is INSECURE <===="; |
| 873 | 877 |
| 874 context.SetDefaultUser(true); | 878 context.SetHttpServerSecure(false); |
| 875 | 879 |
| 876 // This is the username/password of the default user in Orthanc. | 880 // This is the username/password of the default user in Orthanc. |
| 877 httpServer.RegisterUser("orthanc", "orthanc"); | 881 httpServer.RegisterUser("orthanc", "orthanc"); |
| 878 } | 882 } |
| 879 else | 883 else |
| 880 { | 884 { |
| 881 LOG(WARNING) << "HTTP authentication is enabled, but no user is declared, " | 885 LOG(WARNING) << "HTTP authentication is enabled, but no user is declared, " |
| 882 << "check the value of configuration option \"RegisteredUsers\""; | 886 << "check the value of configuration option \"RegisteredUsers\""; |
| 883 } | 887 } |
| 884 } | |
| 885 else | |
| 886 { | |
| 887 // This setup is secure | |
| 888 context.SetDefaultUser(false); | |
| 889 } | 888 } |
| 890 | 889 |
| 891 if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false)) | 890 if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false)) |
| 892 { | 891 { |
| 893 std::string certificate = lock.GetConfiguration().InterpretStringParameterAsPath( | 892 std::string certificate = lock.GetConfiguration().InterpretStringParameterAsPath( |