diff OrthancServer/main.cpp @ 3534:cac8ffcb9cef

forcing AuthenticationEnabled to false is considered insecure if remote access is allowed
author Sebastien Jodogne <s.jodogne@gmail.com>
date Fri, 04 Oct 2019 19:16:12 +0200
parents 2090ec6a83a5
children 41365091a41e
--- a/OrthancServer/main.cpp	Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancServer/main.cpp	Fri Oct 04 19:16:12 2019 +0200
@@ -824,6 +824,9 @@
       httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true));
       httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true));
 
+      // Let's assume that the HTTP server is secure
+      context.SetHttpServerSecure(true);
+
       bool authenticationEnabled;
       if (lock.GetConfiguration().LookupBooleanParameter(authenticationEnabled, "AuthenticationEnabled"))
       {
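Review bot: Setting the flag to true up front and relying on every insecure branch below to clear it is a fail-open default: any configuration path added later that forgets to call `context.SetHttpServerSecure(false)` is silently reported as secure, and the explicit "This setup is secure" branch that used to mark the safe case is removed in the last hunk. A comment stating the invariant would at least make this visible, e.g. `// Assume secure; every branch below that detects an insecure configuration MUST call SetHttpServerSecure(false)`. A fail-closed alternative is to leave the flag false here and set it to true only once the authentication checks below have passed. The checks that follow continue past this hunk, so I cannot confirm whether every insecure path is covered.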
@@ -833,7 +836,8 @@
             !authenticationEnabled)
         {
           LOG(WARNING) << "====> Remote access is enabled while user authentication is explicitly disabled, "
-                       << "make sure this does not affect the security of your setup <====";
+                       << "your setup is POSSIBLY INSECURE <====";
+          context.SetHttpServerSecure(false);
         }
       }
       else if (httpServer.IsRemoteAccessAllowed())
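Review bot: The message now says "POSSIBLY INSECURE" while the code right after it records the state as definitely insecure via `context.SetHttpServerSecure(false)`, and the third hunk uses "Your setup is INSECURE" at the same WARNING level for the default-user case. Using one phrase for both cases would let operators match a single pattern when monitoring logs; I would write `<< "your setup is INSECURE <====";` here. The enclosing `if` condition begins above this hunk, so I can only see the `!authenticationEnabled` part of it.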
@@ -867,11 +871,11 @@
            * used in Docker images "jodogne/orthanc",
            * "jodogne/orthanc-plugins" and "osimis/orthanc".
            **/
-          LOG(ERROR) << "====> HTTP authentication is enabled, but no user is declared. "
-                     << "Creating a default user: Review your configuration option \"RegisteredUsers\". "
-                     << "Your setup is INSECURE <====";
+          LOG(WARNING) << "====> HTTP authentication is enabled, but no user is declared. "
+                       << "Creating a default user: Review your configuration option \"RegisteredUsers\". "
+                       << "Your setup is INSECURE <====";
 
-          context.SetDefaultUser(true);
+          context.SetHttpServerSecure(false);
 
           // This is the username/password of the default user in Orthanc.
           httpServer.RegisterUser("orthanc", "orthanc");
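Review bot: The severity of this message drops from ERROR to WARNING while its text still says "Your setup is INSECURE", and a well-known username/password is registered immediately after it; operators who filter logs at ERROR level will no longer see that default credentials were installed. If the lower level is intentional because the condition is now also recorded through the context flag set just below, a comment saying so would make that explicit, e.g. `// WARNING rather than ERROR: the insecure state is also recorded via SetHttpServerSecure(false) below`. Replacing `context.SetDefaultUser(true)` with `context.SetHttpServerSecure(false)` also merges "a default user was created" into the same flag as "authentication is disabled"; if anything consumed the old flag (not visible here), it should be checked. The surrounding block starts above this hunk.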
@@ -882,11 +886,6 @@
                        << "check the value of configuration option \"RegisteredUsers\"";
         }
       }
-      else
-      {
-        // This setup is secure
-        context.SetDefaultUser(false);
-      }
       
       if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false))
       {