diff OrthancServer/main.cpp @ 3506:d2b9981017c4

better handling of HTTP security
author Sebastien Jodogne <s.jodogne@gmail.com>
date Wed, 28 Aug 2019 15:19:04 +0200
parents 27b53c61aa99
children f07352e0375c
--- a/OrthancServer/main.cpp	Wed Aug 28 12:21:23 2019 +0200
+++ b/OrthancServer/main.cpp	Wed Aug 28 15:19:04 2019 +0200
@@ -823,20 +823,32 @@
       httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true));
       httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true));
 
-      bool authenticationEnabled = lock.GetConfiguration().GetBooleanParameter("AuthenticationEnabled", false);
-      if (httpServer.IsRemoteAccessAllowed())
+      bool authenticationEnabled;
+      if (lock.GetConfiguration().LookupBooleanParameter(authenticationEnabled, "AuthenticationEnabled"))
       {
-        if (!authenticationEnabled)
+        httpServer.SetAuthenticationEnabled(authenticationEnabled);
+
+        if (httpServer.IsRemoteAccessAllowed() &&
+            !authenticationEnabled)
         {
-          LOG(WARNING) << "Remote access is allowed, automatically turning on HTTP authentication for security";
+          LOG(WARNING) << "Remote access is enabled while user authentication is disabled, "
+                       << "make sure this does not affect the security of your setup";
         }
-
-        // Starting with Orthanc 1.5.8, enabling remote access forces user authentication.
+      }
+      else if (httpServer.IsRemoteAccessAllowed())
+      {
+        // Starting with Orthanc 1.5.8, it is impossible to enable
+        // remote access without having explicitly disabled user
+        // authentication.
+        LOG(WARNING) << "Remote access is allowed but \"AuthenticationEnabled\" is not in the configuration, "
+                     << "automatically enabling HTTP authentication for security";          
         httpServer.SetAuthenticationEnabled(true);
       }
       else
       {
-        httpServer.SetAuthenticationEnabled(authenticationEnabled);
+        // If Orthanc only listens on the localhost, it is OK to have
+        // "AuthenticationEnabled" disabled
+        httpServer.SetAuthenticationEnabled(false);
       }
 
       bool hasUsers = lock.GetConfiguration().SetupRegisteredUsers(httpServer);
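Review bot: The final `else` branch silently turns authentication off whenever "AuthenticationEnabled" is absent and remote access is not allowed, and the comment above it overstates the safety of that case: a reverse proxy or SSH tunnel forwarding to the loopback listener makes the same unauthenticated REST API reachable from outside, and that configuration is not visible to this code. The other two branches log their decision, so this one should too, and the comment should carry the caveat, e.g. `// A loopback-only listener may still be exposed through a reverse proxy; authentication is left off only because nothing was configured.` followed by `LOG(INFO) << "\"AuthenticationEnabled\" is not in the configuration and remote access is disabled, leaving HTTP authentication disabled";` before the `SetAuthenticationEnabled(false)` call. That gives an operator who fronts Orthanc with a proxy a trace of why no credentials are being checked. The enclosing function starts before the hunk and continues after it.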