diff OrthancServer/main.cpp @ 3506:d2b9981017c4
better handling of HTTP security
author | Sebastien Jodogne <s.jodogne@gmail.com> |
date | Wed, 28 Aug 2019 15:19:04 +0200 |
parents | 27b53c61aa99 |
children | f07352e0375c |
--- a/OrthancServer/main.cpp Wed Aug 28 12:21:23 2019 +0200
+++ b/OrthancServer/main.cpp Wed Aug 28 15:19:04 2019 +0200
@@ -823,20 +823,32 @@
 httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true));
 httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true));
- bool authenticationEnabled = lock.GetConfiguration().GetBooleanParameter("AuthenticationEnabled", false);
- if (httpServer.IsRemoteAccessAllowed())
+ bool authenticationEnabled;
+ if (lock.GetConfiguration().LookupBooleanParameter(authenticationEnabled, "AuthenticationEnabled"))
 {
- if (!authenticationEnabled)
+ httpServer.SetAuthenticationEnabled(authenticationEnabled);
+
+ if (httpServer.IsRemoteAccessAllowed() && !authenticationEnabled)
 {
- LOG(WARNING) << "Remote access is allowed, automatically turning on HTTP authentication for security";
+ LOG(WARNING) << "Remote access is enabled while user authentication is disabled, " << "make sure this does not affect the security of your setup";
 }
-
- // Starting with Orthanc 1.5.8, enabling remote access forces user authentication.
+ }
+ else if (httpServer.IsRemoteAccessAllowed())
+ {
+ // Starting with Orthanc 1.5.8, it is impossible to enable
+ // remote access without having explicitly disabled user
+ // authentication.
+ LOG(WARNING) << "Remote access is allowed but \"AuthenticationEnabled\" is not in the configuration, " << "automatically enabling HTTP authentication for security";
 httpServer.SetAuthenticationEnabled(true);
 }
 else
 {
- httpServer.SetAuthenticationEnabled(authenticationEnabled);
+ // If Orthanc only listens on the localhost, it is OK to have
+ // "AuthenticationEnabled" disabled
+ httpServer.SetAuthenticationEnabled(false);
 }
 bool hasUsers = lock.GetConfiguration().SetupRegisteredUsers(httpServer);
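Review bot: The comment in the new `else if` branch states the invariant backwards: enabling remote access with authentication on is perfectly possible; what the three branches actually guarantee is that remote access never runs without HTTP authentication unless "AuthenticationEnabled" was explicitly set to false in the configuration. Suggest replacing the three comment lines with `// Starting with Orthanc 1.5.8, remote access never runs without user authentication unless "AuthenticationEnabled" has been explicitly set to false.` so that an operator reading the code understands which setting is the deliberate opt-out. The new `bool authenticationEnabled;` is only read after `LookupBooleanParameter` succeeds, but initializing it as `bool authenticationEnabled = false;` keeps the variable well-defined if the branches are later reordered. The enclosing function continues past the end of the hunk.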