changeset 3500:0d248cc63ded

Security: If remote HTTP access is enabled, HTTP authentication automatically gets enabled
author Sebastien Jodogne <s.jodogne@gmail.com>
date Fri, 23 Aug 2019 21:32:16 +0200
parents d8f7c3970e25
children 27b53c61aa99
files NEWS OrthancServer/OrthancConfiguration.cpp OrthancServer/OrthancConfiguration.h OrthancServer/main.cpp Resources/Configuration.json
diffstat 5 files changed, 34 insertions(+), 7 deletions(-) [+]
--- a/NEWS	Fri Aug 23 17:31:43 2019 +0200
+++ b/NEWS	Fri Aug 23 21:32:16 2019 +0200
@@ -4,6 +4,7 @@
 Maintenance
 -----------
 
+* Security: If remote HTTP access is enabled, HTTP authentication automatically gets enabled
 * Log an explicit error if uploading an empty DICOM file using REST API
 * Fix compatibility of LSB binaries with Ubuntu >= 18.04
 
--- a/OrthancServer/OrthancConfiguration.cpp	Fri Aug 23 17:31:43 2019 +0200
+++ b/OrthancServer/OrthancConfiguration.cpp	Fri Aug 23 21:32:16 2019 +0200
@@ -611,13 +611,13 @@
   }
 
 
-  void OrthancConfiguration::SetupRegisteredUsers(HttpServer& httpServer) const
+  bool OrthancConfiguration::SetupRegisteredUsers(HttpServer& httpServer) const
   {
     httpServer.ClearUsers();
 
     if (!json_.isMember("RegisteredUsers"))
     {
-      return;
+      return false;
     }
 
     const Json::Value& users = json_["RegisteredUsers"];
@@ -626,13 +626,17 @@
       throw OrthancException(ErrorCode_BadFileFormat, "Badly formatted list of users");
     }
 
+    bool hasUser = false;
     Json::Value::Members usernames = users.getMemberNames();
     for (size_t i = 0; i < usernames.size(); i++)
     {
       const std::string& username = usernames[i];
       std::string password = users[username].asString();
       httpServer.RegisterUser(username.c_str(), password.c_str());
+      hasUser = true;
     }
+
+    return hasUser;
   }
     
 
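Review bot: `hasUser` is set to true for every entry in "RegisteredUsers", including one whose value is an empty string (or null, if `asString()` yields "" for it — to be confirmed against the jsoncpp version in use), so a configuration such as `"RegisteredUsers" : { "admin" : "" }` registers a user with an empty password and still suppresses the "no user is declared" warning that main.cpp derives from this return value. A per-user check next to the RegisterUser call would surface that at startup, e.g. `if (password.empty()) { LOG(WARNING) << "User \"" << username << "\" is declared with an empty password"; }` (assuming the logging macro is available in this translation unit). Independently, the flag can be replaced by `return !usernames.empty();` after the loop, which makes the contract stated in the header comment obvious from the code. The function's signature and the "RegisteredUsers" type check are in the previous hunk.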
--- a/OrthancServer/OrthancConfiguration.h	Fri Aug 23 17:31:43 2019 +0200
+++ b/OrthancServer/OrthancConfiguration.h	Fri Aug 23 21:32:16 2019 +0200
@@ -185,7 +185,8 @@
 
     void GetListOfOrthancPeers(std::set<std::string>& target) const;
 
-    void SetupRegisteredUsers(HttpServer& httpServer) const;
+    // Returns "true" iff. at least one user is registered
+    bool SetupRegisteredUsers(HttpServer& httpServer) const;
 
     std::string InterpretStringParameterAsPath(const std::string& parameter) const;
     
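Review bot: The new comment documents only the return value; the two other observable effects visible in the .cpp hunks — the method first calls `httpServer.ClearUsers()`, so any previously registered user is dropped even when the option is absent, and it throws `OrthancException(ErrorCode_BadFileFormat)` when "RegisteredUsers" is badly formatted (the guarding condition itself lies between the two hunks) — are worth stating here since callers decide on the return value. Suggested wording: `// Replaces the users of "httpServer" with those in "RegisteredUsers"; returns "true" iff. at least one user is registered. Throws OrthancException(ErrorCode_BadFileFormat) on a malformed list.`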
--- a/OrthancServer/main.cpp	Fri Aug 23 17:31:43 2019 +0200
+++ b/OrthancServer/main.cpp	Fri Aug 23 21:32:16 2019 +0200
@@ -821,11 +821,27 @@
       httpServer.SetRemoteAccessAllowed(lock.GetConfiguration().GetBooleanParameter("RemoteAccessAllowed", false));
       httpServer.SetKeepAliveEnabled(lock.GetConfiguration().GetBooleanParameter("KeepAlive", defaultKeepAlive));
       httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true));
-      httpServer.SetAuthenticationEnabled(lock.GetConfiguration().GetBooleanParameter("AuthenticationEnabled", false));
       httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true));
 
-      lock.GetConfiguration().SetupRegisteredUsers(httpServer);
+      if (httpServer.IsRemoteAccessAllowed())
+      {
+        // Starting with Orthanc 1.5.8, enabling remote access forces user authentication.
+        httpServer.SetAuthenticationEnabled(true);
+      }
+      else
+      {
+        httpServer.SetAuthenticationEnabled(lock.GetConfiguration().GetBooleanParameter("AuthenticationEnabled", false));
+      }
 
+      bool hasUsers = lock.GetConfiguration().SetupRegisteredUsers(httpServer);
+
+      if (httpServer.IsAuthenticationEnabled() &&
+          !hasUsers)
+      {
+        LOG(WARNING) << "HTTP authentication is enabled, but no user is declared, "
+                     << "check the value of configuration option \"RegisteredUsers\"";
+      }
+      
       if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false))
       {
         std::string certificate = lock.GetConfiguration().InterpretStringParameterAsPath(
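Review bot: When remote access is allowed, the configured value of "AuthenticationEnabled" is never read (the `else` branch is the only place that evaluates it), so an explicit `"AuthenticationEnabled" : false` is silently overridden with no log line explaining why clients suddenly get authentication challenges; only the "no user is declared" case below produces a warning. Reading the option once and logging when the override actually changes the operator's setting keeps the new forced-authentication behaviour but makes it visible at startup. The enclosing function of this hunk starts and ends outside the hunk.
```cpp
      bool authenticationEnabled = lock.GetConfiguration().GetBooleanParameter("AuthenticationEnabled", false);

      if (httpServer.IsRemoteAccessAllowed() &&
          !authenticationEnabled)
      {
        // Starting with Orthanc 1.5.8, enabling remote access forces user authentication.
        LOG(WARNING) << "Remote access is allowed, forcing HTTP authentication "
                     << "although \"AuthenticationEnabled\" is set to \"false\"";
        authenticationEnabled = true;
      }

      httpServer.SetAuthenticationEnabled(authenticationEnabled);
      // … unchanged: SetupRegisteredUsers call and the "no user is declared" warning …
```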
--- a/Resources/Configuration.json	Fri Aug 23 17:31:43 2019 +0200
+++ b/Resources/Configuration.json	Fri Aug 23 21:32:16 2019 +0200
@@ -139,7 +139,10 @@
    * Security-related options for the HTTP server
    **/
 
-  // Whether remote hosts can connect to the HTTP server
+  // Whether remote hosts can connect to the HTTP server. For security
+  // reasons, starting with Orthanc 1.5.8, as soon as this option is
+  // set to "true", authentication is enabled, and you have to declare
+  // an user in "RegisteredUsers" to access the HTTP server.
   "RemoteAccessAllowed" : false,
 
   // Whether or not SSL is enabled
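Review bot: The new comment on "RemoteAccessAllowed" reads `an user in "RegisteredUsers"`; it should be `a user in "RegisteredUsers"`. It would also help operators to say what the consequence of forgetting that step is, since the startup warning added in main.cpp is easy to miss, e.g. `// an user in "RegisteredUsers" to access the HTTP server` → `// a user in "RegisteredUsers", otherwise no HTTP request can be authenticated.` (that last clause presumes the server rejects all requests when authentication is on and no user exists — confirm before wording it as a fact).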
@@ -149,7 +152,9 @@
   // SSL is enabled)
   "SslCertificate" : "certificate.pem",
 
-  // Whether or not the password protection is enabled
+  // Whether or not the password protection is enabled. Starting with
+  // Orthanc 1.5.8, password protection is automatically enabled as
+  // soon as "RemoteAccessAllowed" is set to "true".
   "AuthenticationEnabled" : false,
 
   // The list of the registered users. Because Orthanc uses HTTP