Mercurial > hg > orthanc
changeset 3500:0d248cc63ded
Security: If remote HTTP access is enabled, HTTP authentication automatically gets enabled
author | Sebastien Jodogne <s.jodogne@gmail.com> |
---|---|
date | Fri, 23 Aug 2019 21:32:16 +0200 |
parents | d8f7c3970e25 |
children | 27b53c61aa99 |
files | NEWS OrthancServer/OrthancConfiguration.cpp OrthancServer/OrthancConfiguration.h OrthancServer/main.cpp Resources/Configuration.json |
diffstat | 5 files changed, 34 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- a/NEWS Fri Aug 23 17:31:43 2019 +0200 +++ b/NEWS Fri Aug 23 21:32:16 2019 +0200 @@ -4,6 +4,7 @@ Maintenance ----------- +* Security: If remote HTTP access is enabled, HTTP authentication automatically gets enabled * Log an explicit error if uploading an empty DICOM file using REST API * Fix compatibility of LSB binaries with Ubuntu >= 18.04
--- a/OrthancServer/OrthancConfiguration.cpp Fri Aug 23 17:31:43 2019 +0200 +++ b/OrthancServer/OrthancConfiguration.cpp Fri Aug 23 21:32:16 2019 +0200 @@ -611,13 +611,13 @@ } - void OrthancConfiguration::SetupRegisteredUsers(HttpServer& httpServer) const + bool OrthancConfiguration::SetupRegisteredUsers(HttpServer& httpServer) const { httpServer.ClearUsers(); if (!json_.isMember("RegisteredUsers")) { - return; + return false; } const Json::Value& users = json_["RegisteredUsers"]; @@ -626,13 +626,17 @@ throw OrthancException(ErrorCode_BadFileFormat, "Badly formatted list of users"); } + bool hasUser = false; Json::Value::Members usernames = users.getMemberNames(); for (size_t i = 0; i < usernames.size(); i++) { const std::string& username = usernames[i]; std::string password = users[username].asString(); httpServer.RegisterUser(username.c_str(), password.c_str()); + hasUser = true; } + + return hasUser; }
--- a/OrthancServer/OrthancConfiguration.h Fri Aug 23 17:31:43 2019 +0200 +++ b/OrthancServer/OrthancConfiguration.h Fri Aug 23 21:32:16 2019 +0200 @@ -185,7 +185,8 @@ void GetListOfOrthancPeers(std::set<std::string>& target) const; - void SetupRegisteredUsers(HttpServer& httpServer) const; + // Returns "true" iff. at least one user is registered + bool SetupRegisteredUsers(HttpServer& httpServer) const; std::string InterpretStringParameterAsPath(const std::string& parameter) const;
--- a/OrthancServer/main.cpp Fri Aug 23 17:31:43 2019 +0200 +++ b/OrthancServer/main.cpp Fri Aug 23 21:32:16 2019 +0200 @@ -821,11 +821,27 @@ httpServer.SetRemoteAccessAllowed(lock.GetConfiguration().GetBooleanParameter("RemoteAccessAllowed", false)); httpServer.SetKeepAliveEnabled(lock.GetConfiguration().GetBooleanParameter("KeepAlive", defaultKeepAlive)); httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true)); - httpServer.SetAuthenticationEnabled(lock.GetConfiguration().GetBooleanParameter("AuthenticationEnabled", false)); httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true)); - lock.GetConfiguration().SetupRegisteredUsers(httpServer); + if (httpServer.IsRemoteAccessAllowed()) + { + // Starting with Orthanc 1.5.8, enabling remote access forces user authentication. + httpServer.SetAuthenticationEnabled(true); + } + else + { + httpServer.SetAuthenticationEnabled(lock.GetConfiguration().GetBooleanParameter("AuthenticationEnabled", false)); + } + bool hasUsers = lock.GetConfiguration().SetupRegisteredUsers(httpServer); + + if (httpServer.IsAuthenticationEnabled() && + !hasUsers) + { + LOG(WARNING) << "HTTP authentication is enabled, but no user is declared, " + << "check the value of configuration option \"RegisteredUsers\""; + } + if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false)) { std::string certificate = lock.GetConfiguration().InterpretStringParameterAsPath(
--- a/Resources/Configuration.json Fri Aug 23 17:31:43 2019 +0200 +++ b/Resources/Configuration.json Fri Aug 23 21:32:16 2019 +0200 @@ -139,7 +139,10 @@ * Security-related options for the HTTP server **/ - // Whether remote hosts can connect to the HTTP server + // Whether remote hosts can connect to the HTTP server. For security + // reasons, starting with Orthanc 1.5.8, as soon as this option is + // set to "true", authentication is enabled, and you have to declare + // an user in "RegisteredUsers" to access the HTTP server. "RemoteAccessAllowed" : false, // Whether or not SSL is enabled @@ -149,7 +152,9 @@ // SSL is enabled) "SslCertificate" : "certificate.pem", - // Whether or not the password protection is enabled + // Whether or not the password protection is enabled. Starting with + // Orthanc 1.5.8, password protection is automatically enabled as + // soon as "RemoteAccessAllowed" is set to "true". "AuthenticationEnabled" : false, // The list of the registered users. Because Orthanc uses HTTP