Mercurial > hg > orthanc

changeset 3534:cac8ffcb9cef

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
forcing AuthenticationEnabled to false is considered as insecure if remote access is allowed
author Sebastien Jodogne <s.jodogne@gmail.com>
date Fri, 04 Oct 2019 19:16:12 +0200
parents 2090ec6a83a5
children 41365091a41e
files OrthancExplorer/explorer.html OrthancExplorer/explorer.js OrthancServer/OrthancRestApi/OrthancRestSystem.cpp OrthancServer/ServerContext.cpp OrthancServer/ServerContext.h OrthancServer/main.cpp
diffstat 6 files changed, 20 insertions(+), 20 deletions(-) [+]
line wrap: on
line diff
--- a/OrthancExplorer/explorer.html	Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancExplorer/explorer.html	Fri Oct 04 19:16:12 2019 +0200
@@ -652,7 +652,8 @@
       <h1>Insecure setup</h1>
       <p>
         Your Orthanc server is accepting remote connections, but is
-	using the default username and password. Please carefully read
+	using the default username and password, or has user
+	authentication explicitly turned off. Please carefully read
 	your logs and review your configuration, especially
 	options <tt>RemoteAccessAllowed</tt>, <tt>AuthenticationEnabled</tt>,
 	and <tt>RegisteredUsers</tt>.
--- a/OrthancExplorer/explorer.js	Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancExplorer/explorer.js	Fri Oct 04 19:16:12 2019 +0200
@@ -395,8 +395,8 @@
       }
 
       // New in Orthanc 1.5.8
-      if ('IsDefaultUser' in s &&
-          s.IsDefaultUser) {
+      if ('IsHttpServerSecure' in s &&
+          !s.IsHttpServerSecure) {
         $('.warning-insecure').show();
       } else {
         $('.warning-insecure').hide();
--- a/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp	Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp	Fri Oct 04 19:16:12 2019 +0200
@@ -60,7 +60,7 @@
     result["ApiVersion"] = ORTHANC_API_VERSION;
     result["Version"] = ORTHANC_VERSION;
     result["DatabaseVersion"] = OrthancRestApi::GetIndex(call).GetDatabaseVersion();
-    result["IsDefaultUser"] = context.IsDefaultUser();  // New in Orthanc 1.5.8
+    result["IsHttpServerSecure"] = context.IsHttpServerSecure();  // New in Orthanc 1.5.8
 
     {
       OrthancConfiguration::ReaderLock lock;
--- a/OrthancServer/ServerContext.cpp	Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancServer/ServerContext.cpp	Fri Oct 04 19:16:12 2019 +0200
@@ -240,7 +240,7 @@
     haveJobsChanged_(false),
     isJobsEngineUnserialized_(false),
     metricsRegistry_(new MetricsRegistry),
-    isDefaultUser_(false)
+    isHttpServerSecure_(true)
   {
     {
       OrthancConfiguration::ReaderLock lock;
--- a/OrthancServer/ServerContext.h	Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancServer/ServerContext.h	Fri Oct 04 19:16:12 2019 +0200
@@ -220,7 +220,7 @@
     bool saveJobs_;
 
     std::auto_ptr<MetricsRegistry>  metricsRegistry_;
-    bool isDefaultUser_;
+    bool isHttpServerSecure_;
 
   public:
     class DicomCacheLocker : public boost::noncopyable
@@ -404,14 +404,14 @@
       return *metricsRegistry_;
     }
 
-    void SetDefaultUser(bool isDefaultUser)
+    void SetHttpServerSecure(bool isSecure)
     {
-      isDefaultUser_ = isDefaultUser;
+      isHttpServerSecure_ = isSecure;
     }
 
-    bool IsDefaultUser() const
+    bool IsHttpServerSecure() const
     {
-      return isDefaultUser_;
+      return isHttpServerSecure_;
     }
   };
 }
--- a/OrthancServer/main.cpp	Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancServer/main.cpp	Fri Oct 04 19:16:12 2019 +0200
@@ -824,6 +824,9 @@
       httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true));
       httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true));
 
+      // Let's assume that the HTTP server is secure
+      context.SetHttpServerSecure(true);
+
       bool authenticationEnabled;
       if (lock.GetConfiguration().LookupBooleanParameter(authenticationEnabled, "AuthenticationEnabled"))
       {
@@ -833,7 +836,8 @@
             !authenticationEnabled)
         {
           LOG(WARNING) << "====> Remote access is enabled while user authentication is explicitly disabled, "
-                       << "make sure this does not affect the security of your setup <====";
+                       << "your setup is POSSIBLY INSECURE <====";
+          context.SetHttpServerSecure(false);
         }
       }
       else if (httpServer.IsRemoteAccessAllowed())
@@ -867,11 +871,11 @@
            * used in Docker images "jodogne/orthanc",
            * "jodogne/orthanc-plugins" and "osimis/orthanc".
            **/
-          LOG(ERROR) << "====> HTTP authentication is enabled, but no user is declared. "
-                     << "Creating a default user: Review your configuration option \"RegisteredUsers\". "
-                     << "Your setup is INSECURE <====";
+          LOG(WARNING) << "====> HTTP authentication is enabled, but no user is declared. "
+                       << "Creating a default user: Review your configuration option \"RegisteredUsers\". "
+                       << "Your setup is INSECURE <====";
 
-          context.SetDefaultUser(true);
+          context.SetHttpServerSecure(false);
 
           // This is the username/password of the default user in Orthanc.
           httpServer.RegisterUser("orthanc", "orthanc");
@@ -882,11 +886,6 @@
                        << "check the value of configuration option \"RegisteredUsers\"";
         }
       }
-      else
-      {
-        // This setup is secure
-        context.SetDefaultUser(false);
-      }
       
       if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false))
       {