changeset 3534:cac8ffcb9cef
forcing AuthenticationEnabled to false is considered as insecure if remote access is allowed
author | Sebastien Jodogne <s.jodogne@gmail.com> |
date | Fri, 04 Oct 2019 19:16:12 +0200 |
parents | 2090ec6a83a5 |
children | 41365091a41e |
files | OrthancExplorer/explorer.html OrthancExplorer/explorer.js OrthancServer/OrthancRestApi/OrthancRestSystem.cpp OrthancServer/ServerContext.cpp OrthancServer/ServerContext.h OrthancServer/main.cpp |
diffstat | 6 files changed, 20 insertions(+), 20 deletions(-) [+] |
--- a/OrthancExplorer/explorer.html Fri Oct 04 17:41:43 2019 +0200 +++ b/OrthancExplorer/explorer.html Fri Oct 04 19:16:12 2019 +0200 @@ -652,7 +652,8 @@ <h1>Insecure setup</h1> <p> Your Orthanc server is accepting remote connections, but is - using the default username and password. Please carefully read + using the default username and password, or has user + authentication explicitly turned off. Please carefully read your logs and review your configuration, especially options <tt>RemoteAccessAllowed</tt>, <tt>AuthenticationEnabled</tt>, and <tt>RegisteredUsers</tt>.
--- a/OrthancExplorer/explorer.js Fri Oct 04 17:41:43 2019 +0200 +++ b/OrthancExplorer/explorer.js Fri Oct 04 19:16:12 2019 +0200 @@ -395,8 +395,8 @@ } // New in Orthanc 1.5.8 - if ('IsDefaultUser' in s && - s.IsDefaultUser) { + if ('IsHttpServerSecure' in s && + !s.IsHttpServerSecure) { $('.warning-insecure').show(); } else { $('.warning-insecure').hide();
--- a/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancServer/OrthancRestApi/OrthancRestSystem.cpp Fri Oct 04 19:16:12 2019 +0200
@@ -60,7 +60,7 @@
     result["ApiVersion"] = ORTHANC_API_VERSION;
     result["Version"] = ORTHANC_VERSION;
     result["DatabaseVersion"] = OrthancRestApi::GetIndex(call).GetDatabaseVersion();
-    result["IsDefaultUser"] = context.IsDefaultUser(); // New in Orthanc 1.5.8
+    result["IsHttpServerSecure"] = context.IsHttpServerSecure(); // New in Orthanc 1.5.8
 
     {
       OrthancConfiguration::ReaderLock lock;
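Review bot: The trailing comment `// New in Orthanc 1.5.8` now sits on a key that was renamed from `IsDefaultUser` to `IsHttpServerSecure`; if the old key has already shipped under that version, the comment is misleading and the rename silently drops a field clients may already read. Either keep emitting `IsDefaultUser` alongside the new key for one release, or make the comment say what happened, e.g. `// New in Orthanc 1.5.8 (replaces the former "IsDefaultUser" field)`. Whether `IsDefaultUser` was ever part of a release cannot be told from this page. The enclosing REST handler starts and ends outside the hunk.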
--- a/OrthancServer/ServerContext.cpp Fri Oct 04 17:41:43 2019 +0200
+++ b/OrthancServer/ServerContext.cpp Fri Oct 04 19:16:12 2019 +0200
@@ -240,7 +240,7 @@
     haveJobsChanged_(false),
     isJobsEngineUnserialized_(false),
     metricsRegistry_(new MetricsRegistry),
-    isDefaultUser_(false)
+    isHttpServerSecure_(true)
   {
     {
       OrthancConfiguration::ReaderLock lock;
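Review bot: The member default `isHttpServerSecure_(true)` is fail-open: a ServerContext whose startup checks in main.cpp never run would report the HTTP server as secure, and Orthanc Explorer would hide its warning. Since main.cpp in this commit already calls `context.SetHttpServerSecure(true)` explicitly before evaluating the authentication settings, the initializer could be `isHttpServerSecure_(false)` without changing that path, so that a skipped or not-yet-run check surfaces as a warning rather than as silence. Whether any other code constructs a ServerContext without going through that block is not visible here. The constructor body continues outside the hunk.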
--- a/OrthancServer/ServerContext.h Fri Oct 04 17:41:43 2019 +0200 +++ b/OrthancServer/ServerContext.h Fri Oct 04 19:16:12 2019 +0200 @@ -220,7 +220,7 @@ bool saveJobs_; std::auto_ptr<MetricsRegistry> metricsRegistry_; - bool isDefaultUser_; + bool isHttpServerSecure_; public: class DicomCacheLocker : public boost::noncopyable @@ -404,14 +404,14 @@ return *metricsRegistry_; } - void SetDefaultUser(bool isDefaultUser) + void SetHttpServerSecure(bool isSecure) { - isDefaultUser_ = isDefaultUser; + isHttpServerSecure_ = isSecure; } - bool IsDefaultUser() const + bool IsHttpServerSecure() const { - return isDefaultUser_; + return isHttpServerSecure_; } }; }
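Review bot: `IsHttpServerSecure()` and `SetHttpServerSecure()` carry no comment saying what "secure" covers, and the name promises more than the flag tracks: judging from the main.cpp hunks in this commit it is cleared only when remote access is allowed with `AuthenticationEnabled` explicitly false, or when authentication is on but no user is declared, and it says nothing about TLS. A comment on the getter such as `// False only if startup found the HTTP server reachable remotely without effective user authentication (authentication disabled, or the default "orthanc" user registered); does not reflect SslEnabled.` would stop REST consumers from over-reading the value. The flag is a plain `bool` written from main.cpp and read from REST handlers; that presumably follows a write-once-before-serving pattern, but nothing here synchronises it, so worth confirming. The class begins outside the hunk.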
--- a/OrthancServer/main.cpp Fri Oct 04 17:41:43 2019 +0200 +++ b/OrthancServer/main.cpp Fri Oct 04 19:16:12 2019 +0200 @@ -824,6 +824,9 @@ httpServer.SetHttpCompressionEnabled(lock.GetConfiguration().GetBooleanParameter("HttpCompressionEnabled", true)); httpServer.SetTcpNoDelay(lock.GetConfiguration().GetBooleanParameter("TcpNoDelay", true)); + // Let's assume that the HTTP server is secure + context.SetHttpServerSecure(true); + bool authenticationEnabled; if (lock.GetConfiguration().LookupBooleanParameter(authenticationEnabled, "AuthenticationEnabled")) { @@ -833,7 +836,8 @@ !authenticationEnabled) { LOG(WARNING) << "====> Remote access is enabled while user authentication is explicitly disabled, " - << "make sure this does not affect the security of your setup <===="; + << "your setup is POSSIBLY INSECURE <===="; + context.SetHttpServerSecure(false); } } else if (httpServer.IsRemoteAccessAllowed()) @@ -867,11 +871,11 @@ * used in Docker images "jodogne/orthanc", * "jodogne/orthanc-plugins" and "osimis/orthanc". **/ - LOG(ERROR) << "====> HTTP authentication is enabled, but no user is declared. " - << "Creating a default user: Review your configuration option \"RegisteredUsers\". " - << "Your setup is INSECURE <===="; + LOG(WARNING) << "====> HTTP authentication is enabled, but no user is declared. " + << "Creating a default user: Review your configuration option \"RegisteredUsers\". " + << "Your setup is INSECURE <===="; - context.SetDefaultUser(true); + context.SetHttpServerSecure(false); // This is the username/password of the default user in Orthanc. httpServer.RegisterUser("orthanc", "orthanc"); @@ -882,11 +886,6 @@ << "check the value of configuration option \"RegisteredUsers\""; } } - else - { - // This setup is secure - context.SetDefaultUser(false); - } if (lock.GetConfiguration().GetBooleanParameter("SslEnabled", false)) {
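Review bot: The default-user branch in the third hunk lowers the log from `LOG(ERROR)` to `LOG(WARNING)` while the message still says the setup is INSECURE, so operators who alert on ERROR-level lines lose a signal they had before; the explicitly-disabled-authentication case in the first hunk also stays at WARNING. If the intent is that both conditions share one severity, ERROR for both matches the wording better than WARNING for both: keep `LOG(ERROR)` in the default-user branch and raise the other to `LOG(ERROR) << "====> Remote access is enabled while user authentication is explicitly disabled, "`. Nothing in these hunks clears the flag on the basis of `SslEnabled` (the check that follows the last hunk), so `IsHttpServerSecure` effectively means "authentication is effective", which the `// Let's assume that the HTTP server is secure` comment could state to avoid over-reading. The enclosing function starts and ends outside these hunks.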