Access control via Lua vs disabling authentication

Hi,
I’d like to run Orthanc on the web for teaching purposes. The goal is to

  1. embed the Stone web viewer on an HTML page such that no authentication is required to see a study.
  2. Secure the Orthanc web interface such that only staff (i.e. RegisteredUser) can upload and delete images
  3. Prevent deletion from unregistered users via API

This script from the documentation seems to do exactly what I want. However, I am confused about how to use it with the ORTHANC__AUTHENTICATION_ENABLED and ORTHANC__REMOTE_ACCESS_ALLOWED variables. From my understanding, I can set both values to true and still use the Stone Web Viewer without being asked for a username and password, is that correct? Because in practice, I am being asked for that when I access a study.

Best and thank you in advance
Chris

Hi,

ORTHANC__REMOTE_ACCESS_ALLOWED must be set to true anyway if you want Orthanc to be accessible from external computers.

Once you set ORTHANC__AUTHENTICATION_ENABLED to true, all resources, including e.g. the index.html page of the Stone viewer, are accessible only to registered users => you need to provide credentials in every case. Orthanc checks for a valid username/pwd in the registered users list before calling the Lua IncomingHttpRequestFilter function.

It’s actually difficult (or even impossible) to mix unauthenticated and authenticated access. There are a few options however:

  • use a reverse proxy in front of Orthanc that will inject authorization headers in the HTTP requests to Orthanc when the user is not authenticated → Orthanc will see it as an authenticated user.
  • use 2 Orthancs on the same DB: the “Admin” Orthanc is protected by registered users and the “Public” Orthanc has a Lua IncomingHttpRequestFilter that allows only GET requests.

HTH

Alain.
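As an added illustration of Alain’s second option (this is example code written for this thread, not a script from the Orthanc documentation or from either poster), here is the kind of Lua filter the “Public” Orthanc could load. It assumes that instance runs with ORTHANC__AUTHENTICATION_ENABLED set to false, so the filter is the only gate on what anonymous viewers can do; the “Admin” instance keeps authentication on and needs no such filter. The IncomingHttpRequestFilter signature is the one documented by Orthanc; the log line and the method list are choices made for this example.

```lua
-- Example Lua filter for the unauthenticated "Public" Orthanc instance
-- (added for this thread; not the project's own script).
-- Assumption: this instance has AuthenticationEnabled = false, so every
-- request reaching the REST API is anonymous and "username" is empty.
--
-- Orthanc calls this function for each incoming HTTP request and drops the
-- request with an HTTP 403 when the function returns false.

-- Read-only methods that a viewer needs. Anything else (POST uploads,
-- DELETE of studies, PUT of metadata) is refused on this instance.
local READ_ONLY_METHODS = {
  GET = true,
  HEAD = true,
}

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  if READ_ONLY_METHODS[method] then
    return true
  end

  -- Refused requests are logged so that attempts to modify the public
  -- instance show up in the Orthanc log for review.
  print('Public instance refused ' .. method .. ' ' .. uri .. ' from ' .. ip)
  return false
end
```

Load the script on the public instance only (for example via the "LuaScripts" configuration key), and keep the admin instance, with its registered users, on a separate port that is not exposed to the students. Because both instances share one database, deletions and uploads done through the admin instance are immediately visible through the public one. If the embedded viewer turns out to need a non-GET route, add that exact method/URI pair to the allow logic rather than widening the method list.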

Thank you for your helpful response, Alain.

Chris