AuthenticationEnabled & Lua Access Control not working

I have added following Lua Script

Hi Stephen,

I would recommend you to add a few print() statement to make sur your lua code is executed and it will help you understand how this works.

function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
– Only allow GET requests for non-admin users


if method == ‘GET’ then
return true
elseif username == ‘admin’ then
return true
return false

Yes, basic authentication is checked before calling the lua callback.
As soon as you have set AuthenticationEnabled: “true”, Orthanc will always check the Basic Auth first.

You can install a lua callback if AuthenticationEnabled is set to false but then, your username argument will be empty and you’ll have to check the httpHeaders yourself.

Hope this helps,


Thank you Alain to confirm that Orthanc calls Basic Auth first, making this code practically redundant. Your suggestion of httpHeaders sounds good.

Can you please give me an example on how to string.find / string.match the username through the httpHeaders ?

You should find str.find and str.match samples in these scripts:

Thank you. It helped.