Authorisation web service and the AC_AUTHENTICATION_ENABLED variable

Hi,

Is it possible to set up the Orthanc Server such that all normal web users are authorised using the AC_AUTHENTICATION_ENABLED mechanism and all REST API calls are authorised using the web service specified by the AUTHZ__WEBSERVICE variable? I would like it so that if the user has authenticated using the basic HTTP authentication then they can access all the information but if the request comes via the REST API then it uses the web service to authenticate.

If so, what do I need to specify in the AUTHZ_UNCHECKED_FOLDERS and AUTHZ_UNCHECKED_RESOURCES variables?

Thanks
Steve

Hello,

The “advanced authorization plugin” has been deprecated in favor of Python plugins:
https://book.orthanc-server.com/plugins/authorization.html

You can find a full example of a Python plugin that calls a Web service in order to authorize accesses in the Orthanc Book:
https://book.orthanc-server.com/plugins/python.html#python-authorization

In your specific case, you would register each “normal Web user” within the “RegisteredUsers” configuration option of Orthanc. You would then add a “virtual” user dedicated to make the accesses to the REST API, also in the “RegisteredUsers” option. Your full configuration would look like:

{
  "Plugins" : [ "." ],
  "PythonScript" : "authorization.py",
  "AuthenticationEnabled" : true,
  "RegisteredUsers" : {
    "alice" : "mypassword",
    "rest" : "rest"
  }
}

The “authorization.py” Python plugin could then look as follows:

import base64
import orthanc
import requests

def Filter(uri, **request):
    print('User trying to access URI: %s' % uri)

    headers = request.get('headers')
    if headers is not None:
        authorization = headers.get('authorization')
        if (authorization is not None and
            authorization.startswith('Basic ')):
            # b64decode() returns bytes in Python 3, so decode before splitting
            credentials = base64.b64decode(authorization[6:]).decode('utf-8')
            username = credentials.split(':')[0]
            if username == 'rest':
                # Call the Web service only if user is "rest"
                r = requests.post('http://localhost:8000/', {
                    'username' : username,
                    # Add other information from the "request" variable
                })
                return r.json()['granted']

    return True  # Always grant access to "normal Web users"

orthanc.RegisterIncomingHttpRequestFilter(Filter)

HTH,
Sébastien-
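
The other side of the exchange described above, as an added example that is not part of the reply or of the Orthanc project: a small Web service that accepts the plugin's form-encoded POST on localhost:8000 and answers with the "granted" JSON field the plugin reads. The "uri" and "method" fields, the prefix list and the read-only policy are assumptions (the plugin above only sends "username"); the service denies by default.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Hypothetical policy: URI prefixes the "rest" account may read.
ALLOWED_PREFIXES = ('/patients', '/studies', '/series', '/instances')

def decide(form):
    """Return True only for read-only access by "rest" to an allowed URI."""
    if form.get('username') != 'rest':
        return False
    if form.get('method') != 'GET':   # assumed field; anything else is denied
        return False
    uri = form.get('uri', '')         # assumed field forwarded by the plugin
    if '..' in uri:                   # refuse path tricks instead of normalising
        return False
    return any(uri == p or uri.startswith(p + '/') for p in ALLOWED_PREFIXES)

def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    fields = parse_qs(body.decode('utf-8', errors='replace'))
    # Keep only fields given exactly once, so duplicated parameters are dropped
    return {k: v[0] for k, v in fields.items() if len(v) == 1}

class AuthzHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get('Content-Length', 0))
            body = self.rfile.read(max(0, min(length, 4096)))
            granted = decide(parse_form(body))
        except Exception:
            granted = False           # fail closed on malformed input
        payload = json.dumps({'granted': granted}).encode('utf-8')
        self.send_response(200)
        self.send_header('Content-Type', 'application/json')
        self.send_header('Content-Length', str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):
        pass                          # silence the default stderr access log

def make_server(port=8000):
    return HTTPServer(('127.0.0.1', port), AuthzHandler)

if __name__ == '__main__':
    make_server().serve_forever()
```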