Authorization Plugin and DicomWeb

Google Groups archive
1

Hi,

I am wondering if the Authorization Plugin works together with Dicom Web.

I am starting an Orthanc like this:

docker run -p 8042:8042 -e ORTHANC__DICOM_WEB__ENABLE=true -e ORTHANC__DICOM_WEB__ROOT=/dicom-web/ -e ORTHANC__DICOM_WEB__ENABLE_WADO=true -e ORTHANC__DICOM_WEB__WADO_ROOT=/wado -e ORTHANC__AUTHENTICATION_ENABLED=false -e VERBOSE_ENABLED=true -e AUTHORIZATION_PLUGIN_ENABLED=true -e ORTHANC__AUTHORIZATION=‘{ “WebService” : “http://host.docker.internal:5080/api/v1/orthanc-auth”, “TokenGetArguments” : [ “user” ], “TokenHttpHeaders” : [ “token”, “auth-token”, “authorization” ], “UncheckedResources” : [ “/plugins/explorer.js”, “/system” ], “UncheckedLevels” : [ “system” ]}’ osimis/orthanc:latest

When I do normal call e.g. on
http://localhost:8042/instances/cb410da2-95d4cb28-dca00e2b-e5ada931-6ca114b4
the Authorization Plugin works, it jumps into my code and I can verify the token.

However, on
http://localhost:8042/wado?objectUID=1.2.276.0.50.192168001099.8252157.14547392.157&requestType=WADO
I just get 200 with the image:

How can I configure the Authorization Plugin so that it also secures my Dicom Web requests?

Regards,
Felix

Desktop-screenshot.png

2

I found it out myself, it worked after removing:
“UncheckedResources” : [ “/plugins/explorer.js”, “/system” ], “UncheckedLevels” : [ “system” ]}
Don’t understand why though…

3

Strange, WADO is treated as system call.
But I need the DicomUID in my token verification. Is there any way to configure the Authorization Plugin so that the WADO call also gives the StudyInstanceUid?

4

Hello,

Strange, WADO is treated as system call.

All the callbacks registered by Orthanc plugins are considered as system calls, because Orthanc cannot know anything about the internals of the plugins that extend its core.

But I need the DicomUID in my token verification. Is there any way to configure the Authorization Plugin so that the WADO call also gives the StudyInstanceUid?

Your Web service for authorization should make a reverse call to “/tools/lookup” URI in the REST API of Orthanc to identify the DICOM instance given its SOP Instance UID, then query its parent study.

For instance, if “1.3.46.670589.11.0.0.11.4.2.0.8743.5.5396.2006120114290050504” is the SOP Instance UID that is queried by WADO, here is a sequence of 2 calls to find the Study Instance UID of this instance:

$ curl https://demo.orthanc-server.com/tools/lookup -d ‘1.3.46.670589.11.0.0.11.4.2.0.8743.5.5396.2006120114290050504’
[
{
“ID” : “e5dca4e6-df508be3-33c2e526-386ca449-101f5a04”,
“Path” : “/instances/e5dca4e6-df508be3-33c2e526-386ca449-101f5a04”,
“Type” : “Instance”
}
]

$ curl -s https://demo.orthanc-server.com/**instances/e5dca4e6-df508be3-33c2e526-386ca449-101f5a04**/study | grep StudyInstanceUID
“StudyInstanceUID” : “2.16.840.1.113669.632.20.1211.10000357775”,

Sébastien-

5

Hello Sebastian, thanks for your reply.

However as you can see on the picture, we don’t have any UID, not even the InstanceUID in the object returned by the Authorization Plugin.
I was testing with the following call: http://localhost:8042/wado?objectUID=1.2.276.0.50.192168001099.8252157.14547392.157&requestType=WADO

The Uri field returned by the Authorization Plugin just gives “/wado”, but not the query parameters after which we would need…

Regards

MicrosoftTeams-image (16).png

6

OK, I understand. You mean that what follows the “?” in your URI is not transmitted to the authentication Web service.

This means that the authentication plugin is not suitable for your use case, and that you must create a C/C++ plugin by yourself that would implement the filtering. Check out “OrthancPluginRegisterIncomingHttpRequestFilter2()”:
https://sdk.orthanc-server.com/group__Callbacks.html#ga49e34b40e43b222031540ea305246e3f

https://book.orthanc-server.com/developers/creating-plugins.html