Authorization plugin seems to forbide post /instances API

Hi there,

We may found a bug in the authorization plugin, we try to have a custom authorization only for the dicom web API, this last API will be the only one exposed to the internet while we want to keep other orthanc API “opened” for all user (as will be accessible only through a LAN)

we tried this configuration :

  "Authorization": {
    "WebServiceRootUrl": "http://orthanc-auth-service:8000/",
    "WebServiceUsername": "share-user",
    "WebServicePassword": "change-me",
    //    "CheckedLevel": "studies",
    "UncheckedLevels": [
      "system"
    ],
    "UncheckedFolders": [
      "/"
    ]
  },

Seems to work to access orthanc APIs but for some strange reason the POST call on /instances are always returned 403 and we don’t even see Orthanc trying to validate these request to the authorization backend.

Is there a specific protection for the instance creation endpoint ?

Best regards,

Salim

Hi Salim,

Actually, I think the documentation for UncheckedFolders was not clear. I have updated the text now:

UncheckedFolders specifies a list of root paths for which the authentication plugin is not triggered when receiving a GET request. This is actually mainly used to grant access to static resources e.g. HTML and JS resources from plugins like Orthanc Explorer 2.

So, in your system, all resources are accessible in GET which means /patients?expand as well which is maybe not something you expect since it provides patient information to everyone - I assume you are blocking the traffic by another mean.

With your configuration file, I can see that the POST /instances is being checked at “user permission level”:

I0126 15:05:37.349101           HTTP-0 HttpServer.cpp:1262] (http) GET /instances
I0126 15:05:45.123997           HTTP-1 HttpServer.cpp:1262] (http) POST /instances
I0126 15:05:45.124133           HTTP-1 PluginsManager.cpp:161] (plugins) Testing whether anonymous user has any of the required permissions 'all|upload'
I0126 15:05:45.124216           HTTP-1 PluginsManager.cpp:161] (plugins) Testing whether anonymous user has any of the required permissions 'all|upload' -> not granted

But it is not being checked if I configure the resource level validation only with this configuration:

"Authorization": {
    //"WebServiceRootUrl": "http://orthanc-auth-service:8000/",
    "WebServiceTokenValidationUrl" : "http://orthanc-auth-service:8000/tokens/validate",

It is not being checked because, the resource level validation are supposed to grant READ ONLY accesses e.g. when sharing a link to share a single study.

In your use case, as I understand it, you are trying to provide read only resource level authorization to the DICOMWeb interface (that is connected to the WAN) and user level authorization for LAN users and grant them full read/write access ?

For this scenario, I would strongly recommand running 2 Orthanc instances connected to the same DB and configure one for the WAN and one for the LAN. This makes things a lot easier to configure/understand/security check.

Hope this helps.

Alain.

Note: I will really try to improve the authorization plugin documentation …

1 Like

FYI, I have just completely reworked the documentation of this plugin.