Hi Salim,
Actually, I think the documentation for UncheckedFolders was not clear. I have updated the text now:
UncheckedFolders
specifies a list of root paths for which the authentication plugin is not triggered when receiving a GET request. This is actually mainly used to grant access to static resources e.g. HTML and JS resources from plugins like Orthanc Explorer 2.
So, in your system, all resources are accessible in GET, which means /patients?expand as well, which is maybe not something you expect since it provides patient information to everyone. I assume you are blocking the traffic by another means.
With your configuration file, I can see that the POST /instances is being checked at “user permission level”:
I0126 15:05:37.349101 HTTP-0 HttpServer.cpp:1262] (http) GET /instances
I0126 15:05:45.123997 HTTP-1 HttpServer.cpp:1262] (http) POST /instances
I0126 15:05:45.124133 HTTP-1 PluginsManager.cpp:161] (plugins) Testing whether anonymous user has any of the required permissions 'all|upload'
I0126 15:05:45.124216 HTTP-1 PluginsManager.cpp:161] (plugins) Testing whether anonymous user has any of the required permissions 'all|upload' -> not granted
But it is not being checked if I configure the resource level validation only with this configuration:
"Authorization": {
//"WebServiceRootUrl": "http://orthanc-auth-service:8000/",
"WebServiceTokenValidationUrl" : "http://orthanc-auth-service:8000/tokens/validate",
It is not being checked because the resource level validation is supposed to grant READ ONLY accesses, e.g. when sharing a link to a single study.
In your use case, as I understand it, you are trying to provide read only resource level authorization to the DICOMWeb interface (that is connected to the WAN) and user level authorization for LAN users and grant them full read/write access?
For this scenario, I would strongly recommend running 2 Orthanc instances connected to the same DB and configuring one for the WAN and one for the LAN. This makes things a lot easier to configure/understand/security check.
Hope this helps.
Alain.
Note: I will really try to improve the authorization plugin documentation …
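The point Alain makes about UncheckedFolders (a root of "/" lets every GET, including /patients?expand, bypass the authorization plugin, while POST /instances is still checked) is easy to get wrong in a config review. The script below is an added example, not part of this thread and not code from the Orthanc authorization plugin: it models the bypass rule as described above and lints a configuration for sensitive REST roots that a GET could reach without the plugin. The prefix-matching semantics, the list of sensitive roots and the "/ui/app/" and "/app/" static-asset paths are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configuration, modelled on the fragment quoted in the thread.
# An UncheckedFolders entry of "/" disables the plugin for every GET request.
CONFIG_ALL_UNCHECKED = json.loads("""
{
  "Authorization": {
    "WebServiceTokenValidationUrl": "http://orthanc-auth-service:8000/tokens/validate",
    "UncheckedFolders": ["/"]
  }
}
""")

# Constructed tighter configuration: only (assumed) static plugin asset paths are unchecked.
CONFIG_STATIC_ONLY = json.loads("""
{
  "Authorization": {
    "WebServiceTokenValidationUrl": "http://orthanc-auth-service:8000/tokens/validate",
    "UncheckedFolders": ["/ui/app/", "/app/"]
  }
}
""")

# Assumed list of REST roots that return patient metadata or pixel data via GET.
SENSITIVE_ROOTS = ("/patients", "/studies", "/series", "/instances", "/dicom-web")


def _normalise(path):
    # Drop the query string and any trailing slash so "/patients/" and
    # "/patients?expand" both compare as "/patients" (assumed semantics).
    p = urlsplit(path).path
    return p if p == "/" else p.rstrip("/")


def is_unchecked(config, method, path):
    """Model of the rule described in the thread: a GET whose path falls under
    an UncheckedFolders root skips the authorization plugin; any other method
    is always checked. Assumption: a root matches when the request path equals
    it or continues it after a '/' (so "/ui/app" does not cover "/ui/appx")."""
    if method.upper() != "GET":
        return False
    target = _normalise(path)
    roots = config.get("Authorization", {}).get("UncheckedFolders", [])
    for root in roots:
        r = _normalise(root)
        if r == "/" or target == r or target.startswith(r + "/"):
            return True
    return False


def exposed_roots(config):
    """Sensitive roots that an anonymous GET (e.g. /patients?expand) would reach
    without the plugin being consulted."""
    return [root for root in SENSITIVE_ROOTS
            if is_unchecked(config, "GET", root + "?expand")]


def lint(config):
    """Return a verdict for a configuration: ok is False when any sensitive
    root is reachable unchecked."""
    bad = exposed_roots(config)
    return {"ok": not bad, "exposed": bad}


if __name__ == "__main__":
    for name, cfg in (("all-unchecked", CONFIG_ALL_UNCHECKED),
                      ("static-only", CONFIG_STATIC_ONLY)):
        print(name, lint(cfg))
```

Run it against each instance's configuration before exposing the WAN-facing Orthanc: the first config reports every sensitive root as exposed, the second only exempts the static asset paths. The model only reproduces the GET bypass described in the thread; it says nothing about what the token validation itself grants once the plugin is consulted.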