Is this possible to pass Authorization via Bearer than Basic in Authorization header ?

Hi Authors,
I want to secure Orthanc more strictly by using Bearer token other than using Basic. I want to use the Bearer in Authorization Header, but Orthanc seems to use that Header for only basic. Of course I can use another header to pass the bearer, but that seems does not look naturally according to the Http standards. I saw in the source code

class MyIncomingHttpRequestFilter : public IIncomingHttpRequestFilter
{
private:
ServerContext& context_;
OrthancPlugins* plugins_;

public:
MyIncomingHttpRequestFilter(ServerContext& context,
OrthancPlugins* plugins) :
context_(context),
plugins_(plugins)
{
}

virtual bool IsValidBearerToken(const std::string& token) ORTHANC_OVERRIDE
{
#if ORTHANC_ENABLE_PLUGINS == 1
return (plugins_ != NULL &&
plugins_->IsValidAuthorizationToken(token));
#else
return false;
#endif
}

It seems that there is a solution for developing plugin that return true in callback IsValidAuthorizationToken. But I did not find in the SDK. Can you please help to point out what is the callback I can develop ?

Thanks,
Chirs

Hello,

You are looking for the “OrthancPluginRegisterIncomingHttpRequestFilter2()” function in the C SDK:

https://sdk.orthanc-server.com/group__Callbacks.html#ga49e34b40e43b222031540ea305246e3f

This primitive is also available for Python plugins:

https://book.orthanc-server.com/plugins/python.html#forbid-or-allow-access-to-rest-resources-authorization-new-in-3-0

HTH,

Sébastien-

Hi Sebastien,

I tried with “OrthancPluginRegisterIncomingHttpRequestFilter2()” function in the C SDK, with the following definition

int32_t testFilter(OrthancPluginHttpMethod method,
const char *uri,
const char *ip,
uint32_t headersCount,
const char *const *headersKeys,
const char *const *headersValues,
uint32_t getArgumentsCount,
const char *const *getArgumentsKeys,
const char *const *getArgumentsValues)
{
return 1; // Allow all requests
}

OrthancPluginRegisterIncomingHttpRequestFilter2(context, testFilter);

But the Orthanc still denied the request with my Bearer. Here are the detailed logs, but seems no evidents

I0916 11:28:02.207437 DicomServer.cpp:132] (dicom) Setting timeout for DICOM connections if Orthanc acts as SCP (server): 30 seconds (0 = no timeout)
I0916 11:28:02.207396 JobsEngine.cpp:125] (jobs) Worker thread 0 has started
I0916 11:28:02.207554 DicomServer.cpp:420] (dicom) Orthanc SCP will not use DICOM TLS
W0916 11:28:02.207650 main.cpp:1249] DICOM server listening with AET ORTHANC on port: 4242
I0916 11:28:02.207680 HttpServer.cpp:1579] (http) This Orthanc server uses CivetWeb as its embedded HTTP server
I0916 11:28:02.207691 HttpServer.cpp:2068] (http) The embedded HTTP server will use 50 threads
I0916 11:28:02.207706 HttpServer.cpp:1928] (http) HTTP keep alive is enabled
W0916 11:28:02.207716 HttpServer.cpp:1992] HTTP compression is enabled
I0916 11:28:02.207726 HttpServer.cpp:2081] (http) TCP_NODELAY for the HTTP sockets is set to true
I0916 11:28:02.207736 HttpServer.cpp:2101] (http) Request timeout in the HTTP server is set to 30 seconds
W0916 11:28:02.207748 main.cpp:1010] Remote access is allowed but “AuthenticationEnabled” is not in the configuration, automatically enabling HTTP authentication for security
W0916 11:28:02.207758 main.cpp:1036] ====> HTTP authentication is enabled, but no user is declared. Creating a default user: Review your configuration option “RegisteredUsers”. Your setup is INSECURE <====
I0916 11:28:02.207773 main.cpp:1113] Version of Lua: Lua 5.3
W0916 11:28:02.207783 main.cpp:1124] Remote LUA script execution is disabled
I0916 11:28:02.207806 HttpServer.cpp:2148] (http) Branching WebDAV bucket at: /webdav
I0916 11:28:02.207817 HttpServer.cpp:1624] (http) Starting embedded Web server using Civetweb
I0916 11:28:02.208571 OrthancWebDav.cpp:1705] Starting the WebDAV upload thread
W0916 11:28:02.208606 HttpServer.cpp:1769] HTTP server listening on port: 8042 (HTTPS encryption is disabled, remote access is allowed)
W0916 11:28:02.208634 main.cpp:876] Orthanc has started
I0916 11:28:02.208640 LuaScripting.cpp:841] Starting the Lua engine
I0916 11:28:02.208714 DicomServer.cpp:63] (dicom) DICOM server started

40.png

Hello,

As indicated in the logs, you have to explicitly set “AuthenticationEnabled” to “false”, otherwise HTTP basic access authentication is automatically turned on for security reasons:

W0916 11:28:02.207748 main.cpp:1010] Remote access is allowed but “AuthenticationEnabled” is not in the configuration, automatically enabling HTTP authentication for security

Sébastien-

Thanks Sebatien a lots, it works with explicitly set “AuthenticationEnabled” to “false”

And also for those who encounter such this problem, here is my minimal configuration

{
“Plugins” : [
“.”
],
“RemoteAccessAllowed” : true,
“AuthenticationEnabled”: false
}

Should add RemoteAccessAllowed to true