Hi Authors,
I want to secure Orthanc more strictly by using a Bearer token rather than Basic. I want to use the Bearer token in the Authorization header, but Orthanc seems to use that header only for Basic. Of course I can use another header to pass the bearer token, but that does not seem natural according to the HTTP standards. I saw in the source code:
class MyIncomingHttpRequestFilter : public IIncomingHttpRequestFilter
{
private:
  ServerContext& context_;
  OrthancPlugins* plugins_;
  // ... (rest of the class not quoted in the post)
};
It seems that there is a solution for developing a plugin that returns true in the callback IsValidAuthorizationToken. But I did not find it in the SDK. Can you please point out which callback I can develop?
But Orthanc still denied the request with my Bearer token. Here are the detailed logs, but there seems to be no evidence:
I0916 11:28:02.207437 DicomServer.cpp:132] (dicom) Setting timeout for DICOM connections if Orthanc acts as SCP (server): 30 seconds (0 = no timeout)
I0916 11:28:02.207396 JobsEngine.cpp:125] (jobs) Worker thread 0 has started
I0916 11:28:02.207554 DicomServer.cpp:420] (dicom) Orthanc SCP will not use DICOM TLS
W0916 11:28:02.207650 main.cpp:1249] DICOM server listening with AET ORTHANC on port: 4242
I0916 11:28:02.207680 HttpServer.cpp:1579] (http) This Orthanc server uses CivetWeb as its embedded HTTP server
I0916 11:28:02.207691 HttpServer.cpp:2068] (http) The embedded HTTP server will use 50 threads
I0916 11:28:02.207706 HttpServer.cpp:1928] (http) HTTP keep alive is enabled
W0916 11:28:02.207716 HttpServer.cpp:1992] HTTP compression is enabled
I0916 11:28:02.207726 HttpServer.cpp:2081] (http) TCP_NODELAY for the HTTP sockets is set to true
I0916 11:28:02.207736 HttpServer.cpp:2101] (http) Request timeout in the HTTP server is set to 30 seconds
W0916 11:28:02.207748 main.cpp:1010] Remote access is allowed but “AuthenticationEnabled” is not in the configuration, automatically enabling HTTP authentication for security
W0916 11:28:02.207758 main.cpp:1036] ====> HTTP authentication is enabled, but no user is declared. Creating a default user: Review your configuration option “RegisteredUsers”. Your setup is INSECURE <====
I0916 11:28:02.207773 main.cpp:1113] Version of Lua: Lua 5.3
W0916 11:28:02.207783 main.cpp:1124] Remote LUA script execution is disabled
I0916 11:28:02.207806 HttpServer.cpp:2148] (http) Branching WebDAV bucket at: /webdav
I0916 11:28:02.207817 HttpServer.cpp:1624] (http) Starting embedded Web server using Civetweb
I0916 11:28:02.208571 OrthancWebDav.cpp:1705] Starting the WebDAV upload thread
W0916 11:28:02.208606 HttpServer.cpp:1769] HTTP server listening on port: 8042 (HTTPS encryption is disabled, remote access is allowed)
W0916 11:28:02.208634 main.cpp:876] Orthanc has started
I0916 11:28:02.208640 LuaScripting.cpp:841] Starting the Lua engine
I0916 11:28:02.208714 DicomServer.cpp:63] (dicom) DICOM server started
As indicated in the logs, you have to explicitly set “AuthenticationEnabled” to “false”, otherwise HTTP basic access authentication is automatically turned on for security reasons:
W0916 11:28:02.207748 main.cpp:1010] Remote access is allowed but “AuthenticationEnabled” is not in the configuration, automatically enabling HTTP authentication for security
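Once "AuthenticationEnabled" is set to false in the Orthanc configuration, the built-in Basic check no longer rejects a request that carries "Authorization: Bearer ...", and an incoming-HTTP-request filter registered by a plugin becomes the only gate in front of the REST API. The following is an added example of such a filter written for the Orthanc Python plugin; it is not code from the Orthanc project or from this thread. It assumes that the Python plugin exposes orthanc.RegisterIncomingHttpRequestFilter(callback) with callback(uri, **request) receiving request["headers"] as a dict and returning True to allow or False to forbid, and that orthanc.LogWarning exists (both recalled from the Python plugin documentation, so treat them as assumptions to verify against your Orthanc version); the accepted tokens are constructed sample values loaded from an environment variable.

```python
"""Bearer-token gate for the Orthanc REST API as an Orthanc Python plugin.

Added example, not part of the Orthanc project. Assumptions (verify against
your Orthanc version):
  * Orthanc runs with "AuthenticationEnabled": false, so its own Basic-auth
    check does not reject "Authorization: Bearer ..." requests first;
  * orthanc.RegisterIncomingHttpRequestFilter(callback) exists, and callback
    (uri, **request) gets request["headers"] as a dict, returning True/False;
  * orthanc.LogWarning(message) exists for logging from a plugin.
"""
import hmac
import os

try:
    import orthanc  # only importable inside Orthanc's Python plugin
except ImportError:
    orthanc = None

# Constructed sample token; in a deployment load the real value from a secret
# store. The fallback literal is a placeholder, not a recommended secret.
VALID_TOKENS = {
    os.environ.get("ORTHANC_BEARER_TOKEN", "example-token-change-me"),
}


def extract_bearer_token(headers):
    """Return the token of an 'Authorization: Bearer <token>' header, else None.

    Header names are matched case-insensitively (Orthanc lowercases them, but
    stay defensive), the scheme is compared case-insensitively as RFC 7235
    allows, and only 'Bearer' followed by exactly one non-empty token is
    accepted; Basic credentials or a malformed value yield None.
    """
    for name, value in headers.items():
        if name.lower() != "authorization":
            continue
        parts = value.split()
        if len(parts) != 2 or parts[0].lower() != "bearer":
            return None
        return parts[1]
    return None


def is_request_allowed(headers, valid_tokens=VALID_TOKENS):
    """Fail closed: allow only when the presented token matches a known one.

    hmac.compare_digest keeps each comparison constant-time, so the token
    cannot be recovered byte by byte from response timing.
    """
    presented = extract_bearer_token(headers)
    if presented is None:
        return False
    return any(hmac.compare_digest(presented.encode(), t.encode())
               for t in valid_tokens)


def filter_incoming_request(uri, **request):
    """Callback for Orthanc: True lets the request through, False rejects it."""
    allowed = is_request_allowed(request.get("headers", {}))
    if not allowed and orthanc is not None:
        orthanc.LogWarning("Rejected %s %s from %s: missing or invalid bearer token"
                           % (request.get("method"), uri, request.get("ip")))
    return allowed


if orthanc is not None:
    orthanc.RegisterIncomingHttpRequestFilter(filter_incoming_request)
```

Because the filter is now the sole check, it returns False whenever the header is absent or malformed rather than falling through to "allow". Note also that the logs above show "HTTPS encryption is disabled": a bearer token sent over plain HTTP can be read by anyone on the path and replayed, so terminate TLS in front of Orthanc (or enable it in Orthanc) before relying on this scheme.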