LinuxForHealth / FHIR

The LinuxForHealth FHIR® Server and related projects
https://linuxforhealth.github.io/FHIR
Apache License 2.0

Cannot disable Basic Auth #4003

Open sidharthramesh opened 1 year ago

sidharthramesh commented 1 year ago

Describe the bug

Setting security.basic.enabled to "false" does not disable Basic Authentication.

Environment

Which version of LinuxForHealth FHIR Server? Docker image ghcr.io/linuxforhealth/fhir-server:5.0.0-rc2

To Reproduce

Steps to reproduce the behavior: use the following fhir-server-config.json

{
  "__comment": "FHIR Server configuration",
  "fhirServer": {
    "core": {
      "tenantIdHeaderName": "X-FHIR-TENANT-ID",
      "datastoreIdHeaderName": "X-FHIR-DSID",
      "originalRequestUriHeaderName": "X-FHIR-FORWARDED-URL",
      "checkReferenceTypes": true,
      "conditionalDeleteMaxNumber": 10,
      "__comment": "The Server Registry Resource Provider is a server-wide setting. The default is false, and the CI changes to true in the build and test.",
      "serverRegistryResourceProviderEnabled": false,
      "disabledOperations": ""
    },
    "security": {
      "cors": true,
      "basic": {
        "enabled": false
      },
      "certificates": {
        "enabled": false
      },
      "oauth": {
        "enabled": false,
        "regUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/registration",
        "authUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/authorize",
        "tokenUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/token",
        "openEhrUrl": "https://<host>:9443/endpoint/open-ehr",
        "smart": {
          "enabled": true,
          "scopes": [
            "openid",
            "profile",
            "fhirUser",
            "launch/patient",
            "patient/*.*",
            "offline_access"
          ],
          "openehr": {
            "openEhrUrl": "https://<host>:9443/endpoint/open-ehr/url/test"
          },
          "capabilities": [
            "sso-openid-connect",
            "launch-standalone",
            "client-public",
            "client-confidential-symmetric",
            "permission-offline",
            "context-standalone-patient",
            "permission-patient"
          ]
        }
      }
    },
    "audit": {
      "serviceClassName": "org.linuxforhealth.fhir.audit.impl.NopService",
      "serviceProperties": {}
    },
    "persistence": {
      "factoryClassname": "org.linuxforhealth.fhir.persistence.jdbc.FHIRPersistenceJDBCFactory",
      "common": {
        "__comment": "Configuration properties common to all persistence layer implementations",
        "updateCreateEnabled": true
      },
      "jdbc": {
        "__comment": "Configuration properties for the JDBC persistence implementation",
        "enableCodeSystemsCache": true,
        "enableParameterNamesCache": true,
        "enableResourceTypesCache": true
      },
      "datasources": {
        "default": {
          "type": "postgresql",
          "currentSchema": "fhirdata",
          "jndiName": "jdbc/fhir_default_default",
          "searchOptimizerOptions": {
            "from_collapse_limit": 12,
            "join_collapse_limit": 12
          }
        }
      }
    },
    "term": {
      "remoteTermServiceProviders": [{
        "__comment": "Configuration for public SNOMED-CT endpoint",
        "enabled": true,
        "base": "https://snowstorm-fhir.snomedtools.org/fhir",
        "supports": [{
            "system": "http://snomed.info/sct"
        }]
      }]
    },
    "operations": {
      "erase": {
        "enabled": true,
        "allowedRoles": ["FHIROperationAdmin", "FHIRUsers"]
      }
    }
  }
}

Enabled the HTTP endpoint on port 8080 in server.xml.

A GET request on http://localhost:8080/fhir-server/api/v4/Patient requires Basic Authentication; it fails with 401 without it.

Expected behavior

200 OK

lmsurpre commented 1 year ago

Thanks @sidharthramesh, we need to beef up our documentation here. The fhir-server-config.json security section is more about advertising what security is enabled (e.g. for building the server's CapabilityStatement, which is hosted from the /metadata endpoint).

One reason for this to be disconnected from the actual enforcement on the server is that oftentimes we'll use a gateway in front of the server and so, for example, you might have OAuth enforced at that level but you still want the server to say it's secured by OAuth.

To actually disable basic auth you can add the linked snippet under configDropins/overrides: https://github.com/LinuxForHealth/FHIR/issues/1020#issuecomment-1086238043
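The distinction the maintainer draws above (the config section describes what the server advertises, while enforcement lives in the Liberty configuration) is easy to get wrong in the other direction too, so it is worth checking. The script below is an added example, not code from the LinuxForHealth project or from either commenter: it reads the security section of a fhir-server-config.json, works out which mechanisms are advertised, and compares that with what one credential-less GET actually receives. The function names and the embedded sample config are constructed for this example. Send the probe along the same path real clients use, since a gateway in front of the server may be the component enforcing what the server only advertises; a TLS client-certificate requirement cannot be observed by an HTTP status, so "certificates" is deliberately left out of the comparison.

```python
import json
from urllib import error, request

# Constructed excerpt of a fhir-server-config.json with the same security
# section as the one posted in this issue (everything advertised as disabled).
SAMPLE_CONFIG = json.loads("""
{
  "fhirServer": {
    "security": {
      "cors": true,
      "basic": {"enabled": false},
      "certificates": {"enabled": false},
      "oauth": {"enabled": false}
    }
  }
}
""")

MECHANISMS = ("basic", "certificates", "oauth")


def advertised_mechanisms(config):
    """Mechanisms the config *advertises* (what feeds the CapabilityStatement).

    Per the maintainer's comment this is descriptive only; it does not turn
    enforcement on or off in the server itself.
    """
    security = config.get("fhirServer", {}).get("security", {})
    return {m for m in MECHANISMS if security.get(m, {}).get("enabled") is True}


def enforced_mechanisms(status, headers):
    """Infer what was actually enforced from one unauthenticated probe.

    A 401 with a WWW-Authenticate challenge names the scheme(s); a 401 without
    one is recorded as "unknown". Any other status means the request was not
    challenged (a 200 means it went through without credentials).
    """
    if status != 401:
        return set()
    lower = {k.lower(): v for k, v in headers.items()}
    challenge = lower.get("www-authenticate", "")
    # A plain split on "," is enough for challenges such as
    #   Basic realm="default", Bearer realm="fhir"
    # (realm values that themselves contain commas are not handled here).
    schemes = {part.strip().split(" ")[0].lower()
               for part in challenge.split(",") if part.strip()}
    enforced = set()
    if "basic" in schemes:
        enforced.add("basic")
    if "bearer" in schemes:
        enforced.add("oauth")
    if not enforced:
        enforced.add("unknown")
    return enforced


def drift(config, status, headers):
    """List discrepancies between advertised and enforced authentication."""
    # Client-certificate enforcement happens at the TLS layer and cannot be
    # seen in an HTTP status, so it is excluded from the comparison.
    advertised = advertised_mechanisms(config) - {"certificates"}
    enforced = enforced_mechanisms(status, headers)
    findings = []
    for m in sorted(enforced - advertised):
        findings.append(f"enforced but not advertised: {m}")
    for m in sorted(advertised - enforced):
        findings.append(f"advertised but not enforced: {m}")
    return findings


def probe(url):
    """Send one credential-less GET and return (status, headers).

    urllib raises on 4xx/5xx responses, so the error response is unwrapped.
    """
    req = request.Request(url, headers={"Accept": "application/fhir+json"})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except error.HTTPError as exc:
        return exc.code, dict(exc.headers)


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name):
    #   python check_auth_drift.py fhir-server-config.json \
    #       http://localhost:8080/fhir-server/api/v4/Patient
    config_path, url = sys.argv[1], sys.argv[2]
    with open(config_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    status, headers = probe(url)
    print(f"{url} -> {status}")
    for line in drift(cfg, status, headers) or ["advertised and enforced authentication agree"]:
        print(line)
```

Run against the configuration in this issue, the reporter's observation (a 401 with a Basic challenge on the Patient endpoint) is reported as "enforced but not advertised: basic", which is exactly the situation described: the server still challenges for Basic Authentication while its CapabilityStatement claims no security at all. The opposite finding, "advertised but not enforced", is the one a defender should treat as urgent when the probe was sent along the same path clients use, because it means the CapabilityStatement promises protection the deployment does not actually apply.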