Cannot disable Basic Auth
Describe the bug
Setting security.basic.enabled to "false" does not disable Basic Authentication
Environment
Which version of LinuxForHealth FHIR Server?
Docker image ghcr.io/linuxforhealth/fhir-server:5.0.0-rc2
To Reproduce
Steps to reproduce the behavior:
Use the following fhir-server-config.json
{
  "__comment": "FHIR Server configuration",
  "fhirServer": {
    "core": {
      "tenantIdHeaderName": "X-FHIR-TENANT-ID",
      "datastoreIdHeaderName": "X-FHIR-DSID",
      "originalRequestUriHeaderName": "X-FHIR-FORWARDED-URL",
      "checkReferenceTypes": true,
      "conditionalDeleteMaxNumber": 10,
      "__comment": "The Server Registry Resource Provider is a server-wide setting. The default is false, and the CI changes to true in the build and test.",
      "serverRegistryResourceProviderEnabled": false,
      "disabledOperations": ""
    },
    "security": {
      "cors": true,
      "basic": {
        "enabled": false
      },
      "certificates": {
        "enabled": false
      },
      "oauth": {
        "enabled": false,
        "regUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/registration",
        "authUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/authorize",
        "tokenUrl": "https://<host>:9443/oauth2/endpoint/oauth2-provider/token",
        "openEhrUrl": "https://<host>:9443/endpoint/open-ehr",
        "smart": {
          "enabled": true,
          "scopes": [
            "openid",
            "profile",
            "fhirUser",
            "launch/patient",
            "patient/*.*",
            "offline_access"
          ],
          "openehr": {
            "openEhrUrl": "https://<host>:9443/endpoint/open-ehr/url/test"
          },
          "capabilities": [
            "sso-openid-connect",
            "launch-standalone",
            "client-public",
            "client-confidential-symmetric",
            "permission-offline",
            "context-standalone-patient",
            "permission-patient"
          ]
        }
      }
    },
    "audit": {
      "serviceClassName": "org.linuxforhealth.fhir.audit.impl.NopService",
      "serviceProperties": {}
    },
    "persistence": {
      "factoryClassname": "org.linuxforhealth.fhir.persistence.jdbc.FHIRPersistenceJDBCFactory",
      "common": {
        "__comment": "Configuration properties common to all persistence layer implementations",
        "updateCreateEnabled": true
      },
      "jdbc": {
        "__comment": "Configuration properties for the JDBC persistence implementation",
        "enableCodeSystemsCache": true,
        "enableParameterNamesCache": true,
        "enableResourceTypesCache": true
      },
      "datasources": {
        "default": {
          "type": "postgresql",
          "currentSchema": "fhirdata",
          "jndiName": "jdbc/fhir_default_default",
          "searchOptimizerOptions": {
            "from_collapse_limit": 12,
            "join_collapse_limit": 12
          }
        }
      }
    },
    "term": {
      "remoteTermServiceProviders": [{
        "__comment": "Configuration for public SNOMED-CT endpoint",
        "enabled": true,
        "base": "https://snowstorm-fhir.snomedtools.org/fhir",
        "supports": [{
          "system": "http://snomed.info/sct"
        }]
      }]
    },
    "operations": {
      "erase": {
        "enabled": true,
        "allowedRoles": ["FHIROperationAdmin", "FHIRUsers"]
      }
    }
  }
}
Enabled the HTTP endpoint on port 8080 in server.xml.
A GET request on http://localhost:8080/fhir-server/api/v4/Patient requires basic authentication; it fails with 401 without it.
Expected behavior
200 OK
Thanks @sidharthramesh, we need to beef up our documentation here. The fhir-server-config.json security section is more about advertising what security is enabled (e.g. for building the server's CapabilityStatement, which is hosted from the /metadata endpoint).
One reason for this to be disconnected from the actual enforcement on the server is that oftentimes we'll use a gateway in front of the server, so, for example, you might have OAuth enforced at that level but you still want the server to say it's secured by OAuth.
To actually disable basic auth you can add the linked snippet under configDropins/overrides: https://github.com/LinuxForHealth/FHIR/issues/1020#issuecomment-1086238043
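Because the config section only advertises security while server.xml enforces it, the two can drift apart in either direction: a scheme that is enforced but not declared in the CapabilityStatement (this issue), or one that is declared but not enforced at the server (acceptable behind a gateway, dangerous when the server is reached directly). The following Python check is an added example, not code from the issue or from the LinuxForHealth FHIR project. It reads the CapabilityStatement from /metadata, makes one unauthenticated GET on /Patient, and classifies the result. It assumes the CapabilityStatement lists schemes under rest[].security.service with the HL7 restful-security-service codes "Basic" and "OAuth", that /metadata itself is reachable without credentials, and that a rejected probe carries a WWW-Authenticate header; the sample CapabilityStatement and 401 response embedded at the bottom are constructed to mirror this report.

```python
"""Compare the security a FHIR server advertises with the security it enforces.

Added example, not part of the LinuxForHealth FHIR project. Assumptions:
- the CapabilityStatement served from /metadata lists schemes under
  rest[].security.service using the HL7 restful-security-service codes
  "Basic" and "OAuth";
- /metadata is reachable without credentials;
- a rejected unauthenticated probe carries a WWW-Authenticate header.
"""
import json
import urllib.error
import urllib.request

BASIC_CODE = "Basic"   # HL7 restful-security-service code for HTTP Basic
OAUTH_CODE = "OAuth"   # HL7 restful-security-service code for OAuth bearer tokens


def advertised_schemes(capability_statement):
    """Collect the security service codes the CapabilityStatement advertises."""
    codes = set()
    for rest in capability_statement.get("rest", []):
        for service in rest.get("security", {}).get("service", []):
            for coding in service.get("coding", []):
                if "code" in coding:
                    codes.add(coding["code"])
    return codes


def enforced_scheme(status, www_authenticate):
    """Infer the enforced scheme from an unauthenticated probe's status and challenge.

    Returns None when the request succeeded (nothing enforced at the server),
    a scheme code when a recognizable challenge came back, or "Other" for any
    other rejection.
    """
    challenge = (www_authenticate or "").strip().lower()
    if status == 200:
        return None
    if status in (401, 403) and challenge.startswith("basic"):
        return BASIC_CODE
    if status in (401, 403) and challenge.startswith("bearer"):
        return OAUTH_CODE
    return "Other"


def classify(advertised, enforced):
    """Label the relationship between advertised and enforced security."""
    if enforced is None:
        return "advertised-but-not-enforced" if advertised else "consistent: open"
    if enforced in advertised:
        return "consistent: " + enforced
    return "enforced-but-not-advertised: " + enforced


def probe(base_url, timeout=5):
    """Fetch /metadata, then do one unauthenticated GET on /Patient (network call).

    base_url is the FHIR base, e.g. http://localhost:8080/fhir-server/api/v4.
    """
    with urllib.request.urlopen(base_url + "/metadata", timeout=timeout) as resp:
        capability_statement = json.load(resp)
    try:
        with urllib.request.urlopen(base_url + "/Patient?_count=1", timeout=timeout) as resp:
            status, challenge = resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        status, challenge = err.code, err.headers.get("WWW-Authenticate")
    return classify(advertised_schemes(capability_statement),
                    enforced_scheme(status, challenge))


# Constructed sample mirroring this issue: the config says basic is disabled, so
# the CapabilityStatement advertises no service, yet the server still challenges.
SAMPLE_CAPABILITY_STATEMENT = {
    "resourceType": "CapabilityStatement",
    "rest": [{"mode": "server", "security": {"cors": True}}],
}
SAMPLE_STATUS = 401
SAMPLE_CHALLENGE = 'Basic realm="default"'


def check_sample():
    """Run the comparison on the constructed sample instead of a live server."""
    return classify(advertised_schemes(SAMPLE_CAPABILITY_STATEMENT),
                    enforced_scheme(SAMPLE_STATUS, SAMPLE_CHALLENGE))


if __name__ == "__main__":
    print(check_sample())  # enforced-but-not-advertised: Basic
```

Run probe() against the server's base URL after changing either the config or the configDropins override, and keep the result in your deployment checks: "advertised-but-not-enforced" is the case to watch once the server is exposed without the gateway that was supposed to do the enforcing.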