ome / omero-insight

Gradle project containing insight java client for OMERO
https://www.openmicroscopy.org/omero/
GNU General Public License v2.0

password imagej log #136

Closed jburel closed 4 years ago

jburel commented 4 years ago

https://forum.image.sc/t/opening-image-from-omero-in-imagej-creates-log-file-with-plain-text-password/38621

imagesc-bot commented 4 years ago

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/opening-image-from-omero-in-imagej-creates-log-file-with-plain-text-password/38621/3

dominikl commented 4 years ago

I'm not aware of any change in that respect either. I'll try to find out what's going on there.

dominikl commented 4 years ago

Can replicate the issue. Just before the Bioformats import dialog opens, a log window pops up displaying the login credentials. I turned the debug mode on to get some more information (creds replaced by xxx):

...
UI for displaying ROIS annotations not implemented yet!
Created new BrowseFacility
setKeyUp: -1
location=[OMERO] open=[omero:server=workshop.openmicroscopy.org
user=xxx
port=4064
pass=xxx
groupID=5
iid=49206] view=Hyperstack windowless=false crop=false 
runPlugIn: loci.plugins.LociImporter
runUserPlugIn: loci.plugins.LociImporter, arg=
Bio-Formats: parse core options
Bio-Formats: display option dialogs
Bio-Formats: loci.plugins.in.UpgradeDialog: prompt
Bio-Formats: loci.plugins.in.LocationDialog: skip
Bio-Formats: loci.plugins.in.IdDialog: skip
Bio-Formats: loci.plugins.in.MainDialog: prompt
GenericDialog font: false java.awt.Font[family=Dialog,name=Dialog,style=plain,size=12]
Created new ROIFacility
Created new DataManagerFacility
out> OmeroReader initializing omero:server=workshop.openmicroscopy.org
user=xxx
port=4064
pass=xxx
groupID=5
iid=49206

out> OmeroReader.initFile(omero:server=workshop.openmicroscopy.org
user=xxx
port=4064
pass=xxx
groupID=5
iid=49206)
...

Maybe it comes from the OmeroReader?

imagesc-bot commented 4 years ago

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/omero-imagej-plugin-shows-password-in-log-window/39114/2

joshmoore commented 4 years ago

@jburel @dominikl : https://github.com/ome/omero-insight/blob/master/src/main/java/org/openmicroscopy/shoola/env/ui/TaskBarManager.java#L358 looks to be the culprit:

            buffer.append("location=[OMERO] open=[omero:server=");
            buffer.append(lc.getServer().getHost());
            buffer.append("\nuser=");
            buffer.append(lc.getUser().getUsername());
            buffer.append("\nport=");
            buffer.append(lc.getServer().getPort());
            buffer.append("\npass=");
            buffer.append(lc.getUser().getPassword());
            buffer.append("\ngroupID=");
            buffer.append(ctx.getGroupID());
            buffer.append("\niid=");

jburel commented 4 years ago

I think it is elsewhere that it is written in the log. This is the way to pass info to the plugin. I am looking into the problem.

jburel commented 4 years ago

https://github.com/ome/omero-blitz/blob/master/src/main/java/loci/ome/io/OmeroReader.java#L223 is the source of the problem when using ImageJ in debug mode.

manerotoni commented 4 years ago

Just a question: Why is ImageJ seeing the password at all? ImageJ is calling omero-insight and I hope that omero-insight runs the communication of passwords using a secure and encrypted connection. Somehow the password seems to be exchanged as plain-text.

jburel commented 4 years ago

insight communicates with the server using a secure and encrypted connection. ImageJ does not use encryption to communicate with insight/Bio-Formats, passing online a single string with all the necessary parameters. Though it's important to not print this string, it's less of an issue since it stays within the local client. Passwords were not sent to the server in plaintext.

I have pushed a fix for review that will prevent the string from being logged locally. We will have a new version out as soon as possible.
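
One way to keep the secret out of debug output while the reader still receives the full string, as an added example (not the code from the fix, and not OMERO or Bio-Formats code). The class name `IdRedactor` and the host and credentials in the samples are assumptions; the id format is the newline-separated key=value layout shown in the log above, with no `\n` inside a value.

```java
import java.util.regex.Pattern;

public class IdRedactor {

    // Matches a whole "pass=..." line of the id string, with or without the
    // leading "omero:" scheme. UNIX_LINES makes '\n' the only line terminator,
    // the separator seen in the log above, so a '\r' inside a password cannot
    // cut the match short and leave the tail of the secret in the output.
    private static final Pattern PASS_LINE = Pattern.compile(
            "^((?:omero:)?pass=).*$",
            Pattern.MULTILINE | Pattern.UNIX_LINES);

    /** Returns a copy of the id string that is safe to write to a log. */
    static String redact(String id) {
        if (id == null) {
            return null;
        }
        return PASS_LINE.matcher(id).replaceAll("$1<redacted>");
    }

    public static void main(String[] args) {
        // Constructed samples; host, user and password are placeholders.
        String id = "omero:server=omero.example.org\nuser=alice\nport=4064\n"
                + "pass=s3cr=t\rtail\ngroupID=5\niid=49206";
        String macroArg = "location=[OMERO] open=[" + id
                + "] view=Hyperstack windowless=false crop=false";

        // Log only the redacted copies; pass the original string to the reader.
        System.out.println("OmeroReader initializing " + redact(id));
        System.out.println(redact(macroArg));

        // The secret must be gone and the neighbouring fields must survive.
        if (redact(id).contains("s3cr") || redact(macroArg).contains("tail")) {
            throw new AssertionError("password leaked into log output");
        }
        if (!redact(id).contains("\ngroupID=5\niid=49206")) {
            throw new AssertionError("non-secret fields were altered");
        }
    }
}
```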

imagesc-bot commented 4 years ago

This issue has been mentioned on Image.sc Forum. There might be relevant details there:

https://forum.image.sc/t/imagej-omero-plugins-shows-password-in-log-window/39864/1

jburel commented 4 years ago

https://github.com/ome/omero-insight/pull/137