Daniel,

Note that this (and similar) password solutions in Galaxy is not secure in any 
real way (especially if you're dealing with patient data or HIPPA):

The password (hidden or visible in a text field) is still transmitted in 
clear-text over the network (unless you're using HTTPS/SSL).
If your users are connecting over WiFi (and the wireless network is not 
encrypted) - it's very easy to find the password.
The password will also be saved in clear-text in the Galaxy database, and will 
be saved in the galaxy log files (as it will be passed to the program on the 
command line).

Of course, depending on your configuration and requirements, this solution 
might suffice,
but be aware that it provides a false sense of security, basically protecting 
only against people standing behind the user's back and looking at his monitor.

Just my two cents,
 -gordon

Kanwei Li wrote, On 04/04/2011 12:34 PM:
> Well, it could be modified to never return a value back to the
> interface after being set. Would that be sufficient?
> 
> On Mon, Apr 4, 2011 at 11:46 AM, Daniel Schmidt <danielschmid...@gmx.net> 
> wrote:
>> Hello all!
>>
>> Thanks alot K! Although I have to admit, that it seems too insecure, at
>> least for the tool I am currently working on. The password field is needed
>> to connect to a database, which contains (sensitive) patient data. Revealing
>> the password to someone else by accident when re-running a job could give
>> him or her access to data he or she should have never access to.
>> In spite of everything, thank you again!
>>
>> Daniel
>>
>>
>> Am 04.04.2011 17:17, schrieb Kanwei Li:
>>>
>>> Hi Daniel,
>>>
>>> I have attached a patch that does this below. You can use it by
>>> setting<param type="password">  However the security is lacking as you
>>> can see the string when you try to re-run the job and view source. Is
>>> this sufficient for your purposes?
>>>
>>> Thanks,
>>>
>>> K
>>>
>>> On Sat, Apr 2, 2011 at 11:01 AM, Daniel Schmidt<danielschmid...@gmx.net>
>>>  wrote:
>>>>
>>>> Hi all!
>>>>
>>>> Is there any way to use password input fields ("<input
>>>> type="password"...")
>>>> with tools? A tools XML definition file only seems to support text and
>>>> textarea fields. I already tried setting a tools parameter type to
>>>> "password", which unfortunately results in an "Unknown tool parameter
>>>> type
>>>> 'password'". Trying "password="True"" (like "area="True"") does not
>>>> result
>>>> in an error, but the text field is still just a normal text field.
>>>> I may be mistaken, as I am new to Python and Galaxy, but there already
>>>> seems
>>>> to be a PasswordField class and a TextField class, which both can be
>>>> found
>>>> in several files. Was the PasswordField class for tool parameters maybe
>>>> disabled for a reason?
>>>>
>>>> Thanks!
>>>> Daniel
>>>> ___________________________________________________________
>>>> Please keep all replies on the list by using "reply all"
>>>> in your mail client.  To manage your subscriptions to this
>>>> and other Galaxy lists, please use the interface at:
>>>>
>>>>  http://lists.bx.psu.edu/
>>>>
>>
> 
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
> 
>   http://lists.bx.psu.edu/

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/

Reply via email to