[OPEN-ILS-GENERAL] [OPEN-ILS-DEV] browser client update for 2014-04-23

Bill Erickson berick at esilibrary.com
Thu May 1 17:32:32 EDT 2014


Hi John,

Comments inline...

On Thu, May 1, 2014 at 3:47 PM, John Morris <jmorris at beau.org> wrote:

> On Thu, 2014-05-01 at 09:18 -0400, Bill Erickson wrote:
>
> > JFYI, when all is said and done, it may be best to replace native Java
> > print dialog with a series of custom settings the user simply enters
> > directly into the browser print configuration interface.  Before we do
> > that, though, I'd like to settle on which exact settings we need to support
> > (which we have to do, regardless, for settings persistence).  IOW, if we
> > have to manage scaling externally (i.e. in the browser), there is an
> > argument for managing all of the settings directly within the browser.
>
> Ok, I haven't looked into the new web client yet so I'm probably about
> to say something really dumb.  But I have looked at and use web stuff in
> general and a thought occurred while reading this thread.
>
> I'm seeing one of three things:
>
> 1.  The web client isn't going to be as clean when printing patron
> tickets.  Currently it can silently print.  No pure HTML 5 solution can
> do that for reasons that should be fairly obvious: webpages can invoke
> the browser's print dialog via javascript but may not adjust settings or
> actually click the OK button.  I'm guessing this is why the interest in
> Java?
>

Correct.


>
> 2.  Java either CAN or CAN'T do the deed, either one of which is BAD.
> If it can't then the same problem exists.  And if it can it really must
> be reported as a security bug and thus will soon be fixed... hopefully
> before every dodgy scammer on the Internet finds the exploit.
>

What we're doing is not a hack nor is it a security exploit.

On the JavaScript side, we're using WebSockets to communicate with the Java
service.  WebSockets are allowed to attempt a connection to any host.  If
the host allows it, it's permitted by the browser.  This is just part of
the WebSockets specification.

The Java service is simply a small Java application which runs on the local
machine, not as a browser plugin, but as a standalone application.  Java,
like most languages (and unlike browsers), is free to do anything on the
desktop which the executing user can do.  It can write files, talk to
printers, etc.

The trick here is creating the Java application in such a way that the
browser can send and receive commands like it would when communicating with
any other server.  So, the Java application runs an embedded WebSockets
"server" (via Jetty) which accepts WebSockets connections directly from the
browser.

For Java security, the app has configurable trusted origin domains and
support for IP address black/white lists.  Jetty also has built-in
authentication mechanisms, which we may wish to investigate as well.


> Stackoverflow mentions that for Firefox you can manually set a config
> value that makes all printing silent but that would be generally
> horrible for so many reasons.  See a plugin for Chrome, a way to get
> ActiveX to do it for IE.... nothing web based though that isn't a brutal
> hack.
>

Well, some people use this with Firefox to good effect at patron self-check
kiosks.  When used in the right context, it doesn't seem so horrible.

-b

-- 
Bill Erickson
| Senior Software Developer
| phone: 877-OPEN-ILS (673-6457)
| email: berick at esilibrary.com
| web: http://esilibrary.com
| Equinox Software, Inc. / The Open Source Experts
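
The trusted-origin and IP-list checks described in the message above, sketched as an added example (not code from the Evergreen print service or from the author): a gate that a local WebSocket server could apply before completing the handshake. The class and method names, the origin `https://staff.example.org` and the sample addresses are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration: HandshakeGate and its methods are hypothetical names.
public class HandshakeGate {
    private final Set<String> trustedOrigins; // exact "scheme://host[:port]" values
    private final Set<String> allowedIps;     // whitelist; empty = any peer not denied
    private final Set<String> deniedIps;      // blacklist, always checked first
    public HandshakeGate(Set<String> origins, Set<String> allow, Set<String> deny) {
        trustedOrigins = origins; allowedIps = allow; deniedIps = deny;
    }

    // Reduce an Origin header to lowercase scheme://host[:port]; null if malformed.
    static String normalize(String origin) {
        if (origin == null) return null;          // non-browser client or stripped header
        try {
            URI u = new URI(origin.trim());
            if (u.getScheme() == null || u.getHost() == null) return null; // e.g. "null"
            // A browser-sent Origin has no userinfo, path, query or fragment.
            if (u.getRawUserInfo() != null || u.getRawQuery() != null
                    || u.getRawFragment() != null || !u.getRawPath().isEmpty()) return null;
            String s = (u.getScheme() + "://" + u.getHost()).toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? s : s + ":" + u.getPort();
        } catch (URISyntaxException e) { return null; }
    }

    // Decide whether to complete the WebSocket upgrade for this peer and Origin.
    public boolean accept(String originHeader, InetAddress peer) {
        String ip = peer.getHostAddress();
        if (deniedIps.contains(ip)) return false;
        if (!allowedIps.isEmpty() && !allowedIps.contains(ip)) return false;
        String origin = normalize(originHeader);
        // Exact set membership: no substring, prefix or suffix matching.
        return origin != null && trustedOrigins.contains(origin);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration and handshakes.
        HandshakeGate gate = new HandshakeGate(
                Set.of("https://staff.example.org"), Set.of("127.0.0.1"), Set.of());
        InetAddress local = InetAddress.getByName("127.0.0.1");
        String[] origins = { "https://staff.example.org", "https://staff.example.org.evil.test", "null", null };
        for (String o : origins) System.out.println(o + " -> " + gate.accept(o, local));
        System.out.println("LAN peer -> " + gate.accept(origins[0], InetAddress.getByName("192.0.2.10")));
    }
}
```

Only the first sample handshake is accepted. The Origin header is set by the browser and cannot be overridden by page script, but a non-browser client can send any value, so it complements the IP lists and authentication rather than replacing them.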