1

I am building an enterprise browser-based application, which works on a dedicated PC with a touch screen (think of it as a kiosk, sort of). So, the application itself is built on NodeJS and the user makes choices on the browser and inserts their Smart Card. Since JavaScript can't directly read and decrypt the Smart Card data, a Java program running on this PC detects the inserted Smart Card and reads the data. Now, the problem is to send these Smart Card details (name, address, etc.) to the JS code. I'm not really sure how to solve this; the following are a few ideas:

  1. The Java Smart Card reader, after reading the data, outputs it as keyboard input. The JS code then listens to this specific keyboard event and reads all the data. Kind of like how a bar-code scanner works.
  2. The Java Smart Card reader and the browser are connected to a cloud and have a WebSocket channel established. The Java program, after reading the data, pushes it to the cloud server and the cloud server then pushes it to the browser via WebSockets.
  3. Run the Java Smart Card reader as a web server (localhost) with a self-signed SSL certificate. Add a local domain name to the server in the hosts file. Now, the browser can directly talk to the Java web server through an HTTP API.
  4. Run the Java Smart Card reader with gRPC (localhost) and connect the browser to it via gRPC-web. (I have no experience in gRPC, but maybe this is possible?)

Each of the above has its own pitfalls. I'm not sure how other kiosk-based systems work, so any suggestions or improvements on the above ideas would be great.

user2354302
  • For Certificate operations using USB Smartcard from Browser, refer to [Signer.Digital Browser Extension API](https://stackoverflow.com/a/63173083/9659885) – Bharat Vasant Aug 02 '22 at 11:03

1 Answer

0

The best solution here would probably be to host a WebSocket using Jetty in your Java application at 127.0.0.1 and have your JavaScript connect to that directly. No cloud server would be needed, as WebSockets aren't bound to the same-origin policy or cross-origin resource sharing.

Another potential solution is to have an embedded browser in your Java program using JavaFX's WebKit or another Java browser implementation and share data through that. This is less than ideal because JavaFX's WebKit has its own weird quirks and commercial embedded browsers for Java cost thousands.

I would use the WebSocket solution.

  • Oh, that's good. Wasn't aware that CORS doesn't apply to WS. This seems like a security gap, and maybe future browser releases might actually extend CORS policies to apply to WS. Would you happen to know if using gRPC is a suitable solution? (I've edited my question too.) – user2354302 Mar 07 '21 at 19:17
  • Some people do consider no CORS a security vulnerability, but it's relatively simple to block out requests from domains you don't want. It gives the programmer more flexibility IMO. – Infinite Recursion Mar 07 '21 at 20:43
  • Also, I'm not really sure what gRPC is, but I wrote a pretty well documented example of how to use WebSockets in Jetty a while ago. I can link the GitHub if you want. – Infinite Recursion Mar 07 '21 at 20:43
  • Thank you, I happen to know some WS myself with Netty. Having said that, this doesn't give a newer solution, since I'd still have to make a self-signed certificate to access "wss" from "https" and then also connect to it (localhost). The only step that I avoid is adding the entry in the hosts file. – user2354302 Mar 08 '21 at 09:02
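
Added example, not part of the original thread and not code from either poster: because browsers do not apply CORS to WebSocket handshakes, a loopback card-reader service has to check the `Origin` header itself. The sketch below does that in Node.js with only built-in modules; the allowed origin, `checkUpgrade` and `createCardBridge` are hypothetical names and values, and the same gate applies to a handshake handled in Java.

```javascript
const http = require('http');
const crypto = require('crypto');

// Assumption: the kiosk page is served from this origin (constructed value).
const ALLOWED_ORIGINS = new Set(['https://kiosk.example.internal']);
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // fixed by RFC 6455

const deny = (status, reason) => ({ ok: false, status, reason });

// Decide whether an HTTP Upgrade request may become a WebSocket session.
// `headers` uses lower-case names, as Node's req.headers does.
function checkUpgrade(headers, remoteAddress) {
  if (!LOOPBACK.has(remoteAddress)) return deny(403, 'peer is not loopback');
  if (String(headers.upgrade || '').toLowerCase() !== 'websocket') {
    return deny(400, 'not a WebSocket upgrade');
  }
  // Browsers always send Origin on WebSocket handshakes and page script
  // cannot override it, so an exact-match allowlist keeps other sites out.
  if (!ALLOWED_ORIGINS.has(headers.origin)) return deny(403, 'origin not allowed');
  const key = headers['sec-websocket-key'];
  if (!key || Buffer.from(key, 'base64').length !== 16) {
    return deny(400, 'bad Sec-WebSocket-Key');
  }
  const accept = crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
  return { ok: true, accept };
}

// Build the local service; the caller binds it with listen(port, '127.0.0.1').
function createCardBridge() {
  const server = http.createServer((req, res) => res.writeHead(426).end());
  server.on('upgrade', (req, socket) => {
    const r = checkUpgrade(req.headers, socket.remoteAddress);
    if (!r.ok) {
      socket.end(`HTTP/1.1 ${r.status} ${http.STATUS_CODES[r.status]}\r\n` +
                 'Connection: close\r\n\r\n');
      return;
    }
    socket.write('HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n' +
                 `Connection: Upgrade\r\nSec-WebSocket-Accept: ${r.accept}\r\n\r\n`);
    // The connection is now a WebSocket; card data frames go out on `socket`.
  });
  return server;
}
```

The `Origin` check keeps other web pages opened in a browser on the same machine from reading card data. A non-browser local process can send any `Origin` value, so the check is not authentication of the client.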