Thursday, October 02, 2014

Saturday, March 15, 2014

2014-03-15 Saturday - Research: Launching Applications via Custom Protocols

This weekend I'm researching options for integrating a client's custom application so that it can be launched by users from within a browser. These are the links to the resources that I've found to be of the most interest - hopefully this will be of some use to someone else in the future.

Microsoft Windows / IE Related Notes

Understanding Protocols

  • In most cases, the invoked URL is injected to replace the %1 parameter in the registered \Shell\Open\Command.
  • Windows 7 and later also support protocol invocation via the IExecuteCommand::DelegateExecute COM mechanism, instead of using the Shell Open Command. Some browsers do not yet properly support DelegateExecute because they first look for a Shell Open Command in the registry before passing a URL to ShellExecute.
  • Thanks to their simplicity, and to the fact that the Windows ShellExecuteEx function can easily be used to launch such protocols, all major Windows web browsers (IE, Firefox, Chrome, Safari, Opera) support Application Protocols. However, there are some important differences in behavior between browsers.
  • Despite their simplicity, Application Protocols have nevertheless been the source of a large number of vulnerabilities over the years, and thus nearly all browsers (except Safari) will prompt the user before launching the specified program.
  • In Internet Explorer 7 and later on Windows Vista and later, launching an application to handle an Application Protocol URL will also consult the Protected Mode Elevation policy for the target executable. By default, this policy is that the user will be prompted for permission to launch the program at the Medium Integrity Level.
  • Another behavior to be aware of is that some callers will decode or encode URLs before passing them along to the target program. For historical reasons, Internet Explorer performs a single percent-decoding pass on the URL before calling ShellExecute; by default IE9 and IE10 still perform this decoding unless the protocol’s registry key contains a REG_DWORD named UseOriginalUrlEncoding with value 0x1. However, the Windows Shell’s Start > Run command performs no such decoding pass.
  • On Windows 8, Apps may use their manifest to register to handle Application Protocols. Protocol activation APIs are more cleanly implemented in Metro-style apps.
  • The msProtocols object was removed for the IE10 release preview. Instead use the msLaunchUri API to launch a protocol.
  • Web developers often ask if there’s some way to detect whether the client has a given protocol available. Generally, the answer is no, this isn’t possible.

ShellExecuteEx function


  • lpParameters: Type: LPCTSTR Optional. The address of a null-terminated string that contains the application parameters. The parameters must be separated by spaces. If the lpFile member specifies a document file, lpParameters should be NULL.
  • lpVerb: Type: LPCTSTR A string, referred to as a verb, that specifies the action to be performed. The set of available verbs depends on the particular file or folder. Generally, the actions available from an object's shortcut menu are available verbs. This parameter can be NULL, in which case the default verb is used if available. If not, the "open" verb is used. If neither verb is available, the system uses the first verb listed in the registry. The following verbs are commonly used:

How to handle URI activation (Windows Store apps using C#/VB/C++ and XAML)

  • Windows allows an app to register to become the default handler for a certain URI scheme name. Both desktop and Windows Store apps can register to be a default handler for a URI scheme name
  • Any app or website can use your URI scheme name, including malicious ones. So any data that you get in the URI could come from an untrusted source. You should never perform a permanent action based on the parameters that you receive in a URI.
  •  If you are creating a new URI scheme name for your app, be sure to follow the guidance in RFC 4395. This ensures that your name meets the standards for URI schemes.
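An added example, not code from the original post or from the Microsoft documentation it quotes: a handler-side validator, in Python, for the URL that replaces %1. It applies the points noted above (the URL is untrusted, callers differ on percent-decoding, and nothing permanent should be driven by URI data). The scheme name `acmeapp`, the action names, the parameter formats and the `handler.exe` registration are assumptions made for illustration.

```python
"""Validate the URL a custom-protocol handler receives in place of %1."""
import re
from urllib.parse import urlsplit

SCHEME = "acmeapp"  # hypothetical scheme name (assumption, not from the page)
MAX_LEN = 512
# Only read-only actions are reachable from a URL (hypothetical names); each
# lists the exact parameters it takes. No value needs escapes or spaces.
ALLOWED = {
    "open-record": {"id": re.compile(r"[0-9]{1,10}")},
    "show-report": {"name": re.compile(r"[A-Za-z0-9_-]{1,32}")},
}
# '%' is refused outright: IE percent-decodes once before ShellExecute and
# Start > Run does not, so an escaped value would be read differently
# depending on the caller. Quotes, whitespace and backslashes are refused
# because the URL was spliced into a command line.
FORBIDDEN = re.compile(r"[%\"'\\\s\x00-\x1f\x7f]")


class RejectedUrl(ValueError):
    """The activation URL failed validation; the handler should do nothing."""


def parse_activation(raw):
    """Return (action, params) for an acceptable URL, else raise RejectedUrl."""
    if not raw or len(raw) > MAX_LEN:
        raise RejectedUrl("empty or over-long URL")
    if FORBIDDEN.search(raw):
        raise RejectedUrl("escape, quote, whitespace or control character")
    try:
        parts = urlsplit(raw)
    except ValueError:
        raise RejectedUrl("unparseable URL") from None
    if parts.scheme != SCHEME or parts.fragment or parts.path not in ("", "/"):
        raise RejectedUrl("unexpected scheme, path or fragment")
    spec = ALLOWED.get(parts.netloc)
    if spec is None:
        raise RejectedUrl("action not on the allow-list")
    params = {}
    for pair in parts.query.split("&"):
        key, sep, value = pair.partition("=")
        if not sep or key in params:
            raise RejectedUrl("malformed or duplicate parameter")
        params[key] = value
    if set(params) != set(spec):
        raise RejectedUrl("unexpected or missing parameter")
    for key, pattern in spec.items():
        if not pattern.fullmatch(params[key]):
            raise RejectedUrl("bad value for " + key)
    return parts.netloc, params


def handle_argv(argv):
    """Entry point for a command registered as: handler.exe "%1" (assumed)."""
    # A URL that broke out of the quoting shows up as extra arguments.
    if len(argv) != 2:
        raise RejectedUrl("expected exactly one argument")
    return parse_activation(argv[1])


if __name__ == "__main__":
    # Constructed sample input; a real handler would pass sys.argv.
    print(handle_argv(["handler", "acmeapp://open-record?id=42"]))
```

Anything that changes state stays off the allow-list and is only offered to the user inside the application after launch.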

ProtocolActivatedEventArgs class

  • Provides data when an app is activated because it is the app associated with a URI scheme name.
  • JavaScript: This type appears as WebUIProtocolActivatedEventArgs
    • The received URI is eventArgs.Uri.AbsoluteUri

Application.OnActivated method

How to handle file activation (Windows Store apps using C#/VB/C++ and XAML)

Association launching sample

File type and URI associations model

Guidelines for file types and URIs (Windows Store apps)

Guidelines and Registration Procedures for New URI Schemes

About URL Monikers

  • A moniker is a COM object that identifies an object and provides services to allow other components to obtain a pointer to that object. The system-provided moniker class supports asynchronous binding to a Uniform Resource Locator (URL).
  • Monikers connect to and activate objects, whether they are in the same machine or across a network. For example COM uses monikers to establish a network connection. They are also used to identify, connect to, and run OLE compound document link objects. In this case, the link source acts as the moniker provider and the container holding the link object acts as the moniker client.
  • Monikers are used as the basis for linking in OLE. After a moniker is bound to an object, the moniker's IMoniker interface can be used to locate, activate, and access the bound object without having any other specific information on where the actual object is located. The COM moniker architecture provides a convenient programming model for working with URLs. The moniker architecture supports extensible and complete name parsing, as well as printable names. Because URLs frequently refer to resources across high-latency networks, binding a moniker to a URL synchronously impacts performance. This is because the process has to wait for responses from the network before completing the binding. For this reason, the URL moniker class supports asynchronous as well as synchronous binding. For more information, see Creating and Using URL Monikers.

Creating and Using URL Monikers

  • szExtraInfo: Behavior of this field is moniker-specific. For URL monikers, this string is appended to the URL when the bind operation is started. Like other OLE strings, this value is a Unicode string that the client should allocate using CoTaskMemAlloc. The URL moniker frees the memory later.
  • szCustomVerb: BSTR specifying a protocol-specific custom action to be performed during the bind operation (only if dwBindVerb is set to BINDVERB_CUSTOM).

BINDINFO structure

Asynchronous Pluggable Protocols

About Asynchronous Pluggable Protocols

  • A URL follows the syntax described in RFC 1738, which specifies a protocol scheme followed by a scheme-specific portion (<scheme>:<scheme-specific portion>).
  •  Uniform Resource Locators (URL)
  • Internet Explorer uses two mechanisms for registering new URL protocol handlers. The first method is to register a URL protocol and its associated application so that all attempts to navigate to a URL using that protocol launch the application (for example, registering applications to handle mailto: or news: URLs). The second method uses the Asynchronous Pluggable Protocols API, which allows you to define new protocols by mapping the protocol scheme to a class.
  • An asynchronous pluggable protocol handler is an apartment-threaded COM object that handles any calls made to the protocol scheme for which it is registered.
  • When a client application makes a request, Urlmon looks up the protocol scheme in the registry and creates an instance of the protocol handler registered for that protocol scheme. If the protocol scheme was successfully mapped to the class identifier (CLSID) of a protocol handler, CoCreateInstance is called with that class asking for an IClassFactory interface. An instance of the protocol handler is obtained with IClassFactory::CreateInstance.
  • To register a custom URL protocol, add a key for the protocol scheme of the custom URL protocol to the registry under HKEY_CLASSES_ROOT\PROTOCOLS\Handler\protocol_scheme. Under that key, the string value, CLSID, must be set to the CLSID of the protocol handler.
  • The protocol handler cannot use any Windows messaging to switch back to the thread it was instantiated on, since the protocol handler must work on non-GUI threads.
  • A pluggable MIME filter is an asynchronous pluggable protocol that receives data through a stream, performs some operation on the data, and returns a data stream. The output data might be in a different format from the original stream.

Asynchronous Pluggable Protocol Overviews

Registering an Application to a URL Protocol

URL Monikers Overviews and Tutorials

Handling MIME Types in Windows Internet Explorer

MIME Type Detection in Windows Internet Explorer
- MIME type Detection Algorithm discussion

FindMimeFromData function

Auto-Launching apps using file and URI associations for Windows Phone 8

Launcher.LaunchFileAsync(IStorageFile) | launchFileAsync(IStorageFile) method

Understanding the Protected Mode Elevation Dialog

Custom URL Protocol for Invoking Application

Custom HyperLinks Using a Generic Protocol Handler

Custom Hyperlinks Using Asynchronous Pluggable Protocols

A windows 8 trick: Protocol activation of apps (and the nick app)

Using protocol handlers as a ultra thin layer of integration
- see

Firefox Related Notes

Web-based protocol handlers

Register protocol

  • Protocols are registered in the appxmanifest for the project
  • On Windows, protocol registration is done by the operating system

Linux Related Notes

[Ubuntu] Using a custom protocol handler in Firefox to run a shell script?

Make a link in the Android browser start up my app?
- DO NOT use your own custom scheme

Launch custom android application from android browser
- Per Google Engineer: Use an with a element.

Android Intents with Chrome
- ...Android lets you launch apps directly from a web page via an Android Intent.
- intent anchor and embed that into the page so the user can launch the app. Flexible approach...and the ability to pass extra information into the app via Intent Extras.

Intents and Intent Filters (see: Extras)
- Key-value pairs that carry additional information required to accomplish the requested action. Just as some actions use particular kinds of data URIs, some actions also use particular extras
- ...add extra data with various putExtra() methods, each accepting two parameters: the key name and the value...create a Bundle object with all the extra data, then insert the Bundle in the Intent with putExtras()

How to launch external applications using custom protocols (rock:// instead of http://)
- python example..
- see last line (beginning with @="\"python\") python...handler script
- also see: Registering a Protocol on Linux

Apple OS X References

Launching External Applications using Custom Protocols under OSX

How do I configure custom URL handlers on OS X?

Misc. References

6.6 System state and capabilities Custom scheme and content handlers
- Application URL is a trick so that you can launch any application on your local computer from your browser
- Both Chromium and Google Chrome do not allow the browser or its extensions to access local files, so you cannot create an extension that would call a program already on your machine
- In order for this to work, it requires you to add a new registry key to the Windows Registry to register a new URL Protocol.

Chrome doesn’t handle custom protocols correctly - (still ?)
- see: This can be adjusted in Chrome's Local State file.
- see JavaScript example...
- servlet based approach would have security issues...

Saturday, January 04, 2014

2014-01-03 Saturday - Oracle Fusion Middleware Notes

I'm doing some research on various Oracle Fusion Middleware technologies, in preparation for a new client engagement.

This posting will be a placeholder for any interesting resources found, notes from various documentation sources, observations (my own, and links to others), and my experiences working with the various tools and technologies:

12c (12.1.2) > Oracle Data Integrator > 16 Using Web Services
  • "The WADL structure (for RESTful services) is not supported by Oracle Data Integrator."

12c (12.1.2)  > Oracle Data Integrator > Appendix B Using Groovy Scripting with Oracle Data Integrator

Oracle Enterprise Pack for Eclipse 12c ( Release Notes
  • "Oracle Enterprise Pack for Eclipse no longer depends on Spring IDE. Users updating existing OEPE installations through Eclipse Update will need to first uninstall Oracle Spring Tools."

Mark Rittman (of Rittman Mead Consulting) posted a blog entry on January 2nd, 2014, entitled:
Rittman Mead and Oracle Data Integrator 12c – Thoughts and Experiences So Far


Free Oracle WebLogic Server 12c (12.1.2) Zip Distribution and Installers for Developers

Oracle Enterprise Pack for Eclipse (

Selected/relevant Oracle Blogs

Thursday, January 02, 2014

2014-01-02 Thursday - Packt Publishing $5 eBook Bonanza

Packt Publishing has an amazing $5 eBook/Video deal running until January 3rd.

I picked-up 47 eBooks to add as references to my Amazon Kindle:

Oracle Service Bus 11g Development Cookbook
Oracle SOA Suite 11g R1 Developer's
WS-BPEL 2.0 for SOA Composite Applications with Oracle SOA Suite 11g
Oracle SOA Infrastructure Implementation Certification Handbook (1Z0-451)
Oracle SOA BPEL Process Manager 11gR1 – A Hands-on Tutorial
Applied SOA Patterns on the Oracle Platform
Oracle SOA Governance 11g Implementation
Oracle ADF Enterprise Application Development – Made Simple, Second Edition (Pre-Order     25 Jan 2014)
Oracle SOA Suite 11g Administrator's Handbook
Getting Started with Oracle WebLogic Server 12c: Developer’s Guide
Oracle SOA Suite 11g Developer's Cookbook
Getting Started with Oracle SOA B2B Integration: A Hands-On Tutorial
Oracle SOA Suite 11g Performance Tuning Cookbook
Oracle BPM Suite 11g Developer's cookbook
Oracle JDeveloper 11gR2 Cookbook
Oracle Data Guard 11gR2 Administration Beginner's Guide
jQuery UI 1.10: The User Interface Library for jQuery
Getting Started with Oracle Event Processing 11g
Oracle Hyperion Interactive Reporting 11 Expert Guide
Oracle JRockit: The Definitive Guide
jQuery Game Development Essentials
HTML5 Game Development with ImpactJS
HTML5 and CSS3 Responsive Web Design Cookbook
Mastering Web Application Development with AngularJS
Responsive Web Design by Example
HTML5 Enterprise Application Development
Learning jQuery - Fourth Edition
Object-Oriented JavaScript - Second Edition
jQuery UI Cookbook
Linux Shell Scripting Cookbook, Second Edition
Enterprise Application Development with Ext JS and Spring
Java 7 Concurrency Cookbook
Oracle Goldengate 11g Complete Cookbook
Oracle GoldenGate 11g Implementer's guide
Getting Started with Oracle Data Integrator 11g: A Hands-On Tutorial
Oracle Enterprise Manager 12c Administration Cookbook
Oracle Database 11gR2 Performance Tuning Cookbook
Mastering Apache Cassandra
Apache Camel Developer's Cookbook
Developing Web Applications with Oracle ADF Essentials
PowerShell 3.0 Advanced Administration Handbook
Eclipse 4 Plug-in Development by Example Beginner's Guide
F# for Quantitative Finance
Android Security Cookbook
Unity Android Game Development by Example Beginner's Guide
Unity Multiplayer Games
Node Cookbook Second Edition

Wednesday, January 01, 2014

2014-01-01 Wednesday - TIOBE Software Index for December 2013

TIOBE Software Programming Language Index for Dec 2013!

A few surprising findings.  The top five, in order, are:
#1 - C
#2 - Java
#3 - Objective-C
#4 - C++
#5 - C#

Transact-SQL made a big move up from #21 in 2012, to #9.

COBOL at #24

Scala is at #31

Thursday, December 26, 2013

2013-12-26 Thursday - SOA ~ API Service Bus? Enterprise Governance Value?

Let me preface this posting with one important caveat: This was written from the perspective of having spent several years working within a very large multi-national software development effort, within a highly regulated industry, with over 150+ developers, across multiple large-scale enterprise application domains, integrating with many different externally contracted service providers - as well as dozens of internal applications (bespoke systems, as well as heavily customized COTS packaged software).

The buzz-trend headlines of today's pundits assume we should move toward a Point-to-Point API strategy for integrations both within and without the enterprise.

An oft-repeated line of argument that arises when pundits relish their prognostications of the death-knell of Service Oriented Architecture (SOA) revolves around the notion that the world-wide-web doesn't have a centralized service bus - and therefore, by inference, any corporation that has the temerity to think that they might need to provision an Enterprise Service Bus (ESB) is implementing something that is foolishly wasteful, extremely heavy-weight, and probably overkill.

This argument is probably quite right in many cases.

However, within any enterprise-level organization of appreciable size - with many different applications dispersed across the organization (both politically and geographically) - there are common and recurring application infrastructure capabilities that will end up being re-implemented again-and-again within the endpoints of any Point-to-Point integration strategy, if there isn't some enterprise-class service bus capability established.

For example, does it make sense for every individual application to implement their own approach to:
- retry logic for guaranteed delivery
- exception handling
- monitoring/reporting/alerting
- caching
- fail-over routing
- implementing fan-in and fan-out patterns, with the inherent brittle dependency of canonical mapping to each up-or-down stream application
- managed file transfers
- job scheduling
- data encryption (at-rest, and in-motion)
- complex event processing
- message queue management

The absence of any enterprise service bus capability cannot help but result in some trade-off decisions that have significant negative consequences for long-term maintenance, organizational agility, and software development costs.

Integration strategies within many large-scale enterprise organizations must often adhere to a much higher threshold of rigor (such as audit traceability and monitoring) - and Point-to-Point integration strategies often result in duplication of code in places that could be more centrally maintained, managed, and provisioned via a service bus (note: I'm not saying One ESB to Rule Them All - an ESB might be logical, virtual, distributed, and quite often federated).

I'm not saying Point-to-Point is necessarily a bad integration strategy in all cases, or that an ESB is a necessary component of an enterprise-class integration strategy. But to ignore the concerns raised above, or to burden application architectures with what should be common and reusable enterprise-level shared infrastructure-like capabilities - that results in the re-implementation and redundant maintenance of such common functionality - is something that should be questioned, and strongly challenged.

The challenge/questioning of whether there is a need for Enterprise Governance is another aspect of this discussion that is often dismissed as a needless overhead to the software development process. In my experience, this is argued most passionately by folks who have taken the idea of Agile to an unhealthy extreme - and who seem to use it as a justification for their genetic lack of enthusiasm for documenting their work. However, within any highly regulated industry, Enterprise Governance certainly has a proper and necessary place. The trick is to do it with the lightest touch possible. Without Enterprise Governance, without a guiding vision that has continuity (i.e. from a permanent Enterprise Architecture team) beyond the typically high turn-over of all-too-often mostly outsourced development teams - development can become a Wild West, decision making is almost invariably short-sighted, tactical, and representative of silo thinking - without any broader / longer term strategic thinking evident - and becomes a function of the strongest personalities on a development team (at best) - and (at worst) without any cross-application team communications of decisions, tools selection is made within a vacuum...devoid of any guidance from policies, standards, or specifications.

Some possible signs that your Enterprise Governance process may be out of control:
  1. You have more than [z] developers on staff, and you have no Enterprise Governance process, where [z] is greater than the size of a small garage start-up.
  2. You have no Policies, Standards, or Specifications established to guide your development teams.
  3. Your governance process stipulates the creation of [n]X additional artifacts than your design/development process produces.
  4. Your governance process stipulates [y]X more review checkpoints than performed in your design/development process.
  5. One or more of your developers has stated the following: "The code is the {design|documentation}"
  6. One or more of your developers has stated the following: "We don't need to write unit tests"
  7. Your code base has a high cyclomatic complexity rating.
  8. Your design/development process does not include frequent peer reviews.
  9. You have no visibility into code metrics.
  10. You don't have an automated Continuous Integration build process established.
  11. You are not running static code analysis tools during your Continuous Integration build process.
  12. You have no reserve capacity in your development group to review and address the technical debt that is accumulating (as found by various static code analysis tools, e.g. Sonar task executed by Jenkins/Hudson)