SharePoint Development Models
Download
Report
Transcript SharePoint Development Models
SharePoint Saturday – Portland, OR
Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. The contents of this
package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or
implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft
must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the
companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and
no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or
should be inferred.
Copyright and Trademarks
© 2015 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server®, Hyper-V®,
Windows AzureTM , Windows PowerShell®, MSDN®, Visual Studio®, Active Directory®, SharePoint®, SQL Server® and Windows® are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft
products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries. All other trademarks are property of their respective owners.
©2015 Microsoft Corporation. All rights reserved.
Presenter
Ivan Bondy
Developer
[email protected]
©2015 Microsoft Corporation. All rights reserved.
Agenda
Introduction to SharePoint Development Models
SSOM - Server Side Object Model
CSOM - Client Side Object Model
REST API
SharePoint Hosted Add-ins
Provider Hosted Add-ins
Remote Apps
2014 Microsoft Corporation
Development Models
SSOM – Server Side Object Model
CSOM – Client Side Object Model
REST API
Server Side Object Model (SSOM
Common SharePoint development model before
SharePoint 2013
Runs on SharePoint servers in the SharePoint
process
Extensive libraries covering all SharePoint features
Fully supported in SharePoint 2013 on premise
Not supported in Office 365
Server Side Object Model
Common use:
Web parts
Code behind in aspx pages
Timer jobs
Configuration and management
Pretty much most of the SharePoint customization
Issues with SSOM
Running on SP servers
Deployed by Farm Administrators
Service interruption during deployments
Tight dependency on SharePoint
Difficult to upgrade and modify
Not supported in Office 365
Evergreen and release cycle – old model
SP2007
Tightly coupled
SharePoint customizations
SP2010
•
•
•
•
•
SP2013
SP20XX
Specific upgrade project each time new version is introduced
Customizations have to be upgraded to get access on new capabilities in product
Will cause additional costs during each release cycle of customizations
Customization updates cause downtime each time something is changed
Complex ALM processes for ensuring quality of the code
CSOM in SharePoint 2010
CSOM Made Accessible through client.svc
SharePoint 2010 doesn't support direct access to client.svc
Calls to client.svc must go through supported entry points
Supported entry points are .NET, Silverlight and JavaScript
Managed CSOM easier to use than from
JavaScript
JavaScript-driven CSOM hard to use and more limited
Changes in SharePoint 2013
The client.svc service extended with REST
capabilities
client.svc now supports direct access from REST clients
client.svc accepts HTTP GET, PUT, POST requests
Implemented in accordance with OData protocol
CSOM Extended new APIs
New APIs for SharePoint Server functionality
New API for Windows Phone Applications
CSOM Libraries
Managed
JavaScript
Silverlight
SharePoint 2013 Remote API
_api is new alias for _vti_bin/client.svc
Server
Client
Execute
Query
OData
JavaScript
Library
Silverlight
Library
Custom Client Code
.Net CLR
Library
What is covered in the new CSOM?
New APIs with SharePoint Server functionality
Evergreen and release cycle – new model
SP2013
O16
O17
O18
Customizations will utilize services from
SharePoint and other services, but won’t
usually change out of the box services.
Loosly coupled
SharePoint customizations
•
•
•
•
•
You choose when and how applications are updated
Backwards compatibility for API level to move customizations cross versions
Customizations don’t block new capabilities from SharePoint
Customizations extend, not change SharePoint
Customizations can be updated with minimal impact on SharePoint
Changes to CSOM
In SharePoint 2013 Foundation
No Significant Changes to CSOM apart from REST support
Primary investment is adding REST support to existing API
In SharePoint 2013 Server
New APIs have been added with CSOM and REST support
Programming using CSOM
Your JavaScript Code
JavaScript OM
Browser
Managed
Client
Proxy
Proxy
Managed OM
Your C# and VB.NET Code
JSON Response
Server OM
XML Request
XML Request
Client.svc
Content
database
JSON Response
SharePoint Server
CSOM using Managed Code
CSOM using JavaScript
Why is REST Important?
Significant Industry Momentum
Simpler and Easier to Use
Much easier to use than SOAP-based Web service
Higher productivity when using JavaScript and jQuery
Results can be returned in JSON and ATOM format
Each query is submitted with a unique URL
Results can be cached by proxy servers
REST URLs in SharePoint 2013
CSOM URLS can go through _api folder
Simplifies URLs that need to be built
Removes client.svc file name from URL
You can replace this URL
http://contososerver/sites/site/_vti_bin/client.svc/web
With this URL
http://contososerver/sites/site/_api/web
Mapping Objects to Resources
Example REST URLs targeting SharePoint sites
_api/web/lists
_api/web/lists/getByTitle('Announcements')
_api/web/getAvailableWebTemplates(lcid=1033)
Returning ATOM XML vs. JSON
Response data format selected with ACCEPT header
XML can be easier to deal with from managed code
To get ATOM XML response use "application/atom+xml"
JSON is easier to deal with when using JavaScript
To get JSON response use "application/json;odata=verbose"
REST Query from Managed Code
Tips for making REST calls from managed code
Use the HttpWebRequest and HttpWebResponse objects
Query XML using XDocument.Descendants
REST Query Using JavaScript & jQuery
Updates and the Form Digest
Updates using REST require Form Digest
Form Digest is a special value created using cryptography
Form Digest is used to protect against replay attack
SharePoint pages have control holding Form Digest
Web service clients must acquire Form Digest separately
Form Digest can be acquired through _vti_bin/sites.asmx or
_api/contextinfo
Types of Add-in Experiences
Full-Page Add-in (required)
Web Parts Add-in (optional)
Custom Actions Add-in(optional)
Full-Page SharePoint Add-in
Client Web Part
A web part made entirely of HTML
Uses an HTML page as the source
Add-in Web Parts
Specific use of the Client Web Part
Used to render small bits of an app on the host site
Defined in the app manifest
Appears in web part picker when app is installed
Web Part Add-In
Add-in web part content displayed in a SharePoint page
SharePoint Custom Actions Add-in
Add-in are granted permissions
Add-in permissions are different from user permissions
Add-in permissions are granted as all or nothing at a specific scope
Unlike user permissions, add-in permissions have no permissions hierarchy
An add-in has a default set of permissions
Add-in has full control over app web but no default permissions to host web
Add-in can request permission using declarative XML within application manifest
Installing user either grants or denies permissions during installation
If installer denies permission request, SharePoint does not install the add-in
Add-in request the permissions they require to run
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
<Property Name="BaseTemplateId" Value="101"/>
</AppPermissionRequest>
<AppPermissionRequest Scope="http://sharepoint/userprofilestore/feed" Right="Post"/>
<AppPermissionRequest Scope="http://exchange/calendars" Right="Schedule"/>
<AppPermissionRequest Scope="http://lync/contacts" Right="Read"/>
</AppPermissionRequests>
Add-in Permission Scope Defines
Product
Permission Provider
Target object - - where grant is requested
<AppPermissionRequest
Scope="http://sharepoint/content/sitecollection" Right="Read"
/>
Product
Permission
Provider
Target
Object
Capability
Installing User prompted to Deny or to Allow Access (grant)
Deny prevents add-in from being installed
Allow Access grants requested permissions to add-in as part of
installation
Authorization Policies
User-only policy (normal flow, SP 2010)
User + add-in policy (check succeeds only when
both have permission)
Add-in only policy (only checks add-in
permissions, regardless of user)
What is OAuth?
Internet protocol for creating and managing app identity
A cross-platform mechanism for authenticating and authorizing apps
An emerging Internet standard already used by Facebook, Google and Twitter
OAuth allows add-in identity to be recognized apart
from user identity
Add-in must be granted permissions independently of user permissions
By default, add-in is constrained in what it can do during and after installation
Add-in can request installing user to grant specific types of permissions
Add-in can be granted more permissions than current user has (i.e. elevation)
Provider Hosted
• Hosted using any technology on any
platform (incl. Azure)
• Recommended approach
SharePoint
Add-in
Hosted
Outside of
SharePoint
SharePoint Hosted
Provision an isolated subsite (SPWeb)
under the host web
• Reuse web elements
(lists, files, out-of-box web parts)
• No server code allowed; use client
JavaScript for logic
SharePoint
Add-in
Hosted in
SharePoint
Add-in components are SharePoint components
SharePoint lists, site columns, content types
CSOM and REST API
Client Web Part
Key Developer Skills
HTML5, CSS, JavaScript
jQuery, ASP.NET AJAX
CSOM and REST API
Silverlight
SharePoint-Hosted Add-in - Server-Side Code
Comparing Provider hosted to SharePoint hosted apps
SharePoint Hosted
Provider Hosted
SharePoint Site
Site or Tenancy
Web Site
Multi-Tenant App
Developer Skillset
SharePoint + HTML/JS
Full Stack
UI Technologies
SharePoint + HTML/JS
Any Web Stack
None
Any
Lists and Doc Libs
Any
No Server Code
Hosting Expertise Required
Add-in Scope
Architecture
Server Code
Storage
Key Limitations
Not tied to any SharePoint limitations
Windows Azure
ASP.NET MVC
Not just .NET Applications; Azure supports PHP, Node.js & Java
Long running processes via Worker Roles
Access to SQL Azure, Blobs, Tables, AppFabric & Service Bus
Other Hosting
Implement using any technology desired
Communicate w/ SharePoint using open standards (REST)
Obtain permissions using open standards (OAuth)
Great for extending on-premise apps to SharePoint
Identical process for creating Windows Azure apps
Difference depending on technology used to develop & host custom application
Leverage same SharePoint 2013 investments for
permissions (OAuth) & communication (REST / CSOM)
Deployment
Deploy application & SharePoint components separately
Scenario: SharePoint-ifying existing ISV offering
On Premise:
S2S – Server to server trust
Office 365
OAuth – Azure Active Directory (Azure Control Service)
A trusted connection between client add-in and SharePoint Web server
Eliminates need to involve Azure AD when running add-ins within private networks
Trust between servers configured using one or more SSL certificates
Add-in server code requires access to public/private key pair of SSL certificate
Requires creating S2S Security Token Service on SharePoint Web server(s)
Private Network Environment
S2S STS
1
3
2
4
SSL Cert
Public/Private
key pair (.pfx)
What are the developer responsibilities with an S2S
add-in?
Expose an endpoint to SharePoint to discover service metadata
Authenticate the user (can use Windows Authentication, FBA, etc.)
Create security tokens to send to SharePoint server
Details of creating the S2S security token
Security token is like OAuth token but differs from OAuth specification
Security token must contain add-in identity
Security token can optionally include user identity
Security token must be signed using private key of the SSL certificate
No UI hosted in SharePoint
Not hosted in SharePoint environment
Using CSOM\REST API to communicate with
SharePoint
Remote deployment pattern (Office Dev PnP)
Remote management
Can be hosted on:
Console
WPF
Windows forms
MVC application
PowerShell
Any other environment
Premier Support for Developers
aka.ms/OfficeDevPnP
Transform your code
Providing App Model Patterns for common scenarios
Open source and based on community contributions
Constantly evolving set of material for reuse
100+ Visual Studio projects
Common scenarios
Branding
Site provisioning
Remote event receivers
UX component
Taxonomy driven navigation
And much more…
Patterns and Practices Yammer Group - http://aka.ms/officedevpnpYammer