Speaker: Dragan Panjkov;
In this session we will speak about SharePoint apps – new approach for development in new SharePoint. We will explain rationale behind Apps, basic concepts and various hosting options. We will also show you how to build your first app for SharePoint 2013.
5. 4 questions for architects
• How will the users be using the solution?
• How will the solution be deployed into production and
managed?
• What are the quality attribute requirements for the solution
(security, performance, concurrency, localization, and
configuration)
• How can the solution be designed to be flexible and
maintainable over time?
7. apps…
• …are not executed in SharePoint App pool
• …are in most of the cases not even running on SP Server
• …can have full trust, with user’s approval (OAuth)
• …can access SharePoint Data
• …can access outer world non-SharePoint Data
• …can use any external resources
• …can be executed in it’s own chrome, as app parts, or as
SharePoint extensions
8. why apps
• Isolated (safe!)
• Multi-tenant
• Multiple development possibilities (even non-MS stack)
• Easier to deploy (no SharePointisms by deployment)
• Easier to maintain (lifecycle – versioning, upgrades)
• Manageable (Office Store, Corporate Catalog)
• Cloud ready!
12. sp app design - a choice of three approaches
Developer-Hosted App
SharePoint
“Bring your own server hosting infrastructure” Your Hosted Site
Cloud-based Apps Web
Developers will need to isolate tenants
Get remote events from
SharePoint
Use CSOM/REST + Azure Auto-Provisioned App Azure
OAuth to work with SP
Windows Azure + SQL Azure SharePoint (from
provisioned invisibly as apps are Web WebDeploy,
installed DacPac)
SharePoint-hosted App
Parent
Provision an isolated sub web on a parent Web
web
• Reuse web elements App Web
(lists, files, out-of-box web parts)
• No server code allowed; use client
(from WSP)
JavaScript for logic, UX
animated
13. Comparing SharePoint Hosted vs. Cloud
Hosted Apps
SharePoint Hosted Cloud Hosted
App Scope SharePoint Site Site or Tenancy
Architecture Web Site Multi-Tenant App
Developer Skillset SharePoint + HTML/JS Full Stack
UI Technologies SharePoint + HTML/JS Any Web Stack
Server Code None Any
Storage Lists and Doc Libs Any
Key Limitations No Server Code Hosting Expertise Required
14. Choosing between Cloud-Hosted and
SharePoint-Hosted.
Cloud Hosted Apps SharePoint Hosted Apps
Preferred hosting model for almost all Good for smaller apps & resource
types of apps storage
Full power of web – choose your SharePoint-based; no server-side code
infrastructure & technology
May require your own hosting Automatically hosted in SharePoint
May require you own handling of Inherent multitenancy & isolation
multitenancy & permission management
15. App Shapes for SharePoint
Full page
Implement complete app experiences
to satisfy business scenarios
Parts
Create app parts that can interact
with the SharePoint experience
UI Command extensions
Add new commands to the ribbon and item
menus
16. App identity
• Challenge with SPS2010
• Farm solutions – too much privileges - risk of
RunWithElevatedPrivileges
• Sandbox solutions – no RunWithElevatedPrivileges – always under
user context
• In SharePoint 2013 apps have their own identity and specific
permissions
• Installing user either grants or denies permissions to host web
• Permission is explicitly given for a specific scope
• App identity is passed around using oAuth tokens
17. App rights
• Default rights : Read, Write, Manage and Full Control
• Not possible to customize
• Apps are granted permissions to a scope and all children of the
scope
• Defined in declarative XML
18. App scopes
• SPSite – site collection
• SPWeb – site
• SPList
• Tenancy
• Other scopes (and rights) for performing search queries,
accessing taxonomy data, user profiles, etc...
19. sharepoint apps: authentication and trust
main SharePoint site app1 SharePoint site
http://intranet.contoso.com http:// tenant-apphash1.contosoapps.com /sites/web/appguid
http://apps-87e90ada14c175.contosoapps.com/sites/web/014c9c59-5d9c-4a59-a5ce-2116a4c90296
20. Azure Access Control Service (ACS)
• ACS required with oAuth implementation in SharePoint 2013
• How is the ACS server configured as the authentication server?
• Automatically done for sites in Office 365 Preview
• On-premise farms, a trust to ACS must be configured. Possible to avoid
when using Server-to-server (S2S) trust
21. SharePoint 2013 Remote API
_api is new alias for _vti_bin/client.svc
Server
Client REST CSOM
OData
JSON
JavaScript Silverlight .Net CLR
Library Library Library
Custom Client Code
22. REST URLs in SharePoint 2013
• CSOM URLs can go through _api folder
• Replace
• http://sharepoint/_vti_bin/client.svc/web
• With
• http://sharepoint/_api/web
• Example REST URLs targeting SharePoint sites
• _api/web/lists
• _api/web/lists/List1
• _api/web/?$select=title,id
• /_api/web/lists/getByTitle('Consultants')/Items
• ....
23. Provider Hosted – S2S
• High trust applications used on-premise
• Can assert any user’s identity
• Requires configuration to establish trust between SharePoint
farm and S2S app
• Needs to be done for every S2S app
24. Configure S2S
• App Isolation is configured
• Disable App Principal check
• Generate Public/Private certificate pair
• Generate Client Id
• Set up Security Token Issuer
• Register App Principal
• Update Web.config and ensure user profiles exist
• http://www.binarywave.com/blogs/eshupps/Lists/Posts/Post.asp
x?ID=267
28. Autohosting is for team apps
• Team apps
• Resource tracking
• Team processes
• Event receivers
• Individual productivity
• Document assembly, etc.
30. From Developer to End User
Office and SharePoint
Dev center Integrated
Office Store TRIAL/
submission PURCHASE Office
Store
End users
TRIAL/
PURCHASE
Developer
Vendor/ SharePoint
Direct
IT projects App Catalog
IT admin
33. Infrastructure configuration for SP Apps
1) Wild card DNS entry for app domain
2) Apps service application and subscription service created in
environment hosting SP apps
3) SharePoint application for routing the incoming requests to
app DNS entry
4) App catalog created for SharePoint applications to enable end
users to utilize apps
SharePoint farm
http://*.apps
192.168.x.x
34. DNS configuration on-premises
• Define wildcard DNS entry for apps
• *.apps.contoso.com or something similar
• Configure app address in SP side
using Central Admin or PowerShell
• One address per farm
35. App configuration for on-premises farm
• Ensure that App service application and subscription service are created
and running in farm
• Subscription service is used to provide unique Site Collection ID for App
Urls
main SharePoint site app1 SharePoint site
tenant-
http://sp/sites/web http:// /sites/web/appguid
apphash1.contosoapps.com
http://apps-87e90ada14c175.contosoapps.com/sites/web/014c9c59-5d9c-4a59-a5ce-2116a4c90296
• Apps will be hosted on own domain, within their own frame
• Leverages web browser same-origin policy for script isolation
• URL naming – each app has unique URL – one app – one = URL
• http://default-appUID.apps.contoso.com
• appUID – combination of site collection ID and particular SPWeb where app is
installed
36. get app to site collection
• All site content provides functionality to
add apps
• Both market place and corporate
catalog visible from single place
• Users can add Apps to be available
• Apps can request permissions,
depending on implementation
Why suddenly apps – my feeling in februaryChoice of words – angry birds – sharepoint enterprise platform?Let’s look at the reasons
How will the users be using the application?How will the application be deployed into production and managed?What are the quality attribute requirements for the application (security, performance, concurrency, localization, and configuration)How can the application be designed to be flexible and maintainable over time?
Permission rights indicate what an app is permitted to do within a scope. SharePoint supports four rights levels for content (there are others for things like search, term store, etc.):Read-OnlyWriteManageFull ControlUnlike SharePoint user roles, these rights levels are not customizableIf an app is granted permission to a scope, the permission applies to all children of the scopeIf an app is granted perms to an SPWeb, the app is also granted perms to each SPList in the SPWeb, and all SPListItems in each list, but NOT each subweb
An app uses permission requests to specify the permissions that it needsThe requests specify both the rights and scope which are neededScopes indicate where in the SharePoint hierarchy a permission request applies. SharePoint supports four different content scopes:SPSite—site collectionSPWeb—websiteSPList—listTenancy—the tenancy scope is at http://<sharepointserver>/<content>/<tenant>/There are also scopes for things like performing search queries, accessing taxonomy data, user profiles, etc.
Permission rights indicate what an app is permitted to do within a scope. SharePoint supports four rights levels for content (there are others for things like search, term store, etc.):Read-OnlyWriteManageFull ControlUnlike SharePoint user roles, these rights levels are not customizableIf an app is granted permission to a scope, the permission applies to all children of the scopeIf an app is granted perms to an SPWeb, the app is also granted perms to each SPList in the SPWeb, and all SPListItems in each list, but NOT each subweb