The Sakai Framework Five Models Marked Down from Six PowerPoint PPT Presentation

Title: The Sakai Framework Five Models Marked Down from Six


1
The Sakai Framework: Five Models (Marked Down from Six)
  • Mark J. Norton, Nolaria Consulting

2
Disclaimer!
  • Current documentation on Sakai services is
    lacking. It is either missing, inadequate, or
    (in some cases) misleading.
  • The information included here represents personal
    research into the Sakai code base as of Sakai
    2.2.
  • It is not intended to be the final, official word.

3
Sakai Architecture
Charon Portal
Tool
This presentation will focus on how the framework
services are grouped into various models.
Application Service
Framework Services
4
Service Models in Sakai
  • While Sakai has many services that perform a
    variety of functions, five models emerge as being
    important to understanding how Sakai operates
  • Entities
  • Users
  • Security
  • Sites
  • Content Hosting

Let's start with the Entity Model.
5
The Entity Model
6
Overview
  • Resources in Sakai
  • Entity
  • Edit
  • Entity Producer
  • Entity Manager

7
Resources in Sakai
  • It would be useful to be able to work with
    resources at a very abstract, general level.
  • The Entity model provides this capability with
    the Entity and Edit interfaces.
  • It allows us to treat managed data objects in
    Sakai in a uniform way.
  • This is done by using Entity as a base interface
    definition.

8
Examples of Sakai Entities
  • The following APIs extend Entity
  • Alias
  • Assignment
  • AssignmentContent
  • AuthZGroup
  • Calendar
  • CalendarEvent
  • ContentResource
  • ContentCollection
  • Digest
  • Message
  • MessageChannel
  • Preferences
  • Site
  • Group
  • User

9
The Entity Model
  • Entities (previously referred to as resources)
    provide a way to organize managed data objects in
    Sakai.
  • Entity and Edit APIs
  • Entity Producer
  • Entity Manager
  • Read vs. Edit mutability

Sakai 2.2 Package Id: org.sakaiproject.entity.api
10
The Entity
  • Entities are intended to be a base API that is
    extended by other interfaces.
  • It provides basic capabilities to be shared by
    all Sakai data objects
  • Reference
  • URL
  • Id
  • Properties
  • XML Marshalling

11
Stuff that all Things Should Have
  • Reference
      • A string reference for this thing that includes
        the entity producer name. Used to create URLs.
  • URL
      • Having a URL for all entities allows them to be
        externally addressable.
  • Id
      • Having an Id for all entities allows them to be
        efficiently accessed internally.
  • Properties
      • Metadata about this thing. Interface extensions
        define property names.

12
The Base Entity API
public interface Entity {
    String getUrl();
    String getUrl(String rootProperty);
    String getReference();
    String getReference(String rootProperty);
    String getId();
    ResourceProperties getProperties();
    Element toXml(Document doc, Stack stack);
}
Note that this is a read-only interface.
13
The Edit API
public interface Edit extends Entity {
    public boolean isActiveEdit();
    public ResourcePropertiesEdit getPropertiesEdit();
}
Edit extends Entity to provide editing
capability. This is a hold-over from the way
CHEF was originally designed, i.e., separating
editing and access. Some recent services combine
these abilities.
14
The Entity Producer
  • The entity producer is the basis for a service
    manager that creates entities.
  • It provides a way to determine if archiving and
    importing is supported.
  • Provides a way to get entities.
  • Entity creation is deferred to the higher level
    service object!

15
Entity Producer API
public interface EntityProducer {
    boolean willArchiveMerge();
    String archive(String siteId, Document doc, Stack stack,
            String archivePath, List attachments);
    String merge(String siteId, Element root, String archivePath,
            String fromSiteId, Map attachmentNames, Map userIdTrans,
            Set userListAllowImport);
    boolean parseEntityReference(String reference, Reference ref);
    String getEntityDescription(Reference ref);
    ResourceProperties getEntityResourceProperties(Reference ref);
    String getEntityUrl(Reference ref);
    Collection getEntityAuthzGroups(Reference ref);
    HttpAccess getHttpAccess();
}
This interface is simplified for Sakai 2.2 and
removes some higher level dependencies, such as
Site.
16
The Entity Manager
  • The API for the Entity Manager.
  • Sakai provides an implementation of this in
    EntityManagerComponent.
  • Allows an Entity Producer to be registered.
  • Provides ways to get a Reference object given a
    reference string.
  • A cover is provided.

17
The Entity Manager API
public interface EntityManager {
    List getEntityProducers();
    void registerEntityProducer(EntityProducer manager, String referenceRoot);
    Reference newReference(String refString);
    Reference newReference(Reference copyMe);
    List newReferenceList();
    List newReferenceList(List copyMe);
    boolean checkReference(String ref);
}
checkReference is new for Sakai 2.2; it returns true
if this is a valid entity reference.
18
Resource Properties
  • Properties are a way of associating additional
    information with an entity.
  • This is commonly called metadata.
  • Unlike the Entity class, Resource Properties are
    mutable.
  • The Resource Properties interface has a lot of
    convenience methods to access common properties.

19
Base Resource Properties API
public interface ResourceProperties extends Serializable {
    public Iterator getPropertyNames();
    public String getProperty(String name);
    public List getPropertyList(String name);
    public String getPropertyFormatted(String name);
    public boolean isLiveProperty(String name);
    public boolean getBooleanProperty(String name);
    public long getLongProperty(String name);
    public Time getTimeProperty(String name);
    public User getUserProperty(String name);
    public String getTypeUrl();
    public Element toXml(Document doc, Stack stack);
    public void addProperty(String name, String value);
    public void addPropertyToList(String name, String value);
    public void addAll(ResourceProperties other);
    public void addAll(Properties props);
    public void clear();
    public void removeProperty(String name);
    public void set(ResourceProperties other);
}
Typed, generic property access.
More
20
Property Convenience Methods
public interface ResourceProperties extends Serializable {
    public String getNamePropCreator();
    public String getNamePropModifiedBy();
    public String getNamePropCreationDate();
    public String getNamePropDisplayName();
    public String getNamePropCopyrightChoice();
    public String getNamePropCopyrightAlert();
    public String getNamePropCopyright();
    public String getNamePropContentLength();
    public String getNamePropContentType();
    public String getNamePropModifiedDate();
    public String getNamePropIsCollection();
    public String getNamePropCollectionBodyQuota();
    public String getNamePropChatRoom();
    public String getNamePropTo();
    public String getNamePropDescription();
    public String getNamePropCalendarType();
    public String getNamePropCalendarLocation();
    public String getNamePropReplyStyle();
}
21
References
  • References provide the ability to create an
    immutable object that wraps an entity's
    references and context, including:
  • Container
  • URL, Reference String, Id
  • Realms
  • Types

22
Reference API
public interface Reference {
    void addSiteContextAuthzGroup(Collection rv);
    void addUserAuthzGroup(Collection rv, String id);
    void addUserTemplateAuthzGroup(Collection rv, String id);
    String getContainer();
    String getContext();
    String getDescription();
    Entity getEntity();
    String getId();
    ResourceProperties getProperties();
    Collection getRealms();
    String getReference();
    String getSubType();
    String getType();
    String getUrl();
    boolean isKnownType();
    boolean set(String type, String subType, String id,
            String container, String context);
    EntityProducer getEntityProducer();
}
Note the connections to the Sakai Security Model.
This allows collections of entities to be
created and accessed as an AuthZ group.
23
Using Entities
  • In general, all persisted data objects in Sakai
    should extend Entity.
  • Create a unique container id.
  • Service managers should extend EntityProvider.
  • Register your provider with the EntityManager.
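
A model of the registration and reference-parsing flow listed above, as an added example (not Sakai code and not from the presentation). The cut-down Reference and EntityManager classes, the MyAppProducer class, its /myapp/<siteId>/<objectId> reference shape and the prefix dispatch on referenceRoot are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model for illustration; not Sakai's implementation.
public class EntityReferenceDemo {

    // Cut-down Reference: filled in by whichever producer recognises the string.
    static class Reference {
        private final String reference;
        private String type, id, context;

        Reference(String reference) { this.reference = reference; }

        boolean set(String type, String id, String context) {
            this.type = type;
            this.id = id;
            this.context = context;
            return true;
        }
        boolean isKnownType() { return type != null; }
        String getReference() { return reference; }
        String getType() { return type; }
        String getId() { return id; }
        String getContext() { return context; }
    }

    interface EntityProducer {
        // Returns true and fills in ref only if the reference belongs to this producer.
        boolean parseEntityReference(String reference, Reference ref);
    }

    static class EntityManager {
        private final Map<String, EntityProducer> producers = new LinkedHashMap<>();

        void registerEntityProducer(EntityProducer manager, String referenceRoot) {
            producers.put(referenceRoot, manager);
        }

        Reference newReference(String refString) {
            Reference ref = new Reference(refString);
            if (refString == null) return ref;
            for (Map.Entry<String, EntityProducer> entry : producers.entrySet()) {
                // Assumption of this model: only producers whose root prefixes the string are asked.
                if (refString.startsWith(entry.getKey() + "/")
                        && entry.getValue().parseEntityReference(refString, ref)) {
                    break;
                }
            }
            return ref;   // isKnownType() stays false if no producer claimed it
        }

        boolean checkReference(String refString) {
            return newReference(refString).isKnownType();
        }
    }

    // Hypothetical producer owning references shaped /myapp/<siteId>/<objectId>.
    static class MyAppProducer implements EntityProducer {
        static final String REFERENCE_ROOT = "/myapp";

        @Override
        public boolean parseEntityReference(String reference, Reference ref) {
            if (reference == null) return false;
            String[] parts = reference.split("/", -1);   // -1 keeps empty segments
            // Expect exactly four parts: "", "myapp", siteId, objectId
            if (parts.length != 4 || !parts[0].isEmpty()) return false;
            if (!REFERENCE_ROOT.equals("/" + parts[1])) return false;
            if (parts[2].isEmpty() || parts[3].isEmpty()) return false;
            return ref.set("myapp", parts[3], parts[2]);
        }
    }

    public static void main(String[] args) {
        EntityManager manager = new EntityManager();
        manager.registerEntityProducer(new MyAppProducer(), MyAppProducer.REFERENCE_ROOT);

        // Constructed reference strings: one valid, the rest malformed or foreign.
        String[] samples = {
            "/myapp/site1/object42", "/myapp/site1", "/myapp//object42",
            "/myappx/site1/object42", "/content/site1/object42", "/myapp/site1/a/b"
        };
        for (String sample : samples) {
            Reference ref = manager.newReference(sample);
            String detail = ref.isKnownType()
                ? " context=" + ref.getContext() + " id=" + ref.getId() : "";
            System.out.println(sample + " -> valid=" + manager.checkReference(sample) + detail);
        }
    }
}
```

Authorization checks such as unlock(lock, reference) take these strings as input, so rejecting malformed references at parse time keeps ambiguous object identities out of permission decisions.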

24
Future Work
  • The entity model is being referred to as the
    Sakai Entity Bus.
  • It is being carefully reviewed by Sakai
    architects to ensure that it is both simple and
    powerful.
  • It will provide the bedrock needed for
    improvements to many Sakai services.

25
The User Model
26
Overview
  • User and User Edit
  • User Directory Service
  • User Directory Provider
  • User Metadata (Sakai Person)
  • Authentication
  • Preferences

27
The User Model
  • Sakai provides a model of a user in the system.
  • User objects are split into an immutable base
    object and extended to allow editing in the
    UserEdit object.
  • Users are entities, which allows us to treat them
    as Sakai managed objects.

Sakai 2.2 Package Id: org.sakaiproject.user.api
28
New for Sakai 2.2
  • Authentication is now part of the User module, in
    terms of grouping services.
  • User Preferences is also considered part of the
    User Model.
  • SakaiPerson may be part of this later and provide
    support for standards-based user metadata.

29
User Relationships
30
The User
  • The User Interface (including UserEdit) provides
    access to
  • Creation and modification times.
  • Email address
  • Display name
  • Sort name
  • First and last name
  • User type

31
The User API
public interface User extends Entity, Comparable {
    public User getCreatedBy();
    public User getModifiedBy();
    public Time getCreatedTime();
    public Time getModifiedTime();
    public String getEmail();
    public String getDisplayName();
    public String getSortName();
    public String getFirstName();
    public String getLastName();
    public boolean checkPassword(String pw);
    public String getType();
}
Note the use of other interfaces that are
extended.
32
The UserEdit API
public interface UserEdit extends User, Edit {
    public void setId(String id);
    public void setEmail(String email);
    public void setFirstName(String name);
    public void setLastName(String name);
    public void setPassword(String pw);
    public void setType(String type);
}
33
The UserDirectoryService
  • The main service for finding users is called the
    UserDirectory service.
  • The default implementation is against a directory
    service, such as LDAP (hence the name).
  • This service is responsible for managing and
    persisting Users in Sakai.

34
UserDirectoryService
  • The User Directory Service provides ways to
  • Find a particular user given an id.
  • Get collections of users.
  • Get special users (like anonymous)
  • Authenticate a user (or re-authenticate).

35
UserDirectoryService API
public interface UserDirectoryService extends EntityProducer {
    public User getUser(String id);
    public List getUsers(Collection ids);
    public User getCurrentUser();
    public Collection findUsersByEmail(String email);
    public boolean allowUpdateUser(String id);
    public UserEdit editUser(String id);
    public void commitEdit(UserEdit user);
    public void cancelEdit(UserEdit user);
    public User getAnonymousUser();
    public List getUsers();
    public List getUsers(int first, int last);
    public int countUsers();
    public List searchUsers(String criteria, int first, int last);
    public int countSearchUsers(String criteria);
    public boolean allowAddUser(String id);
    public UserEdit addUser(String id);
    public User addUser(String id, );
    public UserEdit mergeUser(Element el);
    public boolean allowRemoveUser(String id);
    public void removeUser(UserEdit user);
    public User authenticate(String id, String password);
    public void destroyAuthentication();
    public String userReference(String id);
}
Note that any changes made to a User instance
must be explicitly committed by calling this
method.
36
The UserFactory
  • The UserFactory can be used as an alternative to
    addUser().
  • This has a single method (newUser()) that returns
    an empty UserEdit.
  • Setters can be used to initialize its values and
    then persisted using commitEdit().

37
The User Provider
  • Providers are a way to look someplace else for
    information.
  • If a UserProviderService exists, it will be
    accessed to provide information about a user.
  • Several implementations of the user provider
    exist, including one against LDAP.

38
UserDirectoryProvider
public interface UserDirectoryProvider {
    boolean authenticateUser(String id, UserEdit edit, String password);
    boolean updateUserAfterAuthentication();
    void destroyAuthentication();
    boolean userExists(String id);
    boolean getUser(UserEdit edit);
    void getUsers(Collection users);
    boolean findUserByEmail(UserEdit edit, String email);
    boolean authenticateWithProviderFirst(String id);
    boolean createUserRecord(String id);
}
39
Sakai Person
  • Sakai Person provides support for person metadata
    based on the EduPerson standard.
  • This code currently lives in the common module
    and is being used by some tools at Indiana.
  • It may be part of an expanded user model in the
    future.

40
Authentication
  • How do we know who the current user is? We
    authenticate them.
  • Evidence is provided, usually:
      • Username and Password
  • But other credentials are possible:
      • Smartcard, dongle, other devices
      • Biometrics: fingerprints, retina scan
      • Certificates

41
Evidence
  • Sakai uses a base class called Evidence that is
    extended to include specific kinds of evidence
  • ExternalTrustedEvidence
  • IdPwEvidence
  • An evidence object is passed to the
    authentication service to determine if the user
    is a valid Sakai user.

42
Authentication Service
  • The authentication service has a single method
    that takes a piece of evidence and validates the
    user.

Authentication authenticate(Evidence e) throws AuthenticationException;
An AuthenticationException is thrown if this user
doesn't authenticate against the evidence provided.
43
Preferences
  • Sakai provides a preference service based on
    properties.
  • The Preference Service allows preferences to be
    created against a particular user id and
    persisted.

44
The Preferences API
String getId();
ResourceProperties getProperties(String key);
Collection getKeys();
45
PreferencesEdit
ResourcePropertiesEdit getPropertiesEdit(String key);
46
The PreferencesService
Preferences getPreferences(String id);
boolean allowUpdate(String id);
PreferencesEdit add(String id);
PreferencesEdit edit(String id);
void commit(PreferencesEdit edit);
void cancel(PreferencesEdit edit);
void remove(PreferencesEdit edit);
47
The Security Model
48
Overview
  • An Abstract Security Model
  • The Sakai Security Model
  • Secure Application Development
  • Integration and Provisioning
  • Security APIs
  • Implementation using AuthzGroups
  • AuthzGroup Service and Group Provider

49
Security Issues
  • Hacking data
  • Unauthorized access
  • Accidental access
  • Backdoors
  • Spoofing
  • Development related issues

50
Mission Statement
  • Determine if a user is allowed to perform an
    operation on a specified object managed by Sakai.
  • Allow authorizations to be collected by defining
    a role for a user in a group.
  • Support group membership.

51
An Abstract Security Model
Group
Role
Collection
The Authorization Triple
Person
Function
Entity
52
Authentication
  • Authenticating a user is the first step in system
    security.
  • Recall the evidence-based authentication manager
    presented earlier.
  • Authentication can expire, forcing
    re-authentication even during an active session.

53
Authorization
  • Once a user is logged into the system, further
    operations are dependent on
  • What context they are in.
  • What role in a site or group they have.
  • What tool they are working with.
  • What tool function they want to perform.
  • What kind of object is being manipulated.

54
Dependent Services
  • Authorization is dependent on other models and
    services
  • Person
  • Group
  • Role
  • Tool
  • Function
  • Site
  • Resource or Entity

For the most part, authorization only cares about
identifying each of these things. That means
that each must have a unique identifier that can
be used to access and reference it. This is why
the entity bus is important!
55
Performance and Scalability
  • A good authorization system will perform well
    even in a large environment
  • Thousands of users
  • Millions of objects
  • We could just store triples.
  • Eventually, though, the sheer number of
    combinations catches up with you.

56
Group-based Authorization
  • By grouping people and objects, we can control
    access to entities or collections by a user's
    role in a group.
  • The trick is to do this in a manner that also
    scales well, is easy to use, and simple to
    understand.

57
Creating Secure Applications
Let's have a look at how we would go about
creating applications that are secure. We'll
need to consider four things:
  • Defining and Registering Functions
  • The Application Service
  • Testing Authorization in the App Service
  • Handling Security Violations

58
Well-Formed Sakai Applications
Tool Code
Tool code handles events and generates the user
interface using a presentation technology like
JSF.
Data managed by the service is abstracted into an
application service with a well-defined
interface. This includes allows() methods.
Application Service API
Application Service Impl
The implementation is responsible for authorizing
the current user for a function on a particular
entity. This is done in the group associated
with the current context.
Framework Services
59
Registering Functions
  • Functions are the operations that should be
    secured
  • Sakai recommends that you register your security
    functions in your application service.
  • This can be done in the tool registration file or
    by calling the FunctionManager

public static final String OBJECT_UPDATE = "myapp.object.update";
FunctionManager.registerFunction(MyAppService.OBJECT_UPDATE);
60
Function Manager API
void registerFunction(String function);
List getRegisteredFunctions();
List getRegisteredFunctions(String prefix);
  • The Function Manager allows functions to be
    registered with Sakai.
  • Lists of functions can be retrieved with an
    optional prefix. If convention is followed, it
    allows functions to be associated with an
    application.

61
Checking Permissions
  • Each application service should create a set of
    allow methods that test the current user for
    permission to perform a specified operation.
  • This is done in the context of a tool placement
    in a particular site.
  • Always done against a collection of objects in a
    site.

public boolean allowObjectUpdate();
62
The Sakai Security APIs
  • Security Service
      • The security service allows authorization
        questions to be resolved without worrying about
        groups and roles.
  • Security Advisor
      • An advisor mechanism is provided to allow
        policies to be defined that could potentially
        override underlying defaults.

Sakai 2.2 Package Id: org.sakaiproject.authz.api
63
Lock Terminology
  • The Security Service uses a Key/Unlock
    terminology that is left over from the days when
    resources were actually locked (via a database).
  • The mechanism has changed, but the terms remain.
  • Unlock: test is allowed
  • Key: grant permission

64
Security Service API
public interface SecurityService {
    public boolean unlock(String lock, String reference);
    public boolean unlock(User user, String lock, String reference);
    public List unlockUsers(String lock, String reference);
    public boolean isSuperUser();
    public void addKey(String userOrGroup, String lockOrRole,
            String resourceOrGroup, boolean allow);
    public void removeKey(String userOrGroup, String lockOrRole,
            String resourceOrGroup, boolean allow);
    void pushAdvisor(SecurityAdvisor advisor);
    SecurityAdvisor popAdvisor();
    boolean hasAdvisors();
    void clearAdvisors();
}
65
SecurityAdvisor API
public interface SecurityAdvisor {
    SecurityAdvice isAllowed(String userId, String function, String reference);
}
Security advisors allow policies to be defined
that are queried before the defaults established
by authzGroups. Because these are stacked, an
order can be established.
66
SecurityAdvice Constants
public class SecurityAdvice {
    public static final SecurityAdvice ALLOWED = new SecurityAdvice("allowed");
    public static final SecurityAdvice NOT_ALLOWED = new SecurityAdvice("not allowed");
    public static final SecurityAdvice PASS = new SecurityAdvice("pass");
}
These are defined as an inner class in
SecurityAdvisor.
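
The allow-method pattern from the Checking Permissions slide and the advisor stack described above, modelled together as an added example (not Sakai code and not from the presentation). The classes are simplified stand-ins; the /myapp reference, the user ids, the use of java.lang.SecurityException for a violation, and the rule that the most recently pushed advisor is asked first are assumptions of this model.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.Set;

// Simplified model for illustration; not Sakai's implementation. Needs Java 16+.
public class AdvisorStackDemo {

    enum SecurityAdvice { ALLOWED, NOT_ALLOWED, PASS }

    interface SecurityAdvisor {
        SecurityAdvice isAllowed(String userId, String function, String reference);
    }

    // Stand-in for an AuthzGroup: each member has one role, each role allows functions.
    record AuthzGroupModel(Map<String, String> roleOfUser,
                           Map<String, Set<String>> functionsOfRole) {
        boolean isAllowed(String userId, String function) {
            String role = roleOfUser.get(userId);
            return role != null
                && functionsOfRole.getOrDefault(role, Set.of()).contains(function);
        }
    }

    static class SecurityServiceModel {
        private final Deque<SecurityAdvisor> advisors = new ArrayDeque<>();
        private final Map<String, AuthzGroupModel> groupOfReference;

        SecurityServiceModel(Map<String, AuthzGroupModel> groupOfReference) {
            this.groupOfReference = groupOfReference;
        }

        void pushAdvisor(SecurityAdvisor advisor) { advisors.push(advisor); }
        SecurityAdvisor popAdvisor() { return advisors.poll(); }   // null when empty

        boolean unlock(String userId, String lock, String reference) {
            // Advisors are asked before the group defaults, newest push first.
            for (SecurityAdvisor advisor : advisors) {
                SecurityAdvice advice = advisor.isAllowed(userId, lock, reference);
                if (advice != SecurityAdvice.PASS) {
                    return advice == SecurityAdvice.ALLOWED;
                }
            }
            AuthzGroupModel group = groupOfReference.get(reference);
            return group != null && group.isAllowed(userId, lock);  // no group: deny
        }
    }

    static class MyAppService {
        static final String OBJECT_UPDATE = "myapp.object.update";
        private final SecurityServiceModel security;

        MyAppService(SecurityServiceModel security) { this.security = security; }

        boolean allowObjectUpdate(String userId, String reference) {
            return security.unlock(userId, OBJECT_UPDATE, reference);
        }

        void updateObject(String userId, String reference) {
            if (!allowObjectUpdate(userId, reference)) {
                throw new SecurityException(
                    userId + " lacks " + OBJECT_UPDATE + " on " + reference);
            }
            // The update itself would happen here, after the check has passed.
        }
    }

    public static void main(String[] args) {
        String ref = "/myapp/site1/object42";   // constructed reference string
        AuthzGroupModel site = new AuthzGroupModel(
            Map.of("alice", "maintain", "bob", "access"),
            Map.of("maintain", Set.of(MyAppService.OBJECT_UPDATE),
                   "access", Set.<String>of()));
        SecurityServiceModel security = new SecurityServiceModel(Map.of(ref, site));
        MyAppService app = new MyAppService(security);

        System.out.println("alice by role:    " + app.allowObjectUpdate("alice", ref));
        System.out.println("bob by role:      " + app.allowObjectUpdate("bob", ref));

        // Narrow grant: one function on one reference, PASS for everything else.
        security.pushAdvisor((user, function, reference) ->
            MyAppService.OBJECT_UPDATE.equals(function) && ref.equals(reference)
                ? SecurityAdvice.ALLOWED : SecurityAdvice.PASS);
        try {
            System.out.println("bob with grant:   " + app.allowObjectUpdate("bob", ref));
            // A later push is asked first, so this veto overrides the grant beneath it.
            security.pushAdvisor((user, function, reference) ->
                "bob".equals(user) ? SecurityAdvice.NOT_ALLOWED : SecurityAdvice.PASS);
            try {
                System.out.println("bob, veto on top: " + app.allowObjectUpdate("bob", ref));
            } finally {
                security.popAdvisor();
            }
        } finally {
            security.popAdvisor();   // always pop, or the grant outlives the operation
        }

        try {
            app.updateObject("bob", ref);
        } catch (SecurityException e) {
            System.out.println("after pop:        " + e.getMessage());
        }
    }
}
```

Popping in a finally block matters: an advisor that returns ALLOWED and is left on the stack keeps overriding the AuthzGroup defaults for every later check. Returning PASS for anything outside the intended function and reference keeps a temporary grant from widening into a blanket one.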
67
Sakai Security Implementation
  • Sakai Security is implemented using AuthzGroups.
  • These allow users to be grouped together within a
    specific context with well defined group roles.
  • AuthZGroups were previously called Realms.

68
Authorization Groups
  • A user may be a member of a particular
    authorization group.
  • All users in an AuthZGroup are required to have a
    role.
  • Each group has a set of permissions.
  • The ability to perform a particular function may
    be specified by a role or membership of a user in
    a group.

69
Group Relationships
70
AuthZGroup
  • AuthZGroup provides basic capabilities
  • Membership
  • Roles
  • Provider Support
  • Membership can be accessed either as a list of
    Users or Member objects.

71
AuthZGroup Membership API
public interface AuthzGroup extends Edit, Comparable, Serializable {
    void addMember(String userId, String roleId, boolean active,
            boolean provided);
    public Member getMember(String userId);
    public Set getMembers();
    public Set getUsers();
    public Set getUsersHasRole(String role);
    public Set getUsersIsAllowed(String function);
    void removeMember(String userId);
    void removeMembers();
}
More
72
AuthZGroup Role API
public interface AuthzGroup extends Edit, Comparable, Serializable {
    Role addRole(String id) throws IdUsedException;
    Role addRole(String id, Role other) throws IdUsedException;
    public Role getRole(String id);
    public Set getRoles();
    public Set getRolesIsAllowed(String function);
    public Role getUserRole(String userId);
    boolean hasRole(String userId, String role);
    void removeRole(String role);
    void removeRoles();
    void setMaintainRole(String role);
    public String getMaintainRole();
}
More
73
AuthZGroup Misc. API
public interface AuthzGroup extends Edit, Comparable, Serializable {
    Time getCreatedTime();
    String getDescription();
    User getModifiedBy();
    Time getModifiedTime();
    public String getProviderGroupId();
    void setProviderGroupId(String id);
    boolean isAllowed(String userId, String function);
    public boolean isEmpty();
    boolean keepIntersection(AuthzGroup other);
}
74
Role
  • Besides having a name and description, roles
    enable a set of functions to be allowed or
    disallowed.
  • Roles only have meaning with respect to
    authorization (AuthZGroups).
  • They are used purely as a way to group
    permissions in an authzGroup.

75
Role API
public interface Role extends Comparable, Serializable {
    String getId();
    String getDescription();
    boolean isAllowed(String function);
    Set getAllowedFunctions();
    void setDescription(String description);
    void allowFunction(String lock);
    void allowFunctions(Collection functions);
    void disallowFunction(String lock);
    void disallowFunctions(Collection functions);
    void disallowAll();
    boolean allowsNoFunctions();
}
Largely focused on what functions are defined for
this role.
76
Member
  • Member is a relationship object between a User
    and an AuthZGroup.
  • It includes a role.
  • Supports the concept of active and inactive
    members.

77
Member API
public interface Member extends Comparable, Serializable {
    String getUserId();
    Role getRole();
    boolean isProvided();
    boolean isActive();
    void setActive(boolean active);
}
78
AuthZGroupService
  • The AuthZGroup Service provides full support for
    managing AuthZGroups including creation.
  • Provisions are made for joining and un-joining
    groups.
  • Answers access questions between a user and a
    group or set of groups.

79
AuthZGroupService API
public interface AuthzGroupService extends EntityProducer {
    List getAuthzGroups(String criteria, PagingPosition page);
    int countAuthzGroups(String criteria);
    AuthzGroup getAuthzGroup(String id);
    boolean allowUpdate(String id);
    void save(AuthzGroup azGroup);
    boolean allowAdd(String id);
    AuthzGroup addAuthzGroup(String id);
    AuthzGroup addAuthzGroup(String id, AuthzGroup other,
            String maintainUserId);
    boolean allowRemove(String id);
    void removeAuthzGroup(AuthzGroup azGroup);
    void removeAuthzGroup(String id);
    String authzGroupReference(String id);
    AuthzGroup newAuthzGroup(String id, AuthzGroup other,
            String maintainUserId);
}
More
80
AuthZGroupService API (cont)
public interface AuthzGroupService extends EntityProducer {
    void joinGroup(String authzGroupId, String role);
    void unjoinGroup(String authzGroupId);
    boolean allowJoinGroup(String id);
    boolean allowUnjoinGroup(String id);
    boolean isAllowed(String userId, String function, String azGroupId);
    boolean isAllowed(String userId, String function, Collection azGroups);
    Set getUsersIsAllowed(String function, Collection azGroups);
    Set getAuthzGroupsIsAllowed(String userId, String ftn,
            Collection azGroups);
    Set getAllowedFunctions(String role, Collection azGroups);
    String getUserRole(String userId, String azGroupId);
    Map getUsersRole(Collection userIds, String azGroupId);
    void refreshUser(String userId);
}
Note that authorization is replicated here, but
specified against groups.
81
Security or AuthzGroup Service?
  • Given the power of the AuthzGroup Service, should
    that be used instead of the Security Service?
  • In general, the Security Service should be used
    for applications, since it provides higher level
    policies to be defined and queried.
  • Some framework services are implemented against
    the authzGroup Service because they need tighter
    integration.

82
GroupProvider
  • The group provider allows groups and roles to be
    defined by another source of information.
  • Providers are somewhat limited at this time and
    do not allow authorization to be moved out of
    Sakai.
  • Permissions are cached by Sakai.

83
GroupProvider API
public interface GroupProvider {
    String getRole(String id, String user);
    Map getUserRolesForGroup(String id);
    Map getGroupRolesForUser(String userId);
    String unpackId(String id);
}
Usually, roles need to be mapped to Sakai roles.
Support for compound user ids.
84
The Content Model
85
Overview
  • Content Resource
  • Content Collection
  • Content Hosting Service
  • Locking
  • Group Awareness

86
The Content Hosting Model
  • Content Hosting provides a way to manage content
    in Sakai.
  • Collections contain Resources.
  • Resources may have attachments.
  • Resources may have properties.
  • Locks can be made against resources.

87
Content Hosting Model
Sakai 2.2 Package Id: org.sakaiproject.content.api
88
ContentResource API
public interface ContentResource extends Entity {
    public int getContentLength();
    public String getContentType();
    public byte[] getContent() throws ServerOverloadException;
    public InputStream streamContent() throws ServerOverloadException;
}
89
ContentResourceEdit API
public interface ContentResourceEdit extends ContentResource, Edit {
    public void setContentLength(int length);
    public void setContentType(String type);
    public void setContent(byte[] content);
}
90
ContentCollection API
public interface ContentCollection extends Entity {
    public List getMembers();
    public List getMemberResources();
    public long getBodySizeK();
}
91
ContentCollectionEdit API
public interface ContentCollectionEdit extends ContentCollection, Edit {
    // No API methods defined.
}
92
The Content Hosting Service
  • Most of the functionality is represented in the
    Content Hosting Service.
  • Methods are provided to work with
  • Resources
  • Collections
  • Attachments
  • Properties
  • Locks

It also provides support for a special collection
referred to as a drop box. This collection
provides additional security access functions and
a drop box name.
93
ContentHostingService API
public interface ContentHostingService extends EntityProducer {
    public boolean allowAddCollection(String id);
    public ContentCollection addCollection(String id,
            ResourceProperties properties);
    public ContentCollectionEdit addCollection(String id);
    public boolean allowGetCollection(String id);
    public void checkCollection(String id);
    public ContentCollection getCollection(String id);
    public int getCollectionSize(String id);
    public List getAllResources(String id);
    public boolean allowUpdateCollection(String id);
    public ContentCollectionEdit editCollection(String id);
    public boolean allowRemoveCollection(String id);
    public void removeCollection(String id);
    public void removeCollection(ContentCollectionEdit edit);
    public void commitCollection(ContentCollectionEdit edit);
    public void cancelCollection(ContentCollectionEdit edit);
    public String getContainingCollectionId(String id);
    public int getDepth(String resourceId, String baseCollectionId);
    public boolean isRootCollection(String id);
    public Map getCollectionMap();
    public void eliminateDuplicates(Collection resourceIds);
}
Collection Methods
More
94
ContentHostingService API
public boolean allowAddResource(String id);
public ContentResource addResource(String id, String type, byte[] content,
        ResourceProperties properties, int priority);
public ContentResource addResource(String name, String collectionId,
        int limit, String type, byte[] content,
        ResourceProperties properties, int priority);
public ContentResourceEdit addResource(String id);
public boolean allowUpdateResource(String id);
public ContentResource updateResource(String id, String type, byte[] content);
public ContentResourceEdit editResource(String id);
public boolean allowGetResource(String id);
public void checkResource(String id);
public ContentResource getResource(String id);
public boolean allowRemoveResource(String id);
public void removeResource(String id);
public void removeResource(ContentResourceEdit edit);
public boolean allowRename(String id, String new_id);
public String rename(String id, String new_id);
public boolean allowCopy(String id, String new_id);
public String copy(String id, String new_id);
public String copyIntoFolder(String id, String folder_id);
public String moveIntoFolder(String id, String folder_id);
public void commitResource(ContentResourceEdit edit);
public void commitResource(ContentResourceEdit edit, int priority);
public void cancelResource(ContentResourceEdit edit);
public List findResources(String type, String primaryMimeType,
        String subMimeType);
Resource Methods
More
95
ContentHostingService API
// Attachment Methods
public boolean allowAddAttachmentResource();
public boolean isAttachmentResource(String id);
public ContentResource addAttachmentResource(String name, String type,
        byte[] content, ResourceProperties properties);
public ContentResource addAttachmentResource(String name, String site,
        String tool, String type, byte[] content, ResourceProperties props);
public ContentResourceEdit addAttachmentResource(String name);

// Property Methods
public boolean allowGetProperties(String id);
public ResourceProperties getProperties(String id);
public boolean allowAddProperty(String id);
public ResourceProperties addProperty(String id, String name, String value);
public boolean allowRemoveProperty(String id);
public ResourceProperties removeProperty(String id, String name);
public ResourcePropertiesEdit newResourceProperties();
More
96
ContentHostingService API
// Misc. Methods
public String getUuid(String id);
public String resolveUuid(String uuid);
public String getUrl(String id);
public String getReference(String id);
String getSiteCollection(String siteId);
String archiveResources(List resources, Document doc, Stack stack,
        String archivePath);
public boolean isPubView(String id);
public boolean isInheritingPubView(String id);
public void setPubView(String id, boolean pubview);

// Locking Methods
Collection getLocks(String id);
public void lockObject(String id, String lockId, String subject,
        boolean system);
public void removeLock(String id, String lockId);
public boolean isLocked(String id);
public boolean containsLockedNode(String id);
public void removeAllLocks(String id);

// Dropbox Collection Methods
public void createDropboxCollection();
public void createDropboxCollection(String siteId);
public String getDropboxCollection();
public String getDropboxCollection(String siteId);
public boolean isDropboxMaintainer();
public boolean isDropboxMaintainer(String siteId);
public String getDropboxDisplayName();
public String getDropboxDisplayName(String siteId);
97
Content Hosting Implementation
  • Content Hosting is currently implemented using two
    approaches:
  • File system (recommended)
  • Database
  • Neither allows external administrative access, but
    both provide quota support.
  • WebDAV support is included.

98
Group Awareness
  • Group (Section) awareness is being added to the
    content hosting service for Sakai 2.2.
  • Two objects are added
  • GroupAwareEntity
  • GroupAwareEdit

99
GroupAwareEntity
Collection getGroups()
AccessMode getAccess()
100
GroupAwareEdit
void addGroup(Group group) throws PermissionException
void removeGroup(Group group) throws PermissionException
void setAccess(AccessMode access)
101
Resource Locking
  • Content hosting includes a lock manager that
    allows long term locks to be applied to resources
    and collections.
  • It consists of the following objects
  • Lock
  • LockService

102
The Lock API
String getId()
void setId(String id)
boolean isActive()
void setActive(boolean active)
Date getDateAdded()
void setDateAdded(Date dateAdded)
Date getDateRemoved()
void setDateRemoved(Date dateRemoved)
String getQualifier()
void setQualifier(String qualifier)
String getReason()
void setReason(String reason)
String getAsset()
void setAsset(String asset)
boolean isSystem()
void setSystem(boolean system)
The Lock identifier
Active flag.
Time added or removed.
Qualifiers, if any.
Reason for lock.
Asset being locked.
103
The Lock Service API
void lockObject(String assetId, String qualifier, String reason, boolean sys)
void removeLock(String assetId, String qualifierId)
Collection getLocks(String assetId)
boolean isLocked(String assetId)
void removeAllLocks(String qualifier)
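The Lock Service calls listed above, exercised against a small in-memory model. This is an added example, not Sakai's implementation and not code from the presentation. The class InMemoryLocks, the mayDelete guard, the sample ids, and the semantics are assumptions inferred from the signatures: one lock per asset and qualifier pair, an asset counts as locked while any lock on it is active, and removeAllLocks releases every lock held under one qualifier.

```java
import java.util.*;

// Added illustration: hypothetical in-memory model of the LockService signatures on the slide.
public class InMemoryLocks {
    static final class Lock {                       // subset of the Lock fields on the slide
        final String asset, qualifier, reason;
        final boolean system;
        Date dateRemoved;                           // null while the lock is active
        Lock(String asset, String qualifier, String reason, boolean system) {
            this.asset = asset; this.qualifier = qualifier;
            this.reason = reason; this.system = system;
        }
        boolean isActive() { return dateRemoved == null; }
    }
    // Assumption: one lock per (asset, qualifier) pair; released locks are kept as history.
    private final Map<List<String>, Lock> locks = new LinkedHashMap<>();

    public void lockObject(String assetId, String qualifier, String reason, boolean sys) {
        locks.put(Arrays.asList(assetId, qualifier), new Lock(assetId, qualifier, reason, sys));
    }
    public void removeLock(String assetId, String qualifierId) {
        Lock l = locks.get(Arrays.asList(assetId, qualifierId));
        if (l != null && l.isActive()) l.dateRemoved = new Date();
    }
    public Collection<Lock> getLocks(String assetId) {   // active locks only
        List<Lock> out = new ArrayList<>();
        for (Lock l : locks.values())
            if (l.asset.equals(assetId) && l.isActive()) out.add(l);
        return out;
    }
    public boolean isLocked(String assetId) { return !getLocks(assetId).isEmpty(); }
    public void removeAllLocks(String qualifier) {
        for (Lock l : locks.values())
            if (l.qualifier.equals(qualifier) && l.isActive()) l.dateRemoved = new Date();
    }
    // Caller-side guard (hypothetical): refuse destructive operations while any lock is active.
    public boolean mayDelete(String assetId) { return !isLocked(assetId); }

    public static void main(String[] args) {
        InMemoryLocks svc = new InMemoryLocks();
        String doc = "/content/group/site-1/syllabus.pdf";      // constructed sample id
        svc.lockObject(doc, "holder-A", "constructed reason", true);
        svc.lockObject(doc, "holder-B", "constructed reason", false);
        svc.removeLock(doc, "holder-A");            // B still holds a lock on the asset
        System.out.println("deletable with B still holding: " + svc.mayDelete(doc));
        svc.removeAllLocks("holder-B");
        System.out.println("deletable after all released:   " + svc.mayDelete(doc));
    }
}
```

Releasing one holder's lock leaves the asset protected until every holder has released, which is the property a delete or overwrite path should check before acting.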
104
Content Hosting vs. Repositories
  • Content Hosting is not really intended to be an
    interface to a remote repository.
  • Work around repositories is starting to emerge:
    Twin Peaks, Sakaibrary, etc.
  • Repositories are optimized differently than
    Content Hosting, though content managed by CH
    could be including a repository service.

105
The Site Model
106
Overview
  • Site
  • Site Page
  • Tool Configuration
  • Group
  • Site Service

107
The Site Model
  • Sites are a way of breaking up a Sakai
    installation so that
  • Users can have a private work space (MyWorkSite).
  • Classes can have their own content.
  • Projects can facilitate work.
  • Etc.

Sakai 2.2 Package Id: org.sakaiproject.site.api
108
Site Model Diagram
109
The Site Object
  • The Site object includes
  • Information
  • Tools
  • Layouts for a Sakai Site
  • A list of pages
  • Layout is done using pages.

110
Site API - Information
public interface Site extends Edit, Comparable, Serializable, AuthzGroup
String getTitle()
String getShortDescription()
String getDescription()
String getIconUrl()
String getIconUrlFull()
String getInfoUrl()
String getInfoUrlFull()
void setTitle(String title)
void setIconUrl(String url)
void setInfoUrl(String url)
void setShortDescription(String description)
void setDescription(String description)
String getType()
boolean isType(Object type)
void setType(String type)
More
111
Site API - Membership
public interface Site extends Edit, Comparable, Serializable, AuthzGroup
boolean isJoinable()
String getJoinerRole()
void setJoinable(boolean joinable)
void setJoinerRole(String role)
Collection getGroups()
Collection getGroupsWithMember(String userId)
Collection getGroupsWithMemberHasRole(String userId, String role)
boolean hasGroups()
Group addGroup()
void removeGroup(Group group)
More
112
Site API - Pages
public interface Site extends Edit, Comparable, Serializable, AuthzGroup
List getPages()
List getOrderedPages()
SitePage getPage(String id)
SitePage addPage()
void removePage(SitePage page)
ToolConfiguration getTool(String id)
Collection getTools(String[] toolIds)
Support for pages.
Support for tools.
More
113
Site API - Miscellaneous
public interface Site extends Edit, Comparable, Serializable, AuthzGroup
User getCreatedBy()
User getModifiedBy()
Time getCreatedTime()
Time getModifiedTime()
String getSkin()
void loadAll()
void setSkin(String skin)
boolean isPublished()
boolean isPubView()
Group getGroup(String id)
void setPublished(boolean published)
void regenerateIds()
void setPubView(boolean pubView)
Support for skinning.
Support for publishing.
114
Site Pages
  • Each page can have a layout type (single or dual
    columns, etc.)
  • A page can have one or more tools, each with its
    own ToolConfiguration.
  • A page may be separately skinned.
  • A page may be designed as a pop-up, but this is not
    currently used.

115
SitePage API
public interface SitePage extends Edit, Serializable
public String getTitle()
public void setTitle(String title)
public String getSkin()
public String getSiteId()
public boolean isPopUp()
public void setPopup(boolean popup)
public int getLayout()
public void setLayout(int layout)
public String getLayoutTitle()
public List getTools()
public List getTools(int col)
Collection getTools(String[] toolIds)
public ToolConfiguration getTool(String id)
public Site getContainingSite()
public ToolConfiguration addTool()
public ToolConfiguration addTool(Tool reg)
public void removeTool(ToolConfiguration tool)
public void moveUp()
public void moveDown()
Layout management
Tool management
Ordering of pages
116
Tool Configuration
  • A Tool configuration provides
  • Layout hints
  • A skin
  • Site Id
  • Layout order
  • Since tools tend to take up screen real estate,
    only one or two tools tend to be configured onto
    a site page.

117
ToolConfiguration API
public interface ToolConfiguration extends Placement, Serializable
public String getLayoutHints()
public void setLayoutHints(String hints)
public int parseLayoutHints()
public String getSkin()
public String getPageId()
public String getSiteId()
public SitePage getContainingPage()
public void moveUp()
public void moveDown()
public int getPageOrder()
118
Site Service
  • The Site Service provides
  • Access to sites and collections of sites.
  • A site access security model.
  • Support for group membership.
  • Various references.
  • Convenience methods to directly access things
    like tool configuration, etc.

119
SiteService API - Sites
public interface SiteService extends EntityProducer
Site getSite(String id) throws IdUnusedException
Site getSiteVisit(String id)
Site addSite(String id, String type)
Site addSite(String id, Site other)
void removeSite(Site site) throws PermissionException
List getSites(SelectionType type, Object ofType, String criteria, Map propertyCriteria, SortType sort, PagingPosition page)
int countSites(SelectionType type, Object ofType, String criteria, Map propertyCriteria)
String merge(String toSiteId, Element e, String creatorId)
void save(Site site) throws IdUnusedException, PermissionException
void saveSiteMembership(Site site)
void saveGroupMembership(Site site)
void saveSiteInfo(String id, String description, String infoUrl)
More
120
SiteService API - Security
public interface SiteService extends EntityProducer
void setSiteSecurity(String siteId, Set updateUsers, Set visitUnpUsers, Set visitUsers)
void setUserSecurity(String userId, Set updateSites, Set visitUnpSites, Set visitSites)
boolean allowAccessSite(String id)
boolean allowUpdateSite(String id)
boolean allowUpdateSiteMembership(String id)
boolean allowUpdateGroupMembership(String id)
boolean allowAddSite(String id)
boolean allowRemoveSite(String id)
boolean allowViewRoster(String id)
boolean allowUnjoinSite(String id)
boolean isUserSite(String site)
boolean isSpecialSite(String site)
More
121
SiteService API - Miscellaneous
public interface SiteService extends EntityProducer
String siteReference(String id)
String sitePageReference(String siteId, String pageId)
String siteToolReference(String siteId, String toolId)
String siteGroupReference(String siteId, String groupId)
String getSiteUserId(String site)
String getSiteSpecialId(String site)
String getSpecialSiteId(String special)
String getSiteDisplay(String id)
ToolConfiguration findTool(String id)
SitePage findPage(String id)
String getSiteSkin(String id)
List getSiteTypes()
void join(String id)
void unjoin(String id)
122
Groups
  • With the release of Sakai 2.1, a site could have
    more than one group associated with it.
  • These are largely used for sections.
  • Groups extend AuthzGroups and add a bit more
    descriptive information.

123
Group API
String getTitle()
void setTitle(String title)
String getDescription()
void setDescription(String description)
public Site getContainingSite()
This allows groups to have a title and
description that is independent of AuthzGroup
naming. This is useful when you want the group
to appear as Chemistry 101 Lab 2, rather than
sci-chem101-L002
124
Questions?