Title: The Sakai JSR168 Portlet Version 2
1The Sakai JSR-168 Portlet(Version 2)
- Charles Severance
- csev_at_umich.edu
- December 17, 2005
2New in Portlet Version 0.2
Announcements (sakai.announcements) Assignments
(sakai.assignment) Chat Room (sakai.chat) Discussi
on (sakai.discussion) Gradebook
(sakai.gradebook.tool) Email Archive
(sakai.mailbox) Membership (sakai.membership)
Message Forums (sakai.messageforums)
Preferences Tool (sakai.preferences)
Presentation (sakai.presentation) Profile
(sakai.profile) Resources (sakai.resources) Wiki
(sakai.rwiki) Tests Quizzes (sakai.samigo) Rost
er (sakai.site.roster) Schedule
(sakai.schedule) Site Info (sakai.siteinfo)
Syllabus (sakai.syllabus)
- Tree View
- Gallery View
- Proxy portlets
- Source in SVN
- Configurable via properties file
3Use Case (getting closer)
- Goal a bunch of Sakai Portlets that can be
scattered through out a portal at the portal
administrators discretion - it is almost as if
Sakai was in the portal. - Not quite there
- One weakness is the provisioning step - for the
proxy portlets they need provisioning. - Another weakness is the need to synchronize AUTHZ
between the portal and Sakai - give than none of
the AUTHZ in portals is standard at all, this is
a challenge - Even though portals may not have the
infrastructure to support a group-scoped
calendar, we may have to build one anyways.
4Sakai JSR-168 Portlet
- Web Services are used to login to Sakai establish
a session and retrieve a list of Sakai Sites,
Pages, and Tools - The portlet is 100 stock JSR-168
- Works in Pluto, uPortal, and GridSphere
5Three Variations
- Display the Sakai gallery - all of Sakai except
for the login and branding. - Retrieve the hierarchy of sites, pages and tools
display in a tree view with the portlet and show
selected tools/pages in an iframe within the
portlet - Proxy tool placement for a particular Sakai tool
such as sakai.preferences
6SakaiSite.getToolsDom
ltsitesgt ltportalgthttp//localhost8080/portallt/
portalgt ltservergthttp//localhost8080lt/servergt
ltgallerygthttp//localhost8080/gallerylt/galle
rygt ltsitegt lttitlegtMy
Workspacelt/titlegt ltidgtcsevlt/idgt
lturlgthttp//localhost8080/portal/worksite/csevlt/
urlgt ltpagesgt ltpagegt
ltidgtaf54f077-42d8-4922-80e3-59c158af2a9alt/id
gt lttitlegtHomelt/titlegt
lturlgthttp//localhost8080/portal/page/af54f07
7-42d8-4922-80e3-59c158af2a9alt/urlgt
lttoolsgt lttoolgt
ltidgtb7b19ad1-9053-4826-00f0-3a964cd20f7
7lt/idgt lttitlegtMessage of
the Daylt/titlegt
lttoolidgtsakai.motdlt/toolidgt
lturlgthttp//localhost8080/portal/tool/b7b19ad1-
9053-4826-00f0-3a964cd20f77lt/urlgt
lt/toolgt lttoolgt
ltidgt85971b6b-e74e-40eb-80cb-930583688
13clt/idgt lttitlegtMy
Workspace Informationlt/titlegt
lttoolidgtsakai.iframe.myworkspacelt/toolidgt
lturlgthttp//localhost8080/por
tal/tool/85971b6b-e74e-40eb-80cb-93058368813clt/url
gt lt/toolgt
lt/toolsgt lt/pagegt lt/pagesgt
lt/sitegt lt/sitesgt
New WS method is upwards compatible with
getSitesDom
7Sakai Gallery View
8How Gallery Works
/portal/gallery
Charon Portal
Sakai
uPortal, Pluto, or GridSphere
Web Svcs
Sakai Portlet
Login
9Sakai Tree View
10How Tree View Works
Charon Portal
/portal/page/FF96
Sakai
uPortal, Pluto, or GridSphere
ToolList
Web Svcs
Sakai Portlet
Login
11Sakai Proxy Tool
12Proxy Tool Selection
13How Proxy Portlet Works
/portal/page/FF96
Charon Portal
2
Sakai
uPortal, Pluto, or GridSphere
SiteList
Web Svcs
Sakai Portlet
Login
1
14Auto Login
- Automatic login (unchanged from previous version)
- The portlet can be configured system-wide to have
a designated Sakai host that people are to be
automatically logged into. - A shared secret between the portlet and the Sakai
system allows bypass of any Sakai log in. - There must be a Sakai account for each portal
account. But if the account exists and the
shared secrets match, integration is seamless - If the portal is fully provisioned and knows
first name, last name, and e-Mail,
SakaiPortalLogin can also auto-create users.
15How Normal Login Works
/portal/gallery
Charon Portal
2
Sakai
uPortal, Pluto, or GridSphere
Web Svcs
Sakai Portlet
SakaiLogin
1
(id,pw)
16How Auto Login Works
/portal/gallery
Charon Portal
2
Sakai
uPortal, Pluto, or GridSphere
Web Svcs
Sakai Portlet
Request.getRemoteUser csev
PortalLogin
Configuration sakai.secretabcdef sakai.hosthttp
//
1
(id,secret)
Configuration sakai.secretabcdeff
17How Normal Login Works
Charon Portal
Sakai
uPortal, Pluto, or GridSphere
Web Svcs
Sakai Portlet
Request.getRemoteUser csev
PortalLogin
Configuration sakai.secretabcdef sakai.hosthttp
//
(id,secret)
18Sakai Portlet Preferences
19Configuration
- Configured via both a properties file and portlet
ltinit-parmsgt - Default properties is in /WEB-INF/classes/org/saka
iproject/portlets/sakaiportlet.properties - This file can also be placed in the -Dsakai.home
directory as well - this will override the
default file - Portlet.xml ltinit-parmsgt override these
properties but out of the box, the portlet.xml
does not set these properties
20sakaiportlet.properties file
This sets parameters for sakai portlets
These values are overridden by any init-parms in
the portlet.xml or init-parms forced by the
portal sakai.host http//localhost8080 It
is convenient for testing to have the secret set
out of the box But in production, if you do not
want autologin, do not set this parameter and
autologin will be turned off sakai.secret
plug-xyzzy This is used to deal with
non-portable aspects across portals - such as
how to determine the current logged in user.
Leaving it null assumes that it is an Apache
Pluto based portal. portal.typegridsphere
portal.typeuportal
21Notes
- If you dont use auto-portal login, it is very
painful to use the proxy portlets
(sakai.calendar, etc) because they need to
establish login separately ( - There is a bug in 2.1 logging out from the
gallery. Actually it might be best to hide the
logout button as it is not really logical in a
mode where some higher level portal is doing
navigation. - Char does not work - need to figure out why.
Probably an interaction with presence
22TODO List
- Create group placed versions of the proxy
portlet - need to interoperate with the AUTHZ in
the Portal and in Sakai - Need to look very closely at how AUTHZ is done in
the portal and what APIs to call for each portal
- this will likely be a case statement - Need to look closely at preferences in the
portal, normally there are portlet-wide init
parms and user-scoped preferences. Is there an
intermediate level where an admin can set certain
prefs that end-users cannot override? This will
likely also be non portable. - Make tool placements in tree view look like page
placements - should this be in Charon or in the
Portlet? Effectively this is snatching some
Charon code to do the titles, etc. Would be
better to do this in Charon.
23Outline of (TBD) AUTHZ
- It is pretty clear that it is dangerous to depend
on the AuthZ of the Portal because all portals
will be different. - Build a service inside of Sakai which maps
Portlet Placements to Sakai Sites - Allow users with site.upd to effectively grant a
role to a portlet placement. - Another variant is to have folks auto-join
sites and get a role in the site that way.
24Current AUTHZ
Portlet
Calendar portlet placed by admin with ID FF12
Calendar portlet executed by hao - no placement
in pref - find placements
What calendars can hao see?
Site User Role AB23 csev maintain AB23 hao access
BC55 hao maintain BC55 marlon access
AB23 BC55
hao picks BC55 and it becomes his personal pref.
Calendar portlet executed by csev - no placement
in pref - find placements
What calendars can csev see?
AB23
Since there is only one csev sees it and it
becomes his pref
25TBD AUTHZ - Maintain case
Portlet
Calendar portlet placed by admin with ID FF12
Calendar portlet executed by hao - no placement
in pref - find placements
What calendars can hao see?
AB23 BC55 (site.upd)
hao picks BC55 and then is asked, would you
like this to be a group placement? If so, what
role do people get when they see this placement?
Hao says yes - access.
Site User Role AB23 csev maintain AB23 hao access
BC55 hao maintain BC55 marlon access
Does hao have site.upd in this site?
Yes
Grant Portlet FF12 access role in AB23.
Portlet Site Role FF12 AB23 access
hao sees the AB23 calendar and it becomes his
preference.
Sweet
26TBD AUTHZ - Access Case
Portlet
Portlet Site Role FF12 AB23 access
Calendar portlet placed by admin with ID FF12
Calendar portlet executed by csev - no placement
in pref - find placements
What is the placement portlet FF12?
Sakai notices the placement rule made by hao, and
also that csev does not have access, and adds
csev as access below.
csev is sent to the AB23 calendar and it becomes
his preference.
AB23
Site User Role AB23 csev maintain AB23 hao access
BC55 hao maintain BC55 marlon access BC55 csev acc
ess
27TBD AUTHZ - Maintain case(more detail)
Portlet
Calendar portlet placed by admin with ID FF12
Calendar portlet executed by hao - no placement
in pref - find placements
What is the placement portlet FF12?
Portlet Site Role
Null
Since there are no placements, lets check to see
if hao can see any calendars.
Site User Role AB23 csev maintain AB23 hao access
BC55 hao maintain BC55 marlon access
What calendars can hao see?
AB23 BC55 (site.upd)
Since hao has site.upd, he picks BC55 and
indicates that this placement gets the access
role.
Grant Portlet FF12 access role in AB23.
Portlet Site Role FF12 AB23 access
hao sees the AB23 calendar and it becomes his
preference.
Sweet
28Summary
- This is a nice step forward for the Sakai JSR-168
portlet - There is another step needed to truly meet the
ideal use case - This step needs some analysis by within-portal
security folks (I.e. I need help from the uPortal
and GridSphere experts to determine next steps) - This will meet a set of needs much better than
version 0.1 of the portlet. - The gallery and tree should work well
- Proxy portlets can be used in certain cases where
AUTHZ is well considered. - This version is safe from a security
perspective - it only allows users to do what
Sakai permits them to do.