It could just be coincidence that recently i’ve solved 2 tricky SharePoint dev problems using HTTPModules, or it could be a case of once you find a good solution to something, you try and shoehorn apply it to all other problems…. either way, I thought it would be worth going over the examples and why this approach is useful to developers who work with ‘product’ apps such as SharePoint.

Quick overview of HTTModule and HTTPHandler can be found here.

The benefits of using HTTPModules

A HTTPModule works well with 3rd party products as you do not have access to the source code and / or you are not able to change core files. You need some other way of hooking into the page event lifecycle. Of course there are many available ways of doing this already (Event Hooks, SharePoint Event Handlers, etc.) but sometimes these just don’t cut it.

See below for examples.

Example 1 – Custom Authorization Provider for SharePoint 2010

I’m working on a project where SharePoint will be a repository for storing wiki & blog sites and a few other web based structures, while the main application itself exists independent of SharePoint. This app has it’s own custom Authentication and Authorization processes which store all user session data in a custom database.

The Authentication piece of this is very interesting too as we are using a custom Claims Provider for SharePoint 2010 but that’s another blog post.

For the Authorization piece, we need a way to intercept each page request to the SharePoint environment and verify that the user has sufficient permissions to access this resource. Obviously, we don’t want to have to make this webservice call for each page request (or fractions of pages – some SharePoint pages i have seen can make over 30 separate authorization calls for different page controls on first load!!) so we need a way to verify user access level initially and then cache this for a period.

The initial road i went down here was to produce our own custom ‘AccessDenied.aspx’ page which all users would automatically reach if they attempt to access a resource they do not have permissions to. This worked really well as we could wait for the pipeline to finish processing and intercept the process at the very end when we were sure the auth had failed.

The problem with this is you can’t touch SharePoint default files. MS get very cross on support calls if you dare and tell you to go away until you put the system back the way it was. So i can’t hack into the ‘accessdenied’ page

This is where the HTTPModule came in. I initially thought I could jump in at the ‘AuthorizeRequest’ event of every page call so i could provide seamless authorization to the user. But because of the number of times this would be called (not just for pages but for page elements), I was very concerned about the detrimental effect this code might have on overall load times. I settled on combining both earlier ideas -  I can detect when the context URL contains ‘/_layouts/accessdenied.aspx’, insert some custom code for these requests only then redirect if the user passes our auth check!

Authorization Caching

The solution to the user auth caching is to add the user to the relevant SharePoint group with access level set, but in tandem, write a secure cookie (encrypted using machine key of server) to the client machine which has a hard expiration of 20 minutes (hard expiration to stop hackers indefinitely extending the life of a sliding session by maintaining an open connection by periodically pinging server).

Example 2 – Override Core SharePoint JavaScript functions

The majority of SharePoint’s javascript is called from a file called ‘core.js’ which is included in the MasterPages as a script link. The MS recommended approach is to create a custom Master page and change this link, but what if the page you want to modify is also a core SharePoint file (in this case ‘versions.aspx) and you can’t touch it to change the Master Page link? HTTPModule again! Detect this URL and forward the user on to your version of this page which calls the customised javascript file. Et voila.

Of course it’s never that simple – i had a lot of messing to do with relative URLs to get it to work but the principal is there.

Downsides to using HTTPModules

As the HTTPModule code will be called for every request through the page pipeline, poorly designed code can have a massive effect on performance. Think very carefully about what extra processing you are adding before doing it.

SharePoint branding without accessibility requirements

If a SharePoint site has to be branded but is not required to meet any accessibility standard, the next consideration is whether the proposed branding style is radically different from the default look of SharePoint (or any of its associated built-in styles).

If the branding is exactly the same except for a change of colour, a new site theme should be created or an existing theme should be copied and modified.

If there are small structure and colour changes required to a built-in style for a SharePoint, the built-in SharePoint style should be copied and modified.

If the branding of the proposed SharePoint site is quite different from any of the built-in styles, a new branding will have to be created from scratch.

An example of changes that would qualify as regarding a complete build of master pages would be a custom navigation menu.

General considerations when creating a completely new branding for SharePoint

If the design of the site is going to be radically different from built-in SharePoint sites, the best practice is to create static web pages of the site design. This is the case for both accessible and non-accessible site designs.

The static pages should work well across a variety of browsers and pass accessibility testing if this is a requirement for the final SharePoint branding. This task of creating the static web pages could be done by an external party such as a web design agency. There are guidelines that should be followed when creating static pages for a branding for SharePoint that are outside the scope of this document.

Once these static pages have been created, these static pages will need to be cut up into separate ASP.NET files that SharePoint will use as the layout. This is a developer task.

Custom development of code and website files are also required when creating a new SharePoint branding.

Sites with accessibility requirements will require a lot more coding than those without. The development required really depends on the requirements of the site content.

SharePoint Designer

SharePoint designer is a free programme from Microsoft that can be used to customize the appearance of SharePoint whether it is WSS only or MOSS. Although some parts of the designer may be useful such as the workflow wizard, it is not suitable for any significant branding of SharePoint.

Accessibility standards overview

Website accessibility standards are specified by the Web Accessibility Initiative (WAI) which is a sub group of the W3C. The most common accessibility level to aim for is Double-A.

The main goals to achieve Double-A conformance is to produce clean HTML where the layout is controlled by CSS.

Aside from producing reasonably clean HTML, other considerations for accessible sites include providing:

• alternate text for images
• alternate content for media such as flash or navigation that depends on JavaScript
• meaningful titles for links on the page

Some of the standards for accessibility are the responsibility of the content editor such as providing alternate means of accessing content.

There are programs such as Total Validator which can automatically validate a web page against an accessibility level.

Considerations when branding MOSS SharePoint sites

With MOSS 2007 the following can be achieved:

• Colour scheme changes
• Major layout and appearance changes, making the site unrecognisable as a SharePoint
• Sites that conform to accessibility guidelines (though not without considerable effort)

The first consideration when branding a MOSS sites is whether the site has to conform to accessibility guidelines.

By default, SharePoint does not come close to conforming to accessibility guidelines but it can be re-worked with a variety of techniques to produce accessible content with (at least) 3 caveats.

These caveats are:

• Accessibility can only be achieved when a user is accessing a site in a read-only style mode
• Many advanced features of SharePoint cannot be used. These include:
  • Almost all web parts
  • Web part zones (a type of layout that allows flexibility in placement of modules)
  • Built-in brandings and themes that come with SharePoint
  • The default content editor
• It takes lots of work! Custom development is almost certainly required.

The NSU Safe network site is an example of a SharePoint site that conforms to Double-A compliancy.

There are 2 notable frameworks that have been created to assist with making SharePoint accessible.

The Accessibility Kit for SharePoint (AKS)

There is an accessibility framework produced by a HiSoft in association with Microsoft. The framework is currently at version 2.0 at this time.

The kit includes more accessible versions of the built-in SharePoint themes and layouts though using any of these is a token gesture towards accessibility.

From investigation, a lot of development is still required to create an accessible site and the AKS does not provide much help towards this.

The Alternative Rendering Framework (ARF)

ARF is an open source framework to assist with creating accessible SharePoint sites. One of the core concepts of the framework is to keep using SharePoint lists and document libraries as the data store for a site but providing an alternative method for customizing the display of this data.

The ARF has proved very useful for creating accessible sites is used in the NSU Safe Network site.

This article is only relevant for WSS 3.0 and MOSS 2007.

When there is a requirement to customise the appearance of a SharePoint site, the first consideration is the version being used.

Branding WSS sites

If the SharePoint version is WSS (free to install if you have Windows Server 2003), colour and image changes are possible along with minor layout changes. It is not possible to use WSS to produce an accessible SharePoint site.

The default theme of SharePoint looks like the following

Other built-in themes that have different colours and images only are available

Microsoft released 10 new themes for SharePoint in March 2009 and one of these could be used. Again, the structure of the site is the same and only colour and images have changed.

Here’s a wee link I discovered on Andrew Woodward (MVP’s) blog. Its a free webinar on SharePoint and SQL Server 2008 Reporting Services.

Here’s the blurb from the site:

Put the Pedal to the Metal
Reporting through SharePoint – Webinar

Date:    Thursday, May 7th

Time:    2 to 3 pm Eastern (1 to 2 pm Central)

There is no charge for this webinar

SharePoint guru Coskun "Cujo" Cavusoglu will be your driver and discuss how Microsoft SQL Server 2008 Reporting Services has two gears: Native and SharePoint Integrated. Native mode is like driving on a highway (smooth and fast) but there is a speed limit. Incorporating Reporting Services into MOSS via SharePoint Integrated mode enables users to put the pedal to the metal and speed through tasks.

We will explore how the integration works and how to get the most out of your investment if you set up Reporting Services in SharePoint Integrated mode. You will learn the functionalities that didn’t make it to the integrated mode, or unsupported scenarios, that you should be fully aware of before putting the foot to the floor. Both pros and cons will be discussed.

Just come across the Ramp up site on MSDN. Its basically a training area for SharePoint which is always useful to those new to the world of features and solutions! Here’s some blurb from the Ramp Up site:

Ramp Up is a free, online, community-based learning program, with a number of different tracks that will help you build your portfolio of professional development skills. Ramp Up has a solid foundation of premium technical content from subject-matter gurus, and provides easy-to-access content in a variety of forms that guide you in learning the important skills. Join Ramp Up (it’s free!) and help advance your career – click on a track now to start!