Growth of Blackberry

This academic year, colleagues have noticed a growing number of blackberry smartphones around MMU. Our survey of students’ mobile devices, which will be published in conjunction with a number of other universities in 2011, has revealed blackberry as the most popular student smartphone (see Mobile Survey Highlights to the right). This growth appears in part to be linked to the appearance of keenly priced deals from providers like Virgin (15GBP per month for 24 months) and Orange (20GBP per month for 24 months) for the Curve 8520 with free handset, email and internet. We plan to interview our students to find out more.

So far, over 1,700 students have download our myMMU-mobile app for the iPhone; this has generated a lot of comments about when the native Blackberry version will be appearing. The question is: which blackberry operating system version to target?

To help us answer the question we have analyzed the hit logs from our myMMU SharePoint portal for this academic session. Whilst not a mobile site, we were surprised to see that it had been accessed from a number of different blackberry browsers. There are some hits from late model OS4 devices. The majority are from OS5 and only 2 of the 83,697 hits analyzed were from an OS6 device. As the attractive deals on blackberry handsets are for two years and for devices capable of running OS5 (but not OS6), we suspect that the platform to target for student users should be OS5, rather than the newer OS6. What do others think?

Graph showing hits by blackberry browser version
Blackberry hits by browser version

VLE Web services

Eagle-eyed readers may have spotted from our last post that two web services have been called more than any of the others:

Web Services Hits
Stats for web ser

The two most frequently-accessed web services are getWebCtAreas and getWebCtAnnouncements. These services are called by a custom web part from the main page of our myMMU SharePoint portal. They deliver a list of the user’s areas within the VLE and an aggregated feed of recent announcements from those areas. This post summarizes how this is achieved.

Screen shot of myMMU portal page
myMMU portal page

WebCT (Blackboard Learn 8 Vista Edition)

MMU has used WebCT Vista as its institutional VLE since 2006. User accounts and course areas are created in WebCT (as it is known by staff and students) from our student records system using a custom script that posts IMS Enterprise XML to WebCT’s System Integration API (SIAPI). Users logging in to WebCT directly are authenticated against the institution’s LDAP servers, but WebCT also supports Single-Sign-On (SSO) through an impersonation account, token and a get autosignon URL service.

The Web services developed for the myMMU portal use the autosignon URL feature in conjunction with two other SIAPI methods: one (get consortia_id) returns the user’s internal WebCT ID; the other (get mywebct_xml) returns the user’s WebCT home page as XML. Blackboard provide their clients with illustrative source code for a JSR168 portlet that uses these SIAPI services, and encourage development around it via their edugarage.com community developer site. We have used this code to help us write our .NET Window Communication Framework REST web services that return personalized RSS feeds.

To ensure privacy and security, the WebCT SIAPI only responds if supplied with a valid token generated using an MD5 hash on a shared secret that is combined with the ASCII count of calling parameters, which include a timestamp. For instance, a call to get the user’s home area as XML is as follows:

/systemIntegrationApi.dowebct?adapter=standard
&action=my_webct_xml
&webctid={user's internal webct ID}
&timestamp={seconds since unix epoch, 01/01/1970}
&glcid={internal code for root node of institution's course hierarchy}
&auth={md5 hash token}

Our Web service Architecture

The overall approach for the getWebCtAnnouncements web service is summarized in the diagram below:

System architecture for getWebCtAnnouncements web service
getWebCtAnnouncements overview

For WebCT announcements, the RSS item title concatenates the title of the course area with the header title of the announcement.

The getWebCtAreas web service is very similar. Instead of querying the database to create RSS items, each course area on which the user is enrolled is extracted from the homeareaXML and returned as an RSS item with any additional information (such as notification of new discussion postings or assessment gradings) returned within the RSS item description.

The two RSS feeds are consumed by a custom web part that is used twice on the myMMU portal page. The web part takes a mode parameter that determines whether it will display the RSS items in a single scrolling list (for announcements) or in two tabs (for areas: one for the current year’s and one for areas from previous year’s). Tab switching and scrolling item lists were created using jQuery libraries as part of a re-brand of myMMU undertaken by SharePoint Solutions Partner, Novotronix during summer 2010.

The web part generates the authentication token expected by our web services based on an MD5 hash of the calling parameters its supplies (user ID and timestamp) and a shared secret. The RSS returned by the web part is parsed and xhtml list items are created with appropriate ID and style attributes for the jQuery and CSS. The overall effect is maximum use of screen real estate for most recent VLE announcements and single sign on links to the user’s VLE course areas. Consultation with students identified simple VLE access as the most sought-after portal feature.

Our decision to deliver VLE functionality in SharePoint using web services lays foundations for two important flexibilities for the future:

  • the ability to switch the VLE from WebCT to Moodle; and
  • the ability to use VLE web services to deliver content to students’ mobiles

We now have personalized RSS feeds for VLE and financial information that operate using a simple but effective token architecture. We will be discussing mobile integration possibilities with our commercial partners: ULCC and oMbiel (see a recent press release), and intend to explore the possibility of a widget store that can support tokens (see our musings in an earlier post)

Easy Access Financial Info

LRT along with Financial and Legal Services (F&LS) have recently developed a new web application that allows students to see an overview of their financial information whenever they log in to the myMMU SharePoint portal. This has been designed to highlight urgent messages about overdue fees, provide an easy-to-understand breakdown of which fees are due, and allow students to request a detailed financial statement to be emailed to them.

Part of the need for such an application is to increase the flow of financial information between F&LS and individual students. Increasing student engagement and enhancing the student experience were key reasons for this development. By displaying this information on the front page of the portal, students are immediately made aware of any financial issues that may need urgent resolution. The development of this Portal initiative, along with current Credit Control procedures including telephone, texts, letters and emails, provides the student with up to date information.

This joint venture was created as a result of listening to students and delivering a concept that is easy to understand, informative and adds value to the wider University. The concept alerts students to fee status information every time they log in to check email or access the VLE. This application consists of a front-end implemented in SharePoint Web Parts, and a web services backend.

SharePoint Web Parts

Urgent News Overdue MessageThe message above is displayed on the front screen of the myMMU portal whenever there are overdue unpaid fees.  This is at the top of the page to make it as visible as possible. The red traffic light signals a problem and grabs the attention of the user, or if there are unpaid but not yet due fees an amber traffic light is displayed instead. No message is displayed on this page if there are no overdue fees.

Finance Webpart Showing Paid and Overdue FeesThe second part is more detailed information which displays fees by category. The traffic lights are used again to make it easy for users to see which fees are a problem. The button underneath the traffic lights allow students to request a financial statement, which generates an automatic email to students by F&LS through an overnight process.

Financial Web Services

All financial information is held within the University’s SAP finance system. Part of the challenge was to ensure complete security and privacy around personal financial data. Discussions between LRT and F&LS quickly agreed on a service-oriented approach in which nightly reports inside the SAP system would feed through summarised fee status information for each student in a database table. This table was visible to a web service written by the F&LS team.  A second web service would allow students to request a full financial statement be emailed to their registered email address. To accelerate development and testing, LRT decided to create proxy web services that would eventually call the financial web services but could return test data in the interim.

The following steps were taken in consultation with F&LS in order to meet security and privacy requirements:

  • Sensitive financial data were summarised by a process within SAP and exported to a table as student id and fee status indicators only, no value data was visible.
  • A database user with read-only access to the summarised table was set up to make queries for the finance web service
  • A token-based protocol, using a one-way hash of parameters with a timestamp and shared secret, was agreed to enable the financial web services to confirm they had been called by a legitimate user before responding
  • Firewall settings ensured that only trusted machines could access the financial web services

The token-based protocol was also used for the proxy web services, which forwarded calling parameters and tokens to the financial web services and returned responses received.

Usage Statistics

Since the service was launched on Wednesday 17th November 2010:

  • There have been 157627 hits to the finance web service on testapis (as of 4pm on 30th November 2010). Note that this does include all 30,000+ students, even students who aren’t first year students (who will not be able to see any financial info) will create a hit on testapis, which will return a null value.
  • There have been 790 requests for financial statements using the traffic lights webpart. Only first year students who have unpaid fees can request a statement, so this is a significant number of roughly ten thousand MMU students who are in their first year of study.
Web Services Hits
Hits for testapis web services

Services Architecture

The services are delivered to the student through MMU’s SharePoint portal, my.mmu.ac.uk. The front page gives students a short announcement when they login if any fees are overdue through a in-house custom “Urgent News” web part, with a link for more information. When a user clicks on this link they are taken to a different SharePoint page with another custom “Traffic Lights” web part with more detailed information.

The overall architecture is shown in the diagrams below:

Urgent News Architecture
Finance Webservice Architecture for Urgent News Web Part
Traffic Lights Architecture
Finance Webservice Architecture for Traffic Lights Web Part

These web parts call LRT’s proxy webservice on testapis.mmu.ac.uk with parameters containing student ID, the one-way hash authentication token, and return format. The return type can be XML, RSS, or Atom which allowed us to develop a single web service that could be consumed by the two web parts, and should make it easier to extend this service to different applications in future.

When testapis receives a request it checks the authentication token is valid. It checks the student records system to retrieve the student’s institution ID (which identifies students on the finance systems) and to check that the student is on the first year of their studies. This is shown as step 2 and 3 in the diagram. If the student is not a first year student, null is returned from the service, and nothing is displayed on the SharePoint page. The webservice uses C#.NET and REST architecture.

Testapis calls the finance webservice and forwards the authentication token, and the institution ID, queries the SAP database fee summary table, and returns this as XML as step 7 in the architecture diagrams. An example of this XML is below:

[codesyntax lang=”xml” lines=”normal”]

<getFinancialStandingResponse>
	<student>xxxxxxxx</student>
	<tuition>2</tuition>
	<accommodation>1</accommodation>
	<other>0</other>
	<responseDate>20.09.2010, Time : 10:56:10</responseDate>
</getFinancialStandingResponse>

[/codesyntax]

Testapis receives this – if the return format is XML it formats the date and removes the student ID, before passing the data back to the calling service in step 8 of the Traffic Lights diagram:

[codesyntax lang=”xml” lines=”normal”]

<getFeeStatus>
	<tuition>1</tuition>
	<accommodation>3</accommodation>
	<other>0</other>
	<updated>30/11/2010 04:37 GMT</updated>
</getFeeStatus>

[/codesyntax]

On the other hand if the requested format is RSS, testapis uses the abstract .NET SynchronisationFeed class to create a different feed item for each of the fee types – tuition, accomodation, and other. This contains a message that is readable and useful for students rather than the numbers indicated above:

[codesyntax lang=”xml” lines=”normal”]

<rss version="2.0">
	<channel>
		<title>Fee Status</title>
		<link>http://www.finance.mmu.ac.uk/students</link>
		<description>Information on your current MMU fee status</description>
		<item>
			<guid isPermaLink="false">2</guid>
			<link>http://www.finance.mmu.ac.uk/students</link>
			<title>Tuition Fees paid</title>
			<description>Processed invoices to-date already paid.  Thank you.</description>
			<updated>2010-11-30T04:37:00Z</updated>
		</item>
		<item>
			<guid isPermaLink="false">1</guid>
			<link>http://www.finance.mmu.ac.uk/students</link>
			<title>Urgent: Accommodation Fees Overdue!</title>
			<description>Invoices are overdue for payment (if applicable these will also include any invoices paid on your behalf by your employer/sponsor).  Please contact your Faculty Finance Office if you are paying your own fees and have not agreed an instalment plan.</description>
			<updated>2010-11-30T04:37:00Z</updated>
		</item>
		<item>
			<guid isPermaLink="false">3</guid>
			<link>http://www.finance.mmu.ac.uk/students</link>
			<title>Other Fees</title>
			<description>Financial status is not applicable at this moment.</description>
			<updated>2010-11-30T04:37:00Z</updated>
		</item>
	</channel>
</rss>

[/codesyntax]

The SynchronisationFeed is converted into RSS (or Atom depending on what format was requested) before being passed back to the caller in step 8 of the Urgent News. Finally the student (who is a fully enrolled first year) is shown the custom web parts below:

Urgent News Overdue Message

Finance Webpart Showing Paid and Overdue Fees
Our next step is to find appropriate ways to make this information available to students on their mobiles. We have previously considered the possibility of a token-based approach for delivering private and personalised information to W3C widgets (2010-09-14) and we hope to explore the potential of the approach for this sensitive data in consultation with F&LS colleagues.

Credits

Web Parts and XSLT coded by Ludovic Tolhurst-Cleaver & Mark Stubbs
XML schema developed by LRT & F&LS
Finance Web Service and Traffic Lights Graphics developed by F&LS
LRT Proxy Web Service developed by Alexander Lee

PC Availability inside MMU

MMU has a number of PC Drop-ins scattered throughout its five campuses where students use the computers for a variety of purposes. One problem students always have is finding a free computer, so we looked for a simple solution that displays how
many free pcs they would find in the various drop-ins; below is a screen shot from the myMMU student portal showing usage one Friday morning.

number of free pcs image

The success of our solution relied heavily on colleagues in Information Communications and Technology Services (ICTS) who needed to deploy the login and logout scripts and set the relevant group policy settings so that these scripts executed properly. LRT worked very closely with Matt Hicks from ICTS who identified the various polices that needed changing.

The availability count goes down every time a student logs into a computer and increases every time they logout, shutdown or power-down a PC. So while it will never be completely accurate, it does give students a good indication of which drop-in computer suite to head for.

The mechanics of the system are very simple; at is heart is a SQL database with three tables; usage, stu_services and PCHistory

Usage is the main table with the usage data and has just four columns

Inuse Yes or No
Location A short description of the room
Hostname The hostname of the PC
RID A unique room identifier

Stu_services is a table we use to feed our campusM mobile application and will be used for widgets we develop for the W2C project. It has five columns

RID A unique room identifier
Info Short description of Printers and scanners available
Category PC availability
Long longitude of the building containing the Drop-in
Lat latitude of the building containing the Drop-in

PCHistory contains snapshots of usage at points in the day and it has only three columns

Location A short description of the room
Free PCs The number of free PCs
Date Date and time of the snap shot

The computers in the Drop-ins run two small programs that update the usage table called Inuse.exe and Notinuse.exe. We query this table from a SharePoint WebPart to display the latest PC availability in our myMMU student portal, and publish the current PC availability using a REST web-service which is called by the campusM mobile application and will soon be consumed by our widgets and used to power large information screens.

The Programs
Both the inuse and notinuse are very small console programs that just update the sql database and the code is very simple

[codesyntax lang=”csharp” lines=”fancy”]

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Data.SqlClient;
using System.Net;

namespace inuse
{
class Program
{
static void Main(string[] args)
{
// Get the hostname

string hostname = Environment.MachineName;

// Lets open the SQl connection

SqlConnection myConnection = new SqlConnection("user id=id;" +
"password=password;server=sqlserver;" +
"database=pcusage; " +
"Trusted_Connection=False;" +
"connection timeout=5");
try
{
myConnection.Open();
SqlCommand myCommand = new SqlCommand("UPDATE usage SET InUse = 'Yes' where hostname ='"+ hostname +"'",myConnection);
myCommand.ExecuteNonQuery();

}
catch (Exception e)
{
Console.WriteLine(e.ToString());
}

try
{
myConnection.Close();
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
}

}
}
}

[/codesyntax]

The code for not-in-use is same expect it set the inuse variable to No

The reasoning for two programs that do very similar things was driven by two over riding needs.
Minimise the effect on the log on process
Make the logic of deploying the applications easy to follow

The programs will time out if they can’t connect to the database within 5 seconds, it then does a very quick update and exits

Having two programs helped no end in the deployment and testing phase

How did we deploy it?

Matt Hicks from ICTS worked out the details of the deployment phase. MMU is currently running Novell but we are in the process of moving to AD. For our Zen based management we did the following: –
Both of the programs, induse.exe and notinuse.exe were stored on a drive on a fileserver that students had read access to. Matt created a Zen workstation policy for those computers we wanted to monitor and in that policy created four schedules
• Login
• Logout
• Shutdown
• Power off
For the login event the inuse program was run.
And for the other events the notinuse program was run.

When we move fully to AD we will have to change the mode of deployment, so any AD experts out there please leave us a comment to tell us how we can do the same…

How do we display the information?

We display the available PCs in two places, the first one is on the Student portal as a Sharepoint Webpart and the second we make use of a web service that talks to our SQL database and feeds our CampusM application.

Again the code for the web part is very simple we just talk to the SQL server and display the results as a label within the web part

[codesyntax lang=”csharp” lines=”fancy”]

using System;
using System.Runtime.InteropServices;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Serialization;
using System.Data.SqlClient;

using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;
using Microsoft.SharePoint.WebPartPages;

namespace freepcs
{
[Guid("")]
public class freepcs : System.Web.UI.WebControls.WebParts.WebPart
{
public freepcs()
{
}

private string mailerror(string error)
{
// Build the email subject string
System.Text.StringBuilder subject = new System.Text.StringBuilder();
subject.Append("My.mmu.ac.uk Web part error report from web part freepcs ");

// Get the current user
string whoami = System.Web.HttpContext.Current.User.Identity.Name;

// get the current date and time and convert to string to enable emailing
DateTime timenow = DateTime.Now;
String result = Convert.ToString(timenow);

// Build the email message string
System.Text.StringBuilder message = new System.Text.StringBuilder();
message.Append("User at the time of the error was : ");
message.AppendLine(whoami);
message.Append("Date and time of the problem was: ");
message.AppendLine(result);
message.Append("error message is : ");
message.AppendLine(error);

// Construct the message header
System.Collections.Specialized.StringDictionary messageHeader =
new System.Collections.Specialized.StringDictionary();
messageHeader.Add("to", "icts-help@mmu.ac.uk;mle-team@mmu.ac.uk");
messageHeader.Add("from", "webpart error@mmu.ac.uk");
messageHeader.Add("subject", subject.ToString());
messageHeader.Add("content-type", "text/plain");

// Send the email
Microsoft.SharePoint.Utilities.SPUtility.SendEmail(
SPContext.Current.Web, messageHeader, message.ToString());

string mailsent = "true";
return mailsent;
}

protected override void CreateChildControls()
{
base.CreateChildControls();
SqlConnection myConnection = new SqlConnection("user id=id;" +
"password=password;server=servername" +
"database=pcusage; " +
"connection timeout=10");
try
{
myConnection.Open();
SqlDataReader myReader = null;

SqlCommand myCommand = new SqlCommand("select Location, Sum(free) as 'Free', Sum(pool) as 'Pool' FROM (select Location, count(*) as 'free', 0 As 'pool' from usage where InUse='NO' Group BY Location UNION select Location, 0 as 'free', count(*) as 'pool' from usage Group BY Location) status GROUP BY Location", myConnection);

myReader = myCommand.ExecuteReader();

//String results = "

    *
            ";
            while (myReader.Read())
            {
            String location = myReader.GetString(0);
            int free = myReader.GetInt32(1);
            int pool = myReader.GetInt32(2);
            FreePCs.Text += "

          o " + location + " has " + free + " free from " + pool + " machines.

            ";
            }
            FreePCs.Text += "

            ";

            this.Controls.Add(FreePCs);
            }
            catch (Exception ex)
            {
            String mailsent = mailerror(ex.Message);

            Label Error = new Label();
            Error.Text = " Sorry I can't talk to the database holding the information of free computers at the moment, please try later";
            this.Controls.Add(Error);
            }
            finally
            {
            myConnection.Close();
            }

            }
            }
            }

[/codesyntax]

As well as showing the usage via our portal we also use campusM on mobile devices. We feed their systems by a web service that talks to our SQL database and returns some xml that is used by campus

The code for that is straightforward as well
The interface section of the web service can be seen below

[codesyntax lang=”csharp” lines=”fancy”]

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.Text;
using System.Xml;
using System.Xml.Serialization;
using System.ServiceModel.Web;

namespace WcfService4
{
// NOTE: If you change the interface name "IService1" here, you must also update the reference to "IService1" in Web.config.
[ServiceContract]
[XmlSerializerFormat]
public interface IService1
{

[OperationContract, WebGet(UriTemplate = "getPcAvailability", ResponseFormat = WebMessageFormat.Xml)]
PcAvailability getPcAvailability();
}

// Use a data contract as illustrated in the sample below to add composite types to service operations.
[XmlRoot (Namespace = "http://web services server", ElementName="rooms")]
public class PcAvailability
{
[DataMember(Name = "last-updated", Order = 1)]
[XmlElement(ElementName="last-updated", Order=1)]
public string lastUpdated { get; set; }

[DataMember(Order = 2)]
[XmlElement(ElementName="room", Order=2)]
public List rooms = new List();
}

[DataContract (Name="room", Namespace = "http://web services server ")]
public class Room
{
[DataMember (Order=1)]
[XmlAttribute]
public string free { get; set; }

[DataMember(Order = 2)]
[XmlAttribute]
public string seats { get; set; }

[DataMember(Order =3)]
[XmlAttribute]
public string location { get; set; }

[DataMember (Order =4)]
[XmlAttribute]
public string rid { get; set; }

[DataMember(Order =5)]
[XmlAttribute]
public string info { get; set; }
}
}

[/codesyntax]And the code that does the work is again very straightforward

[codesyntax lang=”csharp” lines=”fancy”]

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.Text;
using System.Data.SqlClient;

namespace WcfService4
{
// NOTE: If you change the class name "Service1" here, you must also update the reference to "Service1" in Web.config and in the associated .svc file.
public class Service1 : IService1
{
public PcAvailability getPcAvailability()
{
PcAvailability pcAvailabilty = new PcAvailability();
DateTime dt = DateTime.Now;
pcAvailabilty.lastUpdated = dt.ToShortTimeString() + " on " + dt.ToLongDateString();

SqlConnection myConnection = new SqlConnection("user id=ID;" +
"password=password;server=SQL Server;" +
"database=pcusage; " +
"connection timeout=10");
try
{
myConnection.Open();
SqlDataReader myReader = null;

//SqlCommand myCommand = new SqlCommand("select Location, Sum(free) as 'Free', Sum(pool) as 'Pool' FROM (select Location, count(*) as 'free', 0 As 'pool' from usage where InUse='NO' Group BY Location UNION select Location, 0 as 'free', count(*) as 'pool' from usage Group BY Location) status GROUP BY Location", myConnection);
SqlCommand myCommand = new SqlCommand("" +
"SELECT rid " +
", location " +
", info " +
", SUM(free) as 'free' " +
", SUM(pool) as 'pool' " +
"FROM " +
"( " +
"SELECT usage.rid as rid " +
", usage.Location as location " +
", stu_services.info as info " +
", count(*) as 'free' " +
", 0 as 'pool' " +
"FROM usage " +
"INNER JOIN stu_services " +
"ON usage.rid = stu_services.rid " +
"WHERE InUse='NO' " +
"GROUP BY usage.rid " +
", usage.Location " +
", stu_services.info " +
"UNION " +
"SELECT usage.rid as rid " +
", usage.location as location " +
", stu_services.info as info " +
", 0 as 'free' " +
", count(*) as 'pool' " +
"FROM usage " +
"INNER JOIN stu_services " +
"ON usage.rid = stu_services.rid " +
"GROUP BY usage.rid " +
", usage.Location " +
", stu_services.info " +
") status " +
"GROUP BY rid " +
", location " +
", info ", myConnection);

myReader = myCommand.ExecuteReader();

while (myReader.Read())
{
Room room = new Room();
room.location = myReader["location"].ToString().Trim();
room.free = myReader["free"].ToString();
room.seats = myReader["pool"].ToString();
room.rid = myReader["rid"].ToString().Trim();
room.info = myReader["info"].ToString().Trim();
pcAvailabilty.rooms.Add(room);
}
myReader.Close();
myConnection.Close();
}
catch (Exception ex)
{
Room room = new Room();
room.location = "Sorry, we currently have a problem showing PC availability";
pcAvailabilty.rooms.Add(room);
}

return pcAvailabilty;
}
}
}

[/codesyntax]The webservice returns the following XML

[codesyntax lang="xml" lines="no"]

<?xml version=”1.0″ encoding=”utf-8″ ?>
<rooms xmlns=”http://apis.mmu.ac.uk” xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance” xmlns:xsd=”http://www.w3.org/2001/XMLSchema”>
<last-updated>11:57 on 15 October 2010</last-updated>
<room free=”87″ seats=”149″ location=”MMUBS Drop-in” rid=”a4.000″ info=”4 B&W & colour printers” />
<room free=”43″ seats=”62″ location=”ART Drop-in” rid=”C104″ info=”B&W Colour Printers” />
</rooms>
[/codesyntax]

The format of the XML was first developed at Sheffield University in partnership with oMbiel and implemented the same way at MMU to enable us to use existing CampusM PC availability services

To make sure the data is reasonably accurate a SQL script is run at 3am to set all the PCs to not in use.

To allow our colleagues in ICTS to get a feel for how busy the drop-in computer suites are, a snap shot of the number of free PCs is taken every hour on the half hour and the results stored in the SQL table PCHistory. All the ICTS mangers have a spreadsheet that connects to this table allowing them to follow trends and identify under and over use of Drop-ins

JISC DVLE meeting

The W2C team headed off to Bolton for a meeting with sister projects in the JISC’s Distributed Virtual Learning Environment Programme. The morning provided an opportunity to hear what each project was working on. I failed to do justice to W2C in the 2 minutes allowed, but the slides used for my summary appear below.

I was struck by potential synergies with other projects (for instance Glasgow Met’s interest in communicating marks to Moodle and the OU’s interest in surfacing Moodle content in other places). Plenty to follow up!

Ross, Scott and Wilbert then gave neat summaries of Open Social, Wookie and IMS Basic LTI, and we got the chance to follow up our specific widget questions:

  • W2C: Is it possible to get the authenticated userId and Moodle courseId from the Moodle widget container?
    Scott: Yes
    W2C: Hurray!
  • W2C: Is it possible to devise a mechanism for distributing to widgets configuration data necessary to generate web-service authentication tokens without creating a security hole that could allow one user to read another’s details?
    Scott: the Moodle plug-in running the widget could hold the shared secret used for token generation and configure the widget properties on instantiation
    W2C: is it possible to do something similar for students who download widgets to their mobile?
    Scott: you could run a widget store that allocates a personalised token when the user registers to download the widget
    W2C: …. hmm … that sparks some ideas …

Some Security, Privacy and Authentication Ideas

W2C is developing a suite of web-services that will allow students to gain access to data about them and their studies, such as a personalised timetable, a personalised assignment hand-in schedule and preliminary marks. These web-services will need to be called with a student identifier in order to return data relevant to a particular student.

As a first principle of privacy those web-services should return no more data identifying the person than that already supplied. A personal timetable web-service called with a userID would not, therefore, return the name of the person for whom the timetable was generated.

Our current thinking on these web-services is that they will use an impersonation account that has sufficient privileges to return data on any student id they are called with, so another mechanism is needed to ensure that the call is from a trusted source. A common method of proving that the call is from a trusted source is to use a shared secret, known only by the server and trusted clients, to generate an authentication token which is supplied to prove the web-service call is legitimate. The authentication token is typically a one-way hash so the shared secret is never transferred over the wire. However, the client needs access to the shared secret in order to generate the authentication token.

MMU currently uses the shared secret/token generation approach to allow WebParts in SharePoint to make trusted calls to web-services to access personalised WebCT announcements with pre-authenticated single-sign-on links to a user’s WebCT areas. The shared secret (which is used to generate authentication tokens for any user) is stored in the WebPart’s configuration parameters and is therefore not visible to users.

W2C plans to use widgets running in Moodle to call institutional web-services for details of timetables, hand-ins, reading lists and marks. We understand from Scott’s answer that the Moodle plug-in for running the widgets can perform the same function as the SharePoint WebPart container and distribute the shared secret for the widget to use.

Distributing a shared secret that would work for any user should work well in Moodle as the shared secret would not be visible to users. However, the approach would not work if the widget were to be used outside the Moodle container (for instance on a student’s mobile device) as the shared secret used to generate tokens must be known wherever the widget runs; the transparent nature of the widget code would make it trivial to work out how to call the web-service for a different user. A variation on the approach is therefore needed which issues user-specific shared secrets to widgets so they can generate authentication tokens to make trusted calls to institutional web-services.

If a widget’s configuration parameters can be instantiated by the container on initialisation and the widget container has access to the ID of the user for whom the widget is being initialised, then we have a mechanism for generating these user-specific shared secrets. The approach would be as follows:

  1. Moodle Widget Container is supplied with a secret word (eg “bolton”) known to it and the web-services to be called
  2. Moodle Widget Container receives a request to instantiate a widget for the current user (eg “55500555”)
  3. Moodle Widget Container appends the shared secret to the user id (“5550055bolton”) and performs an MD5 hash to generate a personalised secret word (“6653e1e33cb96c21f19c53ad62330371”) which it makes available in the widget’s configuration preferences
  4. Widget appends the secret word from its configuration preferences to the user ID (“55500556653e1e33cb96c21f19c53ad62330371”) and performs an MD5 hash to generate an authentication token (“8d04021352a1a78ebab989ce5bee77d9”) which it uses to call a web-service to get a list of preliminary marks
    apis.mmu.ac.uk/srs/getMarks?person=55500555&token=8d04021352a1a78ebab989ce5bee77d9
  5. Web-service receives the request, appends the shared secret (“bolton”) to the person parameter (“55500555”) to produce “55500555bolton” and generates an MD5 hash from it (“6653e1e33cb96c21f19c53ad62330371”) which it appends to the user ID and generates a further MD5 hash (“8d04021352a1a78ebab989ce5bee77d9”) which it compares against the supplied token. They match, so the web-service returns the preliminary marks for that user.

So far this approach hasn’t given us anything over the approach we were using before, but if we create a widget store that has a registration mechanism that requires students to supply their userID to download a widget for use on their mobile, then the widget store will ideally pre-configure the widget preferences with the user-specific token for download. User 55500555 will therefore receive a widget pre-configured with userID “55500555” and secret word “6653e1e33cb96c21f19c53ad62330371” that will be used in the javascript to generate the token for calling the getMarks web-service.

OK, so what about the privacy holes that were worrying us before?

  • Someone intercepts the REST call to the web-service and tries to use the token with a different userID (“88800888”), eg getMarks?person=88800888&token=8d04021352a1a78ebab989ce5bee77d9
    Outcome: code for generating the token values in the web-service does an MD5 hash on “8880088bolton” to give “ada366a302275b46ccb34181d5afd4d6” which it appends to the person ID and does a further hash to give “a6ba82a8497026787a5b9ea96f515152” which doesn’t match the supplied token so the request is refused
  • Someone downloads the widget and changes the preferences file to try to access another student’s marks (say 88800888)
    Outcome: the widget appends the token from the preferences file to the supplied user id (“888008886653e1e33cb96c21f19c53ad62330371”) to generate the MD5 hash (“ec662ff5a55b5c8920163c7e3ecda9b5”) which it supplies to the getMarks web-service. The getMarks web-service generates its token value based on “88800888bolton” as above which fails to match the supplied to token so the request is refused

I suspect I need to think about this some more (ideally with your help), but if there isn’t a flaw in the thinking set out above (and *please* use the comments feature to tell me if there is!), and if the Moodle Widget Container can set widget configuration parameters dynamically, and if it is possible to create a widget app store that can customise widget configuration parameters based on user registration, then we might have the basis for a workable approach and it will have been worth getting soaked in Bolton today!

Developing web-services

MMU’s initiative to Enhance Quality and Assessment for Learning (http://www.blogs.mmu.ac.uk/eqal) includes a specific strand to raise “student satisfaction, engagement and success by providing a more seamless and personalised online experience of university activity” (http://www.blogs.mmu.ac.uk/eqal/C47/). This strand provides the project management framework for delivering MMU’s new VLE, extending its SharePoint Portal and developing mobile access to institutional systems. The W2C project will share our experience of adopting a service-oriented approach to the delivery and integration of these system enhancements.

The W2C development team are currently working on a number of REST web-services:

  • getWebCtAreas – to return a personalised RSS 2.0 feed of a user’s VLE areas, with single-sign-on links if called with a suitable security token
  • getWebCtAnnouncements – to return a personalised RSS 2.0 feed of announcements on a user’s VLE areas, with single-sign-on links if called with a suitable security token
  • getFeeStatus – to return a personalised set of “traffic light” indicators of payment status for a student’s tuition, accommodation and other fees if called with a suitable security token
  • getPcAvailability – to return a dynamic list of PC usage in the drop-in computer suites

The list will expand over the coming months, and will be the subject of further blog posts as we share our thoughts about security and data structures.

We expect these web-services to be consumed within:

  • our SharePoint Portal;
  • our new CampusM mobile application; and
  • the widgets we will be building within the W2C project.

We will share our experience of doing so via this blog.

Welcome to W2C: extending the VLE through Widgets, Web- and Cloud-services

MMU has recently (and publicly) reviewed its learning technologies and will be making significant investment in a new integrated VLE and Repository. The W2C project plans to enhance and extend this investment by opening up new development paths and will share with the sector the experience of pursuing them on an institutional scale.

The W2C project will demonstrate in particular the potential of Widgets, institutional Web-services and Cloud-sourced services for delivering an institutional vision of convenient, integrated and extensible learning systems.

MMU has recently (and publicly) reviewed its learning technologies and will be making significant investment in a new integrated VLE and Repository. The W2C project plans to enhance and extend this investment by opening up new development paths and will share with the sector the experience of pursuing them on an institutional scale.

The W2C project will demonstrate in particular the potential of Widgets, institutional Web-services and Cloud-sourced services for delivering an institutional vision of convenient, integrated and extensible learning systems.

It will do this by:

  • sharing as widely as possible our vision for learning systems, our scenarios and threshold user expectations that emphasise convenience, integration, personalisation and extensibility
  • sharing the business rationale for our recent decision to adopt a “core plus” model for our learning systems in which a core VLE and Repository is extended through widgets, web-services and cloud-sourced services
  • mapping the processes in which institutional data necessary for delivering key user requirements are created and maintained (using standards such as BPMN), suggesting change where necessary to maximise opportunities for interoperability and data re-use
  • developing, to open standards where possible, web-services for institutional systems that hold definitive data required to meet user requirements
  • developing or downloading open source widgets to consume our web-services
  • deploying the widgets and selected cloud-sourced services into our VLE
  • evaluating student and staff experience of using the widgets and cloud-sourced services in the VLE and on personal devices
  • evaluating teaching and administrative staff experience of working with usage data available from institutional systems and cloud-sourced services
  • summarising lessons learned from the widget/web-services/cloud-sourced services approach for delivering convenient, integrated, personalised and extensible learning systems
  • critiquing the value of the CETIS DLE model for explaining our approach and the e-Framework for guiding our web-services design
  • blogging project progress and encouraging feedback on our dynamic case study via blog comments and twitter (hashtag = #MMUW2C or follow @mmuw2c on Follow mmuw2c on Twitter)

We expect this activity to:

  • enhance the capability of our VLE to meet existing and emerging user requirements
  • enhance user satisfaction of our learning systems
  • heighten awareness about patterns of student engagement and success
  • facilitate discovery of learning resources that others have found useful
  • accelerate development of a community of practice for educational widgets
  • improve, by providing practice-informed feedback, key sources of information available to others in the sector contemplating similar endeavours.

The W2C project is funded by the JISC’s E-Learning Programme, under Strand B of the 03/10 Distributed Virtual Learning Environments call. It started on July 1, 2010 and will complete by December 2012. Further posts will provide more detailed information on timing of the deliverables listed above. Please check back regularly for details of project progress.