Professional Documents
Culture Documents
SAP UI5
Bogdan MIHAI
Research Scientist, Performance and Insight Optimization
September 30th, October 2nd, 4th, 9th and 11th 2013 Internal
Web Programming using SAP UI5
From zero to hero in just 5 days
Bogdan MIHAI (bogdan-eugen.mihai@sap.com)
Performance and Insight Optimization
September 30th, October 2nd, 4th, 9th and 11th 2013
Agenda – part 1
Dual Combination Dual Column Dual Stacked Column Dual Stacked Column
(%)
5. Set the model on the dataset (same model that is set for the OData Table)
6. Instantiate a CVOM Donut Chart and set the dataset
• sap.viz.core.FlattenedDataset
http://veui5infra.dhcp.wdf.sap.corp:8080/snippix/snippets/43762
Most libraries require a starting // create the HTML control which will be a placeholder
var oHTML = new sap.ui.core.HTML({
point or a placeholder
id: "pieContainer“,
content: "<div id=pieContainer'
This HTML element can be style=\"height:500px;width: 500px\"></div>"
provided by using the UI5 HTML });
control //starts rendering when the placeholder is rendered
oHTML.attachAfterRendering(
5. Instantiate an HTML control as a placeholder for the chart with a div element as content
and a specific id (“flotContainer”)
• new sap.ui.core.HTML
© 2013 SAP AG. All rights reserved. Internal 18
Exercise 22 – jQuery flot / Part 2
6. Specify a CSS height and width for the div element within the <style> tags
7. Use the AfterRendering event to call the flot chart method
• chartHtml.attachAfterRendering(…)
9. Set the stack property for the series to true and show the bars with a width of 0.6
http://veui5infra.dhcp.wdf.sap.corp:8080/snippix/snippets/44852
OR OR
= =
button {
color: @sapUiTextColor; /* text color can be referenced multiple times*/
[...]
}
h2 {
color: @sapUiTextColor; /* text color can be referenced multiple times*/
[...]
}
jQuery.sap.require("sap.ui.core.theming.Parameters");
In some cases one needs to adjust only small parts of the theme. There are
two options to style specific elements:
1. One can add <style> or <link> tags in the HTML <head> tag to include new
styles
• These styles are always processed after the UI5 CSS from the themes
• As the last processed CSS wins in case of multiple same CSS rules, the custom CSS always
overwrites the standard UI5 CSS
• The parts to be overwritten can be determined using tools like Firebug in Firefox (or press F12 in all
other browsers)
• It is also important to know that the id given to a control is also the id that the topmost HTML element of
this control gets. Thus, this id can be used as a reference in CSS
• The CSS precedence rules may sometimes lead to the impression that UI5 CSS cannot be overridden.
It needs to be understood that the more specific selector wins.
USE THESE METHODS WITH CAUTION – MIGHT PRODUCE UNWANTED RESULTS WITH
FUTURE SAPUI5 THEME UPDATES!
© 2013 SAP AG. All rights reserved. Internal 27
4. Styling and Theming – Adjusting Styles
Example of custom
CSS via <style> tag
Example of
addStyleClass method
id of the button
Alternative solution:
http://veui5infra.dhcp.wdf.sap.corp:8080/snippix/snippets/37045
Blue Crystal Gold Reflection Mobile Visual Identity High Contrast Black
Demo-Link for Blue Demo-Link for Gold Demo-Link for Mobile Demo-Link for High
Crystal Reflection Visual Identity Contrast Black
Use webkit browser ( switch to “Light Shell” Use webkit browser
such as Google Chrome under: Home > Options such as Google Chrome
to view > Design ) to view
© 2013 SAP AG. All rights reserved. Internal 32
4. Styling and Theming – Theme Designer
1. 2.
3. 4. 5.
Steps in Theme Designer
© 2013 SAP AG. All rights reserved. Internal 35
4. Styling and Theming – Theme Designer
1.
2.
Get the resource bundle for a given language (if no locale is given, English is loaded
by default)
jQuery.sap.require("jquery.sap.resources");
var oBundle = jQuery.sap.resources({url : sUrl, locale: sLocale});
shell.view.js
With the ResourceModel, there is a wrapper for resource bundles that exposes the
localized texts as a model for data binding.
Example:
var oModel = new sap.ui.model.resource.ResourceModel({
bundleUrl: "myBundle.properties", // will use myBundle_en.properties
bundleLocale: "en“ // optional, default is current language, so better omit it
});
var oControl = new sap.ui.commons.Button({
id : "myButton",
text : "{i18n>MY_BUTTON_TEXT}“ // this points to a named model
});
// attach the resource model with the symbolic name "i18n"
sap.ui.getCore().setModel(oModel, "i18n");
2. Create a
• new sap.ui.model.resource.ResourceModel
with
• bundleUrl: "i18n/i18n.properties"
(the current language is automatically used)
4. Now use data binding to bind the translated text to the Button in the XMLView
5. Binding expression is: "{i18n>MSG_HELLO_WORLD}"
xml.view.xml
xml.controller.js
It can aggregate other Controls. This means it is a sort of container or layout Control when
the application can add the child controls to use - or a composite Control if the Control itself
decides what the child Controls are and just re-uses these available components.
It can also have associated Controls that are not part or children of this Control, but rather
loosely related.
A Control can fire well-defined events. Typically, these have a meaning that relates to the
Control's purpose and functionality and is on a semantically higher level than "click" or other
browser events. Examples would be triggerSearch in a SearchField or collapse in a Panel.
There are two approaches to develop UI5 Controls, either with tool support,
or just as part of a plain JS file. This section deals with creating custom
controls in JavaScript with the extend method.
Since an IDE is not needed to create new controls with the extend method
these controls have been named "Notepad Controls".
The extend() method is available on all Controls (and the base classes)
and is used to define a new subclass.
Creating a new control:
• sap.ui.core.Control.extend(sName, oDefinition);
Creating a new Control which inherits from Button:
• sap.ui.commons.Button.extend(sName, oDefinition);
The parameters to this function are the name and the definition of the new control
type. The definition part contains information about the control API, which
properties, aggregations, events, etc. the control has and the implementation of the
control methods.
Some methods such as the getters and setters for the properties and aggregations
or the methods for attaching/detaching event handlers are automatically created by
UI5.
The definition object for a custom control may contain metadata, public and private
methods, event handler and the renderer.
http://veui5infra.dhcp.wdf.sap.corp:8080/snippix/snippets/3357
© 2013 SAP AG. All rights reserved. Internal 49
Control Metadata
The metadata in the control definition consists of objects for the control
properties, events and aggregations.
Properties Example
After the metadata is defined, you can add any method implementations to your
new Control. The method names can be chosen freely, some method names must
be avoided though:
• Names of methods that are provided by a super class.
• Methods starting with set, get, insert, add, remove or indexOf may collide with
setters/getters for properties or aggregations you defined.
• Methods starting with attach, detach or fire may collide with methods created for
events.
There are some method names you may use but which have a special meaning:
• on...: Methods starting with "on" are event handlers that are automatically bound to
browser events.
• init: Is the name of the initialization function called right after Control instantiation.
• renderer: The name of the function that creates the HTML for the control.
init Method
The init() method is invoked by the UI5 core for each control instance right after
the constructor. Use this to set up things like internal variables or sub-controls of a
composite. This method is considered private and only to be called by the UI5 core.
onAfterRendering Method
The onAfterRendering() method is invoked after the controller's View is
re-rendered.
http://veui5infra.dhcp.wdf.sap.corp:8080/snippix/snippets/64805
© 2013 SAP AG. All rights reserved. Internal 56
Example with Charts
http://veui5infra.dhcp.wdf.sap.corp:8080/snippix/snippets/42676
© 2013 SAP AG. All rights reserved. Internal 57
Exercise – Notepad Controls
1. Open the SAPUI5 Developer Studio and go to the file „musicstore.view.js“ in the „training“
folder
3. Add a new column to the table and instantiate the new „Audioplayer“ control as row content:
oTable.addColumn(new sap.ui.table.Column({
label : new sap.ui.commons.Label({
text : "Listen"
}),
template : new AudioPlayer("audioPlayer",{
src : "{previewUrl}"
})
}));
4. Open the index.html in browser that can interpret the <audio> tag
(Chrome 6 and newer, Firefox 3.6 and newer, Safari 5.0 and newer, IE 9 and newer)
Additional Information
Security - http://sdn.sap.com/irj/sdn/security
Security Guides - http://service.sap.com/securityguide
Related SAP Notes - http://service.sap.com/notes http://service.sap.com/securitynotes
Released Platforms - http://service.sap.com/pam
Network Security - http://service.sap.com/securityguide
SAP Solution Manager - http://service.sap.com/solutionmanager
SAP NetWeaver - http://sdn.sap.com/irj/sdn/netweaver
This includes usage of proper authentication, authorization and encryption (e.g. SSO and
usage of https), as well properly securing and logging access to person-related data.
For more information regarding data protection and privacy, please see the security guide of
your server side framework.
The most prominent security issue of web applications within the last years and also the musts dangerous
one.
Once malicious code is running within your browser, it can be used to steal your session cookies, to
trigger requests within the current session, or even to exploit a known browser vulnerability to do native
code execution.
– Within the JavaScript Code of the application, which is processing server responses
– Within the JavaScript Code of the application, which is processing server responses
SAPUI5 can only prevent cross site scripting in the processing and rendering of controls. For that purpose
there is input validation on all typed Element properties and output encoding done in the renderer class of
Controls
– There are exceptions to this, for controls which are especially built to include arbitrary HTML (like sap.ui.core.HTML).
Application is responsible for proper output encoding of all content embedded into the HTML page itself,
as well as for encoding of JSON or XML data sent to the client and secure processing of this data.
– Access to this data is limited to JavaScript code running from the same domain as it has been stored.
– SAPUI5 offers helper functions to access the local storage on different browsers.
– By default SAPUI5 is not using the local storage, but it can be enabled for the history-capabilities.
WebGL
– WEBGL allows accessing the graphics API of the computer on a very low level, which may lead to low
level exploits.
– This is the main reason Internet Explorer has no support for WebGL at all, Microsoft recently stated,
that they are not going to support WebGL as they think it can not be implemented in a secure way.
WebSockets
– WebSockets offer great new possibilities for the client/server communication of web applications
– There have been many security issues rising while the first implementations were done by the browser
vendors
– As soon you are subscribing to the onMessage event, you can receive messages from any other
browser window.
The best security on the client and server doesn't help, if the data transport between client and server can
be read, intercepted or even modified by an attacker.
– HTTP communication is stateless and unencrypted
Encryption
– Sending the HTTP protocol over a SSL secured connection is not only standardized, but also required for SAP
applications.
– SAPUI5 fully supports usage of HTTPS, but there are some restrictions regarding the CDN version of SAPUI5 when
HTTPS is used.
o It is recommended to enable or at least to test SSL connections in an early stage of application development, as
usually switching to HTTPS causing some issues
Session Security
– Even if the data transport is secured using SSL, there are possibilities to hijack such a secure connection and sending
malicious requests from the client (Cross site request forgery - XSFR, and session fixation)
o SAPUI5 does only provide XSRF prevention for the data which is sent to the server by SAPUI5.
o This only happens in the OData Model, where a XSRF token is read from the server and used for subsequent write
requests.
o Application is responsible for using XSRF header or other mechanisms to prevent XSRF attacks
© 2013 SAP AG. All rights reserved. Internal 69
Input Validation
• Application point of view: Input validation of user input, must be done on the
server, optional on the client, can be achieved using two way data binding and
model types
• oInput.bindValue("/path", new sap.ui.model.type.Float())
Ensures only a Float value can be entered, otherwise a ParseError will be thrown
• oInput.bindValue("/path", new sap.ui.model.type.String({}, {maxLength: 20}))
• All data sent from the server must be properly output encoded according to the
context they are contained in
• When developing custom controls, the following two methods should be used
within the control renderer for HTML encoding:
• RenderManager.writeEscaped(sString)
Encodes the given string and writes it to the HTML output as content
• RenderManager.writeAttributeEscaped(sString, sString)
Encodes the given string and writes it to the HTML output as an attribute
• jQuery.sap.encodeCSS / encodeHTML / encodeJS / encodeURL / encodeXML
Encode the string for inclusion into CSS string / HTML Content / JS String / URL Parameter /
XML content literals or identifiers
If Modules are configured, our server side component instructs the browser to use a
ModifiedSince approach for detecting resource changes. This allows caching of the
content, but still requires the same number of requests as the unlaced mode
Modularization and Caching together form our development mode: you can modify
a small file and – ideally – the browser has to reload only that module. We do not
only use this internally for development, but also for our central installations. So
whenever we update our central installation (usually several times a day), the
browser should detect changes and reload the files.
Minimization means that unnecessary characters like whitespace, line breaks and
comments are removed from the source code. This considerably reduces the file
size.
During nightly build, we produce optimized versions of our libraries. These include
minimized versions of our JavaScript files, the CSS files are not minimized.
So instead of installing
sapui5.war, one can install sapui5-opt.war.
sapui5-light.zip, one can install sapui5-opt-light.zip
The ‘opt’ version currently can be found in the Nexus repository only, it is not
deployed to our central VMWare machines.
“opt” additionally contains the non-minimized debug version of all files. In the Ctrl-
Alt-Shift-P Dialog you can toggle the debug mode.
sap-ui-core.js
• loads library.js file for each used library.
• loads control behavior and rendering
files when control is instantiated.
only needed code is loaded
many requests
In
the „opt“ mode, both advantages are
combined: one request per library, but
every module/control is only parsed
when required (with sap-ui-core.js) sap-ui-core-all.js: 18 requests, 1,54 MB, 439ms
http://veui5infra.dhcp.wdf.sap.corp:8080/sapui5-internal/download/
With some configuration either in the web.xml or the server configuration, our
resource handler can be configured to use a different caching strategy (e.g. time-to-
life). This avoids the ModifiedSince requests.
When one doesn’t want to use the ModifiedSince requests, but still wants the
convenience of up-to-date checks, it is best practice to include some version-
specific into the requests URLs (cache buster). Our resource handler provides such
a unique id and also provides a way to automatically convert a static URL request
into a request with that ID.
Contact information:
Bogdan MIHAI
Research Scientist, Performance and Insight Optimization
bogdan-eugen.mihai@sap.com
+40 745 394 340