I have a custom salesfoce webservice, but to access that webservice we need to login from salesforce enterprise wsdl. but i dont want to add that wsdl file. Is there any way to add login function on custom webservice or login with out that wsdl webservice???
Yes, see SOAP request to APEX webservice without requiring authentication.
go into the site detail page in setup, click Public Access Settings,
and then add the Apex Class there. This is effectively granting your
anonymous running user account (guest license) the ability to directly
access this class.
There are more detailed instructions at Public Web Services via Apex and Force.com Sites.
Note that your data exposed via this web service will no longer be secure.
As you mention, you need to authenticate, the login method is not included in the custom apex WSDL, you have lots of choices, depending on exactly what sort of app you're building.
Add either the enterprise or partner WSDL to your app and call login from there.
Use an interactive OAuth flow which will result in you getting an access token & instance Url, which you can then use with the apex WSDL.
Use a programamtic OAuth flow (username/password), again resulting in an access token * instance Url which you can then use with the apex WSDL.
if you have a web based app, you can create a custom link/tab in salesforce to pass you an existing serverUrl/sessionId info.
For the OAuth flows, you would pass the received access token in your apex requests as the sessionId (just like if you got it from login), and you would combine the host name from the instance URL with the path from the apex WSDL to set the endpoint URL of your stub.
Related
I have a logic app which triggers my HTTP endpoint every 15 minutes. Then the endpoint connects to SharePoint using Rest API and gets the data from specific list which is then added to my db.
But to get the data from SharePoint, i need access token. Do i need to write logic to get access token in the endpoint itself? or is there any to pass access token from my logic app while triggering my endpoint ?
As first answer. Yes, implement logic to get access token in HTTP Endpoint using SharePoint Online REST API.
Through such guides may be 1, 2, 3, 4. I think not exists any ways to pass access token from Azure logic app to your endpoint.
As second answer I can suggest to use SharePoint CSOM object model. To using it just install SharePoint Online Client Components SDK on computer where is your HTTP endpoint located and add Microsoft.SharePoint.Client.dll Microsoft.SharePoint.Client.Runtime.dll libraries as references. There exists good SharepointOnlineCredentials class to give credentials to requests.
Or other ways - you can re-architecture your solution:
Azure Logic Apps if I understood correctly must ask you to set connection to SharePoint by out-of-box features. See this article. I think you can get list items from SharePoint by actions in Azure Logic App and pass data to your HTTP endpoint without any additional access token requests just as method arguments.
If you have access to HTTP Endpoint from SharePoint then you can send data from SharePoint to your endpoint directly, not from Azure logic apps. You can do it from list items form pages, from site workflows or may be some Flow templates.
If you don't have access to HTTP Endpoint from SharePoint then you can create Azure hosted web service and call its methods from SharePoint by any ways. This web service will pass data to your HTTP endpoint as method arguments without any additional authentication. Web service call will be done from JavaScript on list item form save, from SharePoint workflow. May be here to get access token to this Azure web service will be easier then from your HTTP Endpoint to SP.
Are you using Azure SQL Database ? If yes then create connection between SharePoint Online and Azure SQL Database through Business Connectivity Services BCS. Like here or here or here. This allow user get, create, update items in your database inline in SharePoint list by out-of-box features.
Create periodically running code (Console App, PowerShell script, Windows Service). Schedule it on some server in your company. That code will use CSOM SharePoint object model and connect to SharePoint more easier through SharepointOnlineCredentials class, get data and connect to your HTTP Endpoint directly or to your database.
If your database is MS SQL Server located on-premise then you can use this guide to create Business Connectivity Services content types between SharePoint Online and on-premise SQL Server.
You can go some extravagant ways: =)
SharePoint by some ways can send emails with data from list items to some inbox and your HTTP endpoint can get these emails, parse data and perform following steps.
May be you can create Sql Server Integration Service (SSIS) package on some company local MS SQL Server that will send data from SharePoint on periodically basis to your database directly or to your HTTP endpoint directly.
Other ways...
"But to get the data from SharePoint, i need access token. Do i need to write logic to get access token in the endpoint itself?"
Correct, you do need a bearer access token. Where are you hosting the code for your HTTP endpoint? If you can put it in Azure as a Function or web API, then you can implement app-only permissions which will give you the necessary access token.
There are 2 options for doing so:
Granting access via Azure AD App-Only
Granting access using SharePoint App-Only
The first one is a bit more involved, because it requires a client secret AND a self-signed security certificate, but it will allow you permissions to any O365 API. The 2nd one is simpler and will only require the app/client ID and secret, but only allows permissions to the SharePoint Rest API.
The MSDN documentation linked above uses a PowerShell script to generate the security cert, but I prefer Bob German's instructions for manually creating/exporting one. He also includes instructions for registering an Azure AD application for your Azure function in his tutorial.
I have various RESTful Web Servicesin App Engine, which are secured Google Account authentication:
<security-constraint>
<web-resource-collection>
<web-resource-name>Authentication required</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
Upon hitting these Web Services via a browser client, I'm redirected to the Google Accounts login screen where I authenticate myself first before proceeding with the REST call.
However I now need to run these web service via a command line scripts as part of automated IC run. Therefore I do not want to be prompted for a browser login every time. Preferably I would like to put the Google username and password in a encrypted file on the IC server and let it call the Web Services without any human intervention. As far as I can see there are several options:
manually logging in via the browser and then saving the access token to be used in the command line script. However when the token expire I would have issues.
obtain a access token via Service Account p12 authentication. This seems to only work for accessing Google APIs such as BigQuery and Cloud Storage, not your own code.
wrap my Web Service within a Remote API which I have yet to experiment with.
Based on my current understanding, it seems there is no way for a Google Account authenticated custom written Web Service to be accessed by a non-human user. Is this correct?
Since you are interested in interacting with RESTful web-services programmatically (without human intervention), we are essentially talking about securing a REST API.
There is a plethora of resources on this matter throughout the internet but the gist of it is:
you should use SSL and sessions or OAuth to secure your endpoints.
Depending on how far you are in the current project, you could consider making use of Cloud Endpoints, there you'll have the option to use OAuth2 (and have DDoS protection), as well.
Hope this helps.
I managed to get this to work in the end by:
Switching off the web.xml security-constraint so that the API doesn't redirect to Google Login.
Modifying my API to take in a Oauth2 token in the Authorization header instead.
Validating the token based on the code sample here: https://github.com/googleplus/gplus-verifytoken-java
I didn't go with Cloud Endpoints, but Jersey + Dropwizard components instead. Dropwizard has built in Oauth2Provider which I simply implemented a Authenticator class and it works.
I have a webapp which has jsps. am not using any struts or mvc framework. We have JAX-RS service build using Apache CXF.
Now i want to do following
Allow user to login with username and password.
For all subsequent calls to webservice, same authentication info should be used.
Logged in user has some details (profile photo, full name), which i want to keep it constant across session.
Also, its role are defined. Based on role(s) only certain jax-rs calls will be allowed.
Roles are also used in JSP to restrict access to functionality.
Web services can be accessed outside so authentication and authorization info should be used.
As far as i understand, We should not use session in jax-rs services. What is the best way to handle above situation ?
The best way depends on how you estimate it.
My way of doing this is to
Run Rest service and JSP on the same instance
Use web.xml and CXF to set up security policy, which allows user/pw authentication and authorization, ROLES binded to both jax-rs urls and JSP urls.
Based on 2, jax-rs services can be called directly outside, but user/pw is required as you specified.
Hope this can help you a bit.
Think cxf security validation as any other http or https validation. you have to intercept the request and pass it to the rest service. You can use any of the tools like siteminder, else can write CXF interceptor to do your own security validation. In the interceptor you can call SSO kind of token generator server in case you have the infrastucture or call the DB if your architecture is built that way. You can use caching to reduce the resource hits and can look at custom or hibernate cache. enabling Https has to be done in server configuration. If you have certificate , you can use the same else you can generate your own using openssl.
I have the following scenario:
I have an application (html files + javascripts hosted in a webserver)
There is a SOAP web service that we need to develop.
Web service will be called from java script (AJAX calls).
User will access the application in intranet scenario. Users are validated against active drectory.
Requirement states that user need to be logging in using logged in users network credentials. There should not be a login screen shown to user.
Web service interfaces need to be invoked with logged in users credentials. A login inteface of web service specifically needs to be called as first call.
I have a specific question on how to pass user credential to web service.
I am planning to configure Integrated windows authentication (NTLM) for web application to avoid login screen.
However I do not know a way to capture and send user id and password to login interface of web service.
Most of the questions and answers around this topic has been for microsoft technlogies. Any specific ideas?
Further research and several blog posts pointed me to Kerberos authentication and a single sign on framework. With NTLM i cannot delegate credentials to web service. However with Kerberos i can. I will be using SPNEGO and delegate the credentials after authentication. Please refer to below link for further details.
http://spnego.sourceforge.net/
everyone.
I have a problem securing my REST web service. It's part of Java EE web application. To secure the pages I used login-config tag and set up "FORM" authentication. Now I don't know how to secure web services, because "FORM" is not appropriate for it and I can't have two login-config tags for app. I considered splitting into 2 apps, but don't think it's a good idea. Any suggestions?
This has info on how to create secured web services using NetBeans: http://netbeans.org/kb/docs/websvc/wsit.html
Many web service providers use an api key to authenticate access to the service. You may want to consider doing something similar for your service.
It is pretty common for the REST API to have a separate subpath - that way you can specify the auth constraint just to the URL's specific to your application and for the URI's corresponding to your REST API implement authentication using jersey OAuth filter or something else.
In case your app is all written in Jersey and you would like to expose exactly the same URI's for REST clients as well as browser (and differentiate just based on the requested media type), you can have a "login" URL (for displaying a login page) and only that you could protect using FORM authentication. Then again you would add Jersey OAuth filter (or other auth filter) which would not kick in unless there is OAuth header in the request, and another filter where you would check if ContainerRequest.getUserPrincipal() is null. If it is null, you could return Response.seeOther(UriBuilder.fromPath("/login").queryParam("redirect", request.getAbsolutePath()).build()).build() - that will redirect to the login (for oauth this would not kick in, since either the oauth request would succeed, or the previous filter would fail and return Unauthorized or Bad Request status codes). In the login resource you can use the redirect query parameter to redirect back to the original page once successfully logged in.