I am working on a salesforce feature, where we are trying to expose a single web Service method in a custom class to a "Partner" so they can generate leads.
The class/method has been created/tested and functions as expects, so we are working on implementation.
I have been poring over all of Salesforce's Web Service documentation and cookbook recipes, but everything I see only talks about using either the Enterprise or Partner WSDL files, which would give them more access then I believe should be required.
If I import the WSDL file that is generated off the class itself, I have access to the methods, but I can't seem to find any way to log in (using their examples as reference).
I have 2 basic questions here.
Do I really need to give full access to my instance to expose a single method?
What is the bare minimum I need to provide?
The WSDL itself is just a definition of the web service and does not control actual access to your org. To get access to your org, a session id must be included in each request to the web service. Session ids are tied to a given user in your org, so you can also control what they can access by giving them their own profile and locking down access to only what they need to get to. The profiles are associated with objects/fields, not the web services themselves, think about what they will need to access in terms of data, because they could always use that same session to access other web services. There are also Apex class-level access controls on the profile, but this doesn't stop them from doing the same data operations through the SOAP APIs, so make sure you have their profile only expose what they need access to and that will be enforced everywhere.
As far as obtaining the session id, it somewhat depends on how you are interfacing with them and what their application is like. In general, the recommended way is to use OAuth (called "Remote Access" in Salesforce Help), which will make it so usernames and passwords don't have to be used in their application, but are rather sent directly to Salesforce by the end user. There are a few different flows to choose from depending on the app and are explained in Help. The REST API doc has a nice intro to using OAuht to get the session id (aka "token" in OAuth). Speaking of REST, you might even consider using the new Apex REST API, which allows you to make similar custom web services from Apex, but with REST interfaces.
The Partner and Enterprise APIs also have a login() method, which is convenient since it is also SOAP-based, but is losing favor because the app has to directly handle the username and password. If you do this option, you would login with either the Partner and Enterprise API, get the session id, and then switch over to your custom web service. So, yes, for this option you would have to consume both your WSDL and either the Partner or Enterprise WSDL, and just ignore the other methods, but again, the methods just being there does not mean they can access them (e.g. if you remove Delete from their profile for a given object type, they would not be able to use the delete() method for it).
What you provide, and what they can do are 2 separate things, if you give them a users credentials, then they can do anything the user can do regardless of which WSDL they use. So you'll want to create a user with restricted permissions that has the bare minimum rights to do what you want.
Once you've got that, it doesn't matter if you give them the enterprise, partner or a custom WSDL.
If you give them the apex class WSDL, then they'll need some way to login, which could be login from the partner WSDL, one of the OAuth2 flows, or a webtab or custom link. (depending on the exact scenario).
Finally, have you seen the web2lead feature, that allows for leads to be created in your salesforce account without needing a WSDL or credentials.
Related
I am working on a cross platform app that will be created using C++-> mobile devices, and using Perl-> Desktop PCs (like Windows /Linux/Mac OS).
Now, since the app will be downloadable, I have concerns regarding the ability of hackers to obtain the source code of my app.
Specifically, the app will connect to my central database-- at the minimum, I want that hackers are not able to obtain my database connection details. Ideally, I would want no part of the code to be hacked.
Basically, the user can update some of his information using this app-- if hackers get hold of this data they can easily change any unfortunate user's data. One thing that I have thought of is that the user will have to initially authenticate with OAuth/OAuth2 ( using his email ID #yahoo/#hotmail/#gmail)-- and only after that the app will actually show the admin interface. But at any rate, at some point the app will connect to the central database-- which is why I dont want the database's access details to be compromised.
Many organisations make such apps, so they must be facing this type of problem themself? I would like to know how I can protect my app (ideally entire code), and atleast the db credentials.
The simple answer is you do not expose your database. Ever.
Add a service layer (could be HTTP-based but doesn't have to be) on top that will deal with authentication and authorisation. Your app then logs in using the user's credentials and acts on their behalf. Your service layer exposes an API which your application talks to, but your service makes and controls all calls to the DB.
You already mention OAuth - that's a perfectly acceptable way of adding authentication to such an API.
You cannot.
On the bright side you can put security on your server. The connecting client provides credentials that they are a given user. The server generates the SQL command after proving the request is allowed. Backers can do anything your app can do, but your app becomes incapable of behaving badly to your database.
The previous answers are absolutely correct. You want a server based service layer that provides the authentication/authorization code and interacts with the database. However, it isn't always a perfect world and if you are stuck with the requirement that these applications must act as a database client you want to limit the exposure as much as possible. Typically this is done by having the client use a specific account which has not been granted any access to the general database. You then create specific stored procedures that can only do the operations and queries that are required of the application. This prevents anyone finding the credentials in the code from doing anything in the database that isn't intended, but you still have the problem that anyone can impersonate someone else by reviewing the code. There isn't a way to prevent that without a server side component. This might be okay for a closed/trusted group of users, but I wouldn't release anything to the general public with this method.
If you can do it, use OAuth2 and allow a trusted third party handle authentication. Twitter, Facebook and GitHub are all relatively paranoid about security; and the other poster is correct: never expose direct db access as part of the app the user has access to; put it behind a service of its own.
Good luck! :)
I'm working on an app and websites. They have related information such as users, contracts, etc. What is the reason for designing an API and not connecting directly to the database?
Edit:
I'm just starting development and have no experience with web services. Please be as thorough as possible.
Sites such as Facebook, Google, and Twitter could never let third party apps connect directly to their database: it's an enormous security risk. (Would you be comfortable if Facebook allowed anyone to access their database, including private user information and messages?)
APIs serve as a gate through which third party apps can get the kinds of information they are permitted to access.
There are several reasons why you would use an API instead of using direct access.
The first 2 that come to mind:
Using an API allows you to write the client code without knowing any details of the specific implementation, so if you change your database structure or location for instance, you need only rewrite the API wrapper code, not everywhere its referenced.
It allows you to have different levels of authentication. As mentioned in another answer, it is not ideal for all users of an application to have access to every other users data.
I need to develop/design Coldfusion Web Service which uses few object calls and functions.
What is good source of samples to develop in terms of OOP?
What is best way to secure the web service?
how to authenticate external/internal users, any sample?
FYI, This web service is going to be used by multiple department.
thanks
A
OOP examples are all over the web. I don't have any handy, so I'll skip that part, and go straight to authentication and security.
First, authentication. There are several possible answers depending on what kind of users you are authenticating. For example, if you are authenticating users connnecting via a 3rd parth tool -- like a desktop or phone app posting to Twitter -- I would say that OAuth is a good solution. There is a good library for both publishing and consuming OAuth integrations at oauth.riaforge.com. If you are looking for someting lighter weight, we used a simple token creation scheme for a webservice that was only consumed by partner services. Basically, the partner service sends what amounts to a username and password pair, a token is created with a "last used" timestamp, and every time the webservice interacts after that, we do a check against the token store.
Security is, similarly, very dependent on your end goals. However, there are a few basic principles I've always tried to follow. First, build your basic CFCs as you normally would for constructing your objects. Entry points should be public, helper functions private, etc. This includes building an object to handle whatever authntication model you choose. On top of that, build your public API. These should all simply be access functions. They are called by outside applications, call the security object, then call the appropriate objects and methods to achieve the goal of the call. This way, you never have to bake the security layer into your base functionality calls, but you also have an easy way to include security. Remember, a single API call does not have to reflect a single base call -- you can build more complex routines if needed.
So, to recap.
Authentication
OAuth
Temporary Token Generation
Security
private/public (not remote) base layer
private/public (not remote) authentication layer
remote API layer
Several web service APIs have you sign up for an API key. For example, UPS Web services requires a key, which is included in calls to their service -- In addition to the username and password.
What is this key used for by the provider? Perhaps UPS is the only one to require both API key and username/password?
One idea is that they use it to limit or measure API usage, but it seems to me that a setting in the users profile could easily do the same thing -- especially since you generally have to get an account w/ username and password to get the API in the first place.
There are two predominant use cases. The first is to measure, track and restrict API usage. If someone is building a service that allows third parties to access it, the service provider may want to control (or at least know) who has access so that they can try and prevent things like denial of service attacks. On the measure and track side, interesting information can be obtained such as knowing which applications are popular for accessing the service or which features people use the most.
The other use case is related to security and authentication. It is unwise for a service provider to have third party applications and services require users to give up their username and password for the primary service. This is a huge exposure. That is why many services are standardizing on protocols such as OAuth, which provides delegated access via authorization to a user's data. While not foolproof, it is definitely preferable to distributing user credentials to unknown, and untrusted, parties.
Most of the time it is to monitor how developers are using the web-api. If they somehow disagree with your usage of the api it provides a means for them to shut it/you down without hurting the other users. And the statistics per user/app are always valuable.
I've used the flickr api - in that situation the key is yours, but the login data might be those of people using your app, so the api key is the only way to differentiate between the apps.
Usually it used to get stats on how much application performing queries to API.
I think asking username/password with API key is ambigious in some cases, but it is a way how it is implemented - so we can't do something with it.
They ask for API key because you could have more than one API under same account - in case you have more than one site which are use same API.
They could use it to signify which version of the API you are trying to use. Perhaps in Version 1.0, there is a method that takes a POST on www.UPS.com/search and there is another one in version 2.0 at the same address, but takes a different parameter set, or even returns data in a different format/style. Your program was built on V1.0 and expects a certain API contract. They want to be able to create V2.0 without interfering with their customer's products.
That's just a guess, but it sounds good to me.
I think Gracenote does a similar thing for cddb. I forget the details, but I remember something about some token.
(They have/had really draconian rules about using their service too.)
Simon reminded me what the gracenote thing was. Gracenote and Fedex and other webservices have lots of developers writing apps for the software. So the developers get a token to put into their apps, but the end users have their own user name and password. It lets the services keep an eye on abusing programs, etc. That is probably te primary reason. (like a browser or a webbot informing the webserver who/what it is)
Originally, Blogger required you to apply for an API key (a la Google Maps) and used it to restrict access to the API. As Blogger evolved into Metaweblog, the requirement for the API became less important, and Blogger no longer requires you to apply for a key. As noted by others, it can still be used for tracking purposes.
In our situation, our clients want it for:
Tracking/analytics - figuring out who's doing what and building what products. Because a number of users are desktop apps, just looking at referrers isn't always enough.
Permissions - which resources should a user have access to? How can a user build apps that have access to specified resources?
Licensing/legal - enforcing that users have read and accepted ToU/licensing information.
Security - passing around usernames/passwords is a really bad idea.
We don't exactly comply with the XML-RPC spec, but the concepts are nearly identical. A client comes in over HTTP/HTTPS with an XML payload. We respond with an XML payload answering the request. This is primarily machine to machine, so no human to type a username/password. Our construct runs within apache tomcat. We would like to authenticate the request and since not every service is available to every client, we need to authorize the request as well. We have both subscription and per use charging models so it is necessary to log everything.
What would you recommend for both server and client?
HTTP BASIC/DIGEST works fine for most machine to machine tasks, and it handled by the server so your API is unaffected.
It doesn't work as well for interactive uses because it's difficult to "log out" the user without closing the browser.
Otherwise you'll most likely need to alter your APIs to include authentication information and have your methods authenticate that within your code.
Or you could use the classic "login", set a cookie, keep a session technique.
But, frankly, for machine to machine work, HTTP BASIC is the easiest.
edit, regarding comments.
HTTP BASIC is simply a protocol used to present the artifacts necessary for authentication, and it works well for machine to machine web services.
HOW IT IS IMPLEMENTED is dependent on you and your application. Using Java, you can use container authentication and that will provide authentication as well as role mapping. The user -> role mapping is handled in either a data file or database. The URLs protected, and what roles are valid for each URL, is managed by web.xml.
If you continue to add different roles to different URLs, then, yes, you'll need to redeploy that application.
However, if you're just adding new users, then you simply update your file or database. And if you're adding new logic, and this new URLs, then you have to redeploy anyway. If you have a ROLE structure with a fine enough granularity, you won't have to be messing with the web.xml until you actually add new methods. For example you could, at the extreme, create a role per method, and assign them individually to users. Most don't need to go that far.
If you don't want to use container authentication, then write a Servlet Filter to implement your vision of mapping user and roles to URLs. You can still use the HTTP BASIC protocol for your clients, even if you implement your own facility.
If you're looking for an overall generic Java security framework, I defer to google -- there are several, I've not used any of them. I've had good luck with container authentication and writing our own.
#Will
I second the HTTP Basic suggestion, and can testify that it integrates fairly well with Spring Security, which I implemented on top of a legacy application that rolled its own DB-based authentication/authorization logic.