bluecap
Restricting API access to custom webservice.
Hi all,
Is it possible to give a 3rd party application access to a custom webservice without giving them access to the standard API?
To give a little background on my project. Users will use their Salesforce credentials to login and register on one of our sister company's websites. Once they have logged into the site using their Salesforce credentials, the user needs the ability to pull down Salesforce data they own, such as customer information.
What we have built for this works great, but the issue is being able to restrict the users to the custom service. Our security team is holding up this project because of the additional access to the standard API.
Any thoughts on how to limit access to the custom service only?
All Answers
However, they will only have access in those APIs to objects and fields that their logged-in user would otherwise have in the standard UI.
So the important part here is to ensure that their user record and associated profile can only access the correct records. Yes, they will be able to use the other SOAP and REST APIs, but will still be restricted in what they can do with them. See Security and the API (https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_concepts_security.htm).
Be sure to manually enforce object permissions and field level security in your Apex web service. See Exposing Data with WebService Methods (https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_web_services_methods_exposing.htm).
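As an added illustration (not code from this thread or from the Salesforce docs) of the enforcement the answer above describes: an Apex SOAP web service that checks object and field permissions with the describe API before querying, and limits the result to records the calling user owns, which is what the original question needs. The class, method and inner type names are assumptions.

```apex
// Assumed names (not from the thread): CustomerDataService, CustomerRecord, getMyCustomers.
global with sharing class CustomerDataService {

    // Shape returned to the external site; only these three fields ever leave the org.
    global class CustomerRecord {
        webService String name;
        webService String email;
        webService String phone;
    }

    global class ServiceSecurityException extends Exception {}

    // "with sharing" applies the caller's sharing rules, but Apex does NOT enforce
    // object (CRUD) or field-level security on its own, so both are checked explicitly
    // and the call fails closed instead of silently returning restricted data.
    webService static List<CustomerRecord> getMyCustomers() {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new ServiceSecurityException('Calling user has no read access to Contact');
        }
        if (!Schema.sObjectType.Contact.fields.Name.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()
            || !Schema.sObjectType.Contact.fields.Phone.isAccessible()) {
            throw new ServiceSecurityException('Calling user lacks read access to a required Contact field');
        }

        List<CustomerRecord> result = new List<CustomerRecord>();
        // The OwnerId filter narrows the result to records the caller owns, on top of
        // whatever the sharing model would otherwise make visible through the standard API.
        for (Contact c : [SELECT Name, Email, Phone
                          FROM Contact
                          WHERE OwnerId = :UserInfo.getUserId()]) {
            CustomerRecord r = new CustomerRecord();
            r.name = c.Name;
            r.email = c.Email;
            r.phone = c.Phone;
            result.add(r);
        }
        return result;
    }
}
```

The describe checks only cover the fields this method actually returns; any field added to the query later needs its own isAccessible() check, or the method leaks it to every caller regardless of their profile.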
<script type='text/javascript'>
    // Calls the Metadata API from JavaScript to create the Remote Site Setting to permit Apex callouts
    window.onload = function() {
        console.log('{!greeting}');
        var binding = new XMLHttpRequest();
        // Cross-origin request from the Visualforce domain to the external store;
        // the target must answer with an Access-Control-Allow-Origin header for this origin
        binding.open('POST', 'https://store.i95dev.com');
        binding.onreadystatechange = function() {
            if (this.readyState == 4) {
                console.log(this.response);
                // Collect any <errors><message> elements from the XML response
                var parser = new DOMParser();
                var doc = parser.parseFromString(this.response, 'application/xml');
                var errors = doc.getElementsByTagName('errors');
                var messageText = '';
                for (var errorIdx = 0; errorIdx < errors.length; errorIdx++) {
                    messageText += errors.item(errorIdx).getElementsByTagName('message').item(0).innerHTML + '\n';
                }
                console.log(messageText);
            }
        };
        binding.send();
    };
</script>
<apex:form>
    <apex:pageBlock title="Congratulations">
        You belong to Account Name: Ramesh Naidu Polarapu
        {!greeting}
    </apex:pageBlock>
    <apex:pageBlock title="Congratulations">
    </apex:pageBlock>
</apex:form>
</apex:page>
I added store.i95dev.com in Remote Site Settings also.
I get the error below.
XMLHttpRequest cannot load https://store.i95dev.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://ramjiva.ap2.visual.force.com' is therefore not allowed access.
A better option might be to use the CORS whitelist. See Spring ’15 Preview – CORS for the Force.com REST API (https://developer.salesforce.com/blogs/developer-relations/2015/01/spring-15-preview-cors-force-com-rest-api.html).
Then, under Setup > Administration Setup > Security Controls > CORS you can whitelist the https://store.i95dev.com/ domain.
I added store.i95dev.com in CORS also, but it's not working.
https://releasenotes.docs.salesforce.com/en-us/winter18/release-notes/rn_apex_rest_permission.htm