• pathworks
  • NEWBIE
  • 0 Points
  • Member since 2006

  • Chatter
    Feed
  • 0
    Best Answers
  • 0
    Likes Received
  • 0
    Likes Given
  • 5
    Questions
  • 25
    Replies
I seem to be a bit inept today, so I'm sure I'm doing something wrong.  But...when I try to update a custom field on Lead using the Partner API (now that I'm using the correct endpoint), I get an error that the field does not exist.
 
"common.exception.ApiQueryException: No such column 'AMBI_Pathworks_ID' on entity 'lead'."
 
However, if I go to the Setup->Customize->Lead->Fields screen, I can see that there is a custom field of type text, with that exact name = AMBI_Pathworks_ID.
 
Here's my code, which is pretty straightforward.  Do I have some sort of namespace problem?  I think this is exactly like a sample I found.
 
                 MessageElement [] updateFields = new MessageElement[1];
                 updateFields[0] = new MessageElement(new QName("AMBI_Pathworks_ID"), newTask.getId());
                 SObject leadUpdate = new SObject(type, new String [] {}, id, updateFields);
                 binding.update(new SObject [] {leadUpdate});
Thanks again for the help,
Dan
 
Using the API, can I query for the Name of an arbitrary object, given only its id?
 
I'm trying to workaround the bug in the HYPERLINK formula where I cannot pass a text field (such as {!Name}) to my application (because of the lack of URL encoding).  Therefore, I'm trying to pass only the object id.  This could be for any object type.  I then plan to retrieve the name using the API.
 
Is there a generalized way to do this?  It could be for any object type (custom or not).  I tried having the "object type" passed in on the query string, and doing a
 
QueryResult [] qr = binding.query("select Name from " + objecttype + " where id = '" + id + "');
 
However, the returned SObject type does not have a Name property, and I can't dynamically cast it to something that does, as it could be any custom object. 
 
I'm currently tinkering which trying to grab it from the raw XML, maybe by using the getSerializer() method...but am not sure how much luck I'll have.
 
Thanks,
Dan
 

Message Edited by pathworks on 08-02-2006 10:19 AM

I need to generate a hyperlink that passes some short text data on the query string - formula would be something like this: HYPERLINK("http://www.aaaaa.com/somewhere?name= & {!Lead_Name}", "My Link").
 
How do I URL encode the {!Lead_Name}?  I did a quick test, and if the lead is named "A&B", the result is /somewhere?name=A&B.  This is clearly wrong - should be ...?name=A%26B.  The value of parameter "name" has been corrupted to "A", and a second parameter B has been added, effectively.  How should I get around this so parameters are encoded properly and not corrupted?
 
Thanks in advance,
Dan
 
I need to use a formula field to build a hyperlink, part of which must be the current user's organization id.  Something like this:  HYPERLINK("urlhere/instance/" & {!OrgId}).
 
In both the Simple and Advanced formula editors, there is no choice for OrgId as a field.  It is also not available as a function.  I get an error if I try to include it using {!OrgId} or any other syntax I can think of.
 
Less important, but also odd: I don't see an equivalent of the API 7.0 Server URL either.  I just see GETSESSIONID().   Seems you should have access to the same fields as when defining a custom link.  or web tab.  I need to use the session id to go back and validate a single-sign-on request, and am currently having to hard-code na1.ambientsoftware.com, which is not a good thing.
 
- Dan
 
 
We are providing a composite offering for AppExchange, integrating our own on-demand offering (hosted separately).
 
I have the doc from salesforce about doing single sign on with a composite offering using a web tab.  Basically, it recommends you pass the username, API session token, and API server url to your application.
 
I've built a mapping from sales force user name to accounts in our own application - so given the user name I can log them in.  That's simple.  But...I am not currently doing anything to validate that the single-sign-on request is secure and cannot be spoofed.  How are others solving this problem?  Anybody can post an HTTP request that includes the same parameters - spoofing the user name, session id, and/or url.  The only thing I can imagine is that I'm supposed to make a request to the salesforce url passed (and maybe I should check that it ends in salesforce.com, or somehow validate it is not a 3rd party site?), use the session token to prove that somebody is authenticated, and then make an API request that tells me who the session is for (so I can compare it with the username on the URL and make sure that was not hacked). That's the only route I see.  I don't know what SForce call will tell me who the current user is based on the session token, but I hope it exists.
 
More detail (from a previous email) - which may clarify my question:
 
I understand how the session id that is passed to us is secure from the point of view of making calls back to salesforce.

However, the point of single-sign-on is to allow a second application (in this case, us) to effectively "automatically log the user in" based on trusting a primary application (in this case, salesforce) to assert that a user is authenticated as a particular principal.

I don't see how the tokens passed to us allow us to assure that salesforce has authenticated the user indicated in a secure way.  As stated above, we are going to log them in to our application as that user and give them full access to their data - so we have to know that it is really them, as asserted by salesforce, but in an environment where any machine or person can make arbitrary HTTP requests to our site (since we are not deployed behind a proxy at salesforce, etc.).

For a concrete example, imagine that a bank is signing up to become an AppExchange partner.  They will offer account balances and wire transfers as a tab in salesforce.  On their side, they would do some work to associate a salesforce login name (e.g. bob@companyname.com) with a bank account number or social security number.  Obviously, security is critical - when the tab is clicked on and the accounts page is displayed, it better be the current salesforce user's data!

Now, when salesforce's web tab passes the username, session id, and server url to the bank's web site, the bank has to be able to validate these tokens and "trust" that salesforce has securely authenticated the user.  Once it does that, it can then show the data from the external banking system, and allow operations on that data such as wire transfers.  I know of three methods to do this - one is to use private/public keys to encode the tokens - another is to have the second application make a return call to the originator of the tokens (similar to a kerberos model) - and a third is to put the second server behind a proxy at the same site as the first server (which is not feasible in this case).

Given salesforce's approach, what steps should the bank's application take to validate the tokens?  The username is what indicates the account to use.  However, anybody can make an HTTP request and pass a username - so it's not secure to simply check that.  The session id is interesting, but to prove that it is valid you would have to go back to a salesforce server (i.e. the token originator) to validate that is in active session.  What server serves as the token originator - perhaps that is what the server URL parameter is for?  That gave me the idea that you can use the server URL combined with the session id to verify that the session is valid on that salesforce server.  (However, in this case - how do we make sure that the URL isn't pointing to some non-salesforce server designed to provide bogus validation?)  Once we've determined that the session is indeed valid on a salesforce server, we know that there has been an authenticated session.  However, how do we know it is for the user passed on the URL?  Somebody could just as easily authenticate with the SForce API to salesforce.com, get a valid session token and server URL, and then pass that to our application along with a completely different username.

Somebody must have already built a solution for this....?
 
I seem to be a bit inept today, so I'm sure I'm doing something wrong.  But...when I try to update a custom field on Lead using the Partner API (now that I'm using the correct endpoint), I get an error that the field does not exist.
 
"common.exception.ApiQueryException: No such column 'AMBI_Pathworks_ID' on entity 'lead'."
 
However, if I go to the Setup->Customize->Lead->Fields screen, I can see that there is a custom field of type text, with that exact name = AMBI_Pathworks_ID.
 
Here's my code, which is pretty straightforward.  Do I have some sort of namespace problem?  I think this is exactly like a sample I found.
 
                 MessageElement [] updateFields = new MessageElement[1];
                 updateFields[0] = new MessageElement(new QName("AMBI_Pathworks_ID"), newTask.getId());
                 SObject leadUpdate = new SObject(type, new String [] {}, id, updateFields);
                 binding.update(new SObject [] {leadUpdate});
Thanks again for the help,
Dan
 
Using the API, can I query for the Name of an arbitrary object, given only its id?
 
I'm trying to workaround the bug in the HYPERLINK formula where I cannot pass a text field (such as {!Name}) to my application (because of the lack of URL encoding).  Therefore, I'm trying to pass only the object id.  This could be for any object type.  I then plan to retrieve the name using the API.
 
Is there a generalized way to do this?  It could be for any object type (custom or not).  I tried having the "object type" passed in on the query string, and doing a
 
QueryResult [] qr = binding.query("select Name from " + objecttype + " where id = '" + id + "');
 
However, the returned SObject type does not have a Name property, and I can't dynamically cast it to something that does, as it could be any custom object. 
 
I'm currently tinkering which trying to grab it from the raw XML, maybe by using the getSerializer() method...but am not sure how much luck I'll have.
 
Thanks,
Dan
 

Message Edited by pathworks on 08-02-2006 10:19 AM

I need to generate a hyperlink that passes some short text data on the query string - formula would be something like this: HYPERLINK("http://www.aaaaa.com/somewhere?name= & {!Lead_Name}", "My Link").
 
How do I URL encode the {!Lead_Name}?  I did a quick test, and if the lead is named "A&B", the result is /somewhere?name=A&B.  This is clearly wrong - should be ...?name=A%26B.  The value of parameter "name" has been corrupted to "A", and a second parameter B has been added, effectively.  How should I get around this so parameters are encoded properly and not corrupted?
 
Thanks in advance,
Dan
 
I need to use a formula field to build a hyperlink, part of which must be the current user's organization id.  Something like this:  HYPERLINK("urlhere/instance/" & {!OrgId}).
 
In both the Simple and Advanced formula editors, there is no choice for OrgId as a field.  It is also not available as a function.  I get an error if I try to include it using {!OrgId} or any other syntax I can think of.
 
Less important, but also odd: I don't see an equivalent of the API 7.0 Server URL either.  I just see GETSESSIONID().   Seems you should have access to the same fields as when defining a custom link.  or web tab.  I need to use the session id to go back and validate a single-sign-on request, and am currently having to hard-code na1.ambientsoftware.com, which is not a good thing.
 
- Dan
 
 
We are providing a composite offering for AppExchange, integrating our own on-demand offering (hosted separately).
 
I have the doc from salesforce about doing single sign on with a composite offering using a web tab.  Basically, it recommends you pass the username, API session token, and API server url to your application.
 
I've built a mapping from sales force user name to accounts in our own application - so given the user name I can log them in.  That's simple.  But...I am not currently doing anything to validate that the single-sign-on request is secure and cannot be spoofed.  How are others solving this problem?  Anybody can post an HTTP request that includes the same parameters - spoofing the user name, session id, and/or url.  The only thing I can imagine is that I'm supposed to make a request to the salesforce url passed (and maybe I should check that it ends in salesforce.com, or somehow validate it is not a 3rd party site?), use the session token to prove that somebody is authenticated, and then make an API request that tells me who the session is for (so I can compare it with the username on the URL and make sure that was not hacked). That's the only route I see.  I don't know what SForce call will tell me who the current user is based on the session token, but I hope it exists.
 
More detail (from a previous email) - which may clarify my question:
 
I understand how the session id that is passed to us is secure from the point of view of making calls back to salesforce.

However, the point of single-sign-on is to allow a second application (in this case, us) to effectively "automatically log the user in" based on trusting a primary application (in this case, salesforce) to assert that a user is authenticated as a particular principal.

I don't see how the tokens passed to us allow us to assure that salesforce has authenticated the user indicated in a secure way.  As stated above, we are going to log them in to our application as that user and give them full access to their data - so we have to know that it is really them, as asserted by salesforce, but in an environment where any machine or person can make arbitrary HTTP requests to our site (since we are not deployed behind a proxy at salesforce, etc.).

For a concrete example, imagine that a bank is signing up to become an AppExchange partner.  They will offer account balances and wire transfers as a tab in salesforce.  On their side, they would do some work to associate a salesforce login name (e.g. bob@companyname.com) with a bank account number or social security number.  Obviously, security is critical - when the tab is clicked on and the accounts page is displayed, it better be the current salesforce user's data!

Now, when salesforce's web tab passes the username, session id, and server url to the bank's web site, the bank has to be able to validate these tokens and "trust" that salesforce has securely authenticated the user.  Once it does that, it can then show the data from the external banking system, and allow operations on that data such as wire transfers.  I know of three methods to do this - one is to use private/public keys to encode the tokens - another is to have the second application make a return call to the originator of the tokens (similar to a kerberos model) - and a third is to put the second server behind a proxy at the same site as the first server (which is not feasible in this case).

Given salesforce's approach, what steps should the bank's application take to validate the tokens?  The username is what indicates the account to use.  However, anybody can make an HTTP request and pass a username - so it's not secure to simply check that.  The session id is interesting, but to prove that it is valid you would have to go back to a salesforce server (i.e. the token originator) to validate that is in active session.  What server serves as the token originator - perhaps that is what the server URL parameter is for?  That gave me the idea that you can use the server URL combined with the session id to verify that the session is valid on that salesforce server.  (However, in this case - how do we make sure that the URL isn't pointing to some non-salesforce server designed to provide bogus validation?)  Once we've determined that the session is indeed valid on a salesforce server, we know that there has been an authenticated session.  However, how do we know it is for the user passed on the URL?  Somebody could just as easily authenticate with the SForce API to salesforce.com, get a valid session token and server URL, and then pass that to our application along with a completely different username.

Somebody must have already built a solution for this....?
 
***** I'm not sure how to adjust the formatting so this post isn't garbled, please comment with help? *****

I've been trying to create a lead, and figured starting with the sample code was a good idea. As such, I copied the lead creation and login code from the Samples object and strung them together. When I got the above error, I figured I was doing something wrong, so I modified the samples slightly to force creation of a sample user to be used when converting a lead. Here's the code.

Samples::getUnconvertedLead:
QueryResult qr = null;

//if ( qr.getSize() == 0 ) { // No leads where found that have not been

// converted, so....
// we will create a lead and then run the query again
System.out.println( "No unconverted leads found, will create one for you..." );
createLeadSample();
qr = binding.query( "Select Id, FirstName, LastName from Lead where ConvertedDate = Null" );
// }

I then use the samples, entry 19 (convert lead), and I get the following error :
6315 [main] DEBUG org.apache.axis.transport.http.HTTPSender - Enter: HTTPSender::invoke
6388 [main] DEBUG org.apache.axis.transport.http.HTTPSender - XML sent:
6388 [main] DEBUG org.apache.axis.transport.http.HTTPSender - ---------------------------------------------------
6392 [main] DEBUG org.apache.axis.transport.http.HTTPSender - POST /services/Soap/c/6.0 HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.3
Host: na1-api.salesforce.com
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 668

9TmIvTqotGCN_c.GekBT1DE0RYoHessVxfIQUK.vzwUz2lK0tHP_nOJgFrqHAnK.l2E6Thcgy0imJXvtVPjFMhhD2wYHcrlK4SNdGN37zi4=
6446 [main] DEBUG org.apache.axis.transport.http.HTTPSender - HTTP/1.0 500 Internal Server Error
6449 [main] DEBUG org.apache.axis.transport.http.HTTPSender - Server sfdc
6450 [main] DEBUG org.apache.axis.transport.http.HTTPSender - Cache-Control private
6451 [main] DEBUG org.apache.axis.transport.http.HTTPSender - Content-Type text/xml; charset=utf-8
6452 [main] DEBUG org.apache.axis.transport.http.HTTPSender - Date Fri, 28 Oct 2005 01:57:06 GMT
6454 [main] DEBUG org.apache.axis.transport.http.HTTPSender -
no Content-Length
6455 [main] DEBUG org.apache.axis.transport.http.HTTPSender -
XML received:
6455 [main] DEBUG org.apache.axis.transport.http.HTTPSender - -----------------------------------------------
6657 [main] DEBUG org.apache.axis.transport.http.HTTPSender -
soapenv:Server
common.exception.ApiException: Must send a concrete entity type.


INVALID_TYPE
Must send a concrete entity type.
-1
-1



6658 [main] DEBUG org.apache.axis.transport.http.HTTPSender - Exit: HTTPDispatchHandler::invoke

Failed to create lead succesfully, error message was:
null

***

This doesn't seem to be the desired behavior, so I figured I'd ask what's wrong with the samples that's causing this.