Hoping someone well versed in salesforce security best practices can point me in the right direction.

I searched the previous posts in this forum and did not find quite the right thing.

I have a small java PC application that uses the Soap API to send various data to salesforce.

Currently I am storing the salesforce logon credentials in a local database used by the application.

The username / password to connect to this database is encrypted and never accessed in clear text in the code.

(Although, since the application is stand alone, everything needed to decrypt the database credentials is packaged with the application. It would not be easy to get the clear text credentials, but possible)

I was looking for different alternates to having to store the salesforce credentials in my applications database. 

The caveat in my case is that the user of my application is not even aware (nor should be) that the application is interacting with saleforce at all.  All the end user knows is that an entity (that they already have a relationship with) has asked them install this application in order to provide the entity (the owner of the salesforce org) with certain data from the user.

Is there a better way to do this that I haven't run across yet?  The other login alternatives I have seen OAuth, SAML seem to require additional steps by the user who installs my application that they would not be aware of.

Any help is much appreciated.

Thank you

Is there a way to be notified of the release date of a new final version of the SOAP API before it is put into production on salesforce?

Some type of early access program that allows people to test before it goes live?

Thanks

I am looking over http://www.salesforce.com/us/developer/docs/API/Content/implementation_consideration's

This brings out questions about how an application I have written might be impacted by all these implementation details of salesforce.

Any additional details / experiences that anyone could share would be greatly appreciated.

The client application that accesses salesforce through the API.

- Desktop application that sends a report and attaches it to the Account object.

- The application wakes up at certain intervals and performs the above.

- There will be many instances of this application installed on various PC's (a few hundred)

- All these applications will send reports at the same time, using the same salesforce logon.

- The end user of the application doesn't know anything about salesforce, they just know that a report is sent into a company that they have a relationship with (that company being the owner of the salesforce environment.

- Each instance of the application would make 3 round trip API request/responses each time it wakes up and performs it's task.

So this leads to the following questions: BOLD is content from document at URL above:

10 QueryLocator cursors are open when a client application, logged in as the same user, attempts to open a new one, then the oldest of the 10 cursors is released 

- How long is a QueryLocator open for a request? If 250 client applications are accessing data on salesforce at the same time (it won't be the same data) Am I going to run into client applications getting errors?  Is there a way to increase to allow more?

If one of the client applications calls logout(), it invalidates the session for all the client applications

- Right now, I don't specifically call logout() since I am only using one salesforce logon.  Is this best practice considering my applications parameters above?

Concurrent Usage Limits -  limit for number of calls with a duration of 20 seconds or longer - 25 is the limit

- How does this effect the 10 QueryLocator cursors open at one time requirement? Is the 20 seconds the time from when I send a request until a response is sent back?  If my interaction with Salesforce takes less than 20 seconds, do I not worry about this limit?

Total API limits in one 24 hour period

For Enterprise, lets say I have 40 sf licenses, so I have 40,000 available calls in a 24 hour period.  Correct?

Can all of those 40,000 occur within one of my 40 licenses or am I limited to 1,000 per license?

I can acquire higher total API limits by purchasing them from salesforce.  Correct?

Thanks for any responses providing a greater level of detail, lessons learned from past experience

I have a swing application where I use JAXWS to generate classes from a salesforce wsdl file.  Everything works fine in my NetBeans environment.

When I package up the software for release, the call to login to the salesforce web service gets the following exception:
url.toString() = file:/C:/Program%20Files/GST/LOB/bin/App.jarException in thread "AWT-EventQueue-0" java.lang.NoSuchMethodError: javax.xml.ws.WebFault.messageName()Ljava/lang/String;
    at com.sun.xml.ws.model.RuntimeModeler.processExceptions(RuntimeModeler.java:1162)
    at com.sun.xml.ws.model.RuntimeModeler.processDocBareMethod(RuntimeModeler.java:1330)
    at com.sun.xml.ws.model.RuntimeModeler.processMethod(RuntimeModeler.java:663)
    at com.sun.xml.ws.model.RuntimeModeler.processClass(RuntimeModeler.java:420)
    at com.sun.xml.ws.model.RuntimeModeler.buildRuntimeModel(RuntimeModeler.java:254)
    at com.sun.xml.ws.client.WSServiceDelegate.createSEIPortInfo(WSServiceDelegate.java:661)
    at com.sun.xml.ws.client.WSServiceDelegate.addSEI(WSServiceDelegate.java:649)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:343)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:326)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:308)
    at javax.xml.ws.Service.getPort(Unknown Source)
    at com.sforce.soap.enterprise.SforceService.getSoap(SforceService.java:74)
    at com.generatedsystems.afs.sf.SfConnector.doLogin(Unknown Source)
    at com.generatedsystems.afs.task.AFSTask.sendDataToSf(Unknown Source)
    at com.generatedsystems.afs.app.AFSExecutableTask.btn1ActionPerformed(Unknown Source)
    at com.generatedsystems.afs.app.AFSExecutableTask.access$200(Unknown Source)
    at com.generatedsystems.afs.app.AFSExecutableTask$3.actionPerformed(Unknown Source)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)

So javax.xml.ws.WebFault.messageName() method is not found.  When running in the jre, this class is in rt.jar and indeed that method does not exist in the class.  The correct method exists in a jar file called jaxws-api.jar.  My problem is that even after placing the jar first in my classpath, the jvm still seems to use the WebFault class from the rt.jar.  

After some digging, I think I found the problem, being that rt.jar is part of the delivered jre, the jvm will always choose that jar over one on my classpath.  So then I thought the proper solution was to use the system property java.endorsed.dirs to inform the jvm to use the jar I wanted it to.  This mechanism is described here: http://java.sun.com/javase/6/docs/technotes/guides/standards/

I implemented the setting of that property to my jar and the jvm is still using the WebFault from the rt.jar in the jre.

Am I missing something here?

Thanks for any help.

Using enterprise.wsdl

I have a standalone PC based java application, this application would be distributed to many different users PC's

The application sends files to sf accounts as attachements.

Right now, the sf username, password, and token are stored in a database within the application and used to login to saleforce when needed.

I was wondering if there is a better way to gain access without having to provide the password?  I looked at the OAuth documentation, doesn't fit my

need.  The end user of the application doesn't know that they are sending data to saleforce, just that they are sending a file to their financial institution.

Is there a different user type in salesforce that can somehow be tied to only allow access through the api and not the portal, something like that?

Wanted to be sure I haven't missed something.

Thanks

Hi all, I'm new to web services.   So I ask forgiveness up front if I ask something not so intelligent.

I've been struggling to get a web service client constructed for a few days now.

I am using JAX-WS to generated my classes from the enterprise.wsdl that I downloaded from my developer site.

The first thing I don't understand is that the classes that get generated are different from the classes in the example JAX-WS quickstart on the salesforce site.  Meaning much of the example code doesn't work.

I suppose this is because the wsdl has changed some since the time that JAX-WS example was created. 

Is that the reason for the differences?

The login works fine, no problems there.  From reading after I get the login response I must:

1. Set the new end point so that all other requests will go the the url that login sent back.

2. Set the session id that was sent back from login into the SessionHeader

3. Set that Header back into the binded object (Soap in my case) (SoapBindingStub in the examples case)

# 1 I think I've got: (from a tutorial someone here pointed me to, tutorial is from partner wsdl, but seems to work)

       Map requestContext = ((BindingProvider)binding).getRequestContext();
                requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, lr.getResult().getServerUrl());

Different from the JAX-WS example code because I could not just call _setProperty on my binded object because it is not type SoapBindingStub but type Soap

#2 is easy enough

SessionHeader sh = new SessionHeader();       
sh.setSessionId(lr.getResult().getSessionId());

 # 3 has me stumped - in the JAX-WS example is it simply

    binding.setHeader(sforceURI, "SessionHeader", sh);

 Since my binded object is type Soap I have no setHeader method, in the tutorial that helped me earlier I found:

              JAXBContext jaxbContext;
                jaxbContext = JAXBContext.newInstance("sf");
                List<Header> headers = new ArrayList<Header>();
                headers.add(Headers.create((JAXBRIContext) jaxbContext, sh));
                WSBindingProvider wsBindingProvider = (WSBindingProvider) binding;
                wsBindingProvider.setOutboundHeaders(headers);

 But I cannot figure out what additonal jars I need to get this to complie.

So right now my code doesn't do #3 and when I do a query on the accounts table I get "Invalid Session ID found in SessionHeader: Illegal Session", which I assume is because I did not set the Header back into the binded object.

Any help on how to properly accomplish # 3 is greatly appreciated or anything else anyone can offer.

Thanks

New to web services, want to make sure I have all this straight.

- I grabbed the enterprise wsdl from my salesforce developer account

- Generated the java sources from that wsdl in NetBeans IDE, using jax-ws

- I am able to call login() successfully

- Then in the examples and documentation the SoapBindingStub.ENDPOINT_ADDRESS_PROPERTY on my Soap object needs to be set to the url of the server from the loginResult.

- I don't have SoapBindingStub as a generated class.  After looking around on the boards my guess is that this is because I used jax-ws instead of axis 1 to generate the classes.  Is that correct? 

- Regenerating the classes with axis 1 would generated the same class names from the examples. Correct?

- Since jax-ws doesn't appear to be the class generator used in posts and documentation here, it is going to be a struggle to attempt to figure out what axis 1 classes map to what jax-ws classes.  Correct?

Am I in the right jungle?  Thanks for your help.

From the API documentation:

"Multiple client applications can log in using the same username argument. However, this increases your risk of getting errors due to query limits.A user can have up to 10 query cursors open at a time. If 10 QueryLocator

cursors are open when a client application, logged in as the same user, attempts to open a new one, then the oldest of the 10 cursors is released. This results in an error in the client application."

I have a PC based application that posts reports into SalesForce using Enterprise API.  All the client applications login to SalesForce using the same username.  The nature of the application is that the reports are posted on a schedule, meaning all clients will login to SalesForce at the same time.

So from the snippet above from the API documentation (and reading some other posts) I have some questions that I was hoping someone could point me in the right direction on.

1. If more than 10 clients login at the same time, I am going to run into issues.  Is that a correct statement?

2. It appears that login allows more than one concurrent logon for the same username, since those login requests are coming from different places, I would expect that the session ids returned would be different across clients, therefore calling logout() on one client would have no effect on any other client.  Is that a correct assumption?

Thanks

Hoping someone well versed in salesforce security best practices can point me in the right direction.

I searched the previous posts in this forum and did not find quite the right thing.

I have a small java PC application that uses the Soap API to send various data to salesforce.

Currently I am storing the salesforce logon credentials in a local database used by the application.

The username / password to connect to this database is encrypted and never accessed in clear text in the code.

(Although, since the application is stand alone, everything needed to decrypt the database credentials is packaged with the application. It would not be easy to get the clear text credentials, but possible)

I was looking for different alternates to having to store the salesforce credentials in my applications database. 

The caveat in my case is that the user of my application is not even aware (nor should be) that the application is interacting with saleforce at all.  All the end user knows is that an entity (that they already have a relationship with) has asked them install this application in order to provide the entity (the owner of the salesforce org) with certain data from the user.

Is there a better way to do this that I haven't run across yet?  The other login alternatives I have seen OAuth, SAML seem to require additional steps by the user who installs my application that they would not be aware of.

Any help is much appreciated.

Thank you

Is there a way to be notified of the release date of a new final version of the SOAP API before it is put into production on salesforce?

Some type of early access program that allows people to test before it goes live?

Thanks

I am looking over http://www.salesforce.com/us/developer/docs/API/Content/implementation_consideration's

This brings out questions about how an application I have written might be impacted by all these implementation details of salesforce.

Any additional details / experiences that anyone could share would be greatly appreciated.

The client application that accesses salesforce through the API.

- Desktop application that sends a report and attaches it to the Account object.

- The application wakes up at certain intervals and performs the above.

- There will be many instances of this application installed on various PC's (a few hundred)

- All these applications will send reports at the same time, using the same salesforce logon.

- The end user of the application doesn't know anything about salesforce, they just know that a report is sent into a company that they have a relationship with (that company being the owner of the salesforce environment.

- Each instance of the application would make 3 round trip API request/responses each time it wakes up and performs it's task.

So this leads to the following questions: BOLD is content from document at URL above:

10 QueryLocator cursors are open when a client application, logged in as the same user, attempts to open a new one, then the oldest of the 10 cursors is released 

- How long is a QueryLocator open for a request? If 250 client applications are accessing data on salesforce at the same time (it won't be the same data) Am I going to run into client applications getting errors?  Is there a way to increase to allow more?

If one of the client applications calls logout(), it invalidates the session for all the client applications

- Right now, I don't specifically call logout() since I am only using one salesforce logon.  Is this best practice considering my applications parameters above?

Concurrent Usage Limits -  limit for number of calls with a duration of 20 seconds or longer - 25 is the limit

- How does this effect the 10 QueryLocator cursors open at one time requirement? Is the 20 seconds the time from when I send a request until a response is sent back?  If my interaction with Salesforce takes less than 20 seconds, do I not worry about this limit?

Total API limits in one 24 hour period

For Enterprise, lets say I have 40 sf licenses, so I have 40,000 available calls in a 24 hour period.  Correct?

Can all of those 40,000 occur within one of my 40 licenses or am I limited to 1,000 per license?

I can acquire higher total API limits by purchasing them from salesforce.  Correct?

Thanks for any responses providing a greater level of detail, lessons learned from past experience

I have a swing application where I use JAXWS to generate classes from a salesforce wsdl file.  Everything works fine in my NetBeans environment.

When I package up the software for release, the call to login to the salesforce web service gets the following exception:
url.toString() = file:/C:/Program%20Files/GST/LOB/bin/App.jarException in thread "AWT-EventQueue-0" java.lang.NoSuchMethodError: javax.xml.ws.WebFault.messageName()Ljava/lang/String;
    at com.sun.xml.ws.model.RuntimeModeler.processExceptions(RuntimeModeler.java:1162)
    at com.sun.xml.ws.model.RuntimeModeler.processDocBareMethod(RuntimeModeler.java:1330)
    at com.sun.xml.ws.model.RuntimeModeler.processMethod(RuntimeModeler.java:663)
    at com.sun.xml.ws.model.RuntimeModeler.processClass(RuntimeModeler.java:420)
    at com.sun.xml.ws.model.RuntimeModeler.buildRuntimeModel(RuntimeModeler.java:254)
    at com.sun.xml.ws.client.WSServiceDelegate.createSEIPortInfo(WSServiceDelegate.java:661)
    at com.sun.xml.ws.client.WSServiceDelegate.addSEI(WSServiceDelegate.java:649)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:343)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:326)
    at com.sun.xml.ws.client.WSServiceDelegate.getPort(WSServiceDelegate.java:308)
    at javax.xml.ws.Service.getPort(Unknown Source)
    at com.sforce.soap.enterprise.SforceService.getSoap(SforceService.java:74)
    at com.generatedsystems.afs.sf.SfConnector.doLogin(Unknown Source)
    at com.generatedsystems.afs.task.AFSTask.sendDataToSf(Unknown Source)
    at com.generatedsystems.afs.app.AFSExecutableTask.btn1ActionPerformed(Unknown Source)
    at com.generatedsystems.afs.app.AFSExecutableTask.access$200(Unknown Source)
    at com.generatedsystems.afs.app.AFSExecutableTask$3.actionPerformed(Unknown Source)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)

So javax.xml.ws.WebFault.messageName() method is not found.  When running in the jre, this class is in rt.jar and indeed that method does not exist in the class.  The correct method exists in a jar file called jaxws-api.jar.  My problem is that even after placing the jar first in my classpath, the jvm still seems to use the WebFault class from the rt.jar.  

After some digging, I think I found the problem, being that rt.jar is part of the delivered jre, the jvm will always choose that jar over one on my classpath.  So then I thought the proper solution was to use the system property java.endorsed.dirs to inform the jvm to use the jar I wanted it to.  This mechanism is described here: http://java.sun.com/javase/6/docs/technotes/guides/standards/

I implemented the setting of that property to my jar and the jvm is still using the WebFault from the rt.jar in the jre.

Am I missing something here?

Thanks for any help.

Hi all, I'm new to web services.   So I ask forgiveness up front if I ask something not so intelligent.

I've been struggling to get a web service client constructed for a few days now.

I am using JAX-WS to generated my classes from the enterprise.wsdl that I downloaded from my developer site.

The first thing I don't understand is that the classes that get generated are different from the classes in the example JAX-WS quickstart on the salesforce site.  Meaning much of the example code doesn't work.

I suppose this is because the wsdl has changed some since the time that JAX-WS example was created. 

Is that the reason for the differences?

The login works fine, no problems there.  From reading after I get the login response I must:

1. Set the new end point so that all other requests will go the the url that login sent back.

2. Set the session id that was sent back from login into the SessionHeader

3. Set that Header back into the binded object (Soap in my case) (SoapBindingStub in the examples case)

# 1 I think I've got: (from a tutorial someone here pointed me to, tutorial is from partner wsdl, but seems to work)

       Map requestContext = ((BindingProvider)binding).getRequestContext();
                requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, lr.getResult().getServerUrl());

Different from the JAX-WS example code because I could not just call _setProperty on my binded object because it is not type SoapBindingStub but type Soap

#2 is easy enough

SessionHeader sh = new SessionHeader();       
sh.setSessionId(lr.getResult().getSessionId());

 # 3 has me stumped - in the JAX-WS example is it simply

    binding.setHeader(sforceURI, "SessionHeader", sh);

 Since my binded object is type Soap I have no setHeader method, in the tutorial that helped me earlier I found:

              JAXBContext jaxbContext;
                jaxbContext = JAXBContext.newInstance("sf");
                List<Header> headers = new ArrayList<Header>();
                headers.add(Headers.create((JAXBRIContext) jaxbContext, sh));
                WSBindingProvider wsBindingProvider = (WSBindingProvider) binding;
                wsBindingProvider.setOutboundHeaders(headers);

 But I cannot figure out what additonal jars I need to get this to complie.

So right now my code doesn't do #3 and when I do a query on the accounts table I get "Invalid Session ID found in SessionHeader: Illegal Session", which I assume is because I did not set the Header back into the binded object.

Any help on how to properly accomplish # 3 is greatly appreciated or anything else anyone can offer.

Thanks

New to web services, want to make sure I have all this straight.

- I grabbed the enterprise wsdl from my salesforce developer account

- Generated the java sources from that wsdl in NetBeans IDE, using jax-ws

- I am able to call login() successfully

- Then in the examples and documentation the SoapBindingStub.ENDPOINT_ADDRESS_PROPERTY on my Soap object needs to be set to the url of the server from the loginResult.

- I don't have SoapBindingStub as a generated class.  After looking around on the boards my guess is that this is because I used jax-ws instead of axis 1 to generate the classes.  Is that correct? 

- Regenerating the classes with axis 1 would generated the same class names from the examples. Correct?

- Since jax-ws doesn't appear to be the class generator used in posts and documentation here, it is going to be a struggle to attempt to figure out what axis 1 classes map to what jax-ws classes.  Correct?

Am I in the right jungle?  Thanks for your help.