bluecap

Restricting API access to custom webservice

Hi all,

Is it possible to give a 3rd party application access to a custom webservice without giving them access to the standard API? 

To give a little background on my project. Users will use their Salesforce credentials to log in and register on one of our sister company's websites. Once they have logged into the site using their Salesforce credentials, the user needs the ability to pull down Salesforce data they own, such as customer information.

What we have built for this works great, but the issue is being able to restrict the users to the custom service. Our security team is holding up this project because of the additional access to the standard API.

Any thoughts on how to limit access to the custom service only?



 
Best Answer chosen by bluecap
bluecap
Hi all - thank you for the reply. We decided on a custom authentication process that involves limiting access to the user logging in to the custom services. Then we used a handful of portal users (cost based), assigned to a custom and very limited profile, and assigned a role that would not inherit sharing. After the user logs in, the portal users take over handling the callouts. The portal user has limited access to data for a limited amount of time by adding the portal user to the public group of the original user. This is short winded, but if anyone has further questions, please let me know.

All Answers

Daniel Ballinger
To access an Apex web service a user's profile must have the "API Enabled" permission. This will also give them access to the Partner SOAP API and the REST API.

However, they will only have access in those APIs to objects and fields that their logged-in user would otherwise have in the standard UI.

So the important part here is to ensure that their user record and associated profile can only access the correct records. Yes, they will be able to use the other SOAP and REST APIs, but will still be restricted in what they can do with them. See Security and the API (https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_concepts_security.htm).

Be sure to manually enforce object permissions and field level security in your apex web service. See Exposing Data with WebService Methods (https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_web_services_methods_exposing.htm)
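The manual CRUD and FLS enforcement Daniel recommends, as an added example (editor's code, not Daniel's or the poster's, and not from the linked docs). It is an Apex SOAP web service that returns only Contacts the calling user owns and only the fields the caller's profile may read; the class, DTO and exception names are hypothetical. The same pattern applies unchanged inside an @RestResource class.

```apex
// Added example (editor's, not the original post's code): an Apex SOAP web
// service that enforces object- and field-level security by hand.
// 'with sharing' makes SOQL respect record sharing; CRUD and FLS are NOT
// enforced automatically in Apex, so they are checked via describe calls.
// Class, DTO and exception names are hypothetical.
global with sharing class CustomerService {

    global class AccessDeniedException extends Exception {}

    global class CustomerDTO {
        webService Id contactId;
        webService String name;
        webService String email;
        webService String phone;
    }

    // Fields the service is willing to expose at all. Anything the caller's
    // profile/permission sets cannot read is dropped from query and response.
    private static final List<String> EXPOSED_FIELDS =
        new List<String>{ 'Name', 'Email', 'Phone' };

    webService static List<CustomerDTO> getMyCustomers() {
        Schema.DescribeSObjectResult contactDescribe = Contact.sObjectType.getDescribe();
        // Object-level (CRUD) check.
        if (!contactDescribe.isAccessible()) {
            throw new AccessDeniedException('Profile has no read access to Contact');
        }

        // Field-level (FLS) check: keep only readable fields.
        Map<String, Schema.SObjectField> fieldMap = contactDescribe.fields.getMap();
        List<String> readable = new List<String>();
        for (String fieldName : EXPOSED_FIELDS) {
            Schema.SObjectField token = fieldMap.get(fieldName);
            if (token != null && token.getDescribe().isAccessible()) {
                readable.add(fieldName);
            }
        }
        if (readable.isEmpty()) {
            throw new AccessDeniedException('Profile cannot read any exposed Contact field');
        }

        // Dynamic SOQL built only from describe-validated field names (never
        // from caller input); the bind variable limits rows to records the
        // caller owns, on top of the sharing rules already applied.
        Id callerId = UserInfo.getUserId();
        String soql = 'SELECT Id, ' + String.join(readable, ', ')
            + ' FROM Contact WHERE OwnerId = :callerId LIMIT 200';

        Set<String> readableSet = new Set<String>(readable);
        List<CustomerDTO> result = new List<CustomerDTO>();
        for (Contact c : (List<Contact>) Database.query(soql)) {
            CustomerDTO dto = new CustomerDTO();
            dto.contactId = c.Id;
            // Only touch fields that were actually queried; reading an
            // unqueried field throws an SObjectException.
            dto.name  = readableSet.contains('Name')  ? c.Name  : null;
            dto.email = readableSet.contains('Email') ? c.Email : null;
            dto.phone = readableSet.contains('Phone') ? c.Phone : null;
            result.add(dto);
        }
        return result;
    }
}
```

The caller still needs "API Enabled" to reach a SOAP web service, which is exactly the problem in the question; what this code does is make sure that whatever the user can reach through the custom service is no more than their profile, permission sets and sharing already allow, so the "extra" standard API access grants nothing new. On orgs at Spring '20 or later, `Security.stripInaccessible(AccessType.READABLE, records)` or `WITH SECURITY_ENFORCED` in the SOQL can replace the per-field describe loop.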
Ramesh Naidu P
<apex:page controller="BundleProduct" tabStyle="BundleProduct__tab">
    <script type='text/javascript'>
        // Posts directly from the browser to the external store, then logs any
        // <errors><message> elements found in the XML response.
        window.onload = function() {
            console.log('{!greeting}');
            var binding = new XMLHttpRequest();
            binding.open('POST', 'https://store.i95dev.com');
            binding.onreadystatechange = function() {
                if (this.readyState == 4) {
                    console.log(this.response);
                    var parser = new DOMParser();
                    var doc = parser.parseFromString(this.response, 'application/xml');
                    var errors = doc.getElementsByTagName('errors');
                    var messageText = '';
                    for (var errorIdx = 0; errorIdx < errors.length; errorIdx++) {
                        messageText += errors.item(errorIdx).getElementsByTagName('message').item(0).textContent + '\n';
                    }
                    console.log(messageText);
                }
            };
            binding.send();
        };
    </script>
    <apex:form>
        <apex:pageBlock title="Congratulations">
            You belong to Account Name: Ramesh Naidu Polarapu
            {!greeting}
        </apex:pageBlock>
        <apex:pageBlock title="Congratulations">
        </apex:pageBlock>
    </apex:form>
</apex:page>

I added store.i95dev.com in Remote Site Settings also.

I get the below error:

XMLHttpRequest cannot load https://store.i95dev.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://ramjiva.ap2.visual.force.com' is therefore not allowed access.
Ramesh Naidu P
Please assist me with consuming an external API.
Daniel Ballinger
The browser will be blocking the XMLHttpRequest as a potential security problem with a cross domain request. See Same-origin policy (https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy). Have a look at XMLHttpRequest cannot load, No 'Access-Control-Allow-Origin' is present (http://salesforce.stackexchange.com/q/51193/102). The solution presented there is to use a remote proxy.

A better option might be to use the CORS whitelist. See Spring ’15 Preview – CORS for the Force.com REST API (https://developer.salesforce.com/blogs/developer-relations/2015/01/spring-15-preview-cors-force-com-rest-api.html).
Then, under Setup > Administration Setup > Security Controls > CORS you can whitelist the https://store.i95dev.com/ domain.
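The "remote proxy" route from Daniel's first suggestion, as an added example (editor's code, not Daniel's, the poster's, or the linked answer's). The error above is store.i95dev.com not sending an Access-Control-Allow-Origin header for the visual.force.com origin; the Salesforce CORS allowlist governs which external origins may call Salesforce's own APIs from a browser, so it does not affect an outbound request a Visualforce page makes to a third party. Moving the HTTP request into Apex avoids the browser's same-origin check entirely and needs only the Remote Site Setting the poster already added. Class and method names, the '/api/...' path and the XML body are hypothetical.

```apex
// Added example (editor's, not the original post's code): a server-side
// proxy for the store callout, invoked from the page via JavaScript remoting
// on the same Visualforce origin, so no cross-origin XMLHttpRequest is made.
// Requires store.i95dev.com in Setup > Security > Remote Site Settings.
//
// On the Visualforce page (controller="StoreProxyController"), replacing the
// direct XMLHttpRequest:
//   Visualforce.remoting.Manager.invokeAction(
//       '{!$RemoteAction.StoreProxyController.postToStore}',
//       '/api/orders', requestXml,                 // hypothetical path/body
//       function(result, event) {
//           if (event.status) { parseStoreXml(result); }  // same DOMParser code
//           else { console.log(event.message); }
//       },
//       { escape: false });                        // result goes to an XML parser, not innerHTML
global with sharing class StoreProxyController {

    global class ProxyException extends Exception {}

    // Pin scheme and host: the page may choose a path but never a host.
    // Without this the action would be an open proxy for arbitrary URLs.
    private static final String STORE_BASE = 'https://store.i95dev.com';

    @RemoteAction
    global static String postToStore(String path, String xmlBody) {
        // Accept only an absolute-on-host path. A leading '/' stops values
        // such as '@attacker.example' or 'attacker.example/' from altering the
        // authority; '//...' is rejected too so the rule stays obvious.
        if (String.isBlank(path) || !path.startsWith('/') || path.startsWith('//')) {
            throw new ProxyException('Rejected path: ' + path);
        }

        HttpRequest req = new HttpRequest();
        req.setEndpoint(STORE_BASE + path);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/xml');
        req.setTimeout(10000);
        if (xmlBody != null) {
            req.setBody(xmlBody);
        }

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() < 200 || res.getStatusCode() >= 300) {
            // Report the status; the raw upstream body is not forwarded.
            throw new ProxyException('Store returned HTTP ' + res.getStatusCode());
        }
        return res.getBody();
    }
}
```

Because the callout now runs as the logged-in Salesforce user inside Apex, the same "API Enabled" and profile questions from the original question apply to whoever can load this page; if the store requires its own credentials, keep them in a Named Credential or protected custom setting rather than in the page's JavaScript.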
Ramesh Naidu P
I added store.i95dev.com in CORS also, but it's not working.
Ramesh Naidu P
Please post sample working code for consuming an external API in Salesforce.
Andy Ognenoff
Just leaving this here for future searches. This can be accomplished now with Winter '18 for custom Apex REST services.

https://releasenotes.docs.salesforce.com/en-us/winter18/release-notes/rn_apex_rest_permission.htm