Tim__m

Force.com Sites, Webservice, Security

Hey all,

 

I have a Force.com site that needs to expose an apex webservice. This webservice needs to be consumed by external resources and by the Force.com site that exposes it. I'm really trying to stick to SOA here. Note: The Force.com site is public, no username or password needed. So this was simple enough to do until I tried to use SSL. If I set the endpoint of my public webservice to http://myforcedomain.sandboxdev.cs3.force.com/sitename/services/soap/class/myservice I can call the service from outside and from inside, BUT if I set the endpoint to https I get the below exception when I try to call the service from inside but not outside...

 

System.CalloutException: IO Exception: java.security.cert.CertificateException: No subject alternative DNS name matching myforcedomain.sandboxdev.cs3.force.com found

 

I have only tested in a sandbox (not dev) and without using a custom web address for the force.com site. What would happen if I used a custom web address? I ask because if I can get this all to work it will be going into production where custom web addresses are used.

 

So my question is, how do I deal with the security certificate issue when calling from inside? Is it safe to not use SSL when calling a public apex webservice from a public visualforce controller class?

 

 

Best Answer chosen by Admin (Salesforce Developers) 
RyanGuest

The SSL certificates used by Sites in sandbox aren't accepted by all browsers and web service clients. Production sites and developer edition sites using the Force.com domain will not give you this problem.

 

SSL isn't currently supported with a custom web address in Sites.
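
The hostname check behind the `CertificateException` quoted in the question, as an added example that is not part of the original thread: a TLS client compares the endpoint host with the DNS names in the certificate's subject alternative name (SAN) list, and a wildcard entry covers exactly one label. The SAN lists below are constructed for illustration; the thread does not say what the sandbox certificate actually contained.

```python
"""Why a TLS client rejects a certificate whose SAN list does not cover the host."""


def san_matches(hostname, pattern):
    """RFC 6125-style dNSName match: '*' is allowed only as the whole
    left-most label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans several labels
    if pat[0] == "*":
        # require at least two fixed labels after the wildcard (no "*.com")
        return len(pat) >= 3 and host[0] != "" and host[1:] == pat[1:]
    # partial wildcards such as "f*.example.com" are not accepted here
    return "*" not in pattern and host == pat


def check_endpoint(hostname, san_dns_names):
    """Return the SAN entry that covers hostname, or raise with the same
    wording as the Java exception quoted in the thread."""
    for name in san_dns_names:
        if san_matches(hostname, name):
            return name
    raise ValueError(
        f"No subject alternative DNS name matching {hostname} found"
    )


# Constructed SAN lists (assumptions, not the real Salesforce certificates).
WILDCARD_ONLY = ["*.force.com", "force.com"]
WITH_SANDBOX = ["*.force.com", "*.sandboxdev.cs3.force.com"]

if __name__ == "__main__":
    host = "myforcedomain.sandboxdev.cs3.force.com"  # host from the thread
    for sans in (WILDCARD_ONLY, WITH_SANDBOX):
        try:
            print(sans, "->", check_endpoint(host, sans))
        except ValueError as exc:
            print(sans, "->", exc)
```

Running the same comparison against the certificate a server really presents (for example the DNS names printed by `openssl x509 -noout -text`) shows whether a callout to that host can pass hostname verification.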

Tim__m

Thanks Ryan!

 

I was aware that SSL isn't supported with a custom web address but I was not aware of the SSL cert differences with sandbox orgs and production/dev orgs. I did move my app to a dev account and everything works over SSL. Thanks again for the help.

Richard Clarke - Artisan Consulting

Hi, this is only partly related to your post, but I am also trying to create an APEX web service which is exposed publicly to external systems, and I want it consumed without authentication. How do I do that? Everything I have tried so far only works if I establish a session first and put the sessionId in the SOAP header. Which I want to avoid. Thanks, Richard

richard.clarke@fuseit.com

Tim__m

Hi Richard,

The trick is to use Salesforce Sites to expose your service. Just add your apex class that is the service to the allowed apex classes in the public site profile. Then modify the endpoint in your wsdl to use your site domain.

 

Hope that helps.

 

Tim -