FlyingCloud

Callout to a web service that calls back into SF - how to handle the security?

I am an ISV and I am integrating a web service into the package I am creating. That web service will need to call back into the user's SF org. Is there a best practice for how to enable this without requiring the user to store his/her password? Is there a best practice paper for how this type of integration should be built?

Best Answer chosen by Admin (Salesforce Developers)
Satgur

Hi,

If you make the Web Service call from the Apex class (i.e. the package that you are creating), then the Apex class can still handle any logic after the web service call is over.

Typically Web Service calls are synchronous in nature and the Apex class would get the response instantly.

Is there something specific in your implementation that requires the Web Service to call into the user org?

If not, the managed package that you are creating would itself reside in the user org and you will have all the necessary access in the user org to perform the logic after the web service call is over.

- Satgur

All Answers

FlyingCloud

I think I want to create my web service to accept the session ID and server URL as part of the connection request and use some other account (like a hardcoded un/pw for the service itself) just to make sure it is secured. I've seen some posts concerned about passing the session ID around, so I'm not sure if this approach is practical and whether it would result in me having issues with a security audit.

MandyKool

Hi,

When using callouts, it is a better practice to use the session ID instead of passing your username/password. In order to communicate securely with your external service you can use certificates. The best approach is to use two-way SSL authentication.

In Salesforce you can go to Your Name > Setup > Security Controls > Certificate and Key Management to generate the certificate.

You can go to http://www.salesforce.com/us/developer/docs/apexcode/index.htm and check the "Invoking Callouts Using Apex" chapter; under "Using Certificates" you will find code examples which you can use with your certificates.

Hope this solves your issue. Don't forget to mark it as solved if it solves your issue.
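As an added illustration of the pattern discussed in this thread (not code posted by anyone here or taken from the Salesforce documentation), the Apex callout below hands the external service the session ID and instance URL it needs to call back into the org, while the org authenticates itself to the service with a client certificate registered under Certificate and Key Management (two-way SSL), so no service password has to be stored in the package. The endpoint, the certificate unique name and the `RegistrationException` class are assumptions for the example.

```apex
// Added example, not from the thread. Assumes the service endpoint is
// registered as a Remote Site Setting and that a certificate with the
// unique name 'ISV_Callout_Cert' exists in Certificate and Key Management.
public with sharing class CallbackRegistration {

    public class RegistrationException extends Exception {}

    // Placeholders: replace with the real service URL and certificate name.
    private static final String SERVICE_ENDPOINT = 'https://service.example.com/register';
    private static final String CLIENT_CERT_NAME = 'ISV_Callout_Cert';

    // Registers a callback for the given record and returns the HTTP status.
    public static Integer registerCallback(String recordId) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(SERVICE_ENDPOINT);
        req.setMethod('POST');
        req.setTimeout(30000);
        // Two-way SSL: the org proves its identity to the service with this
        // certificate, so the package needs no hardcoded service password.
        req.setClientCertificateName(CLIENT_CERT_NAME);
        req.setHeader('Content-Type', 'application/json');

        // The session ID is a bearer credential carrying the running user's
        // full access. Send it in the body rather than the URL (URLs end up in
        // access logs) and only over the certificate-authenticated channel.
        Map<String, Object> body = new Map<String, Object>{
            'instanceUrl' => URL.getSalesforceBaseUrl().toExternalForm(),
            'sessionId'   => UserInfo.getSessionId(),
            'recordId'    => recordId
        };
        req.setBody(JSON.serialize(body));

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Do not echo the request body into the error: it holds the session ID.
            throw new RegistrationException('Registration failed: ' + res.getStatus());
        }
        return res.getStatusCode();
    }
}
```

The callback side should treat the received session ID like a password: hold it only in memory for the duration of the job, use it only against the instanceUrl it arrived with, and never write it to logs.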
