
Calling .Net webservice from apex code


We are building a managed package.

It calls a webservice on a .Net application and sends some data there (like name, phone, email etc.)

While making this call, we pass a token (which is generated in the .Net application and stored in the User object)


I have 2 questions:

1. When calling the .Net webservice, do I need to encrypt just the token, or do we also need to encrypt the data we are sending?

2. If we have to encrypt the data also, then how do we make it available to the end user of that data?




The token does not necessarily need to be encrypted, but it does need to be protected from access by any user. A protected custom setting is sufficient to meet this requirement, assuming no class in your managed package ever leaks the token. Encryption is still highly recommended, though.


Your data will automatically be encrypted by virtue of HTTPS connectivity, assuming your endpoint is configured to default to HTTPS and refuse HTTP. There is no need to go beyond this step of encrypting the data during the transmission stage. It may be considered desirable to encrypt the contents of the database that your .NET webservice accesses; it should be decrypted when accessed by a user that has been authenticated as having access to that resource. It is also suggested that the .NET service be hardened against SQL injection attacks, XSS attacks, and spoofing/replay attacks.


The full list of what the Security Review team is going to look for is listed on the Security Review Checklist page: http://wiki.developerforce.com/page/Requirements_Checklist. Best of luck to you and your team with securing your application.
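The pattern the answer describes (token kept in a protected custom setting, data sent only over HTTPS, token carried in a header rather than the URL), as an added Apex example that is not from the original post or the poster's package. The custom setting name `DotNetIntegration__c`, its fields `Token__c` and `Endpoint__c`, and the `Bearer` header scheme are assumptions for illustration.

```apex
// Added example, not the original poster's code. Assumes a protected hierarchy
// custom setting DotNetIntegration__c with Text fields Token__c and Endpoint__c,
// populated by the managed package (e.g. in a post-install script).
public with sharing class DotNetSyncService {

    public class IntegrationException extends Exception {}

    // Reads the token from the protected custom setting. Because the setting is
    // protected, users in the subscriber org cannot read the value through the
    // UI or API; only code in this managed package can reach it.
    private static DotNetIntegration__c settings() {
        DotNetIntegration__c s = DotNetIntegration__c.getOrgDefaults();
        if (s == null || String.isBlank(s.Token__c) || String.isBlank(s.Endpoint__c)) {
            throw new IntegrationException('Integration settings are not configured.');
        }
        return s;
    }

    // Enforce HTTPS on the calling side too; the .NET endpoint should also refuse HTTP.
    private static void requireHttps(String endpoint) {
        if (!endpoint.toLowerCase().startsWith('https://')) {
            throw new IntegrationException('Refusing to send data over a non-HTTPS endpoint.');
        }
    }

    public static HttpResponse sendContact(String name, String phone, String email) {
        DotNetIntegration__c s = settings();
        requireHttps(s.Endpoint__c);

        HttpRequest req = new HttpRequest();
        req.setEndpoint(s.Endpoint__c);
        req.setMethod('POST');
        req.setTimeout(30000);
        // Token goes in a header, not the query string, so it is not written to URL logs.
        req.setHeader('Authorization', 'Bearer ' + s.Token__c);
        req.setHeader('Content-Type', 'application/json');
        // Transport encryption comes from TLS; the body itself is plain JSON.
        req.setBody(JSON.serialize(new Map<String, String>{
            'name' => name, 'phone' => phone, 'email' => email
        }));

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() < 200 || res.getStatusCode() >= 300) {
            // Report the status only; never echo the token or request body into debug logs.
            throw new IntegrationException('Remote call failed with status ' + res.getStatusCode());
        }
        return res;
    }
}
```

The HTTPS endpoint still has to be allowed by a Remote Site Setting (or a Named Credential) in the subscriber org before the callout will be permitted.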