+ Start a Discussion
FrankJSalinasFrankJSalinas 

Additional Security for Inbound Salesforce Webservice

We want to create a Apex Webservice that receives a set of training records for customers from an external system. Our security group want to ensure that only an authorized external system can access the webservice. The external system will use .NET or Java call the webservice.  What is the best security method to ensure to that only external systems that are authorized can send data to the Salesforce webservice? 
GautamKumarDrefGautamKumarDref
Hi Frank,

If you want to post some data to salesforce and for that you are creating a web service in apex, you need to give the external system an oauth token, that will ensure that the external system is authorized to send the data.

Please look into this article for more details

https://developer.salesforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com

Or, you can else use session id to authenticate if you aren't handling someone else's password.

https://www.salesforce.com/us/developer/docs/api_rest/Content/quickstart_oauth.htm

 
FrankJSalinasFrankJSalinas
Hi Gautam, thanks for your response. I think I need to further clarify though. I understand OAuth is good if it is a client trying to access the webservice and he is logged into a 3rd party app, but it wil be a a Java/.NET console app that will try to deliver a set of trainng records. Are you sure that OAuth should be used for this?
The reason I'm pursuing this question is becase our security folks think that webservices provide a potential security hole where that data can potentially be compromised if someone else has access to to a username/password that has access to this webservice. For example, someone else within our organization that finds this webservice and has API access. 
GautamKumarDrefGautamKumarDref
Hi Frank,

OAuth2.0 flow is a multistep process it first authorizes and then authenticates. Moreover, the access token needed by the external system is secure and necessary to communicate with salesforce. It will take care of the authentication and will generate a separate token for each distinct username password.

Moreover, since you are talking about making a console app, you can set the permissions for this app to a certain number of profiles only, so that only authorized users can use this app. And the class that you will be making for creating the web service will be an apex class. And for added security you can set the availability of this class to a profile.

Rest assured, OAuth2.0 is what salesforce uses and recommends which I would prefer over session id and is full proof and safe.