[SalesForce] Authentication for custom Apex SOAP web service

I am in the process of creating a custom SOAP apex web service using webservice keyword so that external system can call this apex web service.
I am not using Apex REST.

From the class I can create WSDL and share it with the external system.
Apex REST clearly documents that it supports OAuth and Session ID authentication but no documentation for Apex SOAP Web service.

How can I secure this apex SOAP web service ?
What authentication mechanism is supported ?
How can external system connect to it securely ? Do they have to pass salesforce username/password/token?

Best Answer

You need to pass in a Session ID that has API access. You can get this Session ID any way you want, including SOAP login() (see Setup > Develop > API for the WSDL files), SAML authentication via Single-Sign On (SSO), the Session ID from a Workflow Outbound Message, or any of the OAuth flows (Web Server, Client, or Username-Password). You provide the Session ID through the SessionHeader provided by the WSDL.

You'll want to check the appropriate documentation for your chosen method of logging in. The SOAP login() and the OAuth Username-Password flows require directly handling the username and password, while the other methods handle the login through other means, such as logging in through a WebForm.

Related Solutions

[SalesForce] Possible Username-Password OAuth Authentication Flow security issues

Answering your questions in order:

In the interactive web server/user-agent flows, the user submits their credentials directly to Salesforce, and the app receives the short-lived access token and, optionally, a long-lived refresh token. The refresh token is scoped to that application, and may be revoked by the user or an admin at any time, without any impact on other applications. The admin can even set policy for refresh tokens, choosing to invalidate them after some period of inactivity etc. This is not true of username/password - the user shares their Salesforce credentials with the application. If, at a later time, the user decides that they do not trust that app, they needs to change their password at Salesforce, and update any other apps that might be holding the username and password.
The app is responsible for safely handling and, possibly, storing those credentials, which have much wider scope than the refresh token. It's not that the username/password flow is less secure than the interactive flows, it's that the responsibilities of the app are much greater, and the consequences, if the app does not fulfill those responsibilities, more severe.
They are not sent as URL parameters, but posted as application/x-www-form-urlencoded data - see this article.

I would advise you to consider one of the interactive flows, and store the refresh token, or even JWT Bearer Token flow, where the app creates a signed token, rather than username-password, which should be considered a last resort, when no other option is available.

[SalesForce] Making Apex Callouts to consume Custom Apex Web Service STEPS

You will need to set the endpoint for the client based on the LoginResult serverUrl.

The login call will go to login.salesforce.com. When it comes back the serverUrl will be something like https://na5.salesforce.com/services/Soap/u/34.0.

partnerSoapSforceCom.Soap partner = new partnerSoapSforceCom.Soap();
partnerSoapSforceCom.LoginResult lr = partner.login('user@example.com', 'SomePassword' + 'SomeSecurityToken');    

ARTaskWebService.AR_getActivitiesWebservice client = new ARTaskWebService.AR_getActivitiesWebservice();
client.SessionHeader = new ARTaskWebService.SessionHeader_element();
client.SessionHeader.sessionId = lr.sessionId;

// You may need to adjust this if using a custom Apex Soap service.
client.endpoint__x = lr.serverUrl;

Since your Apex class Soap class probably has an endpoint like https://na8.salesforce.com/services/Soap/class/AR_getActivitiesWebservice you may need to adjust this using the domain in the LoginResult serverUrl.

E.g. replace the na8 pod identifier in your current endpoint with na5 if that is what the serverUrl comes back with.

Best Answer

Related Solutions

[SalesForce] Possible Username-Password OAuth Authentication Flow security issues

[SalesForce] Making Apex Callouts to consume Custom Apex Web Service STEPS

Related Topic