[SalesForce] Sending the username and password in REST call

I am making a REST call to an external system and the endpoint URL is defined as www.xyz.com/userid=XXX&Password=xyz. I need to set this as an endpoint when making an Apex REST callout. Also I am using Named Credentials to set the endpoint URL and username/password.

But this is posing a security issue because the userid and password should not be sent as part of the URL, as it is visible to the outside world. Also, the external system understands userid and not username as the parameter. How can I overcome this security issue? When talking to people I heard I should be sending the username and password in the POST parameters of the body. Is this a feasible way? I do not want to change the code every time the endpoint or username/password changes. I would like to use something like Named Credentials for making changes instead of touching the code every time. Any ideas?

Best Answer

There is not a security ban on making rest calls with usernames and passwords for authentication to third party endpoints.

In general you want to avoid secrets written to server logs that log requests. But the issue with URLs that you refer to primarily refers to what appears in the URL bar of browsers -- e.g. clicking on a link with the username and password passed as parameters in the link, rather than making xhr or server-side callouts to third party servers.

This is because when the REST API is designed to accept auth data via URL parameters rather than headers, the endpoint is assumed to protect this information in the server logs. When the data is sent as part of routine browser APIs, the server may not be configured to protect this data.

Please check, however, that the REST endpoint responds with a content type header correctly set to application/xml or application/json.

If you have more questions, you can book an office hour to confirm that your API usage is secure.
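An added example (not code from the question or the answer) of what the question asks for: an Apex callout that keeps the endpoint and the secret in a Named Credential and injects the credential into the POST body rather than the URL, plus the response content-type check the answer recommends. It assumes a legacy Named Credential called `External_System` (hypothetical name) with Password Authentication, "Allow Merge Fields in HTTP Body" enabled and "Generate Authorization Header" disabled, and an external parameter name of `userid`, as in the question.

```apex
// Added example, not the original post's code. Assumes a Named Credential
// named 'External_System' (hypothetical) configured for Password
// Authentication with "Allow Merge Fields in HTTP Body" checked and
// "Generate Authorization Header" unchecked.
public with sharing class ExternalSystemCallout {

    // Builds the request so that no secret appears in the URL. The
    // platform substitutes the merge fields after the request leaves Apex,
    // so the password is not in source, and the URL that may end up in
    // proxy or server request logs carries no credential.
    public static HttpRequest buildLoginRequest() {
        HttpRequest req = new HttpRequest();
        // Endpoint comes from the Named Credential: rotating the host or
        // the password is a metadata change, not a code change.
        req.setEndpoint('callout:External_System/login');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        // The external system expects "userid", not "username", so the
        // field name is chosen here while the value stays in the credential.
        req.setBody('userid={!$Credential.Username}'
                    + '&Password={!$Credential.Password}');
        return req;
    }

    // The answer's check: the endpoint must declare a structured content
    // type, otherwise treat the body as untrusted and do not parse it.
    public static Boolean hasExpectedContentType(HttpResponse res) {
        String ct = res.getHeader('Content-Type');
        if (ct == null) {
            return false;
        }
        ct = ct.toLowerCase();
        return ct.startsWith('application/json')
            || ct.startsWith('application/xml');
    }

    public static HttpResponse login() {
        HttpResponse res = new Http().send(buildLoginRequest());
        if (!hasExpectedContentType(res)) {
            throw new CalloutException(
                'Unexpected Content-Type from external system: '
                + res.getHeader('Content-Type'));
        }
        return res;
    }
}
```

Merge-field values are inserted as-is, so a password containing `&` or `=` would corrupt a form-encoded body; in that case use a JSON body or a credential value that is safe for the encoding you send.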
