Our organization has a data collection on their servers. A soap API has been implemented and the data can be accessed using the WSDL on SOAP UI. I am a front-end developer and when I make a POST request using XMLHttpRequest to get the query result, it throws CORS error: "Response to the preflight request doesn't pass access control". It is NOT possible to enable CORS on the data collection servers. I am using Liferay for the website front end and the back end.
Any suggestions how I can get the query results from the front end without enabling CORS on database servers(this is different than the Liferay backend server)? Or I can use a website backend to interact with the database? Or use third-party services like Kinvey?
I have had similar issues in the past. Like you, I wanted to create a basic webpage on my machine and that contained some Javascript to call an API. With this approach, I got the CORS issue you are seeing.
I then hosted my page on a web-server and I still got the CORS issue.
To resolve, I had to create a web app, which I wrote in Java. This back-end contained its own API. One of the resources in 'my' API was a simple wrapper to call the API of interest. I then modified the webpage I wrote (now all hosted in the same web app), to call my API, which in turn calls the API of interest.
Related
I have been following a tutorial showing how to build a custom Rest API in Javascript which is then deployed to Firebase Functions which can then be used to communicate with a Firestore Database.
Everything appears to be working fine but one thing is bothering me.
One of my end points is url-to-api/read which fetches all the records in the database.
How can I prevent anyone from simply adding that url into a browser and reading all the data.
I have tried various Firestore rules but none seem to make any difference, adding /read on to the end of the API URL still shows all the data in the browser.
Cloud Functions access Firebase using the Admin SDK, which means they bypass the security rules and have unrestricted access to the database.
It is up to you to protect what users can do in this case. For example, you can require that they pass their ID token along, and use that to determine their authorization as shown in these examples of implementing an authorized HTTP endpoint and implementing an authorized JSON API.
I am a bit confused. The requirement is that we need to create a REST API in Salesforce(Apex class) that has one POST method. Right now, I have been testing it with POSTMAN tool in 2 steps:
Making a POST request first with username, password, client_id, client_secret(that are coming from connected app in Salesforce), grant_type to receive access token.
Then I make another POST request in POSTMAN to create a lead in Salesforce, using the access token I received before and the body.
However, the REST API that I have in Salesforce would be called from various different web forms. So once someone fills out the webform, on the backend it would call this REST API in Salesforce and submits lead request.
I am wondering how would that happen since we can't use POSTMAN for that.
Thanks
These "various different web forms" would have to send requests to Salesforce just like Postman does. You'd need two POST calls (one for login, one to call the service you've created). It'll be bit out of your control, you provided the SF code and proven it works, now it's for these website developers to pick it up.
What's exactly your question? There are tons of libraries to connect to SF from Java, Python, .NET, PHP... Or they could hand-craft these HTTP messages, just Google for "PHP HTTP POST" or something...
https://developer.salesforce.com/index.php?title=Getting_Started_with_the_Force.com_Toolkit_for_PHP&oldid=51397
https://github.com/developerforce/Force.com-Toolkit-for-NET
https://pypi.org/project/simple-salesforce/ / https://pypi.org/project/salesforce-python/
Depending how much time they'll have they can:
cache the session id (so they don't call login every time), try to reuse it, call login again only if session id is blank / got "session expired or invalid" error back
try to batch it somehow (do they need to save these Leads to SF asap or in say hourly intervals is OK? How did YOU write the service, accepts 1 lead or list of records?
be smart about storing the credentials to SF (some secure way, not hardcoded). Ideally in a way that it's easy to use the integration against sandbox or production changing just 1 config file or environment variables or something like that
My goal is to create a REST API Integration from Salesforce to SAP application.
SUCCESS Through Chrome APP
1. All I need to do is retrieve values from sap application through the REST API. When I tried to use the Chrome APP 'Advanced Rest Client' and have passed the appropriate URL and Content with POST method I was able to retrieve the values from local server database.
For EG : If I pass request 92126 then I was able to get response 'SAN DIEGO' which is correct.
Here is the link (https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo?hl=en-US) for Advanced REST Client.
PROBLEM from Salesforce :
I had created a remotesite setting
When I created this REST class in SAlesforce and tried invoking the End Point then it's throwing this error.
System.HttpResponse[Status=Service Unavailable, StatusCode=503]
As the web api url which is provided to us is in local sql server i.e hosted in private, as we know in Salesforce for making callouts the URLs must be in public. But the URL is in private only for the security reasons not hosted in public. We should achieve it, any way is there to achieve it? What change should be done in Salesforce or server to communicate to each other, and allows to make the callout?
It is most likely that you endpoint does not allow access from outside some ip range which you indicated by saying it's not public. Salesforce is a SaaS application hosted outside the domain that your service is on. In order for Salesforce to access that endpoint resource you need to whitelist Salesforce IP ranges, which can be found here.
Whitelisting allows Salesforce to access the resource. The only caveat is that because Salesforce is multi-tenant it means that any instance of Salesforce on the range that you whitelist would have access to your endpoint. If this is not ok, you might want to add some sort of header or sign the request to the call to that identifies your Salesforce instance uniquely from any other instance to validate that the call originated from your Salesforce org.
(I am linking to the article instead of pasting the IP ranges here because these may change in the future).
I am coding a webapp (E-commerce) for learning purpose using AngularJS + BootStrap and REST.
I have used Apache Wink for REST WS and and application is deployed on JBoss EAP 6.4. My application is working fine.
I can access the back end data using AJAX and webpages are getting populated properly. The issue is security of REST WAS. If I use REST URL directly on browser, without going through front end, JSON data gets populated and my data is exposed. What design changes should i do ?
Please note that initial operation on the website for e.g. browsing the products, adding them to cart etc are stateless. No user's identity is needed for these operations. I still need to secure my data for these interactions. Please suggest, how can I do it.
Sunil
If you want to lock down the services, you may require some type of authentication (for example user/pass) that returns a security token (over https). Then all subsequent function calls may require the security token to be passed in as a parameter (if the operation is sensitive). The token will require a session timeout.
However, if the data is also publically shown on the site, then there's not really a security risk in itself. IOW, how is this any different than them using the public website to get/update data? The rest services usually shouldn't require any additional level of security beyond what is already used on the website to protect the data.
I would like to consume SalesForce API using JavaScript that running in VF page that already authenticated. Is it possible to do that without another authentication just to get the security token to call REST API?
What would be the alternative to call SalesForce REST service in valid VF page using JavaScript?
Have a look at the Visualforce Remote Objects. It is only in developer preview at the moment but will provide JavaScript proxy objects for DML operations.
Alternatively, you might be better served by JavaScript Remoting or exposing apex web services that you call from your Javascript.