SOAP vs REST

SOAP

  • Simple Object Access Protocol

  • Web Service API

  • Synchronous request response architecture

  • XML

  • Standards based

  • WSDL (Web Services Description Language): a package that defines all the methods; it needs to be downloaded and saved to the server.

    • The structure of the web services that clients can call

    • An XML file describing the endpoints.

    • A contract between the server and the client

    • Also defines the operations that Salesforce supports

    • And a definition of the data that will be passed back to the client

  • System to system

  • State maintained

  • Supports gzip compression

  • Built in security

    • OAuth or Session ID (OLD)

  • Can build Custom SOAP Web Services

  • Standard Salesforce WSDL

  • SOA (Service Oriented Architecture) Callout (eg bring data into external systems)

    • Synchronous

  • Web Service API

    • Anything referring to Web Service relates to SOAP.

  • Custom Web Service is inbound

    • Your client application submits a service request to the Web Service via the API

  • Callouts are outbound.

    • Callouts require a remote site setting.

    • The domains you want to allow communication to.

  • Layers

    • Application Layer

      • HTTP, SOAP, SSL, FTP etc

    • Transport Layer

      • TCP, UDP

    • Internet Layer

      • IP, ICMP

    • Link Layer

      • Ethernet, DSL, PPP etc

    • Gee this is all stuff I learned in my university days in the early 90s

  • Process

    • Insert records into Salesforce

    • Convert CSV data to XML

    • Send request for 200 records

    • Salesforce parses the request

    • Saves the records to the database

    • Return the success or failure response message to the client

    • This all happens synchronously.

    • Individual records can be rolled back if there are exceptions.

      • Eg 198 records may be successful, 2 may have errors.

  • First call passes the username and password
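
The Process steps above as an added example (not code from the original notes): it converts CSV rows to XML in batches of 200, building the XML with a library so cell data is escaped, and splits the per-record results into successes and failures. The namespace, element names, and sample CSV and response are constructed assumptions modelled on the partner WSDL; the SOAP envelope and the login call are omitted.

```python
import csv, io, re
import xml.etree.ElementTree as ET

BATCH = 200                                        # records per request, as in the notes
NS = "urn:partner.soap.sforce.com"                 # assumption: partner WSDL namespace
FIELD_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")    # CSV headers become tag names: allow-list them

def csv_to_batches(csv_text, sobject_type):
    """Convert CSV rows into <create> bodies holding at most BATCH records each."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    bodies = []
    for start in range(0, len(rows), BATCH):
        create = ET.Element("create", xmlns=NS)
        for row in rows[start:start + BATCH]:
            sobj = ET.SubElement(create, "sObjects")
            ET.SubElement(sobj, "type").text = sobject_type
            for field, value in row.items():
                if not FIELD_RE.fullmatch(field or ""):
                    raise ValueError(f"unsafe field name: {field!r}")
                # ElementTree escapes &, < and >, so cell data cannot inject markup
                ET.SubElement(sobj, field).text = value
        bodies.append(ET.tostring(create, encoding="unicode"))
    return bodies

def split_results(response_xml):
    """Return (ids of saved records, [(row index, statusCode, message)] for failures)."""
    q = lambda name: f"{{{NS}}}{name}"
    saved, failed = [], []
    for i, res in enumerate(ET.fromstring(response_xml).iter(q("result"))):
        if res.findtext(q("success")) == "true":
            saved.append(res.findtext(q("id")))
        else:
            err = res.find(q("errors"))
            failed.append((i, err.findtext(q("statusCode")), err.findtext(q("message"))))
    return saved, failed

# Constructed sample data, not real org output
SAMPLE_CSV = 'Name,Phone\nAcme & Sons,555-0100\n"<b>Bold</b> Ltd",555-0101\n'
SAMPLE_RESPONSE = f"""<createResponse xmlns="{NS}">
  <result><id>001CONSTRUCTED0001</id><success>true</success></result>
  <result><errors><message>Required fields are missing: [Name]</message>
    <statusCode>REQUIRED_FIELD_MISSING</statusCode></errors><success>false</success></result>
  <result><id>001CONSTRUCTED0003</id><success>true</success></result>
</createResponse>"""

if __name__ == "__main__":
    print(csv_to_batches(SAMPLE_CSV, "Account")[0])
    print(split_results(SAMPLE_RESPONSE))
```

The failure tuples carry the row index within the batch, so the 2 bad rows out of 200 can be traced back to their CSV lines and retried.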

Enterprise WSDL

  • Strongly Typed

  • For a specific org - has all of the customisations in that org

  • Changes if the org changes (eg custom fields added)

Partner WSDL

  • Loosely typed

  • Can be used against any org (eg used by partners)

  • Static - only changes based on API version?

REST

 

Synchronous vs Asynchronous

  • Sync

    • Eg a transaction

    • Wait for a reply

    • Within the Salesforce limits

  • Async

    • Check back later if it’s done

Callouts

  • Ajax Toolkit (see Old Stuff also)

    • Callouts via Apex with a Visualforce Controller

    • VF page requests data from VF Controller.

    • Controller does the callout to get the data.

    • Look wow, this would have been mindbreaking revolutionary stuff back in 2003 but now it’s just something you do regularly.

  • SOAP callouts

  • REST callouts

  • See Outbound Messaging

Security

How to encrypt data and authenticate between systems

SSL and TLS are the handshake that takes place between a client and a server. The handshake doesn’t do the encryption itself (really?); it agrees on the shared secret and the encryption that is going to be used.

SSL

  • Secure Transport over HTTP (HTTPS)

    • Implemented at the Application Layer

    • Network Segments are encrypted end-to-end in the transport layer (TLS)

  • One way SSL is enabled by default.

    • Salesforce calls out to another application

    • The application sends back a certificate

    • Salesforce verifies the certificate

  • Two way SSL needs self-signed or CA-signed certificates

    • Both the client and server present a certificate to prove their identity to the other party

  • For the exam only, not reality now with many different options available…

    • Apex code ignores profile based security.

    • Can respect or ignore record level security.

  • Two way SSL is mutual authentication

Inbound

  • External system connecting to Salesforce

  • Create separate user and give them a separate profile

  • Restrict that profile to only the fields / objects required to be used by the external system.

  • Uses the OAuth username-password flow or SSO.

TLS

  • Transport Layer Security

  • You upload your certificate to Salesforce

  • You can download the Salesforce client certificate to authenticate on your web server.