I have several PDF file stored in Salesforce, I need to send each PDF to each different external users (external users that don't have Salesforce access) in a secure way.
I see two ways:
Encrypt the PDF and send it encrypted to the user mail address, then send the password by SMS.
Allow the external users to access the PDF stored in Salesforce using a user-password but without having a Salesforce user.
Is there any solution for one of the two ways?
Thanks,
Jaime
Content Documents (the actual table name for what you see as Files / Chatter Files / Notes) might have an option for #2. The old school Documents and Attachments - unlikely.
You can password protect the links and / or make them expire after certain date. Read up https://help.salesforce.com/s/articleView?id=sf.content_delivery_create.htm&type=5
Here's ERD: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_erd_content.htm
Alternative could be the "sign" apps on AppExchange. Check Adobe Sign, Docusign (or whatever is the name). But I suspect they're just think integrations and docs are hosted in different cloud, your organisation might have security issues with that.
Related
Friends,
I need some help on Word API Authentication.
Scenario:
Our articles has meta data which contains who can work on the articles (User1, User2), we need to know user_name (window's id) who logged into the machine so that we can authenticate the users against article metadata without asking them to log-in each time.
Workflow:
Article Creator Process is responsible for creating the document. This process will create word document and will be transferred to the user.
Article processor is adding custom xml part into document such as User Name, Document ID etc.
Authentication Rule is simple here. If article metadata contains your name then only you can work else not.
We need to match article meta data name with user who is opening the document. So here we need to know who log-ed into the machine.
How we can get this information for Online and Offline ?
We don't want our desktop users to enter the credentials again and again. For desktop which is (90% users will use desktop) is should be pretty straight forward, get user name and match it with article metadata.
Appreciate any help on this, any alternative solutions to handle this are most welcome.
There is no way to find out the current user's username. You can get the unique ID of the user in terms of a GUID-like entity, though, so I suppose you could store the user GUID into the custom XML part instead. The GUID corresponds to the Microsoft account or OrgID identity of the user.
See https://msdn.microsoft.com/en-us/library/office/jj164035.aspx for more info, particularly the "To load a test license from your Visual Studio project" section that describes the structure of the validation token.
Alternatively, if you can trust your users (i.e., it's just identification, not authentication), have them type in their name once, and then store it in the browser's localStorage.
I have a SaaS which integrates with SalesForce. I have synced all the SF users to my database so that my local users have a SF user ID stored.
I need to have a custom link in SF which will bring the user to my site and log them in automatically. The wrong way to do this is to pass the SF user ID in the link and simply match the SF User ID to the one I've stored in the database. What is the right way to ensure the referred SF user should be authorized? Is there some token I can put in the link from SF that I can then verify against the SF API?
There are two approaches for this:
Create a canvas app that sends a signed request to your site. The signed request will include the current users session details. You can use these to verify that the user is indeed who they say they are. I.e. They haven't just made up an id and that they came from an active Salesforce session. See Verifying and Decoding a Signed Request. The advantage of this approach is that you can verify the request has been signed with your apps consumer secret.
Its an older approach that isn't really promoted by Salesforce any more as the canvas apps superseded it. Create what was known as a composite app. This was basically an iframe to your external site that could include the session id and server url in the query string (over SSL). With these details you could call back into Salesforce and get the User Id of the session owner.
Incidentally, the Salesforce StackExchange site is a great place to ask Salesforce specific questions.
I have a vb.net application that uses my gmail smtp server settings and my password to send me the users feedback through the email, (I don't want to show my email to the users)
The problem is I want to store these data securely in the vb.net application so that It's hard for any hackers/crackers through (reverse engineering or programs like cheat engine) to get my gmail account data.
Any ideas are welcome.
You cannot be 100% secure, you could store the email in a resource file and use an obsficator to make it much harder to get at the string but it is possible to break it (encrypted resource files and strings). However Even if you used a different email address and setup a forwarding rule the password for that account could still be comprimised. Anything you have access to in code a hacker could potentially break into as the key will be in clear text at some point.
You have a number of secure options:
Setup a webservice to receive your messages and email them onto you/log them to a database
Log your messages to a 3rd Party system (irc? news? some p2p network, IM system), and pick um the messages later.
Setup a Source Control/issue site for your system, google code/bitbucket/something else that has the ability to receive issues via an api.
I don't know if this makes any sense but what I'd do is let the program run an external PHP script that sends the mail.
Basically, if I'm understanding your question, you don't want the password in clear text in your .exe. Correct?
The solution is simply to ENCRYPT the string in your program, then decrypt it at runtime (pass your decrypted variable to your e-mail function).
Any two-way encryption will work. For example:
http://www.vbdotnetforums.com/security/1240-encrypt-password.html
As other people pointed out saving the password to your email in your application is unsafe because somebody might be able to crack your code and retrieve your password.
For logging errors, I suggest creating a very small PHP script and putting it on a PHP server. When an error occurs in your VB.NET application, the application can send data to this .php script. The script can save the data in a file or in a MySQL database.
All the things you need for sending data to PHP scripts can be found in "System. Net. WebRequest" namespace in VB.NET.
If you cannot use a PHP script, you may use a combination of IsolatedStorage ("System.IO.IsolatedStorage" namespace) and Cryptography ("System.Security.Cryptography" namespace) to save sensitive data. But, this is not completely secure to savvy attackers.
I have requirement to show the pdfs to the users via asp.net application. These pdfs are password protected using iTextSharp. The password is known within the application but not to the users. Lets say password is saved in a table for each file. I want to display the pdf to users without asking for the password from them or letting them to know the pdf. Is there anyway to do this?
UPDATE
My requirement is to protect those pdf files from others who has access to the destination folder (where pdfs are uploaded) by putting password protection.
If you want to give people access to these PDFs you either need to give the users the password or remove the password. That's the only two options. The last option can be implemented in several ways, however. For instance, you could JPG the PDFs which would obviously remove the password. You could also apply a NULL userPassword which would allow people to open but not edit the PDFs. Both of these things you could do on the fly and serve a dynamic PDF if needed.
If I'm not understanding you correctly explain a little more and we'll try to help you.
With the PDF format, there are two types of password: user and owner password.
You can use a tool like PDFTK to rebuild your PDF using only an owner password and disallowing any authoring operation.
Should the HTML5 database be used to store any form of private information?
Say we have the following scenario;
You're browsing a web-mail client, that uses the web database to store mail drafts after you've written some information you close the web browser. What's to stop me from getting access to this information?
If the webpage tries to clean out old information when opened a user-script could easily prevent the website from fully loading and then search through the database. Furthermore the names of databases and tables are easily available through the web-mail client's source.
W3C Draft
The only way an external party could access the user's database is via direct access to the user's computer, or if your web app has a security vulnerability (such as XSS - Cross Site Scripting). Otherwise standard browser security dictates that only scripts running in web pages from a certain domain can access databases that were created/stored on that same domain (same origin-policy), same thing that stops you making cross-domain Ajax requests, or reading other website's cookies, all of which can be overcome via an XSS attack.
To me, storing a draft email seems reasonably sensible, whereas things like credit card details, passwords etc. should be stored exclusively server-side. You'll need to make a call as to what should be stored where, based on what you're going to store.
Should the HTML5 database be used to store any kind of private information?
Depends on how sensitive the information is. I wouldn't want to leave credit card details lying around anywhere.
You're browsing a web-mail client, that uses the web database to store mail drafts after you've written some information you close the web browser. What's to stop me to get access to this information?
Assuming you don't have physical access to the computer (in which case the user needs to take relatively extreme security measures) and you don't run the email service (in which case you need to have access to emails) then standard browser security stops you.