Tags: authentication, salesforce, apex, apex-code

My Salesforce Visualforce page doesn't require authentication


I have a legacy system that needs some tiny improvements so that it can run without interruptions. I recently got a security notification from Salesforce that there are some upcoming changes in the Winter '21 release that are going to affect my system: the Secure guest user record access setting is going to become compulsory. Turning this setting on as a test prevents my system from working properly right now. The system is currently set up to use a Visualforce page to access Apex scripts that perform some business logic and even update/insert some data in Salesforce. That Visualforce page is called from another system that runs completely separately. As far as I can tell, the upcoming Salesforce release makes it impossible to insert/update data in the way I have been doing. I realized I need to secure this with some kind of authentication so I can keep my system working when the Secure guest user record access option is ticked. I want to add user authentication for my Apex script. I created a new Connected App and did the following:

  1. Enabled OAuth Settings
  2. Set OAuth Scopes Full access (full)
  3. Set IP Relaxation to Relax IP restrictions
  4. Exposed Apex Classes as REST Web Services

I have currently been using a Salesforce Sandbox as a test. I created a new connected app and made a login call first. That all worked fine and returned an access token. I made sure that I didn't have any sessions open when I called the Apex script via the Visualforce page where I have defined a new apex:page. For some reason, my Visualforce page is always public and lets me access everything without asking me for any token.

After having done all this I can still access everything without doing any user authentication.

Can someone please advise me on this?

Here I am calling the Visualforce page, which in turn calls the Apex script:

using System.Net.Http;
using System.Net.Http.Headers;
// Build the POST to the page URL; authToken is the access token returned by the connected-app login call.
var apiRequest = new HttpRequestMessage(HttpMethod.Post, restCallURL);
apiRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
apiRequest.Headers.Add("Authorization", $"Bearer {authToken}"); // check Bearer

It works fine even without me setting a token on it.

This is what my Visualforce page looks like:

<apex:page controller="TestGatewayResource" sidebar="false" showheader="false" contenttype="text/plain" action="{!action1}">{!StringCodeReturned}</apex:page>

This is my test Apex script:

@RestResource(urlMapping='/test_defined_type/*')
global class TestGatewayResource
{
    // Read by the page via {!StringCodeReturned}; Visualforce needs a getter, a bare field is not enough.
    public String StringCodeReturned { get; set; }

    public TestGatewayResource()
    {
        StringCodeReturned = ''; // very simplified to give an idea what I am doing. (Apex strings use single quotes.)
    }

    // Bound to action="{!action1}" on the page; runs before the page renders.
    public PageReference action1()
    {
        StringCodeReturned = activate();
        return null;
    }

    @HttpPost
    global static String activate()
    {
        // makes some work by calling other classes and inserting/updating data to Salesforce
        return 'OK'; // placeholder result so the method compiles
    }
}

Edit: I added more background information to help understand my issue better. I also added some code samples. FYI, I have no more than a week of experience working with Salesforce, trying to figure things out.


Solution

  • (too long for a comment)

    Your question is confusing, what are you trying to do? Connected apps are for API access (REST, SOAP), but then you write about a Visualforce page; that's for normal browser-based access.

    As an internal user you'll have access to all VF pages (well, if you're a sysadmin or your profile has them assigned). No connected apps needed. If you're an external user (guest) you can still access a VF page if it was exposed on a Site. No login needed = no OAuth2.

    With API access you need to make a login call first (there are a few ways to do it: SOAP, or ~9 OAuth2 options to choose from) and then you'd access Apex REST services, for example (again, if your profile allows).

    If you want to do programmatic screen scraping (pull the HTML of VF pages instead of calling APIs), that's doable too, but you need to pass a session id as a cookie instead of an Authorization header. That's not an officially supported API though.

    What are you trying to do? Can you post any code maybe?
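An added example illustrating the distinction the answer draws (this is not code from the asker or the answerer): the login call against the OAuth2 token endpoint, the authenticated call to the Apex REST resource under /services/apexrest/ that the @RestResource(urlMapping='/test_defined_type/*') annotation exposes, and the cookie-based Visualforce request for comparison. It assumes the OAuth2 username-password flow against the sandbox login host (test.salesforce.com) and a connected-app client id/secret; none of that is stated on the page. The FakeSalesforce class is a constructed stand-in for the real endpoints so the example runs offline, and it mirrors the point that an Apex REST call without a valid Bearer token is rejected while a Bearer header on a VF page URL is simply ignored. Written in Python so it can be run as-is; the same requests map one-to-one onto the asker's C# HttpRequestMessage.

```python
"""Added example (not from the original post): authenticate with a connected app and
call the Apex REST resource instead of the public Visualforce page.

Assumptions not stated on the page: OAuth2 username-password flow, sandbox login host,
and a connected-app client id/secret. FakeSalesforce is a constructed offline stand-in.
"""
import json
import urllib.parse
import urllib.request

SANDBOX_LOGIN = "https://test.salesforce.com"  # use https://login.salesforce.com for production
APEX_REST_MAPPING = "test_defined_type"        # from @RestResource(urlMapping='/test_defined_type/*')


def build_token_request(login_host, client_id, client_secret, username, password, security_token=""):
    """OAuth2 username-password flow: form-encoded POST to /services/oauth2/token."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        # Salesforce expects the user's API security token appended to the password
        # unless the caller's IP is trusted (the "Relax IP restrictions" setting).
        "password": password + security_token,
    }).encode()
    return urllib.request.Request(
        f"{login_host}/services/oauth2/token", data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def build_apex_rest_request(instance_url, access_token, body):
    """Apex REST lives under /services/apexrest/<urlMapping>; the token goes in Authorization."""
    return urllib.request.Request(
        f"{instance_url}/services/apexrest/{APEX_REST_MAPPING}/",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})


def build_visualforce_request(instance_url, page_name, session_id):
    """Screen-scraping a VF page (not a supported API): the session id goes in the 'sid' cookie.
    An Authorization header on this URL is ignored, which is why the asker's Bearer header changed nothing."""
    return urllib.request.Request(
        f"{instance_url}/apex/{page_name}", method="GET",
        headers={"Cookie": f"sid={session_id}"})


def login_and_activate(opener, client_id, client_secret, username, password, payload):
    """The full sequence the answer describes: login call first, then the authenticated Apex REST call."""
    with opener.open(build_token_request(SANDBOX_LOGIN, client_id, client_secret, username, password)) as resp:
        token = json.loads(resp.read())
    with opener.open(build_apex_rest_request(token["instance_url"], token["access_token"], payload)) as resp:
        return json.loads(resp.read())


class FakeSalesforce:
    """Constructed offline stand-in for the two endpoints (not Salesforce's real behaviour in detail).
    Issues a token, and rejects Apex REST calls that do not carry that token as a Bearer header."""
    TOKEN = "00Dxx0000000000!constructed.fake.token"

    class _Resp:
        def __init__(self, body): self._body = body
        def read(self): return self._body
        def __enter__(self): return self
        def __exit__(self, *exc): return False

    def open(self, req):
        path = urllib.parse.urlparse(req.full_url).path
        if path == "/services/oauth2/token":
            fields = urllib.parse.parse_qs(req.data.decode())
            if fields.get("grant_type") != ["password"]:
                return self._Resp(json.dumps({"error": "unsupported_grant_type"}).encode())
            return self._Resp(json.dumps({"access_token": self.TOKEN,
                                          "instance_url": "https://example.my.salesforce.com"}).encode())
        if path.startswith("/services/apexrest/"):
            if req.get_header("Authorization") != f"Bearer {self.TOKEN}":
                return self._Resp(json.dumps([{"errorCode": "INVALID_SESSION_ID"}]).encode())
            return self._Resp(json.dumps({"activated": json.loads(req.data)["id"]}).encode())
        raise ValueError("unexpected path " + path)


if __name__ == "__main__":
    print(login_and_activate(FakeSalesforce(), "client-id", "client-secret",
                             "user@example.com", "pw", {"id": "a01"}))
```

To run it against a real sandbox, replace FakeSalesforce() with urllib.request.build_opener() and pass the connected app's credentials; the VF page request is included only to show where the session id has to go if screen scraping is ever attempted.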