Force usage of sessionId when accessing REST service

Is there a way to force clients of a REST service to use their sessionId to access the REST service?
I can currently access this URL without any sessionId:
https://ddddddd.force.com/services/apexrest/contacts/00sddd5/employees

I did add the Rest service class RESTClass… to the Public Access Settings of the tools Sites -> Apex Class Access.

http://www.salesforce.com/us/developer/docs/apexcode/index_Left.htm#CSHID=apex_rest_code_sample_basic.htm%7CStartTopic=Content%2Fapex_rest_code_sample_basic.htm%7CSkinName=webhelp

Apex class methods that are exposed through the Apex REST API don’t
enforce object permissions and field-level security by default. We
recommend that you make use of the appropriate object or field
describe result methods to check the current user’s access level on
the objects and fields that the Apex REST API method is accessing. See
Schema.DescribeSObjectResult and Schema.DescribeFieldResult. – Exposing Data with Apex REST Web Service Methods

Schema.DescribeFieldResult F = Employee__c.Termination_Date__c.getDescribe();

F.isAccessible() returns true if user is allowed to see this field

Boy, if we have to do this for all fields, even if we use a utility, that is a pain.

TIA

Answer

The issue is that you would like to authenticate users before allowing access to the web service, but you are exposing the web service with public access. You will need to reduce the security to only internal users.

Attribution
Source : Link , Question Author : Vijay , Answer Author : tannershamrock
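
The describe-based check from the quoted documentation, wrapped in one helper so it is not repeated per field, together with a guard that refuses Site guest (unauthenticated) callers. This is an added example, not code from the question, the answer or Salesforce; the class name `EmployeeRestExample`, the helper `readableFields`, the URL mapping and the `Employee__c` field list are assumptions based on the names in the question.

```apex
// Added example. Class, helper and field list are hypothetical names.
@RestResource(urlMapping='/contacts/*/employees')
global with sharing class EmployeeRestExample {
    public class AccessDeniedException extends Exception {}

    // Returns the subset of `wanted` fields the running user may read.
    // Throws if the object is unknown or not readable at all.
    public static List<String> readableFields(String objectName, List<String> wanted) {
        Schema.SObjectType t = Schema.getGlobalDescribe().get(objectName);
        if (t == null || !t.getDescribe().isAccessible()) {
            throw new AccessDeniedException('No read access to ' + objectName);
        }
        Map<String, Schema.SObjectField> fieldMap = t.getDescribe().fields.getMap();
        List<String> allowed = new List<String>();
        for (String name : wanted) {
            Schema.SObjectField f = fieldMap.get(name.toLowerCase());
            // Unknown fields are dropped, never passed on to the query.
            if (f != null && f.getDescribe().isAccessible()) {
                allowed.add(name);
            }
        }
        return allowed;
    }

    @HttpGet
    global static List<SObject> getEmployees() {
        // A Site guest user has no authenticated session: refuse the call
        // even if the class is listed in the site's public access settings.
        if (UserInfo.getUserType() == 'Guest') {
            RestContext.response.statusCode = 401;
            return null;
        }
        try {
            List<String> fields = readableFields('Employee__c',
                new List<String>{ 'Name', 'Termination_Date__c' });
            if (fields.isEmpty()) {
                RestContext.response.statusCode = 403;
                return null;
            }
            // Field names come from the fixed list above, filtered by describe,
            // so no caller-supplied text reaches the dynamic SOQL string.
            return Database.query('SELECT ' + String.join(fields, ', ')
                + ' FROM Employee__c LIMIT 50');
        } catch (AccessDeniedException e) {
            RestContext.response.statusCode = 403;
            return null;
        }
    }
}
```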
