
Verifying Password

Post by Richard.Vanhook  (2011-09-30)

Status: Unverified
Level: intermediate


Your app contains a significant action, like signing a document or escalating an issue, that requires you to make certain the currently logged-in user is in fact who they say they are.


Prompt the user to re-enter their password and verify it via a callout to the web service API.


  • You'll need to create a remote site setting for the login URL. If your org is on na1, then you'll need the following URL as a remote site setting:
  • The code below uses the web service API, so it's as if the user is logging in to Data Loader or an IDE. Accordingly, if tokens are required, users will need to append their token to the password.


Here is the code for a simple Visualforce page that prompts the user to enter their password and then prints a message stating whether the password was correct or incorrect. Use this code as a template.

Visualforce Page

<apex:page controller="VerifyPassword">
	<apex:sectionHeader title="Verify Password"/>
	<apex:pageMessages />
	<apex:form >
		<apex:pageBlock title="" mode="view">
		    <apex:pageBlockButtons >
		        <apex:commandButton value="Verify" action="{!doVerify}"/>
		    </apex:pageBlockButtons>
		    <apex:pageBlockSection title="My Content Section" columns="1">
				<apex:pageBlockSectionItem >
					<apex:outputLabel value="Username" for="username"/>
					<apex:outputText value="{!username}" id="username"/> 
				</apex:pageBlockSectionItem>
				<apex:pageBlockSectionItem >
					<apex:outputLabel value="Password" for="password"/>
					<apex:inputSecret value="{!password}" id="password"/> 
				</apex:pageBlockSectionItem>
		    </apex:pageBlockSection>
		</apex:pageBlock>
	</apex:form>
</apex:page>


Here's the corresponding controller code:
// Requires a remote site setting for the login URL (see the note above).
// The endpoint path and the XML namespace strings are blank ('') in this listing.
public class VerifyPassword {

	public final String LOGIN_DOMAIN = 'test'; //other options: test, prerellogin.pre

	public String username {get{ return UserInfo.getUsername(); }}
	public transient String password {get;set;}

	public PageReference doVerify(){
		HttpRequest request = new HttpRequest();
		request.setEndpoint('https://' + LOGIN_DOMAIN + '');
		request.setMethod('POST');
		request.setHeader('Content-Type', 'text/xml;charset=UTF-8');
		request.setHeader('SOAPAction', '""');
		//send the SOAP login request built from the re-entered password
		request.setBody(buildSoapLogin(username, password));

		//basically if there is a loginResponse element, then login succeeded; else there
		//  would be soap fault element after body
		final Boolean verified = (new Http()).send(request).getBodyDocument().getRootElement()
		  .getChildElement('Body','')
		  .getChildElement('loginResponse','') != null;

		if(verified) ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.CONFIRM, 'Correct password!'));
		else 	     ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'Incorrect password!'));

		return null;
	}

	//builds the SOAP envelope for the login call
	public static String buildSoapLogin(String username, String password){
		XmlStreamWriter w = new XmlStreamWriter();
		w.writeStartElement('', 'login', '');
		w.writeNamespace('', '');
		w.writeStartElement('', 'username', '');
		w.writeCharacters(username);
		w.writeEndElement(); //username
		w.writeStartElement('', 'password', '');
		w.writeCharacters(password);
		w.writeEndElement(); //password
		w.writeEndElement(); //login
		String xmlOutput = 
			  '<Envelope xmlns=""><Body>' 
			+ w.getXmlString() 
			+ '</Body></Envelope>';
		return xmlOutput;
	}
}
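
The controller treats the presence of a loginResponse element as proof of the password. As an added example (not part of the original recipe), the check below isolates that decision so it fails closed on SOAP faults, non-200 statuses and unparseable bodies, and can be unit-tested without making a callout. The class names, the SOAP 1.1 envelope namespace and the partner API namespace are assumptions, and the responses in the test are constructed.

```apex
// LoginResponseCheck.cls (added example, not the recipe's own code)
public class LoginResponseCheck {
    // Assumed namespaces: SOAP 1.1 envelope and the partner API
    static final String SOAP_NS = 'http://schemas.xmlsoap.org/soap/envelope/';
    static final String PARTNER_NS = 'urn:partner.soap.sforce.com';

    // True only when the Body holds loginResponse and no Fault; anything
    // unexpected (non-200, non-XML, missing Body) counts as not verified.
    public static Boolean isVerified(HttpResponse res) {
        try {
            if (res == null || res.getStatusCode() != 200) return false;
            Dom.XmlNode root = res.getBodyDocument().getRootElement();
            if (root == null) return false;
            Dom.XmlNode body = root.getChildElement('Body', SOAP_NS);
            if (body == null || body.getChildElement('Fault', SOAP_NS) != null) return false;
            return body.getChildElement('loginResponse', PARTNER_NS) != null;
        } catch (Exception e) {
            return false; // parse errors fail closed
        }
    }
}

// LoginResponseCheckTest.cls (responses are constructed samples)
@isTest
private class LoginResponseCheckTest {
    static HttpResponse fake(Integer status, String bodyXml) {
        HttpResponse r = new HttpResponse();
        r.setStatusCode(status);
        r.setBody(bodyXml);
        return r;
    }
    static String envelope(String inner) {
        return '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
             + '<soapenv:Body>' + inner + '</soapenv:Body></soapenv:Envelope>';
    }
    @isTest static void acceptsLoginResponse() {
        String ok = envelope('<loginResponse xmlns="urn:partner.soap.sforce.com"><result/></loginResponse>');
        System.assert(LoginResponseCheck.isVerified(fake(200, ok)));
    }
    @isTest static void rejectsFaultAndGarbage() {
        String fault = envelope('<soapenv:Fault><faultcode>INVALID_LOGIN</faultcode></soapenv:Fault>');
        System.assert(!LoginResponseCheck.isVerified(fake(500, fault)));
        System.assert(!LoginResponseCheck.isVerified(fake(200, fault)));
        System.assert(!LoginResponseCheck.isVerified(fake(200, '<html>proxy error</html>')));
        System.assert(!LoginResponseCheck.isVerified(fake(200, 'not xml')));
    }
}
```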


Recipe Activity

The code works for me in the Sandbox environment, and thanks for that. But I still have two questions:
1. How to write a test case for it? I can create a new user in test method and runas that user. But it will not pop the user info into So the outbound call will probably fail. 
2. In production environment, should the LOGIN_DOMAIN be prelogin.pre or login? prelogin.pre is a little bit strange to me. 

by a093000000YHM5O  (2014-06-02)


voted as verified by Harshit Pandey  (2013-02-18)

Works for me 

by Harshit Pandey  (2013-02-18)



by Shashank Singh  (2011-11-22)

Hi, Amn att,  please set the "remote site url" as "", and that will be OK, please have a try. Hope that will be a little help to you~~

by zhiyan zhang  (2011-10-24)

Hi Richard,
I am getting the error below... I don't understand what is test?
System.CalloutException: Unauthorized endpoint, please check Setup->Security->Remote site settings. endpoint =


Class.VerifyPassword.doVerify: line 37, column 47 External entry point

And unable to log in via data loader... pls help!!!

by Amn patt  (2011-10-14)

Pat_Patterson, API call endpoint URLs are agnostic of My Domain so test/prod/prerel etc should work.

by integrateforsuccess  (2011-10-05)

Hi Richard - nice recipe! Just one nit - on line 9 of the controller, the default LOGIN_DOMAIN should probably be 'login', since you mention 'test' as another option. Also, if you have configured 'My Domain', '' is another possibility for LOGIN_DOMAIN.

by Pat_Patterson  (2011-09-30)

