locked
How to prevent web method from showing on service description page? RRS feed

  • Question

  • Hello!

    I am wondering how I can prevent a web method from showing on the service description page (ie. You type in http://localhost/TestService.asmx and it shows you a list of services and allows you to test them). It is absolutely essential that the method is not accessible in that manner.

    How would I go about doing that?

    Thank you in advance for your help!
    Sunday, April 12, 2009 3:19 AM

Answers

  • You say that you don't want just anyone "off the internet" to be able to call your method by visiting http://localhost/TestService.asmx. But what do you think your code will be doing? Your code will be visiting the same URL in exactly the same way that you don't want others to be able to do! What's the difference between your code and the code you don't want to be able to call your method? What do you know that they do not know?

    The bit that you know that they don't know is called a "secret", and shared secrets are the basis of authentication. That's what you need to do. You need your service to be authenticated. When your code calls the service, it will provide a secret shared between your code and the service. The "random people off the internet" will not know the secret, so they won't be able to access the method.

    You can authenticate using Windows Authentication, or by using Basic Authentication over SSL. I believe you can also use a client-side certificate to authenticate, though I haven't tried that. You can restrict your service to being accessed by only those users you want to be able to access it. Anyone else will receive a "Forbidden" error.

    And, BTW, you can hide the entire service description page from everyone by removing the "Documentation" protocol from the list of available protocols under

    <system.web.services>
        <protocols>
            <remove name="Documentation"/>
        </protocols>
    </system.web.services>

    This is from memory, so please look it up.


    John Saunders
    Use File->New Project to create Web Service Projects
    Use WCF for All New Web Service Development, instead of old ASMX or obsolete WSE
    • Marked as answer by wwelchj Wednesday, April 15, 2009 12:17 AM
    Monday, April 13, 2009 12:46 AM
    Moderator
  • Thank you for your reply.

    Using

    <webServices>
    <protocols>
    <remove name="Documentation"/>
    </protocols>
    </webServices>
    works.

    Thanks once again.
    • Marked as answer by wwelchj Wednesday, April 15, 2009 12:17 AM
    Wednesday, April 15, 2009 12:16 AM

All replies

  • You want the method to not show up, yet you want clients to be able to call it? I don't see how that makes sense. Could you please tell us what you're trying to accomplish?

    Both the service description page, and .NET itself, base their understanding of the service from the WSDL file. If a method is described in the WSDL, then it will be available, and it will display in the service description page.


    John Saunders
    Use File->New Project to create Web Service Projects
    Use WCF for All New Web Service Development, instead of old ASMX or obsolete WSE
    Sunday, April 12, 2009 5:57 AM
    Moderator
  • What I would like is for the method to be callable from my code, but not for random people off the internet to be able to use the method by visiting http://localhost/TestService.asmx.

    The method gets some information about what "permissions" a particular group has to determine if they can access the particular resource. I know that it probably seems redundant because I suppose ASP.NET membership could be used, but, for now at least, this is the way I would like to do it.

    If someone can just visit http://localhost/TestService.asmx and click on "TestMethod" and type in information, then it is a major security problem.

    I hope that it makes more sense now as to what I am trying to accomplish.

    I appreciate your assistance.
    Sunday, April 12, 2009 6:17 PM
  • You say that you don't want just anyone "off the internet" to be able to call your method by visiting http://localhost/TestService.asmx. But what do you think your code will be doing? Your code will be visiting the same URL in exactly the same way that you don't want others to be able to do! What's the difference between your code and the code you don't want to be able to call your method? What do you know that they do not know?

    The bit that you know that they don't know is called a "secret", and shared secrets are the basis of authentication. That's what you need to do. You need your service to be authenticated. When your code calls the service, it will provide a secret shared between your code and the service. The "random people off the internet" will not know the secret, so they won't be able to access the method.

    You can authenticate using Windows Authentication, or by using Basic Authentication over SSL. I believe you can also use a client-side certificate to authenticate, though I haven't tried that. You can restrict your service to being accessed by only those users you want to be able to access it. Anyone else will receive a "Forbidden" error.

    And, BTW, you can hide the entire service description page from everyone by removing the "Documentation" protocol from the list of available protocols under

    <system.web.services>
        <protocols>
            <remove name="Documentation"/>
        </protocols>
    </system.web.services>

    This is from memory, so please look it up.


    John Saunders
    Use File->New Project to create Web Service Projects
    Use WCF for All New Web Service Development, instead of old ASMX or obsolete WSE
    • Marked as answer by wwelchj Wednesday, April 15, 2009 12:17 AM
    Monday, April 13, 2009 12:46 AM
    Moderator
  • Thank you for your reply.

    Using

    <webServices>
    <protocols>
    <remove name="Documentation"/>
    </protocols>
    </webServices>
    works.

    Thanks once again.
    • Marked as answer by wwelchj Wednesday, April 15, 2009 12:17 AM
    Wednesday, April 15, 2009 12:16 AM
  • Hi,

    Include a webform and

    Use following in web.config

    <webServices>
          <wsdlHelpGenerator href="DenyBrowsing.aspx" />
    </webServices>

    Wednesday, December 5, 2012 1:06 PM