0

I have a utility Web service hosted on IIS 7.0 on our site. This service is consumed by desktop clients, and since it's a utility service, the users should be able to access it without entering credentials, so the authentication type is set to Anonymous in IIS.

Now the problem is the service URL is accessible by public, and entering it in the Web browser directs the users to this page:

enter image description here

Even though this doesn't give users any useful information that could be potentially dangerous, it still would be nice if I could hide the page from public access. So is there a way to prevent users from accessing this page but still expose the service itself to public? I know IIS 7 enables URL redirection but I don't know if the request sent from VS when adding a service reference is actually any different from the request sent from the Web browser when entering the URL. Any help is appreciated.

Edit

An option, as discussed in the comments section, is to access the service by creating a ChannelFactory during runtime, but that'd require exposing the contracts to the client, which is what I'm trying to avoid.

Arian Motamedi
  • 7,123
  • 10
  • 42
  • 82
  • 1
    http://stackoverflow.com/questions/4360834/hiding-my-wcf-service – Jonesopolis Jul 03 '13 at 18:10
  • @Jonesy thanks for the link, but the answer on that question basically turns off the service detection, I still need to be able to reference it from within Visual Studio. – Arian Motamedi Jul 03 '13 at 18:15
  • Do you need the service reference? Can you just add it dynamically? – Jonesopolis Jul 03 '13 at 18:16
  • @Jonesy by "dynamically" you mean creating a `ChannelFactory`? But in that case I would have to expose the contracts to the client, right? – Arian Motamedi Jul 03 '13 at 18:21
  • Yes you would need to – Jonesopolis Jul 03 '13 at 18:24
  • Well that is another issue. So there's no solution to my original answer? – Arian Motamedi Jul 03 '13 at 18:26
  • I suppose that you could save the WSDL file (using ?wsdl in the URL), as well as the includes that it references, somewhere (probably in source control along with the source code for the service). You can provide the WSDL files internally, or give them to select external parties. Obviously, when the interface to the service changes you will need to regenerate these files and redistribute them to the clients. You should still be able to use the "Add Service Reference" functionality in Visual Studio by [pointing it to a local WSDL file](http://stackoverflow.com/a/1677983/207976). – Dr. Wily's Apprentice Jul 03 '13 at 20:24

1 Answers1

1

I guess what you want to disable is the HTML page. Do it using ServiceDebug element.

<system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior>
                <serviceDebug httpHelpPageEnabled="false" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

EDIT: To Disable WSDL:

<serviceMetadata httpGetEnabled="false" />
YK1
  • 7,327
  • 1
  • 21
  • 28
  • This still exposes the structure of the service though... but is definitely better than seeing that page. +1 for now, will mark it as the answer if no one can come up with a way to completely prevent the users from seeing the page – Arian Motamedi Jul 03 '13 at 21:21
  • @PoweredByOrange: `This still exposes the structure of the service though` - do you want to loose the ability to `add service reference`? – YK1 Jul 04 '13 at 04:50
  • That's the thing, I don't want to lose that option. – Arian Motamedi Jul 04 '13 at 04:51
  • @PoweredByOrange: Then what you mean by `exposes the structure`? Clients can `add service reference` only when service exposes metadata either via `WSDL` or `mex` endpoint. What do you want to do? – YK1 Jul 04 '13 at 04:55
  • That was my original question: is there a way to tell IIS to only expose the metadata if the request is coming from a "visual studio reference" source, and ignore the requests sent from the Web browser. – Arian Motamedi Jul 04 '13 at 05:18
  • @PoweredByOrange: Sure - you can disable `WSDL`but keep the `mex` endpoint. That way, your service is exposed only to `Visual Studio` and `svcutil.exe` - but not from web browser. However, `anybody` with `VS` or `svcutil.exe` would be able to `add reference` to your service and examine the structure. – YK1 Jul 04 '13 at 05:31
  • How would I disabled `WSDL` then? – Arian Motamedi Jul 04 '13 at 05:37
  • @PoweredByOrange: Updated answer - use the `` element in the `` tag. – YK1 Jul 04 '13 at 05:42
  • We discussed this in the comments section above. The problem with this is that I can't use the `Add a service reference` option in VS, need to create a `FactoryChannel` during runtime which requires exposing the contracts to the client. Initially I thought this would be a problem but actually makes more sense. – Arian Motamedi Jul 04 '13 at 06:06
  • @PoweredByOrange: you should be able to `add service reference` if you have a `mex` `` in addition to your service `` - http://stackoverflow.com/questions/7285717/why-do-i-need-both-mex-endpoint-and-httpgetenable – YK1 Jul 04 '13 at 06:30