1

we want to disable the WSDL generation of sharepoint webservices. e.g.

http://baseaddress/_vti_bin/lists.asmx?wsdl

To enable this we have done the following:

C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\web.config added entry

<system.web> <webServices> <protocols> <remove name="Documentation /> </protocols> </webservices> </system.web>

Adding the above entry, stops users from accessing this url: http://baseaddress/_vti_bin/lists.asmx but if a user append ?wsdl at the end of url, the WSDL still get generated.

Then we have updated the following entry in the same web.config file:

<location path="wswsdl.aspx"> <system.web> <authorization> <deny users="*"/> </authorization> </system.web> </location>

i have also changed all the endpoints with httpGetEnabled="false" from httpGetEnabled="true" but still no effect

however the wsdl is still getting generated, is there anything further we can do to disable wsdl generation please?

Baahubali
  • 4,604
  • 6
  • 33
  • 72

1 Answers1

1

From this thread, you can remove/disable web service protocols.

As a test, try in your C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\ISAPI\web.config:

<configuration>
    <system.web>
        <webServices>
            <protocols>
                <remove name="HttpGet"/>
                <remove name="HttpPost"/>
            </protocols>
        </webServices>
    </system.web>
</configuration>

From this thread, you would need at least an iireset to apply those changes.

If removing those protocols is too much, you can instead remove an handler:

<handlers>
  <remove name="WebServiceHandlerFactory-Integrated" />
</handlers>

If the ?wsdl is still accessible, you might consider implementing a custom HTTP module to intercept the incoming request and block it if it contains the '?wsdl' query string.

  • Open Visual Studio and create a new Class Library project targeting the .NET Framework version that your SharePoint installation uses.
  • Add a reference to the System.Web assembly.
  • Add a new class to the project called DisableWSDLModule and replace its contents with the following code:
using System;
using System.Web;

namespace DisableWSDL
{
    public class DisableWSDLModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(OnBeginRequest);
        }

        private void OnBeginRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpContext context = application.Context;

            if (context.Request.Url.Query.Contains("?wsdl"))
            {
                context.Response.StatusCode = 403;
                context.Response.StatusDescription = "Forbidden";
                context.Response.Write("WSDL generation is disabled.");
                context.Response.End();
            }
        }

        public void Dispose()
        {
        }
    }
}

Try and:

  • Build the project and obtain the resulting DLL file from the bin folder.

  • Deploy the DLL to the SharePoint server by copying it to the C:\inetpub\wwwroot\wss\VirtualDirectories\{your-web-application-port}\bin folder. If the 'bin' folder does not exist, create it.

  • Modify the web.config file in the SharePoint web application folder (C:\inetpub\wwwroot\wss\VirtualDirectories\{your-web-application-port}\web.config) to register the custom HTTP module.
    Add the following entry inside the <system.webServer><modules> section

    <add name="DisableWSDLModule" type="DisableWSDL.DisableWSDLModule, [Your DLL name], Version=1.0.0.0, Culture=neutral, PublicKeyToken=[Your PublicKeyToken]" />

Replace [Your DLL name] and [Your PublicKeyToken] with the appropriate values for your compiled DLL.
You can obtain the PublicKeyToken using the sn.exe tool or by examining the DLL properties in Windows Explorer.

After an iireset, any incoming request containing the '?wsdl' query string should be blocked with a 403 Forbidden response.

That would be a workaround, to disable WSDL generation for your SharePoint web services.

The web services I want to disable WSDL for are not for a custom application. They are the ones that come default with SharePoint. These web services are SharePoint web services.

Then try:

  1. Create a custom HTTP module as described in above. This module will intercept incoming requests and block them if they contain the '?wsdl' query string.

  2. Deploy the custom HTTP module's DLL to the SharePoint server's Global Assembly Cache (GAC) by copying it to the C:\Windows\assembly folder. This will make the module available to all SharePoint web applications.

  3. Modify the web.config files of the SharePoint web applications for which you want to disable WSDL generation. You can find these files in the C:\inetpub\wwwroot\wss\VirtualDirectories\{your-web-application-port} folders.

  4. Add the following entry inside the <system.webServer> section of each web.config file:

    <add name="DisableWSDLModule" type="DisableWSDL.DisableWSDLModule, [Your DLL name], Version=1.0.0.0, Culture=neutral, PublicKeyToken=[Your PublicKeyToken]" />

    Replace [Your DLL name] and [Your PublicKeyToken] with the appropriate values for your compiled DLL. You can obtain the PublicKeyToken using the sn.exe tool or by examining the DLL properties in Windows Explorer.

Finally, as usual, iireset.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • The above settings are already there and i have added another one which is ``, and i have been doing `iisreset` but the only change that happens is that the user cannot access the asmx file but ?wsdl is still accessible. – Baahubali May 05 '23 at 02:16
  • @Baahubali OK. I have edited the answer to propose a workaround. – VonC May 05 '23 at 12:19
  • what is your web application? is that sharepoint central administration or a custom web applicatin that has been deplohed in sharepoint? – Baahubali May 06 '23 at 08:16
  • @Baahubali the term "web application" refers to a SharePoint web application, not the SharePoint Central Administration or a custom web application deployed in SharePoint. Each web application has its own web.config file, located in the corresponding IIS virtual directory (C:\inetpub\wwwroot\wss\VirtualDirectories\{your-web-application-port}). The suggestion provided above aim to disable WSDL generation for web services in a specific SharePoint web application. If you have multiple web applications, you would need to apply the changes to each web application's `web.config` file individually. – VonC May 06 '23 at 08:49
  • the web services i want to disable wsdl for are not for a custom application. they are the ones that come default with sharepoint. these web services are sharepoint web services. – Baahubali May 08 '23 at 00:49
  • @Baahubali OK, I have updated my answer (last section) accordingly. – VonC May 08 '23 at 10:06
  • the custom solution implementation has resolved the issue. thank you – Baahubali May 11 '23 at 07:29