Strange behavior of webservices

Alexander Inochkin

Hi!

I found some strange behavior in ASP.NET. It is possible this is a bug.
Follow the steps:

I create a simple service, http://localhost/Test/service.asmx

When I go to this link in IE, ASP.NET shows me a page that contains an “Invoke”
button. I can test this service. OK. Later I move this service to a
remote server. I can execute this service by calling
http://remote_server/Test/service.asmx. This time I do not find the “Invoke”
button and can't test the service from IE. OK. But when I change the header tag
“Host” in the HTTP request from remote_server to localhost (I can do it by
connecting to the SOAP Trace Utility on the local machine, for example) I can
see the “Invoke” button again and can test (invoke) the method _on_ _the_ _remote_
server.

This behavior seems very strange to me. I tested it on ASP.NET v 1.1.

Can you give me some explanation of it?

Thanks,
Alexander Inochkin.
 
M.Posseth

Well, I do not see the strangeness...

The invoke button should only be available on the local machine for
testing purposes. This is by design.

If you are changing header tags etc. and thus fooling the system so that it believes
it runs locally, the button might appear.





--
Met vriendelijke groet
Kind regards,

Michel Posseth
Software Developer
Microsoft Certified Professional
 
Alexander Inochkin

So, I can access the testing page (in testing mode) from a _remote_ computer using
an HTTP POST request, omitting SOAP. I see a security violation here...
 
M.Posseth

Well, you can trigger a web service with HTTP POST / GET and SOAP.

In version 1.0 of the .NET Framework it was possible to test simple web services
through a web browser. In version 1.1 the feature was disabled for remote
sessions for obvious security reasons. It still works on localhost, but from
a remote machine you only get the "The test form is only available for requests
from the local machine." message.

You can change that behaviour if you add the following code to the <system.web>
section.

<webServices>
<protocols>
<add name="HttpPost" />
<add name="HttpGet" />
</protocols>
</webServices>

You can similarly turn off remote testing:

<webServices>
<protocols>
<remove name="HttpPost" />
<remove name="HttpGet" />
</protocols>
</webServices>





Hope this helps :)



--
Met vriendelijke groet
Kind regards,

Michel Posseth
Software Developer
Microsoft Certified Professional
 
Alexander Inochkin

Well, you can trigger a web service with HTTP POST / GET and SOAP.
In version 1.0 of the .NET Framework it was possible to test simple web services
through a web browser. In version 1.1 the feature was disabled for remote
sessions for obvious security reasons. It still works on localhost, but from
a remote machine you only get the "The test form is only available for requests
from the local machine." message.

No, it is not true! I can get the "Invoke" button when I connect to the remote server
and change "Host" in the HTTP request header to localhost: "Host: localhost".
It works! It is trouble, I think!
 
M.Posseth

Did you miss this section of my reply?

You can similarly turn off remote testing:
<webServices>
<protocols>
<remove name="HttpPost" />
<remove name="HttpGet" />
</protocols>
</webServices>

Add the above section to the web.config file and you will see that it will
not work anymore.

If the above does not work, then you might have a problem.

As I said before, I do not see the big security issue. In framework 1.0 it was
standard that everyone could test a simple service (a service that uses no
complex datatypes) over the web, and I thought that it was handy.



--
Met vriendelijke groet
Kind regards,

Michel Posseth
Software Developer
Microsoft Certified Professional
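
The request pattern discussed in this thread (a remote client sending "Host: localhost" to an .asmx endpoint) can be looked for in web server logs. The script below is an added example, not part of the original posts; it assumes IIS W3C extended logging with the cs-host field enabled, and the log lines in it are constructed sample data.

```python
import ipaddress

# Constructed sample of an IIS W3C extended log (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-host
2004-05-10 09:12:01 127.0.0.1 GET /Test/service.asmx - 200 localhost
2004-05-10 09:14:37 192.0.2.44 GET /Test/service.asmx - 200 remote_server
2004-05-10 09:15:02 192.0.2.44 GET /Test/service.asmx op=Hello 200 localhost
2004-05-10 09:15:09 192.0.2.44 POST /Test/service.asmx/Hello - 200 LOCALHOST:80
2004-05-10 09:16:40 198.51.100.7 GET /default.aspx - 200 localhost
"""

LOCAL_NAMES = {"localhost", "127.0.0.1", "[::1]"}

def host_claims_local(cs_host):
    """True when the Host header names the loopback, ignoring case and port."""
    host = cs_host.lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:80
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in LOCAL_NAMES

def find_spoofed_local_requests(log_text):
    """Return .asmx requests whose Host says 'local' but whose client IP is not loopback."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                    # malformed row: skip rather than guess
        stem = row.get("cs-uri-stem", "").lower()
        if (".asmx" in stem and host_claims_local(row.get("cs-host", ""))
                and not client.is_loopback):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"),
                         row.get("cs-method"), row.get("cs-uri-stem")))
    return hits

if __name__ == "__main__":
    for hit in find_spoofed_local_requests(SAMPLE_LOG):
        print(*hit)
```

A hit means the Host header and the connection's source address disagree about locality, so the request deserves a closer look.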
 
