"The test form is only available for requests from the local machine."

Question

I created a Web Service in .Net and so the address of the service file has a nifty auto generated explanation about how it works. When I run the page from the machine it's hosted on it even has a form that I can use to submit test values to the service. However on remote machines it hides the form and gives the message as seen above.

Is there a point to this? I've seen other sites call this "more secure" but anyone could create their own forms easily making this nothing more than a nuisance if you ask me.

Answer 1

If you are publishing metadata and it's a public/unsecured web service, you are right, it would be easy enough for anyone to generate a simple client to hammer away at your web service. In that case, having the web client only generated on the local machine does seem like a nuisance.

If your service is private and secured, however, it would be a huge security hole, giving anyone with the name of the server and service an authenticated client to use to potentially access your data and do all kinds of harm.

I imagine the policy of generating the UI for ASMX Web services only on the server itself was an attempt to provide some nice tooling while eliminating accidental security holes. WCF has done away with this in any case, you can generate clients only if the metadata is published, and they need to implement the correct security in order to access the services.

Answer 2

You can work around this issue by modifying your web.config to include these nodes:

<configuration>
    <system.web>
     <webServices>
        <protocols>
            <add name="HttpGet"/>
            <add name="HttpPost"/>
        </protocols>
    </webServices>
    </system.web>
</configuration>

This will allow you to visit the .asmx web service via your browser. You can then invoke the web services right in your browser, pass arguments, and view the results.