'Best practice: WebLogic SOAP service -- should WSDL be visible?

I am going to deploy a SOAP web service on a WebLogic server.

The endpoint of the service is something like:

http://myserver.mycompany.com:1234/MyService-0.0.1-SNAPSHOT/MyServiceService

However, if (using a browser), I navigate to either

http://myserver.mycompany.com:1234/MyService-0.0.1-SNAPSHOT/MyServiceService?WSDL
-- or --
http://myserver.mycompany.com:1234/MyService-0.0.1-SNAPSHOT/MyServiceService?xsd=1

I can see the WSDL or schema file, respectively, for the service.

My group does not deploy a lot of web services (we're a back-office group and use Oracle Middleware to automate what little services we do provide), so a question has come up regarding whether exposing the WSDL file and schema file is "best practice".

Is it OK for these files to be visible, or should access to them be shutdown somehow? Conversely, is it even possible to restrict access to them, or would that interfere with clients trying to access the service?

web-servicessoapwsdlweblogic


Solution 1:[1]

This is an old question, but anyway. It depends, but in my projects it was considered a bad practice to do so. You should always do Contract first, don't base your WSDL on your code or most likely you will end up with a WSDL that is somehow dependent on the programming language used for the implementation.

I don't know how Weblogic behaves but I remember that Jboss (5) used to generate the WSDL from the code any way and serve that. Even when we did Contract (WSDL) first development. So you would end up with little differences in these WSDLs which may cause problems. Exchange of the WSDL and the XML Schema files should be done by other means. It is possible to restrict access to any URI on Weblogic.

Another aspect is, that if you don't remove these, we found the developers on the clientside will start pointing their development-tools and implementation to these endpoints to get the WSDLs. This will most likely also cause problems and at least (a lot) unnecessary downloads of these files. As most frameworks will (need to) read the WSDL every time they instantiate the client-code. By not providing these endpoints, you keep the clients from these bad practices.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 M.Huetter

Related Questions

Using WireMock with SOAP Web Services in Java

How to call a REST web service API from JavaScript?

How to call a REST web service API from JavaScript?

send json parameters to webservices

401: Unauthorized Exception occurred with an apache axis client(java) to invoke a webservice(.net) with an NTLM Authentication Technique

JQuery AJAX call to SOAP Web Service - Access denied. Working in SOAP UI

Request format is unrecognized for URL unexpectedly ending

Developing a Spring REST service with OData interface

How can I make Spring WebServices log all SOAP requests?

how to use Service,ServiceLocator,portType,porttypeProxy and stub to create a java client

WCF + Xml-Rpc don't work

How to set headers in Soap Request Java

passing an array to web-service php nusoap

How to perform periodic task with Flask in Python

What is P99 latency?