Hiding the Stacktrace in Soap Faults
If you have publicly-facing web services, it's likely that you don't want to expose the inner workings of your application to the consumers of the application. In the application that I'm currently working on, there are times we want return a generic "An unexpected exception has occurred." message and times that we want to return the actual exception to the client (for validation / policy-related exceptions). In both of these scenarios, we do not want to return the stack trace that indicates where the exception occurred.
There are many ways to implement this functionality, but the good news is that this is the provided behavior (by default) of a .Net web services project. The bad news is that it's probably not immediately obvious that this behavior is occurring because it is only the default behavior if the request is coming from another machine. If you consume the service from a client on the same machine (more than likely, this is the case when you are testing) then the stacktrace will be visible.
The secret to controlling this behavior is the customErrors tag (and the mode attribute) in your web.config file. A customErrors tag with mode="On" will remove the stacktrace from the soap fault (even on the local machine), a tag with mode="Off" will add the stacktrace to the soap fault (even for remote clients), and a value of mode="RemoteOnly" will add the stacktrace for local requests and remove it for remote clients (this is the default).
It was a big surprise to me that this tag controlled the stacktrace of web services. This is a common configuration tag, but I had never seen it used with web services.
The code to remove the stack trace (for both local and remote clients) is:
1: <configuration>
2: <system.web>
3: <customErrors mode="On" />
4: </system.web>
5: </configuration>
For more information on working with soap faults, take a look at the Using Soap Faults article on MSDN.