From what I understand: If you don’t have a MEX endpoint / WSDL, your service is basically non-discoverable. Only people who have knowledge of your data contract should be able to consume your service.
Does this assertion hold water, or are there ways for malicious denizens of the internet to figure out how to invoke/consume services that have no MEX endpoint?
EDIT: As Andrew pointed out, this strategy should not be considered to be truly secure. I’m wondering more along the lines of if it is safe from random abuse during a QA phase with external consumers.
Depends on your definition of secure. It’s a case of security by obscurity, which might be fine for your personal to-do list service, but unacceptable for a financial app.
SOAP etc. is not /that/ complicated, so it’s not impossible that a hacker could guess some inputs, although depending on the service, it could be very unlikely (even mathematically unfeasible). However, if you distribute a client that could be reverse engineered, or if someone manages to packet sniff legitimate use of your service, then they could almost certainly exploit it?
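The packet-sniffing point above, as an added example that is not part of the original answer: a single plaintext SOAP request already carries the operation name, namespace, action and parameter names that a MEX endpoint would have published, so removing MEX does not keep the contract private on an unencrypted channel. The host, path, contract namespace and operation below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed sample: one plaintext request to a hypothetical service without MEX.
CAPTURED = b"""POST /Orders.svc HTTP/1.1\r
Host: qa.example.test\r
SOAPAction: "http://example.test/contracts/IOrderService/GetOrder"\r
\r
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <GetOrder xmlns="http://example.test/contracts">
      <orderId>1042</orderId>
      <includeHistory>true</includeHistory>
    </GetOrder>
  </s:Body>
</s:Envelope>"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    ns, _, local = tag.rpartition("}")
    return ns.lstrip("{"), local

def guess_type(text):
    """Infer a rough value shape from the element text alone."""
    t = (text or "").strip()
    if t in ("true", "false"):
        return "boolean"
    return "integer" if t.lstrip("-").isdigit() else "string"

def contract_from_request(raw):
    """Recover what a single plaintext request discloses about the contract."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (l.partition(":") for l in lines[1:])}
    # Constructed, trusted input here; use a hardened parser for real captures.
    envelope = ET.fromstring(body)
    op = envelope.find(f"{{{SOAP_NS}}}Body")[0]  # operation wrapper element
    ns, name = split_tag(op.tag)
    return {
        "path": lines[0].split(" ")[1],
        "action": headers.get("soapaction", "").strip('"'),
        "namespace": ns,
        "operation": name,
        "parameters": [(split_tag(p.tag)[1], guess_type(p.text)) for p in op],
    }

if __name__ == "__main__":
    print(contract_from_request(CAPTURED))
```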