JMeter's ResourceLastAccessedTime GET request failed - authentication

I am trying to use JMeter to test our Web Application. We originally used LoadComplete to test our Web Application, but because LoadComplete is not able to run on a non-GUI mode, we were not able to use the max stat’s from our test server (strain our 8 CPU’s and 8GB’s of RAM). That is why I moving towards JMeter (https://blazemeter.com/blog/5-ways-launch-jmeter-test-without-using-jmeter-gui).
The test includes logging in, choosing a specific app, do a simple task through this app and then end the recording. The HTTP Requests, which are failing are printing Failed Access on their Response Data on the View Results Tree.
I used the HTTP(S) Test Script Recorder to record each HTTP request. My JMeter project is failing on a few different HTTP Requests, which includes oauthtoken Get Request that includes jessionid="item", a GET resourceLastAccessedTime Request, and a couple GET resourceLastAccessedTime Requests. I tried to follow blazementer's guidance for how to use JMeter for Login Authentication, because these requests seem to be involved with the authentication of each user after logging in and the problem I am getting on Response data for each of these requests on the View Results Tree it says Access denied. (https://docs.blazemeter.com/customer/portal/articles/1743663-how-to-use-jmeter-for-login-authentication-).
One of the steps is to "copy and paste" the Parameters from the Post request after you login to these requests. I can add these parameters to these requests right below where it says Send Parameters with the request, but our POST request only has two parameters (the login name and the password). Is there somewhere else to look for these parameters?
I tried a combination of a lot of different attempts, but I am still unsuccessful (meaning: I moved the Regular Expression Extractor to a few different HTTP requests and I moved which HTTP requests to put those parameters and I have not been successful yet).
Do you know of a URL that could be helpful for this?

Don't trust Test Script Recorder! It doesn't follow any logic while recording your requests. It just records requests processed through proxy as they are. In case you use parameters that can't be defined as constants, the best way would be to rewrite the script manually.
Be patient and spend some hours (only once!) to learn how to construct any test scenarios (even complex) manually using Jmeter GUI. It will save you a lot of time for debugging.
It seems like (just a guess) that your test scenario doesn't contain Cookie Manager item. Based on what you wrote above, it seems like after logging to serer (by sending POST with login and password) it sets some cookies by Set-Cookie HTTP header. These cookies should be included in every next request as a prove that you successfully logged in before (the most common logic for simple web applications). So, if you get Access Denied, means you didn't include appropriate cookies in test request. Use Cookie Manager for that.
Feel free to ping me in case you need any assistance.
Jmeter help manual is all you need to know about how each element works.
P.S.: Jmeter also can generate distributed load from multiple slave servers, in GUI and CLI modes both. So, in case you need to stress your server yout, Jmeter is the best choise.
And welcome to Jmeter users family! Good luck.

Related

Unable to login into the application on Jmeter

I'm trying to build a login script for my website load testing on Jmeter, but I am not able to do so. I have added the cookie manager and cache manager too. I already recorded the script through http script recorder and made a transaction of the same and running test on this recorded scripts. The website is using spring security for login security.I tried to add Beanshell Preprocessor into the login sameple request for gzip deflate and passed the form parameters but still the server is not authenticating the request.
Most probably your login request doesn't work due to missing or improperly implemented correlation.
Modern web applications widely use dynamic tokens for various reasons starting from client-side state tracking like JSESSIONID and ending up with security mechanisms like CSRF
The easiest way of identifying dynamic parameters is recording your test scenario one more time and comparing resulting .jmx scripts. All parameters which will be different are a subject to correlation, to wit you need to:
Extract them from the previous response using a suitable JMeter Post-Processor
Replace recorded hard-coded values with the JMeter Variables from step 1
More information: How to Handle Correlation in JMeter

Workaround in JMeter for Autorization Bearer from Microsoft login (for single page application with specific organizational service accounts)

Single page application with specific organizational service accounts uses microsoft authorization (2.0).
To pretend in JMeter as user working with this application, it is enough to have Bearer access_token and then pass this Bearer in header of JMeter script requests.
I can manually login with user credentials in browser, get Bearer and set up it as variable in JMeter in API requests headers and successfully continue to work with application functionality.
Also I can login in WebDriverSampler (and I suppose, can emulate with WebDriverSampler another user's actions with application like in "browser").
What is the simplest and shortest way, having all above, to get Bearer somehow for API calls in a script without time-consuming or programming-oriented complex solutions? Is it possible somehow to use WebDriverSampler requests for parsing Bearer?
On this stage, the goal is to collect (and generate) Bearers, which have long time of life, with intention to use this set of Bearers for multi-session JMeter "users" later. (Because users amount is under cost constrtaints with users service accounts, i.e. I have 1 provided user only).
Will be very appreciated for grace tips and advices with such kind of problem.
It should be possible to use i.e. BrowserMob Proxy for capturing the traffic between the browser orchestrated by the WebDriver Sampler and the backend, this way you will be able to extract Authorization header value and i.e. store it into a CSV file for later re-use.
In general it should also be possible to replicate the browser's authentication flow with JMeter's HTTP Request samplers as browsers don't do any magic, they just send HTTP Requests and display the responses so well-behaved JMeter test should generate the same network footprint as the real browser does

JMeter: Record n play, also gives API access

I have recorded a login flow of an application and found some URIs like below:
/api/oauth2/initiate GET
/oauth2/authorize GET
/api/v1/oauth2/authorize GET
/api/v1/oauth2/authenticate POST
{"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}
When I am hitting above in sequence via JMeter I am getting 200 response. Just like JMeter I tried recording in Postman and it worked same, but instead of JSON it gave response in XML format.
It doesn't generate a access_token, it works via session cookies.
My question is - Do I really have API access or it is just browser record n play? If Yes, Does this mean I can get access to any API, if I am a registered user of that application? For ex: Facebook, YouTube or any startup website.
JMeter works on the protocol level. This means that whatever request you are generating. Say a simple browser request or an API call, you can do that easily.
Now the thing is replicating requests. You don't need to record the requests necessarily using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API Token there. The same things can be specified there as well. It all depends on how you are understanding the concept of request generation.
You simply need to replicate the samplers and the parameters. And the request headers in postman can be replicated here in the same way.
For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.
Headers basically tell the server that what client we are using and in what form data is being sent and then server responds accordingly with the information.
What you're recorded is OAuth2 flow and you won't be able to replay it without correlating the dynamic values.
You can have access to Google API or Facebook Graph API given you have proper access_token but I don't think you should be testing them directly, you should focus on solely your application.

How to Login LDAP with Jmeter?

I am currently recording a web with Login LDAP that means I need to input username and password in popup authentication (screenshot attached).
After I am done recording, I play back the script, and it always failed.
And I followed tutorial from https://www.blazemeter.com/blog/windows-authentication-apache-jmeter but it still failed.
Here is my Test Plan:
Here is HTTP Authorization Manager setting:
Please help.
Thanks,
Rio
If you really "followed the tutorial" you should know what is your authentication type challenge, the choice is in:
Basic Access
NTLM
Kerberos
Your setup is wrong for any of the types as you should have either base url or domain or domain+realm+appropriate configuration in jaas.conf and krb5.conf files.
I don't think sending one request is sufficient for simulating log in process, real users do the following:
open login page (at least 1 request)
type credentials (you need to mimic the time required to type using Timers)
perform login (another at least 2 request)
You may also need to perform correlation of dynamic parameters (if any), check out How to Handle Correlation in JMeter to learn more about the concept / implementation
Your approach of AJAX requests simulation is wrong, as per the definition AJAX requests are Asynchronous, to wit real browsers execute them at the same time while in your setup they are sequential. So consider placing the AJAX calls under the Parallel Controller

How to work with apache Jmeter for login applications?

Hi I would like to test using Jmeter for my application which has login page. I am able to write Sample http request for login page which is working ( passing username and password as POST parameters).
But the another Sample HttpRequest (home.do) is not working which is again redirecting to login page. I also added HttpCookieManager at Thread level. Not sure why the authentication is not carry forward to other pages, Can anyone please help me on this.
Most probably your test doesn't work due to missing or incorrect correlation. The absolute majority of modern web applications use dynamic parameters for different reasons (client state tracking, security, etc.) so you need to setup your test plan like:
Open Login Page (usually GET request)
Extract dynamic parameters
Perform Login (usually POST request), provide credentials and dynamic parameters extracted from the previous request
Extract dynamic parameters
Open Home Page (usually GET request)
etc.
You can extract dynamic parameters using JMeter Post-Processors
Also make sure you add HTTP Cookie Manager to your Test Plan to represent browser cookies and deal with cookie based authentication.
BTW, you can quickly build test plan "skeleton" by simply recording your test scenario using HTTP(S) Test Script Recorder