How to use Selenium and Selenium IDE with sites using SAML authentication

I need to log into the site play.pl, my mobile provider, and fetch some data.
They use SAML. I'm unable to do this using cURL or Selenium. Any ideas what I should do/check?

AFAIK, neither cURL nor Selenium has an inbuilt SAML stack.
So you would either have to add a "plug-in" using something like OpenSAML or send a "hard-coded" SAML message.
The problem with the latter is that SAML is very strict re. the time elapsed between send / receive so the time in the message would have to reflect current time.
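The time check that makes a hard-coded message fail, shown as an added example (not part of the original answer): a receiver compares the assertion's `NotBefore` / `NotOnOrAfter` values with its own clock, so a recorded message is rejected once its window has passed. The sample assertion, the 60-second skew allowance and the function names are assumptions for illustration; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the time-bearing parts of a recorded assertion.
RECORDED_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>
"""


def parse_ts(value):
    """Parse a UTC xs:dateTime without fractional seconds (as in the sample)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_validity_window(assertion_xml, now, skew=timedelta(seconds=60)):
    """Return (accepted, reason) for the time checks only; no signature check."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    if not_before and now + skew < parse_ts(not_before):
        return False, "not yet valid"
    # Both Conditions and bearer SubjectConfirmationData carry an expiry.
    limits = [cond.get("NotOnOrAfter")] if cond is not None else []
    limits += [e.get("NotOnOrAfter")
               for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    for limit in filter(None, limits):
        if now - skew >= parse_ts(limit):
            return False, "expired"
    return True, "within validity window"


if __name__ == "__main__":
    sent = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
    for label, now in [("live", sent), ("replayed 1h later", sent + timedelta(hours=1))]:
        print(label, check_validity_window(RECORDED_ASSERTION, now))
```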

Related

Selenium Webdriver with Chrome browser not displaying authentication pop-up

I am automating an internal application of my client which has LDAP authentication.
I am using Selenium 3.141.59 with C#, Chrome browser 78.
Issue:
When I open the browser manually and enter the URL, the browser displays a sign-in pop-up to enter the userID and password. (refer screenshot)
When Selenium launches a browser instance and navigates to the same URL, it does not show any sign-in pop-up.
Due to this I was unable to continue with the next steps in the automation.
I have tried sending the userID and password along with the URL as below, but it is also not redirecting.
https://userID:password#url
Can anyone help me resolve this issue?
What you have tried is not supported any more. You now have to include authentication headers in requests. In your case I would recommend setting up a proxy which would add headers to all outgoing messages of your browser.
For example, you can use Browsermob Proxy, which you can configure just in your tests. Some details of how basic authentication works you can find here. It is a solution for Java, however you can find which headers to set up and which values to assign (in short: header - Authorization: Basic username:password Realm="" where username:password is the credentials pair encoded in Base64).
This also might be useful for you: How do I encode and decode a base64 string?
UPD: This is solution for Python Selenium.

JMeter is not passing the Microsoft authentication in my script for testing performance on my test website, showing Access denied

My application has Microsoft authentication on it before logging into it, and I have recorded a script, but when I run it, it shows me an access denied error every time. I have set the authentication manager but still get the same error. See image attached.
I have tried HTTP Authentication Manager & provided login username & password.
Most probably your application uses OAuth therefore it is neither something you can really record and replay nor handle with the HTTP Authorization Manager.
Depending on your application setup you will either need:
To perform correlation of the query parameters
Or to pass the relevant Authorization Bearer token via HTTP Header Manager. The process of obtaining the token can be different depending on your application login chain implementation, check out How to Run Performance Tests on OAuth Secured Apps with JMeter article to get a couple of ideas regarding bypassing 3rd-party provider login challenge in JMeter tests.
Check if you can provide the auth credentials as parameter of the requests.
For example www.abc.com?username=abc&password=abc. Replicate the same with JMeter.
Use Fiddler (or you can get away with browser dev tools if you don't mind searching manually) and log in manually via your browser.
Check the request(s) that are submitted to Microsoft for tokens/GUIDs and search for where the browser got those strings from (it'll be in one of the previous requests' responses' bodies or redirect URLs. In Fiddler you can use the find function on responses, browser dev tools you'll have to find it manually).
You can then use a JMeter Regular Expression Extractor post-processor (or any of the other post processors you prefer) to extract that string from the earlier request into a variable.
In your login request you can then use the value of that variable (if you used the regular expression post-processor with a capture group, the first group's value will be ${variable_g1}).
You'll probably have an anti-forgery value that you can extract from the HTML of the login page which needs to be submitted with the username and password, and then in the response you'll get a cookie set and potentially a JWT token in the response body/URL.
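The correlation step described above, as an added example that is not part of the original answer: capture the anti-forgery value from the login page with a one-group regular expression (the role `${variable_g1}` plays in JMeter) and place it in the login body. The page markup, the field name `csrf_token` and the function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlencode

# Constructed sample: the login page as returned by the first request.
LOGIN_PAGE = """\
<form method="post" action="/login">
  <input type="hidden" name="csrf_token" value="tok&#43;3f9a/Zq==" />
  <input type="text" name="username" />
  <input type="password" name="password" />
</form>
"""

# Group 1 is the token value. Assumes name= precedes value= inside the tag,
# as in the sample; adjust the pattern to the real page.
TOKEN_RE = re.compile(
    r'<input[^>]*\bname="csrf_token"[^>]*\bvalue="([^"]*)"', re.IGNORECASE
)


def extract_token(page):
    """Return the anti-forgery value from the page, HTML entities decoded."""
    match = TOKEN_RE.search(page)
    if match is None:
        # A silent empty token only produces a confusing 403 later; fail here.
        raise ValueError("anti-forgery field not found in login page")
    return html.unescape(match.group(1))


def build_login_body(page, username, password):
    """Form-encode the login POST body using the token from this page load."""
    fields = {
        "csrf_token": extract_token(page),
        "username": username,
        "password": password,
    }
    # urlencode percent-encodes '+', '/' and '=' so the server sees the
    # token unchanged; a raw '+' would be decoded as a space.
    return urlencode(fields)


if __name__ == "__main__":
    print(build_login_body(LOGIN_PAGE, "test-user", "test-pass"))
```

The token has to come from the same session's page load; a value saved during recording is rejected for the same reason a replayed recording fails.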

How to Login LDAP with Jmeter?

I am currently recording a web with Login LDAP that means I need to input username and password in popup authentication (screenshot attached).
After I am done recording, I play back the script, and it always failed.
And I followed tutorial from https://www.blazemeter.com/blog/windows-authentication-apache-jmeter but it still failed.
Here is my Test Plan:
Here is HTTP Authorization Manager setting:
Please help.
Thanks,
Rio
If you really "followed the tutorial" you should know what is your authentication type challenge, the choice is in:
Basic Access
NTLM
Kerberos
Your setup is wrong for any of the types as you should have either base url or domain or domain+realm+appropriate configuration in jaas.conf and krb5.conf files.
I don't think sending one request is sufficient for simulating log in process, real users do the following:
open login page (at least 1 request)
type credentials (you need to mimic the time required to type using Timers)
perform login (at least another 2 requests)
You may also need to perform correlation of dynamic parameters (if any), check out How to Handle Correlation in JMeter to learn more about the concept / implementation
Your approach of AJAX requests simulation is wrong, as per the definition AJAX requests are Asynchronous, to wit real browsers execute them at the same time while in your setup they are sequential. So consider placing the AJAX calls under the Parallel Controller

Struts controller/processor monitoring/log utility

I'm looking for some kind of monitoring tool to visualize/log all internal Struts forwards together with all HTTP headers, parameters, request and session attribute values.
The intent is to understand the full flow of a certain request in a Struts 1.x application.
Thanks a lot.
Use MaintainJ to monitor all calls and methods in a Java web application... And in Firefox install 'Firebug', run it, select the net tag... Under this tag you can see every server call and the response of that call... Chrome has this feature too...

How to do stress testing for a Liferay webpage?

I have a webpage in a Liferay 5.2.3 site; in order to view this page the user should be logged in.
I tried JMeter for stress testing but I stopped after I had this issue here ("invalid authentication token"). What other tool could I use to do a stress test without facing the authentication issue (with an example script if it's available)?
I had the same problem. I managed to log in and then when sending POST requests to the server I only received 403. What I have done is that I set the auth.token.check.enabled to false in the portal-ext.properties.
auth.token.check.enabled=false
But be careful. The Portal Authentication Token was implemented to prevent Cross Site Request forgery, as explained here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).
On a production environment set the property back to true.
More about that on the Liferay site: http://www.liferay.com/community/wiki/-/wiki/Main/Authentication+Token
Well, I'm not sure, but you could try Grinder; it supports Jython as a scripting language, although I don't have a working script example at the moment.
You can use JMeter but you have to use its proxy to record your actions (login included).
Please see JMeter proxy step by step