I have a webpage in a Liferay 5.2.3 site; in order to view this page the user should be logged in.
I tried JMeter for stress testing but I stopped after I had this issue here ("invalid authentication token"). What other tool could I use to do a stress test without facing the authentication issue (with an example script if it's available)?
I had the same problem. I managed to log in and then when sending POST requests to the server I only received 403. What I have done is that I set the auth.token.check.enabled to false in the portal-ext.properties.
auth.token.check.enabled=false
But be careful. The Portal Authentication Token was implemented to prevent Cross Site Request forgery, as explained here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF).
On a production environment set the property back to true.
More about that on the Liferay site: http://www.liferay.com/community/wiki/-/wiki/Main/Authentication+Token
Well, I'm not sure, but you could try Grinder; it supports Jython as a scripting language, although I don't have a working script example at the moment.
You can use JMeter but you have to use its proxy to record your actions (login included).
Please see JMeter proxy step by step
Hi, I would like to test my application, which has a login page, using JMeter. I am able to write a sample HTTP request for the login page which is working (passing username and password as POST parameters).
But another sample HTTP request (home.do) is not working; it redirects to the login page again. I also added an HTTP Cookie Manager at Thread level. Not sure why the authentication is not carried forward to other pages. Can anyone please help me on this?
Most probably your test doesn't work due to missing or incorrect correlation. The absolute majority of modern web applications use dynamic parameters for different reasons (client state tracking, security, etc.) so you need to setup your test plan like:
1) Open Login Page (usually GET request)
2) Extract dynamic parameters
3) Perform Login (usually POST request), provide credentials and dynamic parameters extracted from the previous request
4) Extract dynamic parameters
5) Open Home Page (usually GET request)
6) etc.
You can extract dynamic parameters using JMeter Post-Processors.
Also make sure you add HTTP Cookie Manager to your Test Plan to represent browser cookies and deal with cookie based authentication.
BTW, you can quickly build a test plan "skeleton" by simply recording your test scenario using HTTP(S) Test Script Recorder.
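The correlation sequence from the answer above, as an added Python example (not code from any of the posts): a constructed local server issues a session cookie and a per-session token, and the client either extracts the token from the login page or replays a stale recorded value. The `/login` path, the `SID` cookie and the `csrf_token` field are assumptions made for this sketch; in JMeter the extraction step would be a Post-Processor and the cookie jar the HTTP Cookie Manager.

```python
import re, secrets, threading, urllib.error, urllib.parse, urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # constructed app state: session id -> token issued with the form

class Portal(BaseHTTPRequestHandler):  # constructed stand-in for the app under test
    def log_message(self, *args): pass
    def reply(self, code, body, sid=None):
        self.send_response(code)
        if sid:
            self.send_header("Set-Cookie", f"SID={sid}; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):   # login form: new session plus a token bound to it
        sid, tok = secrets.token_hex(8), secrets.token_hex(8)
        SESSIONS[sid] = tok
        self.reply(200, f'<input name="csrf_token" value="{tok}">'.encode(), sid)
    def do_POST(self):  # accept only the token issued to this session
        size = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(size).decode())
        sid = self.headers.get("Cookie", "").partition("SID=")[2]
        ok = sid in SESSIONS and form.get("csrf_token") == [SESSIONS[sid]]
        self.reply(200 if ok else 403, b"home" if ok else b"invalid token")

def login_status(correlate):
    """Status of the login POST when the token is extracted vs. replayed stale."""
    srv = HTTPServer(("127.0.0.1", 0), Portal)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/login"
    opener = urllib.request.build_opener(          # cookie jar = HTTP Cookie Manager
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(CookieJar()))
    try:
        page = opener.open(url, timeout=5).read().decode()             # 1. open login page
        token = "value-from-an-old-recording"
        if correlate:                                                  # 2. extract token
            token = re.search(r'name="csrf_token" value="(\w+)"', page).group(1)
        body = urllib.parse.urlencode(
            {"user": "tester", "password": "s3cret", "csrf_token": token}).encode()
        return opener.open(url, body, timeout=5).status                # 3. POST login
    except urllib.error.HTTPError as err:
        return err.code
    finally:
        srv.shutdown(); srv.server_close()
```

With the token extracted the POST returns 200; with the stale value the server answers 403, which is the symptom a recorded script shows when replayed without correlation.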
I have been trying to resolve this for some time now. I tried googling for this problem but didn't manage to find anything. All the questions I found were about replaying already recorded HTTPS requests.
So, I need to record HTTPS requests on a site protected with simple authentication (the pop-up window asking for username and password).
And this is where I get stuck. I enter correct login details and confirm it, nothing happens, and in a second I get prompted to enter login details again, no error message, nothing. When I press ESC I get a 401 UNAUTHORIZED error.
Basically the site is acting as if the login details were incorrect when in fact I tried the same login details without Jmeter's proxy and the server accepted it.
What I tried:
1) Logging into this site without JMeter's proxy - works without problem
2) Recording different HTTPS site with JMeter's proxy - I tried my email and that works correctly as well
I should also mention that I am behind a company proxy, but I tried it at home and the result was same.
As for JMeter configuration, I am using everything on default having:
Thread Group
HTTP Cache Manager
HTTP Cookie Manager
HTTP Request Defaults
Recording Controller
HTTP(S) Test Script Recorder
Guessing the Thread Group doesn't really matter since I don't run any tests, only recording.
Additional Details:
Server: IIS
Logging into a SharePoint website
EDIT:
Forgot to mention I already tried the Blazemeter Extension, but when I try to record the login session, it just freezes. The website hangs on trying to contact Blazemeter Cloud and the Blazemeter plugin freezes, making it impossible to stop recording and having to restart the whole browser.
Also just noticed that when I am already logged in and try to access the site it records it without any issue. So it's only the login which is problematic for some reason.
JMeter removes cookies and authorization headers while recording.
You can use JMeter Chrome Extension as an alternate way of recording your test scenario.
In order to properly replay the recorded script you'll need to add HTTP Authorization Manager to it.
SharePoint can have different authentication types, i.e.
Basic HTTP Authentication
Windows Integrated Authentication (NTLM)
Kerberos
See Windows Authentication with Apache JMeter guide to learn how to bypass each authentication challenge in your JMeter test.
So I was able to finally resolve this. The issue lay in SharePoint authentication. I was logged into a domain with my personal account, but was trying to access the SharePoint site using a different account.
SharePoint ignored the login details I was prompted to enter and used my domain credentials instead. So the answer for me was to access the SharePoint website while being logged into the domain (Windows) with the same account.
I first need to know if the site is present at all, such as when the connection is refused rather than a browser error or something, then test whether basic HTTP authentication is present or failed, i.e. to know that the failure is due to the presence of HTTP authentication.
I first want to find out if a failure is due to HTTP authentication, then if it is, try with a password and find out if that also fails or not.
As you can see here: http://code.google.com/p/selenium/wiki/RoadMap
Support HTTP Basic and Digest Authentication: Not Started
So just wait for it.
If a site is present you can check by testing if a specific element you expect to appear is present or not. Therefore you need a timeout (maybe 30 sec.) after which you can mark the test as a fail if the element didn't appear in that time.
Just to add - the only way to go to an HTTP Basic authentication site is via loading a URL like:
http://username:password@the-site.com
I suggest having a test which loads the page via this URL - then you know that HTTP basic auth is there.
It's kinda a workaround solution, but there is nothing better yet.
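The three checks asked for in this thread (is anything listening, is the failure an HTTP Basic challenge, do the credentials pass) can be made outside the browser. This is an added Python example, not code from any of the posts; the local server, its `/open` and `/private` paths and the `tester:s3cret` account are constructed for the demonstration.

```python
import base64, socket, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
GOOD = "Basic " + base64.b64encode(b"tester:s3cret").decode()  # constructed account
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies

class Protected(BaseHTTPRequestHandler):  # constructed: only /open is public
    def log_message(self, *args): pass
    def do_GET(self):
        ok = self.path == "/open" or self.headers.get("Authorization") == GOOD
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="test"')
        self.send_header("Content-Length", "0")
        self.end_headers()

def fetch(url, user=None, password=None):
    """Return (status, WWW-Authenticate value), or (None, None) if nothing answers."""
    req = urllib.request.Request(url)
    if user is not None:
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as err:      # server answered with 4xx/5xx
        return err.code, err.headers.get("WWW-Authenticate", "")
    except OSError:                            # refused, timeout, DNS failure
        return None, None

def classify(url, user, password):
    status, challenge = fetch(url)             # first request carries no credentials
    if status is None:
        return "unreachable"
    if status != 401 or not challenge.lower().startswith("basic"):
        return "no-basic-auth"
    status, _ = fetch(url, user, password)     # challenge seen: retry with credentials
    return "auth-ok" if status == 200 else "auth-rejected"

def demo():
    srv = HTTPServer(("127.0.0.1", 0), Protected)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    with socket.socket() as s:                 # find a port nobody listens on
        s.bind(("127.0.0.1", 0)); dead = s.getsockname()[1]
    base = f"http://127.0.0.1:{srv.server_port}"
    cases = [f"http://127.0.0.1:{dead}/", base + "/open", base + "/private"]
    out = [classify(u, "tester", "s3cret") for u in cases]
    out.append(classify(base + "/private", "tester", "wrong"))
    srv.shutdown(); srv.server_close()
    return out
```

Sending the `Authorization` header directly also keeps the password out of the URL, where it would otherwise end up in browser history and proxy logs.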
I need to test a web application using Selenium. The app is fairly common in its setup: it requires signing in for most of the functionality to be exposed. Upon loading a page, if the user is not authenticated, it will redirect to a login form and then back to the requested page once credentials are supplied.
What's the usual way to go around this with Selenium? I take it people are not logging in on every single test as this would cause significant overhead on big test suites. Is there a way to set up a session in a test and then use the cookie information for subsequent tests, or do a conditional sign-in (without incurring in massive code repetition!)?
I am using PHPUnit with Selenium ATM.
Thank you!
Gonzalo
(I'm using C#+NUnit+Selenium RC)
Most of the time, each test goes through the login form. However, if I'm writing a series of tests that are very short (< 10 seconds each) and there are a lot of them, I usually share the same browser instance across tests by moving the selenium start\close calls from the SetUp\TearDown methods to the Test Fixture SetUp\TearDown methods. This avoids the cost of re-authenticating as well as the cost of launching a new browser every time. I'm sure you can do something similar with PHPUnit.
If this is basic http auth you can use the username/password with the url request as documented in the Selenium FAQ: http://wiki.openqa.org/display/SEL/Selenium+Core+FAQ#SeleniumCoreFAQ-HowdoIuseSeleniumtologintositesthatrequireHTTPbasicauthentication%28wherethebrowsermakesamodaldialogaskingforcredentials%29%3F
How do I use Selenium to login to sites that require HTTP basic authentication (where the browser makes a modal dialog asking for credentials)?
Use a username and password in the URL, as described in RFC 1738: Test Type open http://myusername:myuserpassword@myexample.com/blah/blah/blah
Note that on Internet Explorer this won't work, since Microsoft has disabled usernames/passwords in URLs in IE. However, you can add that functionality back in by modifying your registry, as described in the linked KB article. Set an "iexplore.exe" DWORD to 0 in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE.
If you don't want to modify the registry yourself, you can always just use Selenium Remote Control, which automatically sets that registry key for you as of version 0.9.2.
We are currently facing a production issue on Websphere 7 with respect to richfaces fileupload component. The problem description is that immediately after the file for upload is browsed and selected using this component, the basic authentication dialogbox appears asking for user credentials.
Following are the frameworks we are using in our project:
JSF 1.2 & Richfaces 3.3.3
Spring Framework 3.x
Spring Webflow 2.1
Spring Security 3.x (only basic authentication using login dialogbox)
The user is authenticated once when he wants to access the application at the beginning using basic authentication. All screens that don't use the fileupload component are working fine. But if we use the fileupload component, as I mentioned above, the file selection (even from a local machine path) triggers the basic authentication dialogbox again. The strange thing is that this behaviour does not occur on our Dev Environment, which uses Tomcat 6. On Tomcat, the fileupload is not triggering any user login and upload is working fine.
This problem is occurring only when the app. is deployed on Websphere 7. Can anybody please tell whether Websphere requires any additional configuration for accessing files through this component?
We have spent a lot of time investigating this problem without any meaningful results. As this is a production issue for us now, it is very critical and needs to be resolved at the earliest.
So please help in this regard. Thanks in advance.
I don't know the File Upload component, and the answer may well lie in the detail of how that works, but in general WebSphere will challenge if an HTTP request arrives for a protected resource and the request does not contain a valid LTPA cookie. The cookie is normally sent by the browser on each request when authentication has happened once, BUT it will only do so if it believes that the cookie is related to a given domain. So if the main part of your website were served from, say,
http://my.own.org.com/mysite
and the file upload were related to a subtly different host
http://my.other/filesite
then the cookie would not be sent, and a challenge would result.
My approach to diagnosing this would be to get some kind of traffic sniffer. See exactly what is flowing and the addresses being used. I'm predicting that you will see the LTPA cookie in the usual case and not in the upload case. Then it's a matter of figuring out "why".