0
votes

I used JMeter as a proxy to record all requests of a test scenario of our web services, and JMeter created the requests and one HTTP Authorization Manager, with stored authorizations for each request.

But when I launch this scenario, I get a 401 response code for all requests. I moved the HTTP Authorization Manager into the Thread Group, but I still get a 401 code.

All requests of our WS require authentication.

How do I add authentication in one place for each request? And how do I parameterize them?

Thanks, Denis


1 Answer

0
votes

The answer may vary depending on the web service security type, and there are a lot of options: for example, the web service may require a custom authentication header, a custom HTTP header, a custom cookie, a custom token somewhere, etc.

  • Exhibit A: request without authentication

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://www.webserviceX.NET">
       <soap:Header/>
       <soap:Body>
          <web:GetCitiesByCountry>
             <!--Optional:-->
             <web:CountryName>India</web:CountryName>
          </web:GetCitiesByCountry>
       </soap:Body>
    </soap:Envelope>
    
  • Exhibit B: request with username/password authentication

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://www.webserviceX.NET">
        <soap:Header>
            <wsse:Security soap:mustUnderstand="true"
                           xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:UsernameToken wsu:Id="UsernameToken-29FBADA106D95AD8E114818886210611">
                    <wsse:Username>johndoe</wsse:Username>
                    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">secret</wsse:Password>
                    <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">jnXB+PJ34M7aqfDU88glzg==</wsse:Nonce>
                    <wsu:Created>2016-12-16T11:43:40.755Z</wsu:Created>
                </wsse:UsernameToken>
            </wsse:Security>
        </soap:Header>
        <soap:Body>
            <web:GetCitiesByCountry>
                <!--Optional:-->
                <web:CountryName>India</web:CountryName>
            </web:GetCitiesByCountry>
        </soap:Body>
    </soap:Envelope>
    

The most commonly used way of parametrizing a request is using the CSV Data Set Config.

See the "Take the Pain out of Load Testing Secure Web Services" article for a more detailed explanation of bypassing some web service authentication types in a JMeter test.
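
Exhibit B as recorded carries a fixed Nonce and Created value, and a service that applies the freshness checks recommended by the UsernameToken profile can reject a replay of them. The Groovy script below is an added example (not part of the original answer) for a JSR223 PreProcessor: it generates both values per request and XML-escapes credentials read from a CSV Data Set Config. The variable names `wsUser`, `wsPass` and the `wsse*` outputs are assumptions.

```groovy
// Added example: JSR223 PreProcessor script for JMeter (Groovy).
// Assumption: a CSV Data Set Config defines the variables wsUser and wsPass
// (hypothetical names); the wsse* output names are also chosen for this example.
import java.security.SecureRandom
import java.time.Instant
import java.time.temporal.ChronoUnit

// Escape characters that would otherwise break the SOAP header when a
// credential from the CSV file contains XML metacharacters.
String xmlEscape(String s) {
    s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
}

// A new 16-byte random nonce and a UTC timestamp for every request, in the
// same encodings Exhibit B uses (Base64 nonce, xsd:dateTime Created).
Map<String, String> freshTokenFields() {
    byte[] nonce = new byte[16]
    new SecureRandom().nextBytes(nonce)
    [wsseNonce  : Base64.getEncoder().encodeToString(nonce),
     wsseCreated: Instant.now().truncatedTo(ChronoUnit.MILLIS).toString()]
}

// JMeter binds "vars" (per-thread variables); outside JMeter fall back to
// constructed sample credentials so the script can be run on its own.
boolean inJMeter = binding.hasVariable('vars')
String user = inJMeter ? vars.get('wsUser') : 'johndoe'
String pass = inJMeter ? vars.get('wsPass') : 'secret'
if (user == null || pass == null) {
    throw new IllegalStateException('wsUser/wsPass not set: check the CSV Data Set Config')
}

Map<String, String> out = freshTokenFields()
out.wsseUser = xmlEscape(user)
out.wssePass = xmlEscape(pass)

if (inJMeter) {
    out.each { k, v -> vars.put(k, v) }          // visible to the sampler that follows
} else {
    println out.findAll { it.key != 'wssePass' } // never print the password
}
```

In the recorded sampler body, replace the literal values of Exhibit B with `${wsseUser}`, `${wssePass}`, `${wsseNonce}` and `${wsseCreated}`, keeping each element's text free of surrounding whitespace.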