0
votes

Using JMeter 3.1 r1770033, I am having two issues with storing a company-specific cookie via our Single Sign-On (SSO).

I have read many blog posts and questions on this site regarding cookies, but none appear to address my specific issue of "HC3CookieHandler: Not storing invalid cookie:"

I believe this is due to the implementation of how the company wants the cookie formatted.

Cookie: companyAuthorizedEnvironment=assignedTokenId

I'm able to be successful using a Command Line Interface using curl, but not via JMeter.

 curl --request POST --header "X-OpenAM-Username:username" --header "X-OpenAM-Password:password" --header "Content-Type:application/json" --data "{}" https://sso.company.com/access/authenticate/

Response

{"tokenId": "AQIC5w_TEXT_REMOVED_NTcy*", "successUrl": "/openam/console" }

Below is an outline of my simple login/logout test with explanations and a summary of the 2 resulting issues.

Any help is greatly appreciated!



TEST PLAN

HTTP Cache Manager

Clear cache each iteration? = enabled
Use Cache-Control = disabled
Max # of elements = 5000

HTTP Cookie Manager

I've tried every possible Implementation/Policy combination, with no success.

Clear cookies each iteration = enabled
Implementation = HC3CookieHandler
Cookie Policy = default

SETUP THREAD GROUP = SSO AUTHENTICATION

"This process allows the remote client to authenticate to the SSO using valid credentials. Upon successful authentication, an authentication token is presented to the user which is then used to gain access to secured applications."

HTTP Header Mgr

    X-OpenAM-Username: ${username}
    X-OpenAM-Password: ${password}
    Content-Type: application/json

HTTP Request

    Server Name = sso.stage.company.com
    Protocol = ${__P(protocol,https)}
    Method = POST
    Path = /access/authenticate/

    REGEX

        Ref Name = newTokenId
        Reg Expression = "tokenId":(.+?)\,
        Template = $1$
        Match No. = 1
        Default = null

    BEANSHELL ASSERTION

        ${__setProperty(tokenId,${newTokenId})}

TEARDOWN THREAD GROUP = SSO LOGOUT

"This process allows the remote client to terminate an active session with the SSO by logging out of the system"

HTTP Header Mgr

    Cookie: companyauthstage=${tokenId}
    Content-Type: application/json

HTTP Request

    Server Name = sso.stage.company.com
    Protocol = ${__P(protocol,https)}
    Method = POST
    Path = /access/logout/


ISSUE 1 - LOGIN

I am seeing the following warning in my trace log.

WARN  - jmeter.protocol.http.control.HC3CookieHandler: Not storing invalid cookie: <amlbcookie=01; Domain=sso.stage.company.com.; Path=/> for URL https://sso.stage.company.com/access/authenticate/ (Illegal domain attribute "sso.stage.company.com.". Domain of origin: "sso.stage.company.com") 

Not sure why it's illegal. I am wondering if somewhere a period (.) is being appended to the domain. I've verified I didn't have an extra period anywhere.

ISSUE 2 - LOGOUT

Response code: 401
Response message: Unauthorized

I suspect it's unauthorized because the "Cookie: companyauthstage=${tokenId}" header is not being stored, but am not 100% sure.

2 Answers

1
votes

If you are totally sure that the cookie is fine, you can force JMeter to disable cookie checks and store cookies as they are by adding the next line to the user.properties file (which normally lives under the "bin" folder of your JMeter installation):

CookieManager.check.cookies=false

JMeter restart will be required to pick the property up.

You can achieve the same by passing the property via -J command-line argument like:

jmeter -JCookieManager.check.cookies=false -n -t ....

0
votes

You've already got the description you need:

Illegal domain attribute "sso.stage.company.com.". Domain of origin: "sso.stage.company.com"

It is "illegal" because it has a dot at the end, hence it doesn't match the domain it came from. That lies in the security scope, so all the client software should have taken it very seriously, and so the cookie manager does.

So you better go give a heads-up kick to your developers - that's a bug.
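
The domain mismatch discussed in the answers above, as an added example that is not part of the original posts and is not JMeter's or HttpClient's code: a simplified strict Domain-attribute check that separates the trailing-dot case from a genuinely foreign domain. The function names and all sample headers except the first are assumptions constructed for illustration.

```python
# Added illustration: a simplified strict Domain-attribute check, NOT the
# actual HC3CookieHandler logic. All function names are hypothetical.

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; ...' into (name, value, attrs)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def domain_matches(host, domain_attr):
    """Strict match: host equals the attribute (minus one leading dot)
    or is a subdomain of it. No trailing-dot normalisation is applied."""
    host = host.lower()
    domain = domain_attr.lower()
    if domain.startswith("."):
        domain = domain[1:]
    return host == domain or host.endswith("." + domain)


def classify(host, header):
    """Return 'accept', 'trailing-dot' or 'foreign-domain' for a Set-Cookie."""
    _, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    if domain is None or domain_matches(host, domain):
        return "accept"
    if domain.endswith(".") and domain_matches(host, domain.rstrip(".")):
        return "trailing-dot"   # server-side formatting bug, as in the log
    return "foreign-domain"     # the case the check exists to stop


HOST = "sso.stage.company.com"
# First header is taken from the warning in the question; the rest are constructed.
SAMPLES = [
    "amlbcookie=01; Domain=sso.stage.company.com.; Path=/",
    "amlbcookie=01; Domain=sso.stage.company.com; Path=/",
    "amlbcookie=01; Domain=.company.com; Path=/",
    "amlbcookie=01; Domain=other.example; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(classify(HOST, h), "<-", h)
```

Setting CookieManager.check.cookies=false turns validation off for every response, so a cookie like the constructed foreign-domain sample would be stored as well, not only the trailing-dot one.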