Sorry for my poor English, and thank you in advance.
I'm trying to make a thread group that makes jmeter logged in our system.
to accomplish this, I need to POST data which contains ID, password, and token.
The token generated every time when the page has opened and hold in hidden value.
So, the usual solution which is like GET response, do the regular expression extractor, and make the value variable and POST it later request doesn't work for me.
since the token become different from when jmeter GET token and POST it.
Then, I found a parallel controller and this might be a solution for me.
but I can't find a way to do it.
also, there are no references in my mother language(Japanese).
I want POST token to certain login action so I need to do regular expression extractor with parallel controller.
then POST the token with ID and password at same time.
I want to know the way of the above or if it's impossible, is there any alternative solution that might work for me.
Thank you a lot for your help.
Don't worry about language at all :)
I will add a solution according to how I understand your problem.
As I understood, your scenario is,
We Request a page
We will get a response with token
We fetch the token and send the next request with the token
We will get a response with a different token
Need to fetch the new token and send another request
In this case, I think you are trying to use the first token in all the requests. Without doing that what if you fetch the token per each request?
The problem with the parallel controller is if you want to fetch the token from a previous request. It might not work.
Please correct me if I haven't understood the question correctly
Parallel Controller is not something you should be using, it's for simulating AJAX requests as JMeter cannot execute JavaScript like browser does and hence cannot run multiple HTTP request samplers in parallel with one virtual user.
Your test plan structure should be much simpler, to wit:
HTTP Request sampler (to get login page)
a Post-Processor (most probably you're looking for CSS Selector Extractor) to get the values from hidden fields
HTTP Request sampler (to perform login)
See Variabilize and Correlate the script chapter for more details on the concept
Related
I need to call a Rest API ONCE to get a SAML Token to use in the Authorization Header for all other Thread Group/Users in my test. What is the preferred way of doing this? I can see where I can add a header manager and use the variables from there, but it looks like the variable is scoped to the thread group. I assume I can use a property. To make it simple I want one thread group that calls the api to get the token, so it will only call once set some property and all the other thread groups will use the property to get the SAML token. I am newbie so please be nice, it seems like this is a standard thing to do. My plan was a JSON Extractor and somehow use that to set a property.
The easier way is using JMeter Functions instead of Beanshell (moreover Beanshell scripting is a kind of performance anti-pattern). Also you don't need this 2nd "property to variable" conversion.
In 1st Thread Group use __setProperty() function in order to convert JMeter Variable into a property like
${__setProperty(token,${token},)}
In 2nd Thread Group use __P() function to get the token property value like
${__P(token,)}
In general using single SAML token for the multiple threads doesn't seem very good idea to me as normally different users should have different tokens and good load test needs to represent real life situations as close as possible. So I would recommend considering using single token per single virtual user. If you need to pass the tokens across thread groups you can go for Inter-Thread Communication Plugin, it is way easier, moreover you will have confidence that 2nd thread won't start until it receives the token from 1st thread.
I found these thread(s) that helped:
How to get value from property in BeanShell (jmeter)
Still not sure if this is the correct way, but it worked.
I called my REST API to get my Token
I Used a JSON extractor to get the Token
I Set a Global Property to hold my token using a Bean Shell Assertion
props.put("token", vars.get("token"));
In my other thread group I get the token from the property
String token = props.get("token");
vars.put("token",token );
In the HTTP Header Manager I get the token from local variable ${token}
This seems tedious, I am hoping there is better way.
I need to simulate a test scenario where my application sends a request with 100s of queries. On the back-end, this request is broken down into requests containing a single query each. So a request from Jmeter with 100 queries will become 100 requests on the back-end. Now - the response from the back-end could either contain the requested data for each of those queries OR contain a unique queryID. Sending back a queryID is server's way of telling that this query is still running. For example, if Jmeter sends a request with 100 queries, it might get back data for 80 and 20 unique queryIDs. So my application under test makes a callback request with those 20 queryIDs every 15 seconds until it gets back the requested data or timeout.
Here is what I have implemented so far.
-main_request_with_100_queries
--XPath_extractor_to_extract_any_queryIDs_found
-if_controller_to_check_if_queryID_MatchNr_is_greater_than_0
--15_second_pause
--beanshell_preprocessor_to_create_the_request_body_with_all_queryIDs
--callback_request_with_queryIDs
What I want to implement is to have another XPath extractor for my callback_request and if any queryIDs are found, then go back to the if_controller
I'm trying to make this work by using a module_controller but so far no luck. Has anyone ever implemented something like this? Can anyone suggest some ideas?
You can use While Controller to keep making the request until there is a queryID in the response.
While Controller [ "${querid.present}"=="true" ]
HTTP Request
Pre Processor [to_create_the_request_body_with_all_queryIDs]
Post Processor [to check for query ID. if no query id - change querid.present to false ]
If possible, try to use Regular Expression Extractor. xpath is very slow and might affect your performance of the script. Check here for more details.
Creating modular test script in JMeter.
I would like to perform a load test on a site that uses ValidateAntiForgeryTokens on a number of HttpPosts. However, as you would expect, when I run my load test script, I receive a number of 500 errors because the __RequestVerificationToken is either copied from an earlier request or is blank. Both of which fail.
Are there any ways to load test sites where I am using the ValidateAntiForgeryToken attribute on my HttpPost methods?
I've tried using StresStimulus and also SmartBear's LoadComplete for my tests.
If you are using fiddler and http://stresstimulus.stimulustechnology.com/ (which I haven't used) I have to imagine you can first login, and then use that session as your load. The AntiForgeryTokens are NOT one time, and as long as the cookie is there for your auth info and an anti forgery token generated during that login session, it should be fine.
I had the same problem with StressStimulus. Some of the forms submitted to the site were failing because the __RequestVerificationToken are not updated when the recorded request is run. {{Auto-Correlation}} did not work in my case. I used regex extractor to solve it. Here's the link to my post on StressStimulus
Without seeing the details of the scenario you are working with, it is hard to say for sure. But we've been able to automate many of these types of dynamic fields for load testing purposes (the only ones we haven't been able to bypass are those that require human input, i.e. captchas). In general, you need to find where the value of the __RequestVerificationToken field came from - be it a cookie, a javascript calculation, a hidden form field, etc. Once you've located that, you can extract or calculate that value as part of the load test scenario and send it along with the request. If my memory serves, we've tackled this one before with out much work - if you'd like to give us a shot at the problem, contact us. In general, we can handle these types of problems much more gracefully than either of the solutions you mentioned.
What are the strengths of GET over POST and vice versa when creating an ajax request? How do I know which I should use at any given time? Is it a security-minded decision?
Also, what is the difference in how they are actually sent?
GETs should be used for idempotent operations, that is operations that can be safely repeated more than once without changing anything. Browsers will cache GET requests (for normal and AJAX requests)
POSTs should be generally be used for non-idenpotent operations, like saving something. Although you can use them for other operations if you want.
Data for GETs is sent over the URL query string. Data for POSTs is sent separately. Some browsers have a maximum URL length (I think Internet Explorer is 2048 characters), and if the query string becomes too long you'll get an error.
You should use GET and POST requests in AJAX calls just as you would use GET and POST requests in normal calls. Basic rule of thumb:
Will the request modify anything in your Model?
YES: The request will modify (add/update/delete) data from your data store,
or in some other way change the state of the server (cause creation of
a file, for example). Use POST.
NO: The request will not affect the state of anything (database, file system,
sessions, ...) on the server, but merely retrieve information. Use GET.
POST requests are requests that you do not want to accidentally happen. GET requests are requests you are OK with happening by a user pointing a browser to via a URL.
GET requests can be repeated quite simply since their data is based in the URL itself.
You should think about AJAX requests like you think about regular form requests (and their GET and POST)
The Yahoo! Mail team found that when using XMLHttpRequest, POST is implemented in the browsers as a two-step process: sending the headers first, then sending data. So it's best to use GET, which only takes one TCP packet to send (unless you have a lot of cookies). The maximum URL length in IE is 2K, so if you send more than 2K data you might not be able to use GET.
http://developer.yahoo.com/performance/rules.html#ajax_get
Several of my ajax applications in the past have used GET request but now I'm starting to use POST request instead. POST requests seem to be slightly more secure and definitely more url friendly/pretty. Thus, i'm wondering if there is any reason why I should use GET request at all.
I generally set up the question as thus: Does anything important change after the request? (Logging and the like notwithstanding). If it does, it should be a POST request, if it doesn't, it should be a GET request.
I'm glad that you call POST requests "slightly" more secure, because that's pretty much what they are; it's trivial to fake a POST request by a user to a page. Making it a POST request, however, prevents web accelerators or reloads from re-triggering the action accidentally.
As AJAX, there is one more consideration: if you are returning JSON with callback support, be very careful not to put any sensitive data that you don't want other websites to be able to see in there. Wikipedia had a vulnerability along these lines where the user anti-CSRF token was revealed via their JSON API.
All good points, however, in answer to the question, GET requests are more useful in certain scenarios over POST requests:
They can be bookmarked
They can be cached
They're faster
They have known consequences (assuming they don't change data), so visiting them multiple
times is not a problem.
For the sake of posterity, updating this comment with the blog notes re: point #3 here, all credit to Omar AL Zabir (the author of the referenced blog post):
"Atlas by default makes HTTP POST for all AJAX calls. Http POST is
more expensive than Http GET. It transmits more bytes over the wire,
thus taking precious network time and it also makes ASP.NET do extra
processing on the server end. So, you should use Http Get as much as
possible. However, Http Get does not allow you to pass objects as
parameters. You can pass numeric, string and date only. When you make
a Http Get call, Atlas builds an encoded url and makes a hit to that
url. So, you must not pass too much content which makes the url become
larger than 2048 chars. As far as I know, that’s what is the max
length of any url.
Another evil thing about http post is, it’s actually 2 calls. First
browser sends the http post headers and server replies with “HTTP 100
Continue”. When browser receives this, it sends the actual body."
You should use GET where you're doing a request which has no side effects, e.g. just fetching some info. This request can:
Be repeated without any problem - if the browser detects an error it can silently retry
Have its result cached by the browser
Be cached by a proxy
These things are all good. Anything which is only retrieving data (particularly public data) should really be a GET. The server should send sensible Last-Modified: and Expires: headers to allow caching if required.
There is one other difference not mentioned by anyone.
GET requests are passed in the URL string and are therefore subject to a length limit usually dependent on the browser. It seems that most are around 2000 chars.
POST requests can be much much larger - in fact not limited really. So if you're needing to request data from a web server and you're passing in lots of parameter information then a POST request might be the only option.
So, as mentioned before really a GET request is for requesting data (no side effects) while a POST request is generally used for transmitting data back to the server to be stored (with side effects). e.g. Use POST to upload a file. GET to retrieve a file.
There was a time when IE I believe had a very short GET URL string. Some applications like Lotus notes use large numbers of random characters to represent document id's. I had the displeasure of using another product that generated random strings so the page URL was unique each time. The random string was HUGE... and it didn't always work with IE6 from memory.
This might help you to decide where to use GET and where to use POST:
URIs, Addressability, and the use of HTTP GET and POST.
POST requests are just as insecure as GETs. The main difference is that POST is used to modify the state of the server application, while GET only requests data from it.
The difference matters when you use clean, "restful" URLs, where the URL itself specifies the resource, and the different methods trigger different actions on the server side.
Perhaps most importantly, GET is book-markable / viewable in url history, and searchable with Google.
POST is important where you don't want the event to be bookmarkable or able to be typed in as a URL - otherwise you (or Google crawling your URLS) could end up accidentally doing things like deleting users from your system, for example.
GET
POST
In GET method, values are visible in the URL
In POST method, values are not visible in the URL.
GET has a limitation on the length of the values, generally 255 characters.
POST has no limitation on the length of the values since they are submitted via the body of HTTP.
GET performs are better compared to POST because of the simple nature of appending the values in the URL.
It has lower performance as compared to GET method because of time spent in including POST values in the HTTP body
This method supports only string data types.
This method supports different data types, such as string, numeric, binary, etc.
GET results can be bookmarked.
POST results cannot be bookmarked.
GET request is often cacheable.
The POST request is hardly cacheable.
GET Parameters remain in web browser history.
Parameters are not saved in web browser history.
Source and more in depth analysis: https://www.guru99.com/difference-get-post-http.html