I am new to JMeter. My password is encrypted in Client side using jQuery.jcryption library. I get my secret key from server side and in client side using the key used to encrypt username and password. Then encrypted User Name and password is decrypted on server side based on same key.
My questions are:
How do i encrypt my data in JMeter at each thread run using jQuery.jcryption.js?
Is there any way to run jQuery files in JMeter?
I am stuck and not able to resolve this.
$.jCryption.getKeys("../account/getPublicKey.srvc?generateKeypair=true",
function(receivedKeys) {
var user = $("#userNameId").val();
var password = $("#passwordId").val();
$.jCryption.encrypt(user, receivedKeys, function(encrypted) {
$.jCryption.encrypt(password, receivedKeys, function(encryptedPasswd) {
$("#userNameHiddenId").val(encrypted);
$("#passwordHiddenId").val(encryptedPasswd);
validateAndSubmitLogin('form#loginForm');
});
});
});
Related
As part of our effort to be GDPR compliant, I’m trying to extend our Keycloak server with some custom functionality, to be triggered when a user is removed:
sending a confirmation message to a Slack channel
sending a HTTP request to another service we built, to delete any assets that user might have created there
The first one was easy. It's implemented as a SPI event listener, following this example:
#Override
public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
keycloakSessionFactory.register(
(event) -> {
// the user is available via event.getUser()
if (event instanceof UserModel.UserRemovedEvent){
userRemovedMessageHandler.handleUserRemoveEvent(session, (UserRemovedEvent) event);
LOG.debug("User removed event happened for user: " + ((UserRemovedEvent) event).getUser().getId());
}
});
}
But I'm stuck on the second task (sending the HTTP request). The other service is set up to require a trusted client token, using a designated Keycloak Client and scope. The equivalent POST request to auth/realms/{realm}/protocol/openid-connect/token is done with these parameters:
grant_type: password
username: {user that is about to be deleted}
password: {user password}
client_id: {the specific client}
client_secret: {that client's secret}
scope: usersets
I can’t find out how to do that from within the SPI code. I can retrieve a regular Access Token (as described in this other SO post):
private String getAccessToken(KeycloakSession session, UserModel deleteUser) {
KeycloakContext keycloakContext = session.getContext();
AccessToken token = new AccessToken();
token.subject(deleteUser.getId());
token.issuer(Urls.realmIssuer(keycloakContext.getUri().getBaseUri(), keycloakContext.getRealm().getName()));
token.issuedNow();
token.expiration((int) (token.getIat() + 60L)); //Lifetime of 60 seconds
KeyWrapper key = session.keys().getActiveKey(keycloakContext.getRealm(), KeyUse.SIG, "RS256");
return new JWSBuilder().kid(key.getKid()).type("JWT").jsonContent(token).sign(
new AsymmetricSignatureSignerContext(key));
}
but that's not the token I need. In order to retrieve the required trusted client token I’d need the internal Keycloak / SPI-equivalent of the above POST request, but I can’t figure out how to do that or where to look.
Besides, I'm not sure if it is even possible to retrieve a trusted client token for a user that is in the process of being deleted. In other words, I don’t know if the UserRemovedEvent is fired before, during or after the user is actually deleted, or if Keycloak waits until any custom EventHandlers have finished running.
(In order to figure that out, I'll try if it is possible to retrieve that token using a regular http POST request from within the add-on code, but I have no idea if it's possible to connect to Keycloak like that from inside. I'll update the question if that works.)
I'd greatly appreciate any suggestion!
(I also asked this in the Keycloak discourse group here but it looks as if it will remain unanswered there)
I am attempting to abstract the authorization/authentication from my upstream services into Kong API gateway. Previously, I was using express + passport to handle sessions. Whenever a user logs in with their credentials a session would be created with their user info attached to the req object (req.user).
Currently, I am using API keys + session + serverless functions to compare user passwords (using bycrypt lua library) from a file mapped into the Kong container. The client would send an initial login (with username and password) request with an API key to log in, the serverless function would compare the password hashes, if all that passes, the session would get created.
However, my question is, is there a way to store the user info into the session database, so my upstream service can ask for that information to ensure that the session attached to the user logged in is valid at any given time?
Any ideas even if not related to Kong would be appreciated!
When creating a new session on Kong, you can explicitly provide the unique Key used to identify a session (by default created by KONG itself).
When The password checks pass and you are generating a session on Kong you can create your own unique key and use that key while creating the session.
Kong_admin = 'http://localhost:8001'
kong_session = {'key': 'any-unique-combination'}
#any unique combination which you would like to use for identifying the session
user = 'test-user#dummy.com'
#create a session for this dummy user using your key
response = requests.post('%s/consumers/%s/jwt' % (Kong_admin, user),data=kong_session)
#Once the session is created you can find it using
resp = requests.get('%s/consumers/%s/jwt/any-unique-combination' % (Kong_admin, user))
# you can use this key in your token payload so your upstream service can decrypt the
# payload and get this key and you can store this key in your database mapped with
# user during session creation.
# with this you ll be able to decrypt any session payload , get a key and then query
# it on database at any point of time
I am running a script for login a site in jmeter where the credentials for the password is hashcode and in encrypted format. like this below as java library are used like validation of password, I am not able to write the java code for converting the decrypt the password
Actual what post data displayed:
&member_login_number=test#gmail.com&member_login_password=0d42afb79ebef4fbf34989341c42ca40dd3504d5da60c8eeffaf73d169e77c63601c72a4cda2c706e2b4e15a84dc8d50e024ab1b2e6198d94d0ae70c57de1808
CSV Data Config
username :testing#test.com
Password:password
Now when i using the csv data config to parameterized the password with the
actual password request is not getting success even after entering the
hashcode password to csvfile the post is not successful.
Is there any solution for this?
Screenshots below:
username_password_request
Laravel 5.0
I want to encrypt some data in the database using not only the application key but also the users password or any other string that HE will provide.
The reason is that i want only him to be able to decrypt the data.
How would i go about it?
-Use Javascript and encrypt the password locally and then send it to the server?
or
-Send the text that user enters directly to the server?
All traffic will be upon HTTPS
// Encrypt
$key = md5(Config::get('app.key') . $userString);
Crypt::setKey($key);
$encypted = Crypt::encrypt($input);
// decrypt
$key = md5(Config::get('app.key') . $userString);
Crypt::setKey($key);
$decypted = Crypt::decrypt($encypted);
I am using express/socket.io combination in my node.js app. So far it's working fine.
Now, I need to store facebook user id and email id (after user being authorized) into session scope. I see there are lot of options and a bit lost here.. in my app, most of the communications happen through socket.io.. ultimately what i want is to access user id and email id anytime in the client side...
var express = require("express"),
fs = require("fs"),
app = express.createServer(
form({ keepExtensions: true })
),
io = require("socket.io");
socket = io.listen(app);
After being authorized, I suggest using the accessToken which is already in the cookies and then sending it through the socket.io and fetching the email and the id using graph.facebook or your own DB. The problem with storing user ID and Email is that it could insecure, since session hijacking could happen.
Facebook has its own experts on security to make sure it wouldn't be hijacked. Use it!
This might help:
http://criso.github.com/fbgraph/
After being authorized you can store the data in your session via express
http://expressjs.com/guide.html#session-support
On a very basic level:
// Get data from facebok and store it on a var `userData`
// server
socket.on('getUserData', function (callback) {
callback(facebookUserData);
});
// client
socekt.emit('getUserData', function(userData) {
console.log(userData);
});