Capybara: HTTP Auth. after redirect - ruby

I'm facing a problem with HTTP Auth after redirecting from another page.
So let's assume that in my test I visit my URL with e.g. visit('http://admin:password@url1').
After doing some stuff on this site I click on a button and I am redirected to another site (http://url2.com) which requires an HTTP auth as well. Now I need to enter new credentials which are not the same as for url1. Selecting the element and filling it with input will not work. I'm using Ruby with Capybara and Firefox with selenium-webdriver. How can I do this?

Since you're using selenium-webdriver, after clicking on the button you can try
page.driver.send(:find_modal).authenticate(username, password)

Related

Keycloak logout request does not log out user

I am currently working on a small project using Keycloak 2.5.0.
I've already set up the user login and I'm now trying to implement a page-wide logout button.
As the documentation states, I simply call the route
http://my-auth-server/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://application-root.com/
For the sake of simplicity I used an anchor tag to make this GET request.
If I take a look into the Network tab of the Firefox developer tools, everything seems to be working fine. I am getting back a 302 status code for the redirection request. After that, the application successfully requests http://application-root.com/ with a status code of 200 and redirects me to this page.
But when I want to request the locked content again (the one secured by Keycloak), it's still accessible.
But whenever I manually delete the JSESSIONID and KEYCLOAK_ADAPTER_STATE cookies after the redirection, everything works fine and I'm being logged out correctly. Sadly I can't delete those cookies programmatically because they are HttpOnly.
What is the expected behaviour of this request?
Am I missing something?
Has anyone experienced anything similar?
Thanks for any help.
I implemented logout using Keycloak version 4.8.3. The mandatory parameter is the ID token (id_token_hint). The optional parameter is the redirect URL (post_logout_redirect_uri).
Example:
http://my-auth-server/auth/realms/master/protocol/openid-connect/logout?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEY0gyNnl0OFV0OEJQTGxoR&post_logout_redirect_uri=http:%2F%2Fapplication-root.com%2F
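The two logout URLs in this thread differ only in their query string, so the check is easy to automate. The following is an added example, not code from the question, the answer or Keycloak: it builds a logout URL with the parameters the answer names (id_token_hint required, post_logout_redirect_uri optional and percent-encoded) and reports what an existing logout URL is missing. The server name, realm and token value are constructed placeholders.

```ruby
require "uri"

# Constructed placeholder endpoint (same shape as the one in the thread).
LOGOUT_ENDPOINT = "http://my-auth-server/auth/realms/master/protocol/openid-connect/logout"

# Build the logout URL. id_token_hint is mandatory; post_logout_redirect_uri is
# optional. URI.encode_www_form percent-encodes the redirect target so that the
# ':' and '/' of the inner URL cannot be confused with the outer query syntax.
def build_logout_url(id_token, redirect_uri: nil, endpoint: LOGOUT_ENDPOINT)
  raise ArgumentError, "id_token_hint is mandatory" if id_token.nil? || id_token.empty?
  params = { "id_token_hint" => id_token }
  params["post_logout_redirect_uri"] = redirect_uri if redirect_uri
  "#{endpoint}?#{URI.encode_www_form(params)}"
end

# Inspect a logout URL and list what is missing relative to the answer above.
# An empty array means the URL carries the parameters the answer requires.
def logout_url_problems(url)
  params = URI.decode_www_form(URI.parse(url).query.to_s).to_h
  problems = []
  problems << "missing id_token_hint" unless params.key?("id_token_hint")
  if params.key?("redirect_uri") && !params.key?("post_logout_redirect_uri")
    problems << "redirect_uri given instead of post_logout_redirect_uri"
  end
  problems
end

if __FILE__ == $0
  # The URL from the question: no id_token_hint, and the old parameter name.
  p logout_url_problems("http://my-auth-server/auth/realms/master/protocol/openid-connect/logout?redirect_uri=http://application-root.com/")
  # A URL built the way the answer describes ("constructed-id-token" stands in for a real JWT).
  p build_logout_url("constructed-id-token", redirect_uri: "http://application-root.com/")
end
```

Keeping the builder strict about id_token_hint means a logout link can never silently degrade into the "302 then still logged in" behaviour described in the question.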

JMeter proxy is blocking the login

I am trying to record a test script with JMeter for an internal website hosted on the company intranet. I can record only up to navigating to the login page, submitting username/password, and clicking on the login button. The login page reloads all the time. Nothing else happens.
Steps to reproduce:
1) I started the JMeter HTTP Test Script Recorder
2) I changed the browser settings to point it to the proxy.
3) Navigated to the login page, keyed in username/password, and clicked login
4) The login page reloads, nothing else happens.
I tried it on all the browsers. It's the same everywhere. I recorded tests on Gmail and Facebook successfully. I did not face any issue there for navigation. Please help me. Is it an issue with the server where the site is hosted?
What kind of login authentication do you use in your internal website? Is it the same authentication as Gmail or Facebook (using a login form, then comparing it to a database)? Or is it Active Directory user (Windows account) authentication (usually there is a browser popup to enter username and password)?
You can try this:
1) Start the JMeter HTTP Test Script Recorder
2) Change the browser settings to point it to the proxy
3) Navigate to the login page, key in username/password, and click login. From this point, you will have a sampler for the login step
4) Change the browser settings to not use the JMeter proxy
5) Navigate to the login page, key in username/password, and click login. It should be working
6) Change the browser settings to point it to the proxy again
7) Do the rest of the recording normally to get the remaining scenarios.
I hope that will help you.

How to redirect http request to https before the basic authentication popup

I'm using basic authentication on my site, which does a simple Windows popup asking for username and password. I'm wondering if there's a way to redirect HTTP traffic to HTTPS traffic before this popup? Currently, I'm using a custom redirect error page, so when someone goes to http://www.mysite.com/ the popup comes up and asks for username and password, and after they enter it the page redirects HTTP traffic to HTTPS. But I'm assuming that the password is sent in clear text, since the redirect is happening after the login attempt.
I've tried playing with IIS, and JavaScript on the page itself, but it seems the popup is happening before any of that comes into play. Is there any way to redirect before that popup comes up?
Thanks!
I know this is old, but here is how I managed to achieve this, for anyone who needs the same.
1) Remove the HTTP binding on the target domain's virtual server
2) Create a second virtual server for the same domain with only an HTTP binding
3) Add a rewrite rule to the new virtual server that redirects all traffic to the HTTPS version of the domain
This is the only straightforward way I found, and it is probably the simplest.
Voila!
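The answer's IIS layout works because the http-only server never issues a Basic challenge; it only redirects. The same ordering can be shown in a few lines of application code. What follows is an added example, not from the question, the answer or IIS: a minimal Rack-style handler (plain Ruby, no gems) that evaluates the https redirect before the WWW-Authenticate challenge, plus a decoder showing that a Basic header is only base64, which is why the original "challenge on http, redirect afterwards" setup exposes the password. The host, user name and password are constructed placeholders.

```ruby
# Constructed credentials for the example; a real deployment checks a password store.
VALID_USER = "alice"
VALID_PASSWORD = "correct horse battery staple"
CHALLENGE = { "WWW-Authenticate" => 'Basic realm="mysite"' }.freeze

# Rack-style handler: takes an env hash, returns [status, headers, body].
def https_first_app(env)
  host = env["HTTP_HOST"]
  path = env["PATH_INFO"] || "/"

  # 1. Redirect first. A plain-http request never sees a challenge, so the
  #    browser never prompts for a password while still on http.
  if env["rack.url_scheme"] != "https"
    return [301, { "Location" => "https://#{host}#{path}" }, []]
  end

  # 2. Only on https do we challenge for credentials.
  auth = env["HTTP_AUTHORIZATION"].to_s
  return [401, CHALLENGE.dup, ["credentials required"]] unless auth.start_with?("Basic ")

  user, password = decode_basic_header(auth)
  if user == VALID_USER && password == VALID_PASSWORD
    [200, { "Content-Type" => "text/plain" }, ["welcome #{user}"]]
  else
    [401, CHALLENGE.dup, ["bad credentials"]]
  end
end

# Build a request env in the shape Rack uses (constructed, for the example).
def request_env(scheme:, host: "www.mysite.com", path: "/", authorization: nil)
  env = { "rack.url_scheme" => scheme, "HTTP_HOST" => host, "PATH_INFO" => path }
  env["HTTP_AUTHORIZATION"] = authorization if authorization
  env
end

# What the browser sends after the popup: "Basic " + base64("user:password").
def basic_header(user, password)
  "Basic " + ["#{user}:#{password}"].pack("m0")
end

# Basic auth is encoding, not encryption: anyone who sees the header on an
# http connection recovers the password with one base64 decode.
def decode_basic_header(header)
  header.sub("Basic ", "").unpack1("m").split(":", 2)
end

if __FILE__ == $0
  p https_first_app(request_env(scheme: "http"))                    # 301, no challenge
  p https_first_app(request_env(scheme: "https"))                   # 401 with challenge
  p decode_basic_header(basic_header("alice", "hunter2"))           # ["alice", "hunter2"]
end
```

The order of the two checks is the whole point: swapping them reproduces the questioner's setup, where the 401 challenge (and the user's reply to it) happens on http and the redirect only afterwards.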

RPX token URL problem

I am using RPX in my CakePHP project. I have set the token URL like this: http://www.mysite.com/users/login
Here is my login action code.
    function login() {
        $this->Ssl->force();          // redirects the request to https:// when it arrived over http://
        $this->layout = 'colorbox';
        $this->pageTitle = "User Login";
    }
I have used SSL with the login form. Look at the code above ($this->Ssl->force();). Login using RPX works fine without SSL. I commented out the $this->Ssl->force(); line and got RPX working properly. But when I uncommented that SSL code, it doesn't work properly.
When the SSL code was uncommented there, I did this.
1. Selected Google to log in from the RPX badge (in my login form)
2. Entered my Google ID and password to log in and it worked.
3. But I was redirected back to the login form without any session.
Can anyone help me please?
Thanks.
The current code redirects the login page from http:// to https:// and therefore it loses the session and other token data. So I need to use either http or https before and after redirecting from RPX to my site.
Thanks.
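The self-answer above names the cause but not the mechanism. RPX delivers its token by POSTing it to the configured token URL; when that URL is http:// and the action immediately redirects to https://, the browser follows the 302 with a GET and no body, so the https side of the action never receives the token and falls back to the login form. The simulation below is an added example, not code from the post or from CakePHP: a login action with Ssl->force() semantics and a browser-like redirect follower. Host name, path and token value are constructed.

```ruby
require "uri"

# The login action with the same behaviour as Ssl->force(): redirect if the
# request is not https, otherwise look for the RPX token in the parameters.
# Constructed host for the example.
def login_action(request)
  if request[:scheme] != "https"
    return { status: 302, location: "https://www.mysite.com#{request[:path]}" }
  end
  token = request[:params]["token"]
  return { status: 401, body: "no token, back to the login form" } if token.nil?
  { status: 200, body: "session opened with token #{token}" }
end

# A browser following a 302 after a POST: it re-requests the Location header
# with GET and drops the request body, so POST parameters do not survive.
def browser_submit(scheme:, path:, params:)
  request = { scheme: scheme, path: path, method: "POST", params: params }
  response = login_action(request)
  hops = 0
  while response[:status] == 302 && hops < 5
    uri = URI.parse(response[:location])
    request = { scheme: uri.scheme, path: uri.path, method: "GET", params: {} }
    response = login_action(request)
    hops += 1
  end
  response
end

if __FILE__ == $0
  token = { "token" => "constructed-rpx-token" }
  p browser_submit(scheme: "http",  path: "/users/login", params: token)  # 401: token lost on redirect
  p browser_submit(scheme: "https", path: "/users/login", params: token)  # 200: token arrives
end
```

The fix the poster settled on follows directly: register the token URL with the same scheme the action is forced to, so the POST lands on https the first time and no redirect sits between RPX and the session setup.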

Firefox: What's the basis for remembering login information?

Updated with clarifications
Hello,
When our users go to http://mysubdomain.server.com/login they get redirected to https://secure.server.com/login?subdomain=mysubdomain. So the actual login page is located on the secure.server.com subdomain.
The problem is that if the user logs in with the credentials meant for subdomainA and tells Firefox to remember the password, the browser will autocomplete the login form even if the user visits the login page meaning to log into subdomainB.
Firefox assumes that the login form on secure.server.com/login?subdomain=subdomainA is the same as the one on secure.server.com/login?subdomain=subdomainB.
At first, I thought Firefox remembered passwords based on a combination of the URL and the name attribute of the form, but I've tried changing the name based on the subdomain (name="login-<subdomain_name>"), and it still doesn't work.
How can I make Firefox remember passwords for subdomainA and for subdomainB separately, and not together?
I couldn't quite decipher what your setup is, but you can enable login manager debugging and check what Firefox does. You can also inspect signons.sqlite in your profile to see what pieces of data are stored with the login.
I thought that for web forms it keyed off the form's submit URL, but my memory is shady on this.
[edit]
The source (nsLoginManager.js) says it only uses the form's action and the page's URL, and it uses not the action/page URL itself but (see _getPasswordOrigin) the scheme+host+port combination.
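The reduction the answer describes is easy to reproduce, and doing so makes the questioner's problem visible: anything in the path, query string or form name is discarded before the login is keyed. The block below is an added example, not the answer's code and not Firefox's nsLoginManager.js; it applies the scheme+host+port rule to the page URL and the form action, as the answer attributes to _getPasswordOrigin, and compares two pages to see whether a saved login would be shared. The host names are the ones from the question.

```ruby
require "uri"

# Reduce a URL to scheme://host:port, dropping path, query and fragment.
# URI.parse fills in the default port (80/443) when the URL omits it.
def password_origin(url)
  uri = URI.parse(url)
  "#{uri.scheme}://#{uri.host}:#{uri.port}"
end

# The pair a saved login is keyed on: the page's origin and the form's action
# origin (a relative action is resolved against the page first).
def login_key(page_url, form_action)
  [password_origin(page_url), password_origin(URI.join(page_url, form_action).to_s)]
end

# Would a login saved on page A be offered on page B?
def same_saved_login?(page_a, action_a, page_b, action_b)
  login_key(page_a, action_a) == login_key(page_b, action_b)
end

if __FILE__ == $0
  a = "https://secure.server.com/login?subdomain=subdomainA"
  b = "https://secure.server.com/login?subdomain=subdomainB"
  p login_key(a, "/login")                       # ["https://secure.server.com:443", "https://secure.server.com:443"]
  p same_saved_login?(a, "/login", b, "/login")  # true: the query string is not part of the key
  p same_saved_login?(a, "/login", a, "https://subdomainA.server.com/login")  # false: different action host
end
```

The last line points at the only levers the rule leaves: to get separate saved logins, either the page origin or the form action origin has to differ per subdomain (a different host or port), since nothing after the port contributes to the key.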
If they're actually entering data into http just to be redirected to https after login, isn't that a bad scenario? You're already sending the most sensitive piece of data unencrypted across the wire.
I believe a better solution would be to redirect them to the https site and do login there...is there something I'm missing with your setup? Do they login again on the secure site?
AFAIK the domain name (complete) is the current basis for remembering logins. It wasn't always so, though. I'm not sure about protocol or port number, but a.domain.com is different from b.domain.com and domain.com, while it is the same as a.domain.com/somewhere.