I am trying to load test my Website using jMeter.
I am getting issue with my login page. I have passed the __RequestVerificationToken value in login page by capturing it via RegEx as shown:
Field to check: Body.
Reference Name: token.
Regular Expression: <input name="__RequestVerificationToken" type="hidden" value="(.*)" />.
Template: $1$
I am still getting the same error with response as :
<title>The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.</title>
<b> Exception Details: </b>System.Web.Mvc.HttpAntiForgeryException: The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.<br><br>
More details from the Request tab in View tree results:
POST data:
__RequestVerificationToken=%24%7Btoken%7D&UserModel.UserName=pm&UserModel.Password=Abc1234D
Cookie Data:
ASP.NET_SessionId=l0cvy41ons0xv1t3e5glx2j5; __RequestVerificationToken_L0NyZWlzc1dlYg2=elGNi5_GoW2DYFM-obeXg9DHsihM26jv8HgT4IEpjngwc1gfJ4lRTboi3t-UV4L9485dM_9bdAVfRZKauTIXAZoKvNt2Q9R0yW19ZQIO17A1
Request Headers:
Connection: keep-alive
Referer: http://172.52.50.137/CreissWeb/
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Length: 91
Host: 172.52.50.137
HTTP Request:
__RequestVerificationToken ${token} false true
UserModel.UserName pm false true
UserModel.Password Abc1234D false true
Any help will be highly appreciated. !!
Your regular expression extractor does not work as you expected. The POST data clearly shows that __RequestVerificationToken=${token}.
Try to change the Regular Expression to name="__RequestVerificationToken" type="hidden" value="(.*)" & see if it helps.
If it does not work, Post the HTTP response you get.
Related
I have to perform load testing of a particular application and am using JMeter for that.
In my application, I have a unique access token which will be obtained on successful login and this token has to be passed to the consecutive requests to obtain the response.
Now I have added a recorder for my test plan and ran the HTTP test script recorder.all the browser action is recorded in the recorder of the test plan.
the structure of my test plan and workbench is as mentioned below.
**Testplan-**
*Threadgroup*
Recorder-
//inside the recorder
[Request1-login
Request2-To load the uploaded images by the corresponding user]
//Outside the recorder inside the thread group,
View Results Tree
HTTP Cache Manager
HTTP Coockie Manager
**WorkBench**
HTTP(s) Test Script Recorder
By default, there is a header manager for each request when recorded what I did was to add the extracted token obtained using json extracter of the request1 to the header manager of the request2 in the recorded script.
The token is getting passed along with the request header as shown below but the response obtained is unauthorised.
Request Headers:
Connection: keep-alive
Referer: http://localhost/
Accept-Language: en-US,en;q=0.5
Origin: http://localhost
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, */*
Authorisation:91kLM68tdMBoDFRURArvdmwYgWV9Nr2sHYDwivTM.91kLM68tdMBoDFRURArvdmwYgWV9Nr2sHYDwivTM.Arvdm_M68-BoDFRURArvdmwYgWV9Nr2sHYDwivTM
Content-Length: 0
Host: http://localhost/phpmyadmin/index.php
I have checked the same token in postman and am obtaining the correct response.
am I missing out something?Is there anything else I have to take care of before running the recorded test script?Please help
Compare exactly (Header + Body) requests :
sent by postman
vs request sent by JMeter
There must be a difference somewhere.
And in CookieManager ensure you have set Policy to "standard" if using JMeter 3.x
As per your comment:
Authorization was misspelled (Authorisation)
While trying to redirect user to a URL, it works with GET requests but not with postback requests.
Through firebug's Network window, I can see the redirect response received by browser after the postback request (that should cause redirect) completes. The browser seemingly initiates a GET request for the redirect URL but doesn't actually successfully redirect. It remains there on the same page.
I use JSF server side. The initiated GET request is not received at all by the server. However initiated by the browser on server's demand. I guess problem is somewhere client side only
Can anyone please explain how to make redirect work successfully ? Let me know incase I should provide any more information.
Edit:
Request header for redirect:
GET /Px10Application/welcome.xhtml HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://localhost:8080/Px10Application/channelPages.xhtml?channelId=-3412&type=Group
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: hb8=wq::db6a8873-f1dc-4dcc-a784-4514ee9ef83b; JSESSIONID=d40337b14ad665f4ec02f102bb41; oam.Flash.RENDERMAP.TOKEN=-1258fu7hp9
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Response header for redirect:
HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1 Java/Sun Microsystems Inc./1.6)
Server: GlassFish Server Open Source Edition 3.1
Set-Cookie: oam.Flash.RENDERMAP.TOKEN=-1258fu7hp8; Path=/Px10Application
Pragma: no-cache
Cache-Control: no-cache
Expires: -1
Content-Type: text/xml;charset=UTF-8
Content-Length: 262
Date: Wed, 22 May 2013 17:18:56 GMT
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
You're thus attempting to send a redirect on a JSF ajax request using "plain vanilla" Servlet API's HttpServletResponse#sendRedirect(). This is not right. The XMLHttpRequest does not treat a 302 response as a new window.location, but just as a new ajax request. However as you're returning a complete plain vanilla HTML page as ajax response instead of a predefined XML document with instructions which HTML parts to update, the JSF ajax engine has no clues what to do with the response of the redirected ajax request. You end up with a JS error (didn't you see it in the JS console?) and no form of visual feedback if you don't have the jsf.ajax.onError() handler configured.
In order to instruct the JSF ajax engine to change the window.location, you need to return a special XML response. If you have used ExternalContext#redirect() instead, then it would have taken place fully transparently.
externalContext.redirect(redirectURL);
However, if you're not inside JSF context, e.g. in a servlet filter or so, and thus don't have the FacesContext at hands, then you should be manually creating and returning the special XML response.
if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
response.setContentType("text/xml");
response.getWriter()
.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
.printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", redirectURL);
} else {
response.sendRedirect(redirectURL);
}
If you happen to use JSF utility library OmniFaces, then you can also use Servlets#facesRedirect() for the job:
Servlets.facesRedirect(request, response, redirectURL);
See also:
Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same
JSF Filter not redirecting After Initial Redirect
I'm calling a server site on our internal server. This domain looks like this:
http://server.domain:12345/x.html
Now, with IE this works just fine, I'm getting the data. (My problem there is that IE caches the website after the first call forever, but never mind).
Now, if I'm trying to do exactly the same in Firefox, it won't work, the same in Google Chrome.
Firebug says this:
Answer-Header
Connection Keep-Alive
Content-Length 109
Content-Type text/html; charset=UTF-8
Keep-Alive timeout=5000
Server AbWeb Version SRSG 1.34
Set-Cookie sessionkey=80da7dfe-1c9c-4460-9592-3ce55cecb379
Request-Header
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding gzip, deflate
Accept-Language de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Connection keep-alive
Host server.domain:12345
Origin http://otherserver.domain
Referer http://otherserver.domain/test/
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Chrome says this:
X XMLHttpRequest cannot load http://server.domain:12345/x.html. Origin http://otherservere.domain is not allowed by Access-Control-Allow-Origin.
server.domain:12345/x.html
X Failed to load resource
It seems you perform cross-domain JavaScript calls. The target server must set the Access-Control-Allow-Origin HTTP header. In your case the server http://server.domain must set a header like:
Access-Control-Allow-Origin: http://otherserver.domain
I do not know why it works for IE, it may have to do with your security domains as your just working in the intranet.
See another example:
Jquery form doesn't show submission message on web server but it shows submission message on local host
Say, there's a URL, http://www.example.com/#hello.
Will the #hello thing be sent to the web server or not, according to standards?
How do modern browsers act?
The answer to this question is similar to the answers for Retrieving anchor link in URL for ASP.NET.
Basically, according to the standard at RFC 1808 - Relative Uniform Resource Locators (see Section 2.4.1), it says:
"Note that the fragment identifier is not considered part of the URL."
As stephbu pointed out, "the anchor tag is never sent as part of the HTTP request by any browser. It is only interpreted locally within the browser".
The hash variables aren't sent to the web server at all.
For instance, a request to http://www.whatismyip.org/#test from Firefox sends the follow HTTP request packet
GET / HTTP/1.1
Host: www.whatismyip.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cache-Control: max-age=0
You'll notice the # is nowhere to be found.
Pages you see using # as a form of navigation are doing so through javascript.
This parameter is accessible though the window.location.hash variable
The anchor part (after the #) is not sent to any $_SERVER variables in PHP. I don't know if there is a way of retrieving that piece of info from the URL or not (as far as I know, it's not possible). It's supposed to be used by the browser only to find a location in the page, which is why the page does not reload if you click on an anchor like so: hello
I have a virtual directory on IIS 5.1 with two aspx pages. Access to Page1 configured as "Integrated Windows Authentication" option turned on and anonymous access is disabled. Page2 available through anonymous access. On client side there is XmlHttpRequest object that can send requests that contains POST data to this pages.
At first I try to send request to Page1. Standard Windows Authentication dialog appears, I entering my credentials and Page1 succesfully receiving POST data.
After that I try to make the same POST request to Page2 that can be accessed anonymously. And in this case Request has header Content-Length=0, and no any data has been sended.
If to repeat request to Page1 - it successfully receiving POST data. The same code is working good in Firefox 3.5. Page2 can receive data even after sending request to Windows Authentication required Page1. What can be wrong? And maybe it is any workaround for this problem?
Thanks!
Sending data:
function sendRequest() {
var url = "http://tom/AuthTest/Default.aspx";
var data = "data";
reqSend(url, data);
}
function sendRequestToWinAuth() {
var url = "http://tom/AuthTest/DefaultWA.aspx";
var data = "newdata";
reqSend(url, data);
}
function reqSend(url, data) {
var xmlhttp = createRequestObject();
if (!xmlhttp) {
alert("Cannot create XMLHttpRequest object.");
return;
}
try {
xmlhttp.open("POST", url, false);
xmlhttp.send(data);
}
catch (ex) {
alert("Error: " + ex.message);
}
}
Request to Page1:
POST /AuthTest/DefaultWA.aspx HTTP/1.1
Accept: */*
Referer: http://tom/AuthTest/client/testauth.html
Accept-Language: ru
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: tom
Content-Length: 7
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: innovator_user=admin
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAF4AAAAYABgAdgAAAAoACgBIAAAABgAGAFIAAAAGAAYAWAAAAAAAAACOAAAABYKIogUBKAoAAAAPcwBjAGEAbgBkAHQAbwBtAFQATwBNAGUdQIkWMQ6PAAAAAAAAAAAAAAAAAAAAAAo3goJdI7RH9poJwnjypksH2F2pIzbEOQ==
newdata
Request to Page2:
POST /AuthTest/Default.aspx HTTP/1.1
Accept: */*
Referer: http://tom/AuthTest/client/testauth.html
Accept-Language: ru
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: tom
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: innovator_user=admin
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
Content-Length: 0
Seems i have found a way to keep pages requiring windows authentication and pages allowing anonymous access on one site.
There 2 ways to do it:
This behavior (bug) is only reproducing when using NTLM authentication. So to avoid it, we can setup a Kerberos authentication mode on IIS site. Here is a good detailed FAQ about IIS and Kerberos: http://www.adopenstatic.com/faq/
To tell a thruth I have tried to follow the first way, but really my IIS doesn't want to use Kerberos anyway. On other hand I try to check this situation on another machine - and was surprised - Kerberos authentication was used there by default. I have tried to found any difference in configurations - but not successfull. So there is the second way:
Using Windows Authentication mode on a directory or file in a separate directory. For example we have some structure like:
../Default.aspx
../auth/DefaultWinAuth.aspx
../auth/DefaultWinAuth2.aspx
We can set IWA (Integrated Windows Authentication) mode on 'auth' directory or DefaultWinAuth page. After that all files and subdirectories that are included in this folder or situated on the same level as 'DefaultWinAuth.aspx' page will not be able to receive POST data. But all other files and directories outside directory 'auth' will work fine.
I've had this exact problem, apparently its by design in IE, check out this link:
http://www.websina.com/bugzero/kb/browser-ie.html
Basically IE won't send POST data to an unauthenticated URL/page if you are currently on an authenticated URL/page. I didn't find a work-around, I had to do something else, but let me know if you do figure out a way. Cheers