I have a multi-tenant application that may run arbitrary workflows as needed.
I plan on using the workflow designer to create these workflows, but even if I limit the Activities in the Toolbox, that doesn't prevent a malicious user from editing his own XAML file, doing activities I'd rather them not (specifically calling out to the .NET framework)
For a given workflow, how do I verify that the only actions being used are those I approve of? Is an XPath query the only way, or is there a feature within WF that will validate this?
If you need a visual introduction to what I'm looking for here is a sample project and video referring to it.
I'd just load the workflows in a sandboxed AppDomain. You can Use the GetStandardSandbox static method of the SecurityManager to set this up relatively easily (and safely).
Of course, I haven't actually done this yet, but I'm definitely thinking about adding some of this to my current WF code (which does use AppDomains to isolate execution of workflows from my application).
All you can do is load the XAML as XML and check what is in there. And make sure to check any VB expression entered as users can put interesting things in there as well.
I am using Watir and i have to put the value in a textfield from a captcha(image generated are different each time). So what should i do in this
Wikipedia says for CAPTCHA:
A CAPTCHA ( /ˈkæptʃə/) is a type of challenge-response test used in
computing as an attempt to ensure that the response is generated by a
person
So, the purpose of CAPTCHA is to prevent automation.
If you are the part of the team that is developing the application (and not just trying to automate random web site), ask a developer what is the easiest way to automate that page. There are several solutions, from removing CAPTCHA in testing environment, to providing CAPTCHA value somewhere at the page (also only in testing environment)...
i m doing selenium testing against an gwt wizard application, as a wizard, there are multiple steps, once user finish one step and click next, it transfer to next step, as gwt application, all steps are refreshed in the same page.
now i need to use selenium RC (java client) to write test against that gwt wizard and have 2 questions:
1. each time i start the wizard it require user login first, how can i avoid that login step to test the wizard directly?
2. since all steps are hold on the same page, how can i separate the test, say one test method for each step, without put the test in one big method?
Thanks.
I would suggest using Selenium2/Webdriver. Selenium 2 has the concept of page objects which allow you to create test objects which map to different pages within your app. I assume that you are enabling ensureDebugId in your gwt app (which allows you to access elements based on a predictable dom id). The combination of debugIds and selenium2 will allow you to quickly create a clean test representation of your pages and then allow your unit tests to simply drive the pages to where you need. The last bit of advice I would give for selenium2 and gwt is make sure that your page objects are created via AjaxElementLocatorFactory.
When I make HTTP Request in JMeter I get Response data like "This page uses JavaScript and requires a JavaScript enabled browser." How is it possible to fix this problem.
JMeter is not a browser, and does not interpret the JavaScript in downloaded pages.
From the JMeter wiki:
JMeter does not process Javascript or applets embedded in HTML pages.
JMeter can download the relevant resources (some embedded resources
are downloaded automatically if the correct options are set), but it
does not process the HTML and execute any Javascript functions.
If the page uses Javascript to build up a URL or submit a form, you
can use the Proxy Recording facility to create the necessary sampler.
If this is not possible, then manual inspection of the code may be
needed to determine what the Javascript is doing.
Depending on what you are doing, you could create an execution test using Selenium IDE for Firefox. The test will run in your browser so the JavaScript will also run. Note though that I never used Selenium as a substitute for JMeter and don't know about common features to both the tools.
I suppose you can use the WebDriver plugin to run real browser tests (IE/Firefox/Chrome/Selenium).
There is good documentation here
You can add WebDriver to JMeter test to fully evaluate the page rendering.
Web Driver Sampler automates the execution and collection of
Performance metrics on the Browser (client-side). A large part of
performance testing, up to this point, has been on the server side of
things. However, with the advancement of technology, HTML5, JS and CSS
improvements, more and more logic and behaviour have been pushed down
to the client. This adds to the overall perceived performance of
website/webapp, but this metric is not available in JMeter. Things
that add to the overall browser execution time may include:
Client-side Javascript execution - eg. AJAX, JS templates
CSS transforms - eg. 3D matrix transforms, animations
3rd party plugins - eg. Facebook like, Double click ads, site analytics, etc
All these things add to the overall browser execution time, and this
project aims to measure the time it takes to complete rendering all
this content.
Official guide: https://jmeter-plugins.org/wiki/WebDriverTutorial/
You need to add HTTP Cookie/Cache Manager to your thread in order to solve this.
There seems to be a lot of stress/load testing tool that support AJAX.
I am wondering how well does these tool implemented.
Do they only record http request and replay it?
Is it the right way to test AJAX app?
How does google test their ajax apps?
Most of the load testing tools out there do AJAX load testing the same way: they execute the raw HTTP traffic that is seen during a "recording" phase (which can be page requests, image requests, or even AJAX requests). The main difference among them is how good their recorder/IDE tool is and how easily it helps you parameterize the HTTP requests such that they reflect real world traffic based on dynamic/realtime results.
Warning, blatant plug: The only real exception to this is my company, BrowserMob. Instead of simulating the traffic observed, it actually uses real web browsers to drive back load. As such, the AJAX stuff is handled by the browser.
Useful link: Separate from the blatant plug above (though I do hope you check it out - we're up front with the pricing and provide a free trial), I recently wrote an article for Ajaxian about AJAX load testing. It goes in to more detail about the technical implications of using real browser users (RBUs) vs. virtual users (VUs).
Take a look at LoadBooster(https://www.loadbooster.com). It utilizes headless scriptable browser PhantomJS/CasperJs to test web sites. Phantomjs will parse and render every page, execute the client-side script. The headless browser approach is easier to write test scenarios to support complex AJAX heavy Web 2.0 app,browser navigation, mouse click and keystrokes into the browser or wait until an element exists in DOM. LoadBooster support selenium HTML script too.
Disclaimer: I work for LoadBooster.
If you are worried about functionality only, something like Watin, Watir, Selenium or any functional tool for that matter would work. As long as you put sufficient timing in your functional tests to allow for ajax callbacks then that should do the trick.
To add to my response,
If you are talking about unit testing your javascript you could use something like qunit as described by a fellow LosTechian in this posting. This is a pretty inventive use of an nunit addin and qunit for integrating js unit tests.
By pure coincidence, the same person that posted that qunit testing blog post just posted one yesterday about this very topic
Google apps are written in GWT, which comes with its own extension to JUnit. Article on unit testing ajax applications with GWT.
If you don't want to setup your own load testing server there are a couple of free online load testing services that can run load tests directly over the Internet. For example http://loadimpact.com or http://loadstorm.com
I've used Virtual User Generator, which is a part of the Loadrunner software from HP, to test AJAX applications. The software has several application protocols that can be used to record web applications, e.g. AJAX, and Click and Script.
For the majority of web application load testing it is sufficient to record and replay http requests. This will give the result of how the servers are handling the load. If your web application does a lot of asynchronous loading, and rendering on the client side, e.g. parsing large datasets of xml or json, or many DOM modifications, it can be relevant to include the browser tier to measure the end user experience.
All load testers would support AJAX- they're just additional http connections.
There are a few free ones out there- Jmeter, BadBoy, Grinder that all do it well.
All of them have some sort of support for recording/playback, but that's not always what you're looking for.
Easiest way I've done it is to record a sample session, replace a few params with variables and loop it off of a csv or excel file.
Great starting point: video of a google presentation on open source testing.
Edit: updated video link.
I've used SilkPerformer at a previous job. According to the link, they have some AJAX enhancements. Unfortunately, Silk is far from free.
Check out Jiffy. It's an end-to-end measurement suite, and is subsequently kind of complex. However, the statistics are quite impressive.
Siege? it can do HTTP testing and pass whatever you want.
You can also have a look at fwptt it is open source. If you are a .net developer you can make use of the parameter automatic handling and the possibility to use your own .net object for doing the tests.
I've successfully used JMeter to load test our Ajax (JSF/RichFaces) application. I didn't bother with JMeter's recording tool - rather I used the HttpFox plugin for Firefox to monitor what the browser is POST-ing to the server and I recreated this in JMeter.
It did get a bit complex, but the load test is now fairly robust. JMeter has all kinds of useful 'elements' to extract ID's from a web page, perform conditional logic, increment counters etc.
Better write isolated test method or API for load testing ajax application. There are some reasons:
It's not so easy to write functional tests to Ajax applications, for example for GWT.
You can use Jmeter WebDriver plugin, but for each run it starts browser which will use most of RAM and CPU.
You will load backend not frontend, so you can avoid ajax.
You can devide your testing like that: for Ajax application use Selenium or PhantomJS/CasperJS. For load testing use JMeter, Gatling via API not via Ajax.
My choice is firebug(browser addon). its very lightweight and easy to handle