All,
I have a webtest for Web Performance testing, which does login prior to running other web requests in Visual Studio 2010 Ultimate.
The login system uses STS and Windows Identity Framework to login users. For a normal login, ie not in my webtest, there is no issue with logging in.
When I run my webtest, I get the following
ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '2/6/2012 10:52:06 PM'
Current time: '2/6/2012 11:16:01 PM'
I have used Fiddler to look at the requests and responses, but there seems to be little difference, except that I do not get the FED cookies on the webtest, but rather the error mentioned above.
What am I missing?
NOTE: the STS website is in a different timezone than the requesting webserver.
Looks like one of the fields in the request is hard coded rather than taking a value from previous http requests. I.e. the login post/response is bringing back a timecode which is ignored in favor of the time your webtest was recorded.
Related
I am trying to automate testing of a web application.
I have recorded the test using JMeter proxy template (JMeter version is 3.2) and couple of times when I ran the test in the JMeter it ran properly but after sometime only some part runs properly.
Following are the steps I am doing:
Hitting the URL
Logging into the application
changing some feature in the application
and so on.
All the steps ran perfectly first few times but then after that only till login everything runs properly.
Just to be sure I tried passing the jsessionid from the first request to the next requests using the Regular "Expression Extractor". I can see in the View Results Tree that jsessionid is passed properly but next page after the step two still takes me into the login screen.
Any help will be very much appreciated.
I have attached screenshot for better understanding:
The response header of logged in page includes a sessionid which is used by another request while logging in.
All the sessionID are properly maintained still after logging in the next page takes me to the login page instead displaying what was done next in the recording.
When it comes to load testing of JSF-based web applications you need to take care at least of the following dynamic parameters:
JSESSIONID
javax.faces.Viewstate
JSESSIONID is a normal HTTP cookie so it is quite enough to add a HTTP Cookie Manager to deal with it
javax.faces.Viewstate is client state management mechanism which also acts as a security token to verify user's origin. So you will need to properly correlate it, i.e. extract from previous response using one of JMeter PostProcessors, store into a JMeter Variable and add as a parameter to the next request. Remember to do this for each and every request.
There might be more application specific dynamic parameters, the easiest way of detecting them is recording the same request (or scenario) 2 times, compare the recorded scripts, detect and work around the differences.
In my script, I'm using a JSESSIONID instead of a cookie; the JSESSIONID is extracted using a HTTP URL Re-writing Modifier and I can confirm that the correct value (the one which appears in the response data from the login page) is being applied in the Request.
e.g. POST https://qa67.ososinfo.org:446/Staff/staffdetail.xhtml;JSESSIONID=0655ca5420354753ae413984d34cfc27
I'm also using a VIEWSTATE, which I'm extracting prior to running the remainder of the test steps by using a Regular Expression Extractor and setting the resulting variable as a parameter in the HTTP Request,
e.g. javax.faces.ViewState=8d2%2BgOIseczB2FWSo74DqQfkmiYVaK73D8bnLTNWCx%2FB8EtE
The problem is that I'm hitting a Response code: 500 | Response message: Internal Server Error every time I attempt a post with all of the applicable data.
I tried running through the steps manually in a Firefox browser. I copied the contents of the Request tab from the failing page into a REST client, logged in using a separate tab of the same browser and grabbed the appropriate JSESSIONID and VIEWSTATE information, then posted with that info in place - and the manual post was successful.
Am I missing something? Is JMeter requiring something to accomplish this POST that a I'm not seeing in a manual attempt? Please note that I can verify the test is working through the point of login - I can manually see the jmeter user logged in from an admin screen.
Happy to share any/all of what I'm seeing if it might be helpful in helping to troubleshoot.
Query mainly due to trying to do this using Selenium but I see exactly the same behaviour if I repeat manually so I guess it's a general Chrome question.
So what I'm trying to do is use Chrome with some Selenium tests. Tests happen on a remote machine running 64 bit Ubuntu Linux (running Selenium Server) and are driven from my machine running 64 bit W7 Pro. Scripting is done in Python. Chrome is up to date, Selenium Server is up to date, as is Chromedriver.
The site I'm working on (still in development) uses a lot of AJAX/jQuery calls. It uses basic authentication to log you in.
Using Chrome, if I pass in the login credentials in the URL (as you have to with Selenium it seems) it gets me onto the site OK. Page navigation works OK. But AJAX requests fail as the basic authentication credentials are not added to the header for the request. If I log in via standard URL (manually enter ID + PW) the AJAX requests work OK. I see the same behaviour on Linux and Windows if I try it manually. Using FireFox, it all works OK - the AJAX requests have the authentication header as they're supposed to, regardless how you authenticate. Credentials are carried through correctly throughout. I've checked all the requests using Fiddler and can see the missing header for the Chrome AJAX request when passing in the credentials via the URL.
I did try and use the popup login box instead, but that appears to be a non-starter. Selenium hangs on the initial GET, and until you clear the popup, control is not passed back to the script. So I have no way of sending keys to it. I also tried navigating by using window.location.href = "url" directly, instead of the selenium "get". No luck that way either. And finally, if I reduce the page load timeout, wait for it to fail, and then try and pick up the popup, that doesn't work either. When it times out, the popup is removed.
At this point. I've just about given up. I can't use user profiles as it's a daily changing password (work thing) so theres no point in storing it.
I'm not the developer. I don't know JavaScript terribly well. I've spoken to the lead dev and their response is that this is a Chrome bug and nothing they can fix.
Does anyone concur? Or have a way round this. I'm snookered at the moment because of it ...
If you are facing Basic authentication issues, try authenticateUsing() method.
The Alert Method, authenticateUsing() lets you skip the Http Basic Authentication box.
WebDriverWait wait = new WebDriverWait(driver, 10);
Alert alert = wait.until(ExpectedConditions.alertIsPresent());
alert.authenticateUsing(new UserAndPassword("USERNAME", "PASSWORD"));
PS: Change the syntax for Python bindings
First I'm not in the web side of our world, so be nice with the backend guy.
A quick background : For a personal need I've developped a google chrome extension. They are basically a webpage loaded in a chrome windows and... yeah that's it. Everything is on the client side (scripts, styles, images, etc...) Only the data are coming from a server through ajax calls. A cron job call a php script every hours to generate two files. One, data.json contains the "latest" datas in a json format. Another one hash.json contain the hash of the data. The client chrome application use local storage. If the remote hash differ from the local one, he simply retrieve the data file from the remote server.
As I have a BizSpark account with Azure my first idea was : Azure Web Site with php for the script, a simple homepage and the generated file and the Azure Scheduler for the jobs.
I've developed everything locally and everything is running fine... but once on the azure plateform I get this error
XMLHttpRequest cannot load http://tso-mc-ws.azurewebsites.net/Core/hash.json. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:23415' is therefore not allowed access.
But what I really can't understand is that I'm able (and you'll be too) to get the file with my browser... So I just don't get it... I've also tried based on some post I've found on SO and other site to manipulate the config, add extra headers, nothing seems to be working...
Any idea ?
But what I really can't understand is that I'm able (and you'll be
too) to get the file with my browser... So I just don't get it
So when you type in http://tso-mc-ws.azurewebsites.net/Core/hash.json in your browser's address bar, it is not a cross-domain request. However when you make an AJAX request from an application which is running in a different domain (http://localhost:23415 in your case), that's a cross-domain request and because CORS is not enabled on your website, you get the error.
As far as enabling CORS is concerned, please take a look at this thread: HTTP OPTIONS request on Azure Websites fails due to CORS. I've never worked with PHP/Azure Websites so I may be wrong with this link but hopefully it should point you in the right direction.
Ok, will perhap's be little troll answer but not my point (I'm .net consultant so... nothing against MS).
I pick a linux azure virtual machine, installed apache and php, configure apache, set some rights and define the header for the CROS and configure a cron in +/- 30minutes... As my goal is to get it running the problem is solved, it's running.
I’ve got a situation with a large internal corporate web based application running ASP.NET 3.5 on IIS6 generating 401 “Unauthorised” responses followed by 200 “Ok” responses (as profiled by Fiddler). I’m aware of why this happening (integrated auth forcing the browser to resend credentials) but I’m looking for some thoughts on how to minimise or eradicate the situation. The application in question is running in the WAN with some users experiencing latency of up to 250ms so forcing a subsequent request can have a noticeable impact on page load time, particularly when there are a number of cascading drop down lists on the pages making.
The users of the application are internal within a managed desktop environment so mechanisms to force the browser to send credentials on the first request (is this even possible?) could be possible from a deployment perspective. This would work for pages requiring the user’s identity but for resources not requiring authentication (WebResource.axd, ScriptResource.axd and some custom web services), allowing anonymous auth would be possible. I’ve looked at defining this on a per location basis in the web.config but the results were mixed (still a number of 401 responses).
I’d appreciate any guidance on a “best practice” for dealing with this situation. There are a lot of resources out there identifying the problem but none that I’ve found providing a feasible solution.
Thanks!
Edit: Resources not requiring authentication (i.e. web services used for cascading drop down lists) can be requested anonymously through adding a location entry to the web config but I'm yet to find an answer for authenticated resources.
Unfortunately this is an artifact of the HTTP NTLM authentication scheme.
In short, the browser (Internet Explorer or otherwise) doesn't know that it needs to authenticate at all until it gets bounced with a 401 response containing a WWW-Authenticate response header.
In the case of WWW-Authenticate: NTLM -- annoyingly enough -- it requires two 401 responses on a single persistent connection to complete, and this process must be repeated once the HTTP persistent connection is closed. So even if you were able to get the browser to initiate a request blindly attempting NTLM, at least one 401 response cannot be removed from the transaction.
I think your best bet would be to maximize the amount of time that persistent connections are left open when idle.
CSCRIPT.EXE c:\inetpub\adminscripts\ADSUTIL.VBS SET W3SVC/AuthPersistSingleRequest FALSE
Will reduce the amount of 401's significantly.
I believe you can convince Firefox to automatically send NTLM credentials to a whitelisted set of domains via "about:config" settings - use the "network.automatic-ntlm-auth.trusted-uris" setting. I haven't tried this myself though. I'm not sure there's any equivalent for Internet Explorer.
Unfortunately if you're using something else like Kerberos there does not seem to be a way to avoid the 401.
You may need to consider Forms Authentication if the 401-induced latency is too long. The users would have to explicitly log in, but just once. Then you could use a cookie or cookieless scheme and get a response on the first try.
I imagine that page load would be slow if you have cascading drop-downs and your initial page load populates one value that causes a POST to get the next list, set that value, another POST to get the next list again, and so on. If this is the situation, perhaps you need to populate all those drop-downs on the first round-trip rather than waiting for POST responses.
TL;DR I put HTTP header information in HTTP body
My example is in Angular, but any TypeScript/JavaScript (framework) might have the same issue.
When doing a HTTP post call to my backend API, which requires headers with the logged in user information, I added my HTTP headers where my HTTP body should be and the headers were empty.
PROBLEM
markInstructionAsCompleted(visitScheduleId: string, instructionId: number) {
return this.http.post(`${environment.apiUrl}/VisitInstructions/schedule/${visitScheduleId}/done/${instructionId}`, this.getHeaderWithAuthorization());
}
SOLUTION, notice that there's an added second argument to the HTTP post call, which is null
markInstructionAsCompleted(visitScheduleId: string, instructionId: number) {
return this.http.post(`${environment.apiUrl}/VisitInstructions/schedule/${visitScheduleId}/done/${instructionId}`, null, this.getHeaderWithAuthorization());
}