JMeter multiple users/sessions not working - cookies

I'm using JMeter to do load tests in SAP CRM Web client and I'm having a problem with sessions. The goal of this test plan is to run multiple operations in parallel. I'm using the same user to create multiple sessions, but when I ran the test with 10 threads (users), I can see in the response that only the first session is running correctly and the other 9 are either not doing anything or assuming/merging with the first session when presenting the results.
I used Cookie manager to store cookies automatically and I had to add to JMeter user.properties:
CookieManager.save.cookies=true
CookieManager.check.cookies=false
SAP CRM uses:
XSRF-TOKEN;
sap-contextid;
app-contextid;
sessionid;
MYSAPSSO2;
esid;
crm-icsessionsyncid;
crm-icesid;
session_access_token;
To log in I'm using a basic auth token (name: Authorization).
I have already looked through all the requests and identified all the dynamic parameters and tokens that are or can be directly linked to keeping the session open, except for one token that I cannot understand how it is generated.
We used the HTTP script recorder, so the paths are automatically filled; furthermore, the path is filled with a token, making it a hardcoded token, and it appears multiple times. Being a hardcoded token, I can't extract it. It seems to be a mix of multiple tokens that I referred to above:
/sap(bD1QVCZjPTEwMCZpPTEmZT1SNVpsejRYOEJGOXpzUm5zT2ExSlZRJTNkJTNkQUZCV3RfWkdIdHFOMjN5eXBSaG5aUSUzZCUzZA==)/bc/bsp/XX/XXXXXX_XX_XXXXX/XXXXX.htm
This token changes if I record a new script, but I cannot understand how I can extract this token and print it in the other URL requests.
Is there any solution for this session problem?

Regular Expression Extractor can be used for extracting a dynamic ID from the URL.
Please see a sample below.
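As an added illustration (not part of the original answer), here is the extraction the answer describes, sketched in Python against the recorded path from the question. The function names are hypothetical, the sample response is constructed, and the regular expression is the kind of pattern one would put in a Regular Expression Extractor.

```python
import base64
import re
from urllib.parse import parse_qsl

# Token copied from the recorded path in the question (split only for line length).
RECORDED_TOKEN = (
    "bD1QVCZjPTEwMCZpPTEmZT1SNVpsejRYOEJGOXpzUm5zT2ExSlZRJTNkJTNk"
    "QUZCV3RfWkdIdHFOMjN5eXBSaG5aUSUzZCUzZA=="
)
RECORDED_PATH = "/sap(%s)/bc/bsp/XX/XXXXXX_XX_XXXXX/XXXXX.htm" % RECORDED_TOKEN

# Constructed sample: a login response that embeds a session-specific path.
SAMPLE_RESPONSE = '<form method="post" action="%s">' % RECORDED_PATH

# Capture group 1 is what a Regular Expression Extractor would store ($1$).
SAP_SEGMENT = re.compile(r"/sap\(([A-Za-z0-9+/=]+)\)/")


def extract_token(body):
    """Return the value between 'sap(' and ')' or None if the body has none."""
    match = SAP_SEGMENT.search(body)
    return match.group(1) if match else None


def decode_token(token):
    """Base64-decode the segment and split its key=value pairs."""
    text = base64.b64decode(token, validate=True).decode("ascii")
    return dict(parse_qsl(text, keep_blank_values=True))


def rewrite_path(recorded_path, live_token):
    """Swap the recorded segment for the one extracted in this thread."""
    return SAP_SEGMENT.sub(lambda _: "/sap(%s)/" % live_token, recorded_path, count=1)


if __name__ == "__main__":
    token = extract_token(SAMPLE_RESPONSE)
    print(decode_token(token))
    print(rewrite_path(RECORDED_PATH, "TElWRQ=="))
```

The decoded segment is a set of `key=value` pairs whose meaning the page does not state; because the value changes per recording, each thread has to take it from its own response rather than replay the recorded one.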

Related

How to get my own Google API access token without using "Log in with Google"?

On my site, I want to be able to retrieve whether my own YouTube account goes live. After looking around, I found this endpoint:
GET https://www.googleapis.com/youtube/v3/liveBroadcasts,
that would help me do just that. However, the main problem I found is that it requires an OAuth2 token, and the only way I could find to generate one was going through the whole Login with Google approach.
My main problem is that I want anyone who visits my site, to be able to see whether I'm live or not. I'm not looking for workarounds or using web crawlers either - I want to be able to use this specific endpoint. Is that even possible?
In other words, is it possible to get my own access token manually, and just plug that into the API request to access the endpoint directly? Or is this just impossible?
The first thing to know about the YouTube Data API is the following: to issue authorized requests to it, one cannot alleviate authentication through the browser.
You may read the doc OAuth 2.0 Flow: Installed apps for thorough info about the authorization flow on standalone computers.
The doc specifies step 4 -- Handle response from Google -- and step 5 -- Exchange authorization code for refresh and access tokens. By the initial OAuth flow, you get two tokens: a short-lived access token and a refresh token that produces access tokens on demand. Authentication without browser is not possible, but once having a refresh token, it can be traded programmatically for access tokens:
(1) Initialization: obtain via browser authentication a refresh token;
(2) Iterations: as many times as needed, query the API for an access token -- without any browser interaction! -- using the refresh token from (1), then proceed further with the call to the target API endpoint (again, without any browser interaction).
Note that the steps (1) and (2) may well be separated such that (1) is executed by a standalone (local) computer that stores the refresh token into a file; later, upon a secure transfer of that file on a different remote computer (e.g. a server that does not have a browser installed), execute (2) on that remote computer, repeatedly as needed (see Using OAuth 2.0 for server-side, standalone scripts).
Sounds right:
complete the flow (once) with your own Google account,
cache the token server-side, and
include the API’s response when serving your page.
Pitfalls:
How long are OAuth tokens valid for? (The API will start returning errors if this occurs)
How often will the page be generated vs. what rate-limits does the API have? (You may have to request status at most once per few minutes, and cache the response.)

How to restrict access to Chatting service only to registered websites

I am making a chatting service (something like Zendesk) and a website must be registered in order to use the service. There will be a frame which the website owner places in the .html file and the rest is up to me.
Problem
Anyone can start using the service right now (by reading the requests and copying them in Postman). I want a method to restrict access only to those websites that have registered to use the service when the session is started or by the messages sent from that session.
Failed solutions (to give an idea of what I am trying to do)
A stupid idea was to read and send the website URL with JavaScript and check if it exists in the database, but that can easily be forged.
I also tried generating unique tokens for each registered website, but the token is something that must be sent with the request for validation, and since it is something that the public can see (the token is placed with the frame), that token is indeed meaningless. (Maybe I don't understand how tokens work.)
At this point, it seems like this is inevitable. Any ideas?
(The back-end is written in Django 3.1 and my database tables look like this, if it helps - ignore the details, it's just an overview.)

why cookies are removed when retrieving embedded resources in JMETER

I'm new to JMeter so forgive me if I'm asking the obvious. I am writing a performance test for a site protected by user password, where the authentication is passed as a token in the cookies.
I am able to extract the token and add it to the pages themselves, but when using "retrieve embedded resources" it seems like the cookies are being cleared. I have a single cookie manager at the top of the thread group and the token itself is being added by a beanshell postprocessor.
Any ideas?
Gil.
I have never heard about cookie removal from the "embedded resources" request; looking into the View Results Tree listener, the cookies are present on a fresh JMeter 3.0 installation.
If HTTP Cookie Manager is disabled or removed, I don't see this "Cookie Data".
So my expectation is that you either misconfigured something or made a mistake in your Beanshell script.
By the way, you can "tell" JMeter to store cookies as JMeter Variables by adding CookieManager.save.cookies=true line to user.properties file. See Using the HTTP Cookie Manager in JMeter article for more detailed information.

ZF2 with Doctrine issue of zend session not available?

I have more than 3 sites that have their own domains and use the same database,
so site switching with the current session is not possible?
How is it possible for Gmail, YouTube and Google+?
If there would be sub domains (abc.main.com), then site switching is possible with current session.
In the examples you use authentication is handled externally, which (like @foozy already said) is also known as single sign-on (SSO). So they don't use a session variable, but some kind of Authentication token (often in the headers stored at the wrongly named and because of that a bit confusing "Authorization" tag; it should have been "Authentication" tag).
The same token is used for authentication at different hosts/applications, they validate the token at the service that supplied the Authentication token. If validation succeeds the authentication is successful.
Read more on the topic here
To get to your question: in sub-domains it would indeed be possible to share the session. If you have troubles getting that going there is a lot of information available on Stack-Overflow on the topic like for example here

How to get access to google analytics data API using Pentaho PDI (Kettle version 4.2.1)

When I use the Google Analytics Input Step, all I have to enter is my account username and password for the Authorization. From there, the step looks up the Domain Table ID for me. So by just giving this step my username and password, choosing the id and the metrics, I am able to retrieve all of the information I need--no other authorization required.
However, I am trying to recreate this by using the HTTP Client Lookup step (with a Generate Rows step before it). I gave it the following URL, as described by http://code.google.com/apis/analytics/docs/gdata/v3/reference.html:
https://www.googleapis.com/analytics/v3/data/ga?ids=ga:{*My Domain Table ID*}&start-date=2010-08-01&end-date=2012-04-01&metrics=ga:newVisits
and filled in the Http Login and Http Password fields with my username and password (exactly same as in Google Analytics Input step), respectively. However, when I preview the results of this HTTP Client step, the transformation returns an error that says that Login is required.
I have also tried this with the REST Client Lookup Step (with a Generate Rows step before it). I chose the GET HTTP method, the JSON application type, and filled in my HTTP Login and password for authentication. When I try to run this, it does not return an error, but in the result field of the preview output it says "Invalid Credentials."
What is the Google Analytics Input Step doing differently from the HTTP Client Lookup and REST Client Lookup steps? And how do I access the same information using those lookup steps?
I want to be able to access API's from other web sites as well, not just from Google Analytics, so it is important for me to be able to do this for any API.
Any help appreciated!
I have made a request to Google Analytics using the HTTP client step, and it works perfectly.
First, you need a token from Google Analytics:
https://www.google.com/accounts/ClientLogin?accountType=GOOGLE&Email=xxxxxxx@gmail.com&Passwd=xxxxxxx&service=analytics
This token is a long string.
The token goes to the HTTP client step as an HTTP header. The parameter must be called:
Authorization = token
Other parameters:
GData-Version=3.
After that, you add the request parameters (ids, start-date, end-date, metrics, filter, segment).
You also have to add the key to your profile id, as the last parameter.
This request returns XML. Use the XML parser step to get the metrics value.
Which Kettle version are you using? As far as I know there are some changes in the Google API.
Read this bug report:
http://jira.pentaho.com/browse/PDI-7942