Performance testing through JMeter for Oauth0 login - regex

I am new to performance testing, doing it through JMeter for my application.
I have recorded the script through BlazeMeter and am running it in JMeter, but it is failing at the authentication step. My application uses OAuth0 to manage authentication.
How can I do performance testing on such an application? Will the Regex Extractor help in my case?
Can anyone please help me out? Thanks in advance.

This is not something you can record and replay; you need to create the signature. The exact steps will differ depending on your server implementation, as there could be different algorithms in scope.
You need to obtain the documentation or contact the application developers with regard to how to properly create the signature.
If you're lucky enough, you can use an OAuth Java client library for your OAuth provider from JSR223 Test Elements in order to sign the request.
Check out the How to Run Performance Tests on OAuth Secured Apps with JMeter article for more details on how to bypass the OAuth login challenge in JMeter tests.

Related

How do I authenticate through a generic OAuth2 provider in Rails 4?

We have an in-house Single Sign On server, built on IdentityServer2 and we use it to authenticate many different web products. Some of these products are in .NET, some in ColdFusion and we are adding another in Ruby on Rails.
I am having a great deal of difficulty, though, in finding information on connecting to any generic OAuth2 provider. All of the information seems to revolve around Omniauth and the specific provider gems that most people connect to. These, however, will not help me.
I just need someone to point me in the right direction. I don't care if it's using Omniauth, Rack or anything else. I just need something that will provide some sort of instructions on how to get this working in Rails.
Thanks in advance for your help.
There really isn't a generic way to do this as it all depends on the SSO server setup. I ended up just building the auth string according to what the server was asking for and then using the JWT token to process the token it gave back.
The only thing I can say is that if you run into this issue, either check with the folks managing the SSO server to see what the request URL should contain or check the documentation of the SSO software if you are doing it yourself.
You can use the doorkeeper gem, which is an OAuth 2 provider for Rails and Grape. You can go to
https://github.com/doorkeeper-gem/doorkeeper
Hope that helps you.

How to Connect Rails Client to IdentityServer SSO provider

At work we have a system set up running a ThinkTecture IdentityServer SSO provider which currently provides authentication for several .NET and ColdFusion sites. I am currently working on a new site we are supporting in Ruby on Rails and am having difficulty figuring out how to connect it to the SSO. (I'm pretty new to Rails, but a long-time developer in CF and .NET.)
I've looked at the omniauth-oauth2 and oauth2 gems but it seems there are important parts missing from the documentation and explanations I can find. There is a ton of info if I wanted to authenticate using Twitter, Facebook or something similar, but I can't find anything that just addresses the client side for any generic OAuth2 provider.
I'm just looking for someone to point me in the right direction to find information on how I can do this. I don't care if it's specific to IdentityServer or just generic regardless of the provider. Thanks for the help.
Update: Just so you know, I would prefer to use OAuth2 for this connection, but I am not opposed to using any of the other ways that IdentityServer provides, including ADFS, WSFed or Simple HTTP. I can't use OpenID, though, because these accounts are specific to our system and can't be used for other systems.
You really need an OpenID Connect library.
http://openid.net/developers/libraries/
It turns out this is pretty easy, overall. The difficulty is that there is no straight answer to the question. How you connect to IdentityServer entirely depends upon how IdentityServer is set up.
I'm not going to post my exact code, as this will not help anyone who doesn't have IdentityServer set up exactly the same way we do, and as I don't have access to the IdentityServer, I can't say exactly how that is. I will explain the overall solution, though.
The only gem needed for this is JWT.
1) Get key codes from the IdentityServer admin (client id, secret key, sign key)
2) Build the login URL according to the configuration of IdentityServer
3) Redirect the user to the login path generated in the last step
4) Receive the token back from IdentityServer
5) Decode and verify using the JWT.decode function
From there you just have a JSON string with your data.
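As an added example (not the answer's own code), the login URL and token steps above in Ruby using only the standard library: the URL carries a per-login state nonce, and the returned token is verified the way the jwt gem's JWT.decode would before any claim is trusted. The endpoint, issuer, client id and sign key are constructed stand-ins, and treating the sign key as a shared HS256 secret is an assumption about how the IdentityServer was configured.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "uri"

# Constructed stand-ins for the values the IdentityServer admin hands out
# (client id, sign key) and for the server's endpoints. Not real credentials.
SSO_AUTHORIZE_URL = "https://sso.example.test/issue/oauth2/authorize" # hypothetical
ISSUER    = "https://sso.example.test"   # expected 'iss' claim (assumption)
CLIENT_ID = "rails-app"                  # expected 'aud' claim (assumption)
SIGN_KEY  = "constructed-shared-hs256-sign-key"

# Steps 2-3: the login URL the user is redirected to. 'state' is a per-login
# nonce the callback must echo back, tying the response to the session that
# started it (this is what stops login CSRF and response swapping).
def build_login_url(redirect_uri, state = SecureRandom.hex(16))
  params = { response_type: "token", client_id: CLIENT_ID, scope: "openid",
             redirect_uri: redirect_uri, state: state }
  "#{SSO_AUTHORIZE_URL}?#{URI.encode_www_form(params)}"
end

# Constant-time comparison: never compare MACs with == (timing side channel).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Steps 5-6: verify the returned token before trusting any claim (the checks
# JWT.decode does for HS256; assumed the 'sign key' is a shared HMAC secret).
def verify_token(token, now = Time.now.to_i)
  header, payload, sig = token.to_s.split(".")
  return nil unless header && payload && sig
  return nil unless JSON.parse(Base64.urlsafe_decode64(header))["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", SIGN_KEY, "#{header}.#{payload}")
  return nil unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims["iss"] == ISSUER && claims["aud"] == CLIENT_ID
  return nil unless claims["exp"].is_a?(Integer) && now < claims["exp"]
  claims
rescue JSON::ParserError, ArgumentError, TypeError, NoMethodError
  nil
end

# Only for building a constructed sample token to exercise verify_token.
def mint_token(claims, key = SIGN_KEY)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  input = "#{enc.call({ alg: "HS256" })}.#{enc.call(claims)}"
  sig = OpenSSL::HMAC.digest("SHA256", key, input)
  "#{input}.#{Base64.urlsafe_encode64(sig, padding: false)}"
end
```

The explicit "alg" check matters: a verifier that takes the algorithm from the token header instead of from its own configuration can be handed an unsigned or differently signed token.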

Login/Registration functionality in CQ5

I need to create register/login functionality in CQ5. There are three ways:
1 - The register/login functionality should be prepared as a web service hosted on a Java Application Server, and then we can consume data from the web services.
2 - The functionality should be prepared as a RESTful web service hosted on CQ itself, since AEM is developed around the REST principle and REST web services are certainly something that will be supported. So I believe RESTful web services can be hosted with CQ5.
3 - Why do we need web services? I do not think it requires web services, since my application is not going to communicate with other applications and it doesn't want to expose any services to the outside world. Why don't we create register/login functionality as we do in a normal web application? Can we create an OSGi bundle that invokes databases to store user details for register/login functionality?
I would go for the 3rd option, but my concern is that AEM is not the place to build our business logic to carry out functions that are not related to content rendering.
Which option would you choose and why? Kindly share your ideas and thoughts. I am just looking for the best solution to develop register/login functionality in CQ.
Thanks
I think I am late to the party, but it might help someone. Yes, you can very well create REST web services in CQ and they work well. So, you can take that approach.
The way to go about implementing login/registration would be how it is done OOTB, but OOTB is also bad in the way it implements it, so you have to make modifications to overcome that.
1) You need to register an Authentication handler with CQ. If you are looking for a sample, there is a form authentication handler source that you can look at.
2) We have integrated our Auth handler with Active Directory (AD). Since AD is supported by default, it is easy to integrate with Auth Handlers.
3) Next you need to create a user login token, for which you can look into the TokenUtil class of CQ, or if you are looking to develop SSO, you can look into the SSO code that is packaged OOTB.

Django + Google SSO openid

I would like to have my application http://app.acquee.com/designer accept a Google account as a login. I found a bunch of libs for Django, but most work on top of the existing Django authentication system that I do not use. I have my own set of user tables where I keep user info and privileges.
Any suggestion on how to integrate that with Google OpenID?
It seems I will have to do it manually using python-openid. Or could I use django-openid?
However, with the latter, I don't even know how to issue the discover command.
Regardless, I get stuck on Google's step 5, sending a login authentication request (optionally with OAuth parameters) to the provided endpoint address. Can someone provide a sample request? Is it a GET/POST? What content?
Cheers
You can try https://launchpad.net/django-openid-auth - I'm using it in a commercial project, for both regular Google Accounts and Google Apps accounts. I remember that it was the most convincing one at the time I was doing a review, although I can't give you any details now due to my short memory. Anyway - it's working great.

Web Service Authentication using OpenID

I'm going to be developing a REST-ful Web Service for a new public website. The idea behind the web service is to have 3rd parties develop fully functional UIs for the business logic.
For security reasons, I'd like to avoid users having to give their passwords for our service to the 3rd party applications. (Perhaps this shouldn't be a big concern?) Instead, I'm looking to implement some sort of login system on our site that provides an auth token to the 3rd party app but keeps the actual password out of their hands.
This made me think that OpenID might be a potential solution here. It seems to me that it should work: the actual password is handled by the OpenID provider and so it doesn't rest with the 3rd party app. I think that the trouble would probably lie with the various passthroughs, but that should be manageable.
However, there's a surprising lack of Googleable info on this, so I'd like SO's opinion. Has anyone implemented a similar system before? Is it even possible? Is it worth the trouble?
I agree completely that what you want is OAuth; I say that having worked on both OAuth and OpenID systems. I've also been in your boat a few times, having to develop a REST web service api.
For really good ideas on OAuth, and why it is what you want, see this attached article:
This is a must-read; there are four parts, read them all:
http://hueniverse.com/oauth/guide/
The RFC; read it after reading the above, as it can be a little daunting for most:
http://oauth.net/core/1.0
And then finally maybe some code. I have a couple of projects hosted that are using Java/Groovy to do OAuth. One is a plain old OAuth client, the other is a client for specific interactions with NetFlix.
http://www.blueleftistconstructor.com/projects/
If you are relatively inexperienced with REST (you haven't built a full scale web api yet) I would recommend that you buy (or better get your boss to) "RESTful Web Services" by Richardson & Ruby. It is an O'Reilly book. I can say that it is one of their better books to debut in the past few years.
It might also help to look at some RESTful OAuth based APIs. The NetFlix API is a perfect example: http://developer.netflix.com/docs
Good luck and happy coding!
So far, I've found 1 worthwhile link:
http://markmail.org/message/utf7js473zqv45hv
This conversation mentions something called "OpenID Exchange" which is right up my alley... but the included link is broken and there's not much solid information on Google for it.
Looks like OAuth might be the ticket: http://oauth.net/
We have been working on a project to integrate OpenID Authentication for SOAP web services. You can find our project at http://code.google.com/p/ws-sandhana/.
You can provide Single Sign-On to your web services using OpenID authentication, and you can enforce the trusted OpenID Providers and required attributes of the users by defining service security policies.
This is an open source implementation on Apache Rampart which is the security module for Apache Axis2 web service engine. You can find our blog at http://sandhana-project.blogspot.com/ for more information.