Authentication Failed when I test my REST API in JMeter

I have been asked to test my REST API in JMeter and configured my service details in the HTTP Request tab in JMeter. Unfortunately, I am seeing an Authentication failed error even though it displays correct information in the Request tab.
Here is my Header Manager section as below...
This is my request; I am using the POST method for this.
Can you please help in getting this fixed...

You have to implement correct correlation.
Authentication must be executed every time.
The authorization token is a random value that you get from previous authentication.
You have to extract it (maybe with a regular expression) and use it in the HTTP operation.

The recommended way of testing resources protected by Basic HTTP Authentication is using HTTP Authorization Manager.
1) Add HTTP Authorization Manager to your test plan
2) Provide Base URL and credentials (plain text)
That's it. You don't need to add the Authorization header manually; JMeter will generate it automatically. Check out the "How to Use HTTP Basic Authentication in JMeter" article for more details if required.

Related

How to use JWT with Ballerina

I read about JWT and I think I understand how it works, but when it comes to the Ballerina examples I don't understand anything:
How do I set the algorithm which I want to use along with JWT and the expiration time?
How do I use a custom private key?
How can I get the token from this example for instance "https://ballerina.io/learn/by-example/secured-service-with-jwt-auth"?
Maybe how can I get the token using CURL (for testing purposes)?
Also I'm wondering how to use the JWT without the need of having a database with users and passwords.
I'm absolutely new to security and Ballerina also. Can anybody help please?
The Ballerina JWT module [1] provides the following functionalities.
Issue a JWT
You can issue/generate a JWT by providing jwt:JwtIssuerConfig. You can configure username, issuer, audience, expiration time, signing algorithm, custom claims and configuration for signature (key-store config). Please refer to the API docs of jwt:JwtIssuerConfig [2]. Example code can be found at [3].
Validate a JWT
You can validate a JWT by providing jwt:JwtValidatorConfig. You can configure expected issuer, expected audience, clock skew, cache configurations and configurations for validating the signature (trust-store config). Please refer to the API docs of jwt:JwtValidatorConfig [4]. Example code can be found at [3].
Secure a service with JWT
You can use JWT to secure an HTTP service. The Authorization header of the inbound HTTP request will get validated and authenticated according to the provided configurations. Please refer to the API docs of jwt:InboundJwtAuthProvider [5]. Example code can be found at [6].
Calling a service with JWT
You can use JWT to call an external server which is authenticated with JWT. The outbound HTTP request is prepared with the Authorization header according to the provided configurations. Please refer to the API docs of jwt:OutboundJwtAuthProvider [7]. Example code can be found at [8].
Answers for the questions:
How do I set the algorithm which I want to use along with JWT and the expiration time?
You can configure jwt:JwtIssuerConfig [2] as described above.
How do I use a custom private key?
You can configure the jwt:JwtKeyStoreConfig field of jwt:JwtIssuerConfig [2], with your custom private key.
How can I get the token from this example for instance "https://ballerina.io/learn/by-example/secured-service-with-jwt-auth"?
Maybe how can I get the token using CURL (for testing purposes)?
This is a sample service which is secured with JWT. The token used to invoke this service is provided at the bottom of the sample. How to invoke this service with CURL is also provided.
Also I'm wondering how to use the JWT without the need of having a database with users and passwords.
All of the above samples do not need any database or file store. All the configurations are provided in the code itself. If there is any requirement to retrieve data from a database, that is also possible.
References:
[1] https://ballerina.io/learn/api-docs/ballerina/jwt/index.html
[2] https://ballerina.io/learn/api-docs/ballerina/jwt/records/JwtIssuerConfig.html
[3] https://ballerina.io/learn/by-example/jwt-issue-validate.html
[4] https://ballerina.io/learn/api-docs/ballerina/jwt/records/JwtValidatorConfig.html
[5] https://ballerina.io/learn/api-docs/ballerina/jwt/objects/InboundJwtAuthProvider.html
[6] https://ballerina.io/learn/by-example/secured-service-with-jwt-auth.html
[7] https://ballerina.io/learn/api-docs/ballerina/jwt/objects/OutboundJwtAuthProvider.html
[8] https://ballerina.io/learn/by-example/secured-client-with-jwt-auth.html
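
What the issuer and validator settings listed in the answer above (signing algorithm, expiration time, expected issuer, expected audience, clock skew) do to a token, as an added Python sketch that is not Ballerina code and not from the original answer. It assumes an HS256 shared secret in place of the key-store/trust-store pair, and every function name and value is hypothetical.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(key, sub, iss, aud, ttl, now=None):
    """Issuer side: the algorithm goes in the header, the expiry in the 'exp' claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iss": iss, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def validate(token, key, iss, aud, skew=0, now=None):
    """Validator side: pin the algorithm, verify the signature, then the claims."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header, sig = json.loads(unb64url(h64)), unb64url(s64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # The validator, not the token, decides which algorithm is acceptable.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(c64))  # read only after the signature check
    if claims.get("iss") != iss:
        raise ValueError("wrong issuer")
    auds = claims.get("aud")
    if aud not in (auds if isinstance(auds, list) else [auds]):
        raise ValueError("wrong audience")
    if now > claims.get("exp", 0) + skew:  # skew tolerates small clock drift
        raise ValueError("expired")
    return claims
```

No user database is involved: the validator needs only the key and the expected issuer and audience values.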

Reactjs app making requests to Django which exists on different domain

I'm trying to make a request from my reactjs app existing on "localhost:3000" to my django living in "localhost:8000".
I was expecting some authentication token in the header to be passed along with the request, but it's not the case. The request seems to be stripped and the token is nowhere to be found. Unless I pass the token in the url as a parameter (which exposes the token that can be decoded. I don't like it), I can't seem to be able to get the token in any way.
So my questions:
Is this a CORS issue? My understanding is that CORS usually deals with JavaScript only, and Django already has the middleware to deal with this.
I'm currently using a GET as method. Does using a POST help in this case? How would the reactjs script be written? Currently it's just a href attached to a NavItem.
And ultimately:
How do I pass the token from reactjs to django?
We can perform the implicit grant on the front-end and then configure the Django API in Auth0 and specify its identifier in the audience parameter. This would grant you an access token which you could then use against your API. Your API would then verify the token and check the audience is correct. (This has a good overview of the process https://auth0.com/docs/api-auth/grant/implicit and then with the API https://auth0.com/docs/architecture-scenarios/spa-api)
Basically what we can do is when Auth0 authenticates the user it redirects the user to the app with an access token, and optionally an id token, in the hash fragment of the URI. We can extract that and use the token to call the API on behalf of the user.
So, after we have created the API in Auth0, defined the endpoints, and secured the endpoints we can call the API (by sending the access token in an Authorization header using the Bearer scheme).
If you have any Auth0 specific question please feel free to join over in community.auth0.com; you may have better luck finding help/solutions.
The 403 error is telling you that the request is not being processed because something is stopping that request from being processed. 403: "The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated."
As you said, it is probably because of CORS. Try to follow the guide below on how to install Django-cors:
https://github.com/mbrochh/django-graphql-apollo-react-demo#add-jwt-authentication-to-django

How to test client web api on postman

I'm working on a BP monitor app and trying to test web APIs according to the documentation with the OAuth 2.0 type authorization. But I'm facing some problems getting a valid GET or POST response.
Could you please help me with how I can get the response of GET and POST web APIs?
1) In the Postman app, you first enter your API endpoint into the URL field.
2) Just to the left of the URL input, there is a dropdown to select whether you'd like to send your request as GET or POST.
3) To the right of the URL input, you can define any extra parameters needed.
These parameters are where you can define specific details needed for your test-case.
Postman also allows you to easily generate OAuth tokens for testing (support for OAuth 1.0a and OAuth2).

Can I implement custom token generation (fully customized) API Token in WSO2?

I want to implement a custom code for token generation or you can think of removing OAuth2 from the WSO2 implementation and incorporating my specific APIs for token management. Is this possible? If yes, then please guide me how to achieve the same.
If you need to customize it fully, it means that you need to completely remove OAuth2. Then there is no worth in it. But if you just need to customize some behaviors of OAuth2, it can be done easily. There are several extension points for it. One main extension is the customization of OAuth2 grant types. You can find details from here and some samples for it. It may help to do some major customization of the OAuth2 flow. Hope it helps you.
When you send an API request to the backend, you pass a token in the Authorization header of the request. The API Gateway uses this token to authorize access, and then drops it from the outgoing message. If you wish to use a different (or a custom generated) authorization token than the application generated access token, you can use it as a token exchange mechanism in mediation logic of the API. In this tutorial, we explain how to pass a custom authorization token that is different to the authorization token generated for the application.
Add the following sequence content into a file and save it as an XML file.
Log in to the API Publisher and create a new REST API.
Navigate to the Runtime Configurations tab, enable the Message Mediation in Request flow. Engage the In sequence that you created earlier and click Save.
If the API is not in PUBLISHED state, go to the Lifecycle tab and click REDEPLOY to re-publish the API.
Go to the Developer Portal, subscribe and obtain a token to invoke the published API.
Install any REST client on your machine. We use cURL here.
Go to the command line, and invoke the API using the following cURL command.
In this command, you pass the token that the backend expects, i.e., 1234, in the Custom header with the authorization token that the system generates in the Authorization header.
curl -H "Authorization: Bearer <access token>" -H "Custom: Bearer 1234" <API URL>
NOTE
<access token> is the token that you got in step 20.
<API URL> appears on the API's Overview page in the API Developer Portal. Copy the HTTP endpoint. If you select the HTTPs endpoint, be sure to run the cURL command with the -k option.
Note the response that you get in the command line. According to the sample backend used in this tutorial, you get the response as "Request Received."
FOR MORE EXPLANATION, PLEASE VISIT THIS LINK
[LINK] : https://medium.com/#PrakhashS/passing-access-token-to-oauth2-protected-backends-wso2-api-manager-7d0671a0afca

Standard -server to server- and -browser to server- authentication method

I have a server with some resources; until now all these resources were requested through a browser by a human user, and the authentication was made with a username/password method that generates a cookie with a token (to have the session open for some time).
Right now the system requires that other servers make GET requests to this resource server but they have to authenticate to get them. We have been using a list of authorized IPs but having two authentication methods makes the code more complex.
My questions are:
Is there any standard method or pattern to authenticate human users and servers using the same code?
If there is not, are the methods I'm using now the right ones or is there a better / more standard way to accomplish what I need?
Thanks in advance for any suggestion.
I have used a combination of basic authentication and cookies in my web services before. In basic authentication you pass the user name/password encoded in the HTTP header where it looks something like this.
Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
The string after the word "Basic" is the encoded user name and password, separated by a colon. The REST API can grab this information from the HTTP header and perform authentication and authorization. If authentication fails I return an HTTP Unauthorized error, and if they are authenticated but are not authorized I return an HTTP Forbidden error, to distinguish between failure of authentication versus authorization. If it is a web client and the person is authenticated then I pass the following in the HTTP header with a request.
Authorization: Cookie
This tells the web service to get the cookie from the HTTP request and use it for authorization instead of doing the authentication process over again.
This will allow clients that are not web browsers to use the same techniques. The client can always use basic authentication for every request, or they can use basic authentication on the initial request and maintain cookies thereafter. This technique also works well for Single Page Applications (SPAs) where you do not have a separate login page.
Note: Encoding the user name and password is not good enough security; you still want to use HTTPS/SSL to secure the communications channel.
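
The scheme described in the answer above, as an added Python sketch that is not the answerer's code: one entry point accepts either `Authorization: Basic ...` or `Authorization: Cookie` and separates 401 from 403. The user table, grants, session store and the `session` cookie name are constructed assumptions.

```python
import base64, hmac

# Constructed sample data (assumptions). A real service stores password hashes.
USERS = {"alice": "s3cret", "bob": "hunter2", "carol": "pa:ss"}
GRANTS = {"alice": {"reports"}, "carol": {"reports"}}  # bob has no grants
SESSIONS = {"sid-123": "alice"}                        # session cookie -> user

def decode_basic(value):
    """Decode the text after 'Basic '. Returns (user, password) or None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = text.partition(":")  # only the first colon splits
    return (user, password) if sep else None

def authenticate(headers, cookies):
    """Return the authenticated user name, or None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        creds = decode_basic(value.strip())
        if creds is None:
            return None
        user, password = creds
        stored = USERS.get(user)
        # Compare even for unknown users so timing does not reveal valid names.
        same = hmac.compare_digest(password.encode(), (stored or "").encode())
        return user if stored is not None and same else None
    if scheme.lower() == "cookie":  # the answer's "Authorization: Cookie" mode
        return SESSIONS.get(cookies.get("session", ""))
    return None

def handle(headers, cookies, resource):
    """Return (status, response headers): 401 = not authenticated, 403 = not allowed."""
    user = authenticate(headers, cookies)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}
    if resource not in GRANTS.get(user, set()):
        return 403, {}
    return 200, {}
```

`decode_basic` applied to the header value quoted in the answer returns the user name and password in clear text, which is why the answer's closing note requires HTTPS.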