I used JMeter as proxy to record all requests of a test scenario of our web services, and JMeter created request and one HTTP Authorization Manager, with stored authorizations for each request.
But when I launch this scenario, I get a 401 response code for all requests. I move HTTP Authorization manager in Thread Group, but I still get a 401 code.
All requests of our WS require authentication.
How do add authentication in one place for each request ? And, how parameterized them ?
Thanks, Denis
The answers may vary depending on web service security type and there are a lot of options, for example web service may require custom authentication header, custom HTTP header, custom cookie, custom token somewhere, etc.
Exhibit A: request without authentication
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://www.webserviceX.NET">
<soap:Header/>
<soap:Body>
<web:GetCitiesByCountry>
<!--Optional:-->
<web:CountryName>India</web:CountryName>
</web:GetCitiesByCountry>
</soap:Body>
</soap:Envelope>
Exhibit B: request with username/password authentication
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://www.webserviceX.NET">
<soap:Header>
<wsse:Security soap:mustUnderstand="true"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-29FBADA106D95AD8E114818886210611">
<wsse:Username>johndoe</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
secret
</wsse:Password>
<wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
jnXB+PJ34M7aqfDU88glzg==
</wsse:Nonce>
<wsu:Created>2016-12-16T11:43:40.755Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<web:GetCitiesByCountry>
<!--Optional:-->
<web:CountryName>India</web:CountryName>
</web:GetCitiesByCountry>
</soap:Body>
</soap:Envelope>
The most commonly used way of parametrizing a request is using CSV Data Set Config.
See Take the Pain out of Load Testing Secure Web Services article for more detailed explanation of some web services authentication types bypassing in JMeter test.
Related
I have two problems, when use the method setUserClaimValue from RemoteUserStoreManagerService SOAP endpoint, the update, works good.
But, the endpont /userinfo lost the values, I need to re-authenticate the user for generate a new access token and all works good again.
I need use the method setUserClaimValue from RemoteUserStoreManagerService for update more than one claim, but nothing happend, I don't have any error but the claims were not updated.
This is my env:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<ser:setUserClaimValues>
<!--Optional:-->
<ser:userName>username#mail.com</ser:userName>
<!--Zero or more repetitions:-->
<ser:claims>
<!--Optional:-->
<xsd:claimURI>http://wso2.org/claims/emailaddress</xsd:claimURI>
<!--Optional:-->
<xsd:value>newemail#mail.com</xsd:value>
</ser:claims>
<!--Optional:-->
<ser:profileName></ser:profileName>
</ser:setUserClaimValues>
</soapenv:Body>
</soapenv:Envelope>
What method I should use for update more thant one claim?
Why when update claims, my actual access token lost data from /userinfo endpoint, and is it necessary to generate a new access token?
1)
What method I should use for update more thant one claim?
You have to use setUserClaimValues from RemoteUserStoreManagerService. You can follow this document for further information on this RemoteUserStoreManagerService.
A sample soap service is given below.
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:ser="http://service.ws.um.carbon.wso2.org" xmlns:xsd="http://common.mgt.user.carbon.wso2.org/xsd">
<soap:Header/>
<soap:Body>
<ser:setUserClaimValues>
<ser:userName>piraveena</ser:userName>
<ser:claims>
<xsd:claimURI>http://wso2.org/claims/organization</xsd:claimURI>
<xsd:value>wso2</xsd:value>
</ser:claims>
<ser:claims>
<xsd:claimURI>http://wso2.org/claims/country</xsd:claimURI>
<xsd:value>srilanka</xsd:value>
</ser:claims>
<ser:profileName>default</ser:profileName>
</ser:setUserClaimValues>
</soap:Body>
</soap:Envelope>
2)
Why when update claims, my actual access token lost data from
/userinfo endpoint?
I couldn't reproduce this issue locally. I was able to obtain the userclaims without reauthenticating even after updating the claims via admin service.
When user claim is updated, the userattribute cache which is mapped against the accesstoken also will be cleared by an event. So the next time when you call the useinfo endpoint, the cache will be empty. In that case, the claim will be obtained from userstore. Please refer to this code here. Due to this, the user doesn't need to reauthenticate since the userattributes exist in the userstore.
But you may face this issue when you have enabled email as username and you update the email of the user via the service.
I have enabled the admin services from carbon.xml for API Manager and extracted the wsdl successfully. Now I am trying to invoke the service RemoteTenantManagerService using SOAP UI. I have loaded the wsdl in SOAP UI and also provided the Basic authentication Username/Password as admin/admin. But I am getting following message back. Port for API Manager is Offset 1
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<ser:getAllTenants/>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>The service cannot be found for the endpoint reference (EPR) /services/RemoteTenantManagerService.RemoteTenantManagerServiceHttpsSoap11Endpoint</faultstring>
<detail/>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
There are two types of transports, PassThrough and servlet. The admin services are exposed through servlet transport. Hence those must be invoked using servlet transport port.
For ex:- https://{host}:9443/services/RemoteTenantManagerService
In your case you have set offset to the "1" so please call the service using the URL https://{host}:9444/services/RemoteTenantManagerService
The generated WSDL contains the endpoint with Passthrough port hence soapUI shows it as the default endpoint. Please change the port to servlet port (your case it should be 9444) and run again.
I believe I found bug in WSO2 ESB.
I defined proxy service for our customer.
With security turned off I always get expected result, but when I enable security (scenario 1 - UsernameToken), then I get error "SOAP Envelope can not have children other than SOAP Header and Body".
I'm able to reproduce this bug with 'echo' service.
Here is request:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:echo="http://echo.services.core.carbon.wso2.org">
<soap:Body>
<echo:echoString>
<in>ABC</in>
</echo:echoString>
</soap:Body>
</soap:Envelope>
Turning security off or adding <soap:Header /> element before <soap:Body> element provides expected response again.
I'm using WSO2 ESB version 4.8.1, SoapUI 5.0.0 as client.
The SOAP headers contain application specific information related to the SOAP message. They typically contain routing information, authentication information, transaction semantics etc.
If you removed <soapenv:Header/> SoapUI will not send your user name and password to rampart.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:echo="http://echo.services.core.carbon.wso2.org">
<soapenv:Header/>
<soapenv:Body>
<echo:echoString>
<!--Optional:-->
<in>ABC</in>
</echo:echoString>
</soapenv:Body>
</soapenv:Envelope>
So your error was return by org.apache.axiom.soap.SOAPProcessingException due to AxisEngine System error.
When your sending request to secured one header is must..
I am trying to create a mockWebservice which should Authenticate UserName,password sent in the SOAP Request xml header.
My request xml will look like this
<s11:Envelope xmlns:s11="http://schemas.xmlsoap.org/soap/envelope/">
<s11:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>User_Name</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<wsa:Action xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">DeliverAccountInvestigationCaseStatus</wsa:Action>
<wsa:To xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">http://rp.baml.com</wsa:To>
<wsa:MessageID xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">Test from APP_NAME</wsa:MessageID>
</s11:Header>
<s11:Body>
<tns:DeliverAccountInvestigationCaseStatusRequest xsi:schemaLocation="http://rp.baml.com/data/DeliverAccountInvestigationCaseStatusV001 DeliverAccountInvestigationCaseStatusV001.xsd" xmlns:tns="http://rp.baml.com/data/DeliverAccountInvestigationCaseStatusV001" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<tns:ReferenceNumber type="GSS">1-</tns:ReferenceNumber>
<tns:TimeStamp>2014-01-31</tns:TimeStamp>
<tns:Status></tns:Status>
<tns:Resolution></tns:Resolution>
<tns:Comment>Test</tns:Comment>
</tns:DeliverAccountInvestigationCaseStatusRequest>
</s11:Body>
</s11:Envelope>
My Webservice should throw error if, username or password is not correct in the header.
When you mock a response you are simulating a response to a service's request. You normally mock when you cannot reach one of the supporting web services or it has not yet been built.
What this means is that you can mock any kind of response. If you need to validate the username and password, you will have to write that validation code yourself.
Check out soapUI.org's service mocking guide for some background on mocking.
I want to add wsse Security header to my web service client on ASP 3.5. I test the web service from SoapUI using this Soap Envelope and get an answer:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:comp="http://myCompany.org.tr"> <soapenv:Header xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/>
<wsse:Username>MyUsername</wsse:Username>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
(Body Info.)
</soapenv:Body>
</soapenv:Envelope>
I want to create this envelope through classic Web Service Reference which created by Visual Studi 2012. Which class should I use to add Username Info to my envelope?
Thank you John, and Ladislav.
Turns out that you should add the header via web.config file to get properly ordered SOAP message. Otherwise .Net tries to nest your code with its own capsulation (even you dont ask for it), and sends some rubbish as a result.