JMeter: random users are visible at parameterized script execution - regex

I am new to JMeter and, with the help of blogs and SOF, I was able to record and parameterize the script.
I am testing an ASP.NET web application which uses Windows Authentication and AD.
The problem here is that after execution, in View Results Tree, I can see the old user's HTTP page. For example, I recorded the script with User A and I parameterized all the variables required to run the same script with User B. But at execution I can see User A's session is loading, and the data created by this transaction is corrupted: it has some values of User A and some of User B.
I tried using Post Processor >> Regular Expression Extractor for capturing ViewState and EventValidation and put them back in the POST request; now the error is resolved, but the transaction itself is not happening. No new data is created after this change.
Please help me. I am confused now about what I am doing wrong here.

It seems that you have hard-coded "Authorization" header which identifies all your virtual users as "User A". If it is the case - this header needs to be removed from all the requests and you need to construct a proper one with HTTP Authorization Manager.
See Windows Authentication with Apache JMeter to learn how to properly set up JMeter for dealing with Active Directory logins. It is possible to parametrize usernames, passwords, domains, etc. as normal using CSV Data Set Config.


What's next: after successful token created for django all-auth; how to sync google calendars?

Ok, I hope I don't get too beat up here for this question as it is kind of complex. At least in my view, with what I know so far. So the details first:
I built a nice app with Django that brings in event data for users and utilizes that data for many things (not relevant to this question), but one of the things is that it syncs these events to the user's Google calendar. I made the Google app within the developer console, and it uses the provided credentials.json file to allow users to authenticate the app, thus creating individual token.json files per user. Then I have another script (not within Django, just a custom Python file) that runs from a cron job to automatically sync/update the calendar info from the database to the Google calendars.
Now, the new problem is having this work without my help, i.e. a new user logs in and creates a profile, and then if they should choose to sync to their Google calendar I have to be there, running the authentication process from my personal server. So I did that by moving the whole app to a hosted platform and bringing it up to speed in production mode.
Users can create a profile, using django-allauth it works to make an initial user account where they can fill in the rest of the profile. It does populate the token string for their account, but here is where I'm stuck.
What process is there to make the token.json file OR use the existing token string (the one it saves now on the server version) to allow the system to sync the calendars? Once the token files are created, the rest of this works. I just can't get the right answers to how django-allauth will handshake with Google and do this?
Thanks for any help!
Update: ultimately wound up using a service account with google api, and directing my users to combine the service account email (adding it as a shared user to the specific calendar) and they copy/paste the shared calendar ID in their profile on my app. All the logic now just uses this share function to sync the calendars, and it works great.

Clicking through to new site returns error "java.net.UnknownHostException:"

I have a JMeter script which quite happily logs in to a session and then needs to click through to a new site as part of a single sign-on test. If I do this manually, a new site with a new URL is opened. If I do this via JMeter I'm getting a "java.net.UnknownHostException:" error.
I suspect this has something to do with cookie management but I am not 100% sure. I do have a cookie manager for the Thread Group.
Update: I experience the same thing when I record the session using the Test Script Recorder.
It means JMeter does not know your website.
Most probably it's a proxy issue, you need to provide to JMeter what your browser already has in terms of configuration.
See:
http://jmeter.apache.org/usermanual/get-started.html#proxy_server

adding custom workflow extensions to Wso2 API manager

I have recently started working on WSO2 API Manager and I have added a user signup workflow to it by following this link:
https://docs.wso2.com/display/AM180/Adding+a+User+Signup+Workflow
It was pretty simple and straightforward, but the thing is, in my case I am the admin as well as the user. So once I send a signup request, I manually log on to the workflow-admin console and approve the request, and once I approve the request I can log in to the API Store. But in a typical production environment, the admin as well as the user must get some kind of email notification so that they can approve/reject as well as log in once the request is approved. How do I achieve this kind of scenario, wherein the user will get an email notification once his/her request has been approved and the admin will get a notification once a request is sent?
I have checked the adding a workflow-extension module in the documentation:
https://docs.wso2.com/display/AM180/Adding+Workflow+Extensions
But I'm still trying to figure it out.
Looking forward to some help.
As far as I know the current release of the Business Process Server doesn't have support for email notifications for HumanTasks. But this will be available from the next release of the Business Process Server (v3.5). As a workaround, what you can do is create a service in the ESB to send out emails and create a BPEL workflow (with HumanTasks) which will trigger this email service in the ESB. But if you can wait till the next release (which should be available by the end of August), then this feature would be available with the new Business Process Server.
Ok I finally got it working.
Write a class in Java similar to UserSignUpWSWorkflowExecutor.java; make sure it extends the UserSignUpWorkflowExecutor class in the org.wso2.carbon.apimgt.impl.workflow package. Now, in the complete method of your class, check for the signup status and write the logic for sending mail there. After this step, make a jar of the particular package/component and add it to the patches directory in the binary distribution of WSO2 API Manager; while doing so, make sure the name of the jar is the same as the one in the plugins directory. After this step, start your API Manager; in the admin console there is a workflow-extensions.xml file. Edit that file and give the name of the jar that you just created along with its package name. Save it and restart the API Manager.
Note: enable the user sign-up workflow executor by following this link first:
https://docs.wso2.com/display/AM180/Adding+a+User+Signup+Workflow

What is Cross Site Script Inclusion (XSSI)?

I've recently seen XSSI mentioned on multiple pages, e.g. Web Application Exploits and Defenses:
Browsers prevent pages of one domain from reading pages in other domains. But they do not prevent pages of a domain from referencing resources in other domains. In particular, they allow images to be rendered from other domains and scripts to be executed from other domains. An included script doesn't have its own security context. It runs in the security context of the page that included it. For example, if www.evil.example.com includes a script hosted on www.google.com then that script runs in the evil context not in the google context. So any user data in that script will "leak."
I fail to see what kind of security problems this creates in practice. I understand XSS and XSRF but XSSI is a little mysterious to me.
Can anybody sketch an exploit based on XSSI?
Thanks
This is typically a problem if you are using JSONP to transfer data. Consider a website consisting of a domain A that loads data from domain B. The user has to be authenticated to site A and B, and because the Same Origin Policy prevents older browsers from communicating directly with a different domain (B) than the current page (A), the developers decided to use JSONP. So site A includes a script pointing to http://B/userdata.js which is something like:
displayMySecretData({"secret":"this is very secret", ...})
So A defines a function called displayMySecretData, and when the included script from server B runs, it calls that function and displays the secret data to the user.
Now evil server E comes along. It sees that A is including data from B using JSONP. So server E includes the same script, but defines its own displayMySecretData which instead steals the data.
The attacker then tricks the user into visiting his site. When the user goes there and he is logged in to B, the browser automatically sends the authentication cookies for B along with the request to fetch the script from B. B sees an authenticated user, and thus returns the script as expected. E gets the data, and presto...
Using JSONP to load confidential data from a different domain this way is thus really insecure, but people are still using it. Bad idea!
XSSI is not limited to JSONP responses. In some browsers you can override the Array constructor. If a JSON response contains [...] and you include it as a script, it will execute the new constructor instead of the built-in one. The fix is to insert something in the response that can't be parsed, like ])}while(1);</x>, and then use code to remove it before parsing. An attacker can't do that, since script inclusion is always the entire script.
More detail on the problem and this solution at http://google-gruyere.appspot.com/part3#3__cross_site_script_inclusion
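The two answers above describe the same defensive pattern from two angles: data that a browser can evaluate as a script (a JSONP callback call, or a bare JSON array) leaks to any origin that can include it, and the fix is to make the response unparseable as a script and strip the guard before parsing it on the same origin. The following is an added example, not code from either answer or from Gruyere; it uses the `])}while(1);</x>` prefix the second answer mentions, and the function names (`guardJsonResponse`, `parseGuardedResponse`, `isParsableAsScript`) and the sample payload are this example's own.

```javascript
// Added example (not from the original answers): guarding a JSON endpoint
// against cross-site script inclusion with an unparseable prefix.
// The prefix is the one named in the answer above; everything else here
// (function names, sample data) is constructed for this illustration.

const XSSI_PREFIX = "])}while(1);</x>\n";

// Constructed sample payload standing in for http://B/userdata.js.
const SAMPLE_USER_DATA = [{ secret: "this is very secret" }];

// Server side: serialize the payload and prepend the guard. A page on
// another origin that does <script src="https://B/userdata"> now gets a
// SyntaxError before any statement runs, so an overridden Array
// constructor or a rogue callback never sees the data. The browser still
// sends B's cookies with that request; the guard only makes the reply
// useless to the including page.
function guardJsonResponse(payload) {
  return XSSI_PREFIX + JSON.stringify(payload);
}

// Client side, same origin, fetched with XHR/fetch rather than <script>:
// insist on the guard, strip it, then parse. Rejecting an unguarded body
// surfaces a misconfigured endpoint instead of silently accepting it.
function parseGuardedResponse(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("response is missing the XSSI guard prefix");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Shows why the guard works: new Function only *parses* the source, it
// never invokes it. A bare JSON array is a valid JavaScript expression
// statement (so it would execute when included as a script), while the
// guarded body fails at parse time.
function isParsableAsScript(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Round trip on the constructed sample: returns a small report so the
// outcome can be inspected or asserted on rather than only printed.
function demo() {
  const rawBody = JSON.stringify(SAMPLE_USER_DATA);
  const guardedBody = guardJsonResponse(SAMPLE_USER_DATA);
  return {
    rawIsIncludable: isParsableAsScript(rawBody),        // true: leaks
    guardedIsIncludable: isParsableAsScript(guardedBody), // false: safe
    parsed: parseGuardedResponse(guardedBody),            // same-origin path
  };
}

console.log(demo());
```

Note that the guard is a mitigation for the inclusion vector only; it does nothing for a resource that is deliberately served as JSONP, and it must be stripped by every same-origin consumer, which is why `parseGuardedResponse` treats a missing prefix as an error rather than falling back to a plain parse.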
XSSI is a fancy way of saying: you are including someone else's code in your program; you don't have any control over what is in that code, and you don't have any control over the security of the server on which it is hosted.
For example, let's say I include in my HTML page
<script type="text/javascript" src="http://mymatedave.com/js/coolwidget.js"></script>
That script will run in my web app with the same level of trust as any of my own JavaScript code. It will have access to the full page content and DOM, it will be able to read all my app's cookies and read the user's keypresses and mouse movements, and everything else that JavaScript can do.
If my mate Dave then decides to put something malicious in his cool widget (say, a sniffer/keylogger that sends all the user's cookies, form data and keypresses to his server), then I won't necessarily know. Also, the security of my app now depends on the security of Dave's server. If Dave's server gets compromised and coolwidget.js is replaced by the attacker, I again won't necessarily know, and the malicious code will run as part of my app.

How do I send an Enterprise Activation email? Using EnableBlackBerryUserDispatcherAttributes?

This is regarding a BlackBerry that is connected to a BES server, and the Administration Web Service.
I need to enable and send an Enterprise Activation email; however, I also need to set an ActivationPassword.
I looked at the help document and, after tracing the abstract classes, I think I need to do "something" with EnableBlackBerryUserDispatcherAttributes.
How do I send an enterprise activation email with a password to an Exchange user? I can't find anything, anywhere. (Sure, I can add a user to the server, but what good is that if I can't activate the account!?)
I've found the following objects in the web service that indicate it is possible, but I can't figure out how to use them...
ActivationPassword;
ActivationContext;
ActivationPasswordType;
ActivationPasswordOperationTypeEnumType;
clearActivationPassword;
EnterpriseActivationEvent;
setActivationPassword;
Just to be clear, the online samples only address the creation of a user, not enabling them.
My alternative is to shell out $250 bucks for this missing documentation.
If you are an ISV partner or T3 subscriber, the answer to this question is free for you at devsupport#rim.com, so I'll appreciate any strings you can pull as well. While you're at it, I'd appreciate it if you can tell me how to update the email component as described on this part of the admin website:
The user list from the company directory is automatically updated on a timely basis. The update process can be manually started using the email component.
You should have a look at the dispatcher web service. This means you have to generate a stub for the dispatcher web service as shown in the tutorial. The stub is an instance of com.rim.bes.bas.baa.BAADispatcher, which holds methods for setting and generating EA passwords.
Regards