I have created a web-service that uses basic authentication in JDeveloper 11.1.1.4.
When i test my application using a client application is runs correctly so i know that the authentication mechanism has no problems.
How can i pass authentication info into the HTTP Analyzer by right clicking on Webservices and selecting Test Web Service?
I have tried to pass credentials through SOAP Headers > :WS-Security:Header like below but is not working
I have also tried to pass authentication through Credentials option like shown below
In both cases i get this error 500 HTTP Analyzer Server Error The server sent HTTP status code 401: Unauthorized: .....
How can i get through this?
Thanks
UPDATE
I also tried to pass Authentication option to Request HTTP Headers but get the error message :
Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
If you're using Basic authentication, all you need is set request header Authorization. Value of this header: prefix Basic, one space, Base64 encoded string with usrname:password, so your header for Aladin:sesam open should be like this: Basic QWxhZGluOnNlc2FtIG9wZW4=.
On screenshot i see section Request HTTP headers, add Authorization header to it.
I am aware that this is an old post , but this may benefit those who run into this issue.
I am using Jdeveloper 11.1.2. I have secured the JAX-RPC web service (created by exposing PL/SQL poackage) using basic authentication. I attached the security policy: "Auth.xml" using the wizard.
I was able to test this using HTTP Analyzer. I just passed the user credentials in the SOAP Headers as shown below and it worked fine for me.(I also passed invalid creds and no creds to see if the security works as expected.)
Hope this helps !!!
Related
Is there a possibility to instruct Swagger not to send the Hypertext Transfer Protocol (http) in front of a POST or GET request ?
As you can see on the screenshot, the Request URL is using http protocol
The reason of my question is that the POST request from swagger-ui is not arriving on the server. An undocumented response is returned from the server although the response code is 200. This can be seen on the second screenshot.
When disabling https on the reverse proxy, the request arrives on the server correctly and response code is 200.
In my java spring application, I've implemented the proposed solution which are described in https://springdoc.org/faq.html : How can I deploy springdoc-openapi-ui behind a reverse proxy?
But it didn't solve my proble.
I managed to find how to tell swagger to make the request when pressing the excecute button
In application.yaml, you have to add the following:
swagger:
url: "https://www.example.com.com/aa"
I used BlazeMeter's chrome extension to build a .jmx file for testing our login page in JMeter. Most of our application is written in node js. We are using Auth0 for our login and the /login/callback is giving me a 400. I am not sure why. My goal is to test our applications with about 200 users. Any help would be great!
The HTTP 400 Bad Request response status code indicates that the server could not understand the request due to invalid syntax.
Most probably you are getting this error due to malformed request body or missing header, most probably you need to add a HTTP Header Manager and configure it to send Content-Type header with the value of application/json
Also be aware that OAuth authorization flow isn't something you will be able to record and replay, it is all about obtaining an Authorization Bearer token and sending it along with the requests requiring authorization via the aforementined HTTP Header Manager.
There are several ways of obtaining an OAuth token, check out How to Run Performance Tests on OAuth Secured Apps with JMeter guide for more details on bypassing OAuth login challenge in JMeter tests.
I am trying hit localhost from jMeter with port 9090 and passing two user name and password parameters. When I run the test plan I'm getting the Forbidden response from jMeter.
My test plan is as follows,
And If run the above test plan the result is like this,
How to resolve this? Any suggestions please!!
It looks like Basic Authentication challenge. Add a HTTP Authorization Manager to your test plan and put authentication details in there.
You are using the incorrect authentication method for the server.
The way you have programmed jmeter will send a request to the server like:
http://localhost:9090/node?name=admin&pass=admin
However, your server is expecting a request like:
http://admin:admin#localhost:9090/
The former is an application authentication method, and the latter is server basic authentication method.
To provide the server with the correct request for Basic Authentication you can use the HTTP Authorization Manager, using your username and password. This will manage the entire security session for you during your tests. It will keep you logged on as you send further requests.
HTTP specification says;
HTTP access authentication is described in "HTTP Authentication:
Basic and Digest Access Authentication" [43]. If a request is
authenticated and a realm specified, the same credentials SHOULD
be valid for all other requests within this realm (assuming that
the authentication scheme itself does not require otherwise, such
as credentials that vary according to a challenge value or using
synchronized clocks).
I don't really understand what this means, but here is my scenario is there anything against HTTP specs here? I use Java Rest service
Client sends username:password using HTTP Authorization header using HTTP Basic
Server sends back a token
Now client sends a custom authorization token instead of password for further requests still in the HTTP authorization header still using HTTP Basic username:token
Now this does not feel right since what I am really doing with the auth token is NOT an actual HTTP Basic authorization. Also usage of the very same header is inconsistent between requests.
But on the other hand I do not want create yet another custom header for the token exchange. Because its hard to base64 encode them with test tools when you use a custom header. And still inconsistent headers between requests.
Note: these requests refers to different endpoints
What do you advice?
If you do that, since you are using the same headers, aren't you going to need server side logic to differentiate when the login is the actual login, as opposed to your token? At the end of the day, HTTP Authorization is already a token (only a simple encoded version of the username/password string), so in all cases you are receiving a token, now you have to decode it, decide if it's one of your session tokens, or if it's a username/password, and therefore check against two sources of "good tokens".
I would advice against this, but not because you're breaking standards, it just feels convoluted.
Why do you need to change username/password to a token on the first place? Are you redirecting to an endpoint where you no longer require HTTP Basic Auth?
I'm trying to extract information from an URL using my Java code. But the URL has a pop-up authentication scheme. How would I know the authentication scheme used? I have the credentials for it.
A browser typically shows an authentication "popup" when the server responds to an HTTP request with a "401 Unauthorized" response message. The response header includes a "WWW-Authentication" header which tells you the authentication scheme to use (among other things).
There are various ways to deal with this in a Java application, depending on how you are attempting to fetch the web resource associated with the URL. For instance, if you are using HttpUrlConnection, you can extract the "WWW-Authentication" header, parse it, and extract the authentication scheme.
Normally the authentication is based on HTTP. There are several techniques to use (HTTP basic authentication Kerberos NTLM and so on) Each of this technologies applies additional information into HTTP header. So the authentification is not URL based but HTTP Header based.
Please give us more information about your problem, to help you