RE: Authenticating To A .NET Web Application

Wed, 18 Dec 2019 10:55:58 -0800 

Martin,

Thanks for that. 

One thing I failed to mention was that I was using Fiddler to capture traffic 
by setting the JMeter Proxy Server in my HTTP requests. Once I removed that and 
the name/value pair for the __RequestVerificationToken from the Cookie Manager, 
my login was successful. 

-----Original Message-----
From: Herbener, Martin - Division of School Technology Planning and Project 
Management <[email protected]> 
Sent: Wednesday, December 18, 2019 1:17 PM
To: JMeter Users List <[email protected]>
Subject: RE: Authenticating To A .NET Web Application

Eric,

I am 98% sure that your Post (your step 4) needs to send the 
__RequestVerificationToken name/value as form fields instead of putting it into 
the cookies.  This is done using Parameters within the HTTP Request 
object/component in jMeter 
(http://jmeter.apache.org/usermanual/component_reference.html#HTTP_Request).

Martin 

-----Original Message-----
From: Eric Rubin [mailto:[email protected]]
Sent: Wednesday, December 18, 2019 11:43 AM
To: JMeter Users List <[email protected]>
Subject: RE: Authenticating To A .NET Web Application

I realized I was not passing in the right name for the request verification 
token. Now there is a new error:  "The anti-forgery cookie token and form field 
token do not match"

I'm not sure what is causing them to be mismatched, which I confirmed is the 
case by looking at the Results Tree. My test script flow is:

1)  Open login page
2)  Add Regular Expression Extractor to get the __RequestVerificationToken 
value:
        Variable name:  REQUEST_VERIFICATION_TOKEN
        Regular Expression:  input name="__RequestVerificationToken" 
type="hidden" value="([A-Za-z0-9+=/\-\_]+?)"
3)  Using the HTTP Cookie Manager, set the cookie name to 
__RequestVerificationToken and its value to ${REQUEST_VERIFICATION_TOKEN}
4)  Perform the login using a Post; the parameters being sent with the request 
are UserName, Password, and __RequestVerificationToken. Follow Redirects and 
User KeepAlive are both checked.

Upon examining the Login step from the Results Tree, the 
__RequestVerificationToken in the post data differs from that of the cookie 
data. 

Any insight on how to resolve is greatly appreciated! 

-----Original Message-----
From: Mariusz W <[email protected]>
Sent: Wednesday, December 18, 2019 2:15 AM
To: JMeter Users List <[email protected]>
Subject: Re: Authenticating To A .NET Web Application

Hi,
In  my case I support this token as follows:
1. http sample is send (I get response and in form is hidden input fileld named 
__RequestVerificationToken) 2. I add css extractor to sampler from previous 
point and save token e.g.
input[name="__RequestVerificationToken"] as selector 3. Add token saved in 
previous point to next http sample - in my case it is send as parameter named 
__RequestVerificationToken = ${SAVED_TOKEN}.

Regards,
Mariusz

wt., 17 gru 2019 o 22:17 Eric Rubin <[email protected]> napisał(a):

> Thanks, Martin.
>
> I've made a bit of progress with authenticating. Added a Regular 
> Expression Extractor since a Request Verification Token is sent in the 
> request and stored in a cookie.
>
> Inspected the traffic using Fiddler and it appears that the token's 
> value is being sent across the wire. Previously, I was seeing an error 
> indicating that the cookie was not present. Now I'm encountering this
> error:  The required anti-forgery form field 
> "__RequestVerificationToken" is not present. Any thoughts on how to resolve?
>
> -----Original Message-----
> From: Herbener, Martin - Division of School Technology Planning and 
> Project Management <[email protected]>
> Sent: Monday, December 16, 2019 1:18 PM
> To: JMeter Users List <[email protected]>
> Subject: RE: Authenticating To A .NET Web Application
>
> Eric,
>
> If you add a "View Results Tree" listener ( 
> https://jmeter.apache.org/usermanual/component_reference.html#View_Res
> ults_Tree) you should be able to get more insight into what is being 
> sent by jMeter and what is being received.
>
> Thanks
>
> Martin
>
> -----Original Message-----
> From: Eric Rubin [mailto:[email protected]]
> Sent: Tuesday, December 10, 2019 11:26 AM
> To: JMeter Users List <[email protected]>
> Subject: RE: Authenticating To A .NET Web Application
>
> Hi Martin,
>
> Thanks for reaching out.
>
> As it relates to the documentation provided in the links you sent, I 
> used JMeter as a proxy to record the test plan process. Unfortunately, 
> the test sill doesn't appear to authenticate the user during playback.
> I don't believe the form was even submitted, as we log both failed and 
> successful login attempts in our database. Further, I added an HTTP 
> request to a page behind the login, but the response message is unauthorized.
>
> I also compared the traffic generated by the recording and compared it 
> to the network output from Chrome's dev tools. There are numerous 
> requests, so it's a bit difficult to isolate the differences. One 
> thing that's obvious is that my recording contains a cookie manager 
> but is not supplying any name value pairs. The network traffic 
> reported by Chrome shows several, so I will add that into the recording to 
> see if that changes the result.
>
> Any other thoughts you may have to overcome this would be greatly 
> appreciated!
>
> Kind Regards
> Eric Rubin
> Senior Developer
> PANDORA Jewelry LLC
>
> T. +1 (410) 309-0200 | F. +1 (410) 309-0250 | M. 410-309-0200 | mailto:
> [email protected]
>
> Make Your Own Wish List
> on PANDORA.net
> -----Original Message-----
> From: Herbener, Martin - Division of School Technology Planning and 
> Project Management <[email protected]>
> Sent: Monday, December 9, 2019 1:04 PM
> To: JMeter Users List <[email protected]>
> Subject: RE: Authenticating To A .NET Web Application
>
> Hi,
>
> This is absolutely possible.
>
> I would start with
> https://cwiki.apache.org/confluence/display/JMETER/DifferentBehaviour
> and
> https://cwiki.apache.org/confluence/display/JMETER/JMeterFAQ#JMeterFAQ
> -HowdoIparameterizemyJMetertestcases,
> and see if you can get to a more specific problem/question.
>
> Good luck!
>
> Martin
>
> -----Original Message-----
> From: Eric Rubin [mailto:[email protected]]
> Sent: Monday, December 9, 2019 10:52 AM
> To: [email protected]
> Subject: Authenticating To A .NET Web Application
>
> I want to stress test some areas of an application that sit behind a 
> log in page. Is there a way to do this using JMeter?
>
> When a user enters their credentials and submits the form to 
> authenticate, the data is sent to the server using a strongly typed 
> object. In an attempt to replicate, I recorded the login process using 
> the BlazeMeter extension for Chrome. After recording it, I converted 
> the .har file to a .jmx, imported it into JMeter, and then ran my 
> test. Unfortunately, authentication is still not taking place.
>
> Is there another approach? Any suggestions would be greatly appreciated.
> Kind Regards
> Eric Rubin
> Senior Developer
> [http://logo.pandora.net/HQ_logo_email_signature.jpg]
> Pandora Jewelry LLC | 250 W. Pratt Street | Baltimore, MD 21201 T. +1
> (410) 309-0200 | F. +1 (410) 309-0250 | M. 410-309-0200 | 
> [email protected]<mailto:[email protected]>
> Make Your Own Wish List on
> PANDORA.net<http://www.pandora.net/us/>
> [
> http://pandorajewelrymarketing.blob.core.windows.net/logos/FB-fLogo-on
> line_2017.jpg ]<https://www.facebook.com/pandorajewelry>[
> http://pandorajewelrymarketing.blob.core.windows.net/logos/twitter-bir
> d-blue-on-white_2017.jpg
> ]<https://twitter.com/pandora_NA>[
> http://pandorajewelrymarketing.blob.core.windows.net/logos/google_yout
> ube_2017.jpg ]<https://www.youtube.com/user/TheOfficialPandora>[
> http://pandorajewelrymarketing.blob.core.windows.net/logos/instagram_2
> 017.jpg ]<http://instagram.com/theofficialpandora>[
> http://pandorajewelrymarketing.blob.core.windows.net/logos/pinterest_b
> adge_red_2017.jpg ]<https://www.pinterest.com/officialpandora/> [ 
> http://media.greatrated.com.s3.amazonaws.com/reviews.greatplacetowork.
> com/badges/1234569353-PANDORA-Jewelry-(United-States)-box.png]
> <http://reviews.greatplacetowork.com/pandora-jewelry-united-states>
> whitespace
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
B KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB  [  
X  ܚX KK[XZ[  \ \ ][  X  ܚX P Y]\  \X K ܙ B  ܈Y][ۘ[  [X[  K[XZ[ 
 \ \ Z[ Y]\  \X K ܙ B B 
KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB  [  X  
ܚX KK[XZ[
 \ \ ][  X  ܚX P Y]\  \X K ܙ B  ܈Y][ۘ[  [X[  K[XZ[
 \ \ Z[ Y]\  \X K ܙ B
  • ... Eric Rubin
    • ... Herbener, Martin - Division of School Technology Planning and Project Management
      • ... Eric Rubin
        • ... Herbener, Martin - Division of School Technology Planning and Project Management
          • ... Eric Rubin
            • ... Mariusz W
              • ... Eric Rubin
                • ... Herbener, Martin - Division of School Technology Planning and Project Management
                • ... Eric Rubin
    • ... [email protected]

Reply via email to