
How to Load Test WSDL Authentication With JMeter


In this post, we'll go over how to use this great open source tool to make sure that authentication is working as it should, and your app is secure.

· Security Zone

The Web Services Description Language (WSDL) is an XML-based format for describing the functionality of a web service. A WSDL web service is a web service that works according to rules described in a WSDL file.

Web services provide public information like the weather, converting and validating information, and so on. In these cases, this information is available for anonymous users. However, information provided by a web service can also include private or personal information. In these cases, information should be secured and provided only to authorized users. We already have an awesome blog post on how to work with Secured Web Services. I strongly recommend reading it.

In this blog post, we will concentrate on load testing WSDL web services' authentication methods with Apache JMeter™. The most popular approaches for user authentication are HTTP basic authentication and SoapHeader authentication, and we will test them both.

HTTP basic authentication is a common authentication method for HTTP requests, which requires the user to provide a username and password when making a request. You can read more about how to load test it, here.

The SoapHeader authentication works like this: the WSDL web service returns an access token if the correct login and password appear in the header of the request. This token is then valid for a certain amount of time and should be sent with the other requests to access protected information.

Let's say I have a WSDL web service that has these two levels of authentication: HTTP basic authentication and SoapHeader authentication. Let's create a script that will pass both levels of authentication.

This web service also has three methods:

1. The method 'HelloWorld' returns the string 'Hello World' and is protected with HTTP basic authentication.

2. The method 'Authentication' returns an access token if the header of a request contains a valid username and password. In addition to SoapHeader authentication, this method is also protected with basic authentication.

3. The method 'HelloUser' returns the string 'Hello ${username}' if the header of a request contains an active token. In addition to SoapHeader authentication, this method is also protected with basic authentication.

NOTE: The SOAP/XML-RPC Request sampler has been deprecated since JMeter version 3.0. We will use HTTP Request samplers to make calls to WSDL web services. An HTTP request must contain a "SOAPAction" header and a "Content-Type" header to be interpreted as a SOAP request. The "Content-Type" header has only two valid options: "application/xml" and "text/xml".

Let's create a script to show this in action.

1. Add a Thread Group to the Test plan.

Test plan -> Add -> Thread (Users) -> Thread Group

2. Add the HTTP Authorization Manager to the Thread Group. This element is needed to pass HTTP Basic Authentication.

Thread Group -> Add -> Config Element -> HTTP Authorization Manager

Add the following configuration:

  • Base URL: https://mydomain.com/WebServices/
  • Username: basicblazeuser_wrong
  • Password: basicblazepass_wrong

We are using an incorrect username and password for demonstration purposes.

The HTTP Authorization Manager makes sure that the Basic Authorization header built from these credentials is sent with all subsequent requests whose URL matches the Base URL.

3. Add an HTTP Request which calls the HelloWorld method.

Thread Group -> Add -> Sampler -> HTTP Request

Fill in the following values:

To fill this out yourself, you need to know the domain of your service (for the "Server Name or IP" field), the path of your method (for the "Path" field) and the structure of your request (for the "Body Data" field).

4. Add an HTTP Header Manager to the HelloWorld sampler. As I said above, it must contain the "SOAPAction" and "Content-Type" headers.

HelloWorld -> Add -> Config Element -> HTTP Header Manager

Add two rows:

  • Content-Type: text/xml; charset=utf-8
  • SOAPAction: "http://tempuri.org/HelloWorld"

To fill this out yourself, you need the values of both headers, Content-Type and SOAPAction. Both are defined by the web service developer.

5. Add a View Results Tree listener to the Thread Group.

Thread Group -> Add -> Listener -> View Results Tree

Of course, we need a listener to see the results of our tests.

6. Run the script!

As you can see, the request failed basic authentication because the username and password are incorrect. To pass basic authentication, we need to know the correct username and password. In my case, it is 'basicblazeuser' and 'basicblazepass'.

7. Update the username and password in the HTTP Authorization Manager.

Update the following values:

  • Username: basicblazeuser
  • Password: basicblazepass

8. Run the script and check the results again.

The request passed authentication and we can see the credentials in the Request Headers: Authorization: Basic YmFzaWNibGF6ZXVzZXI6YmFzaWNibGF6ZXBhc3M=. Note that this value is only the base64 encoding of basicblazeuser:basicblazepass, not encryption, which is why HTTP basic authentication is acceptable only over HTTPS.

The response from the WSDL service looks like this:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <HelloWorldResponse xmlns="http://tempuri.org/">
      <HelloWorldResult>Hello World</HelloWorldResult>
    </HelloWorldResponse>
  </soap:Body>
</soap:Envelope>

The response correctly contains the string 'Hello World.'

Another kind of authentication is SoapHeader authentication. SoapHeader is a custom way to protect your data. It could be implemented in different ways, but the essence of all implementations is the same. The client app should provide a username and password to get a token which will be used to access private data.

In my case, the username is 'soapblazeuser,' and the password is 'soapblazepass.'

9. Add another Thread Group to the Test plan.

Test plan -> Add -> Thread (Users) -> Thread Group

10. Copy the HTTP Authorization Manager from the first Thread Group and paste it into the new Thread Group.

11. To pass this kind of authorization, we need to send a username and password in the header of a SOAP request to the Authentication method.

Add an HTTP Request to call the Authentication method.

Thread Group -> Add -> Sampler -> HTTP Request

Fill in the following values:

  • Name: Authentication
  • Protocol: https
  • Server Name or IP: mydomain.com
  • Method: POST
  • Path: /WebServices/Authentication.asmx
  • Body Data:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AuthUser xmlns="http://tempuri.org/">
      <UserName>soapblazeuser_wrong</UserName>
      <Password>soapblazepass_wrong</Password>
    </AuthUser>
  </soap:Header>
  <soap:Body>
    <AuthenticationMethod xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

The fields UserName and Password contain 'soapblazeuser_wrong' and 'soapblazepass_wrong'. The username and password are incorrect on purpose, for demonstration purposes.

15. Add the HTTP Header Manager to the Authentication sampler.

Authentication -> Add -> Config Element -> HTTP Header Manager

Add two rows:

  • Content-Type: text/xml; charset=utf-8
  • SOAPAction: "http://tempuri.org/AuthenticationMethod"

16. Add an XPath Extractor to the Authentication sampler. This element is the most suitable for parsing XML structures. You can also use other extractors, like the 'Regular Expression Extractor.'

Set the following fields:

  • Reference name: token
  • XPath query: //AuthenticationMethodResponse/AuthenticationMethodResult
  • Default value: NotFound

To fill this out yourself, you need to know the structure of the response for the Authentication method. Based on this knowledge, you will be able to create your own 'XPath query.' Leave "Use Namespaces?" unchecked (the default) so that the query matches elements by local name even though the response declares a default xmlns.

If you need help working with XPath extractor, you can find out more in this blog post.

The value of the access token will be extracted from the response of the Authentication request and saved to the variable token.

17. Add an HTTP Request which calls the HelloUser method.

Thread Group -> Add -> Sampler -> HTTP Request

Fill in the following values:

  • Name: HelloUser
  • Protocol: https
  • Server Name or IP: mydomain.com
  • Method: POST
  • Path: /WebServices/Authentication.asmx
  • Body Data:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AuthToken xmlns="http://tempuri.org/">
      <AuthenticationToken>${token}</AuthenticationToken>
    </AuthToken>
  </soap:Header>
  <soap:Body>
    <HelloUser xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

The variable ${token} will contain the actual token, which will be generated by the web service via the Authentication method. But let's see what happens, in this case, using an incorrect username and password.

18. Add an HTTP Header Manager to the HelloUser sampler.

HelloUser -> Add -> Config Element -> HTTP Header Manager

Add two rows:

  • Content-Type: text/xml; charset=utf-8
  • SOAPAction: "http://tempuri.org/HelloUser"

19. Add a View Results Tree listener to the Thread Group.

Thread Group -> Add -> Listener -> View Results Tree

20. Let's run the script and check results.

The server returned a response but with the field HelloUserResult which contains the string 'Unauthorized.' This means the token is not correct since the username/password pair is incorrect.

21. Update the Body Data for the Authentication request to have the correct username and password.

Update the fields UserName and Password with the values 'soapblazeuser' and 'soapblazepass'.

22. Run the script and check results!

We got a response with the value 'Hello soapblazeuser' in the HelloUserResult field!
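The same two-step exchange as a stand-alone script, added here as an example rather than code from the post: it builds the Authorization header the HTTP Authorization Manager sends, the SOAP envelopes used in steps 11 and 17, and a token extractor equivalent to the XPath Extractor. The sample Authentication response and its token value are constructed for the example.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://tempuri.org/"  # service namespace used throughout the post

def basic_auth_header(username, password):
    # What the HTTP Authorization Manager adds: base64 of user:pass (not encryption).
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def soap_headers(action):
    # The two rows of each HTTP Header Manager (steps 4, 15 and 18).
    return {"Content-Type": "text/xml; charset=utf-8",
            "SOAPAction": f'"{SVC_NS}{action}"'}

def _envelope(header_xml, body_xml):
    return ('<?xml version="1.0" encoding="utf-8"?>'
            f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>{header_xml}'
            f'</soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>')

def authentication_envelope(username, password):
    # Body Data of the Authentication sampler; escape() stops "<x>" breaking the XML.
    header = (f'<AuthUser xmlns="{SVC_NS}"><UserName>{escape(username)}</UserName>'
              f'<Password>{escape(password)}</Password></AuthUser>')
    return _envelope(header, f'<AuthenticationMethod xmlns="{SVC_NS}" />')

def hello_user_envelope(token):
    # Body Data of the HelloUser sampler with ${token} already substituted.
    header = (f'<AuthToken xmlns="{SVC_NS}"><AuthenticationToken>'
              f'{escape(token)}</AuthenticationToken></AuthToken>')
    return _envelope(header, f'<HelloUser xmlns="{SVC_NS}" />')

def extract_token(response_xml, default="NotFound"):
    # Same effect as //AuthenticationMethodResponse/AuthenticationMethodResult
    # with "Use Namespaces?" unchecked: elements are matched by local name.
    local = lambda tag: tag.rsplit("}", 1)[-1]
    for resp in ET.fromstring(response_xml).iter():
        if local(resp.tag) == "AuthenticationMethodResponse":
            for child in resp:
                if local(child.tag) == "AuthenticationMethodResult" and child.text:
                    return child.text.strip()
    return default

# Constructed sample reply to the Authentication method; the token is made up.
SAMPLE_AUTH_RESPONSE = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
    f'<AuthenticationMethodResponse xmlns="{SVC_NS}"><AuthenticationMethodResult>'
    'tok-constructed-123</AuthenticationMethodResult></AuthenticationMethodResponse>'
    '</soap:Body></soap:Envelope>')
```

Feeding a wrong username into `authentication_envelope` produces no result element, so `extract_token` returns the same 'NotFound' default the JMeter extractor would, which is the failure the post shows in step 20.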

We passed two levels of authentication. Nice! Please let me know if you have any questions in the comments section below.

To learn more about JMeter, check out our free JMeter academy with basic and advanced courses.


Topics:
jmeter ,authentication testing ,authentication ,security testing ,security

Published at DZone with permission of George Maksimenko, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
