How to run pa11y tests on urls that need two-factor authentication? - two-factor-authentication

Is there any way you can run pa11y on a URL that has two-factor authentication? In general, what is the approach to running tests for pages that have two-factor authentication?
#pa11y #two-factor-authentication
I'm looking for a way to automatically run 508 tests on pages that have two-factor authentication in the Azure pipeline for every build.

Related

Is there a way to enable two-factor authorization when you try to access Apache Tomcat running on an Azure VM? [duplicate]

I have implemented a simple Java web application with Tomcat realm authentication (custom FORM authentication). Now I'm trying to add a second authentication page for the user (two-factor authentication; I'm using Google Authenticator). As far as I can tell from the Tomcat documentation, we can specify only one login-config.
I tried adding a filter, and I also tried managing manually, with the session and tokens, whether the user has finished the two-factor authentication.
Is there a way to add the second authentication in the web.xml or the server.xml, so that Tomcat handles whether the user has finished both authentication steps?
Thanks in advance.
Tomcat only starts one login process. That process may decide to ask the user for more than one credential, but Tomcat is not aware of it.
So you should create a filter and/or login servlet that handles authentication for the Tomcat container. That filter/servlet (combination) must prompt for all desired credentials.
If you do not use a framework for your application that already has an authentication layer, you are essentially writing your own 2FA implementation.
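The filter/servlet combination the answer describes, as an added example (not code from the question, the answer or Tomcat): a Filter that sends any container-authenticated user who has not yet passed the second factor to /mfa, and a servlet that checks a Google Authenticator (TOTP) code. It assumes the javax.servlet API (Tomcat 9; on Tomcat 10 and later the package is jakarta.servlet), and totpSecretFor() is a hypothetical stand-in for your own user store; the base32 secret inside it is a placeholder.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.security.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

/** Second factor layered on top of Tomcat's own FORM <login-config>. */
public final class TwoFactorAuth {
    static final String MFA_OK = "mfa.verified";     // session flag: TOTP accepted
    static final String MFA_FAILS = "mfa.failures";  // session counter: wrong codes
    static final int MAX_FAILS = 5;
    /** Hypothetical lookup of the user's enrolled base32 TOTP secret; replace with your user store. */
    static byte[] totpSecretFor(String user) {
        return base32Decode("JBSWY3DPEHPK3PXP");   // placeholder, not a real secret
    }
    /** Tomcat has completed the first factor when getUserPrincipal() is non-null; without MFA_OK go to /mfa. */
    @WebFilter("/*")
    public static class Gate implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest r = (HttpServletRequest) req;
            HttpSession s = r.getSession(false);
            boolean firstFactorDone = r.getUserPrincipal() != null;
            boolean secondFactorDone = s != null && Boolean.TRUE.equals(s.getAttribute(MFA_OK));
            if (!firstFactorDone || secondFactorDone || r.getServletPath().startsWith("/mfa")) {
                chain.doFilter(req, res);   // not logged in yet (Tomcat prompts), or fully verified
            } else {
                ((HttpServletResponse) res).sendRedirect(r.getContextPath() + "/mfa");
            }
        }
    }
    /** Prompts for the one-time code and verifies it. */
    @WebServlet("/mfa")
    public static class MfaServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest r, HttpServletResponse w) throws IOException {
            w.setContentType("text/html;charset=UTF-8");
            w.getWriter().print("<form method=post>Code: <input name=code autocomplete=one-time-code><button>Verify</button></form>");
        }
        @Override
        protected void doPost(HttpServletRequest r, HttpServletResponse w) throws IOException {
            HttpSession s = r.getSession();
            String code = r.getParameter("code");
            if (code != null && code.matches("\\d{6}")
                    && verifyTotp(totpSecretFor(r.getRemoteUser()), code, System.currentTimeMillis() / 1000)) {
                s.removeAttribute(MFA_FAILS);
                s.setAttribute(MFA_OK, Boolean.TRUE);
                w.sendRedirect(r.getContextPath() + "/");
                return;
            }
            Integer fails = (Integer) s.getAttribute(MFA_FAILS);
            fails = fails == null ? 1 : fails + 1;
            if (fails >= MAX_FAILS) {       // a 6-digit code must not be brute-forceable
                s.invalidate();             // drops the first factor too: log in again
                w.sendError(HttpServletResponse.SC_FORBIDDEN, "Too many invalid codes");
                return;
            }
            s.setAttribute(MFA_FAILS, fails);
            w.sendRedirect(r.getContextPath() + "/mfa?error=1");
        }
    }
    /** RFC 6238 TOTP: HMAC-SHA1, 30 s step, 6 digits, one step of drift either way, constant-time compare. */
    static boolean verifyTotp(byte[] secret, String code, long unixSeconds) {
        long step = unixSeconds / 30;
        boolean ok = false;
        for (long t = step - 1; t <= step + 1; t++)   // always evaluates all windows
            ok |= MessageDigest.isEqual(hotp(secret, t).getBytes(), code.getBytes());
        return ok;
    }
    /** RFC 4226 HOTP value for one counter. */
    static String hotp(byte[] secret, long counter) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(secret, "HmacSHA1"));
            byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
            int off = h[h.length - 1] & 0x0f;
            int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                    | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
            return String.format("%06d", bin % 1_000_000);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    /** Base32 (RFC 4648) decoder for authenticator-app secrets. */
    static byte[] base32Decode(String s) {
        String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int buf = 0, bits = 0;
        for (char c : s.toUpperCase().replace("=", "").replace(" ", "").toCharArray()) {
            int v = alphabet.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("invalid base32 secret");
            buf = (buf << 5) | v; bits += 5;
            if (bits >= 8) { out.write(buf >> (bits - 8)); bits -= 8; buf &= (1 << bits) - 1; }
        }
        return out.toByteArray();
    }
}
```

Tomcat's FORM authenticator still runs first and replays the originally requested URL; the filter intercepts that replay, and after a correct code the servlet redirects to the context root rather than to that URL, so keep the target in the session if you want it back. A 6-digit TOTP is a small search space, so the failure counter and the session invalidation matter as much as the HMAC does; in production also record the last accepted time step per user so a captured code cannot be replayed within the same 30-second window.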

How to load test a login that uses Sitefinity - Azure AD B2C authentication (OAuth2) with JMeter

There are multiple requests being passed when signing in to the application, since it uses Sitefinity - Azure AD B2C authentication, and there are some values being passed in each request such as nonce, state properties, id token etc. The workflow is quite complicated when having a peek into the values/tokens being passed across the requests of the login. Though I have created/tried with all the values that I get from the responses of previous requests, the login is still not happening. Also, I went through some documents on B2C authentication with Sitefinity and its architecture, and I got to know that the token generated by Sitefinity is an internal process and the response of that token cannot be fetched from a previous response/client side.
Workarounds that I tried:
Integrated Selenium into JMeter, automated the login scenarios and stored the cookie generated. Then used this cookie and token in the following internal requests - this approach worked fine.
Hardcoded a live cookie in the Cookie Manager and sent the internal requests - this also worked fine.
I am wondering if there are any other possibilities for logging in, because the above two methods are not reliable in the long run. Does anyone have an idea about generating the token ID locally and passing that to JMeter? For example, creating a .exe file which generates the Sitefinity token. With this we would be able to execute the .exe file in the OS Process Sampler in JMeter and fetch the token from its response.
Or
Any other approach?
I assume you are using the OpenIdConnect authentication provider that is built into Sitefinity?
So, basically, when a user clicks on the Login button, he is redirected to:
/login/LoginExternalProvider/OpenIdConnect/
Here Sitefinity replies with a redirect to:
/Sitefinity/Authenticate/OpenID/connect/authorize?client_id=sitefinity&....
which in turn redirects to
/Sitefinity/Authenticate/OpenID/login?signin=....
and this finally redirects to the external authentication provider.
(yeah, it is a complex workflow).
So, if you try to load test only the first request (/login/LoginExternalProvider/OpenIdConnect/), wouldn't it then follow the redirect responses automatically (sorry, not familiar with JMeter)?
Those responses contain the correct cookies that Sitefinity has created, etc.
As per the Sitefinity documentation:
Sitefinity CMS uses claims authentication, implemented on top of IdentityServer3, certified by OpenID Foundation. It allows implementing single sign-on and access control for modern web applications and APIs. It uses OAuth2 and OpenID Connect protocols.
Standardized authentication, based on OpenID Connect with JWT, certified IdentityServer3.
Given that you're capable of logging in using your browser, you can replicate the same requests using JMeter's HTTP Request samplers; it's just a matter of correlation - the process of extracting the dynamic data from the responses and using it in the next requests.
You can refer to the OpenID Connect - How to Load Test with JMeter article for an example JMeter script implementation.
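What "correlation" amounts to for the redirect chain the first answer lists, shown as plain Java rather than as a JMeter test plan (an added example, not from either answer or from Sitefinity): carry Set-Cookie values forward, read signin/state/nonce out of the Location query strings, lift the hidden inputs out of the login form, and build the next POST body. Every cookie name, parameter value and piece of form markup, and every path other than the ones quoted in the answer above, is constructed for the example.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

/** The moving parts of OIDC login correlation, done by hand instead of by JMeter's
 *  Cookie Manager and Regular Expression / CSS Selector Extractors. */
public final class OidcCorrelation {
    /** Cookies from Set-Cookie headers seen so far, replayed on every later request. */
    final Map<String, String> cookieJar = new LinkedHashMap<>();

    void rememberCookies(List<String> setCookieHeaders) {
        for (String header : setCookieHeaders) {
            String nameValue = header.split(";", 2)[0];   // drop Path/HttpOnly/Secure attributes
            int eq = nameValue.indexOf('=');
            if (eq > 0) cookieJar.put(nameValue.substring(0, eq).trim(), nameValue.substring(eq + 1).trim());
        }
    }

    String cookieHeader() {
        StringJoiner j = new StringJoiner("; ");
        cookieJar.forEach((k, v) -> j.add(k + "=" + v));
        return j.toString();
    }

    /** Query parameters of a redirect Location (state, nonce, client_id, signin, ...). */
    static Map<String, String> queryParams(String location) {
        Map<String, String> out = new LinkedHashMap<>();
        String query = URI.create(location).getRawQuery();
        if (query == null) return out;
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            out.put(URLDecoder.decode(kv[0], StandardCharsets.UTF_8),
                    kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
        }
        return out;
    }

    private static final Pattern INPUT = Pattern.compile("<input\\b[^>]*>", Pattern.CASE_INSENSITIVE);
    private static final Pattern ATTR = Pattern.compile("(\\w+)\\s*=\\s*[\"']([^\"']*)[\"']");

    /** Hidden inputs of a login form, whatever order their attributes appear in. */
    static Map<String, String> hiddenFields(String html) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher input = INPUT.matcher(html);
        while (input.find()) {
            Map<String, String> attrs = new HashMap<>();
            Matcher attr = ATTR.matcher(input.group());
            while (attr.find()) attrs.put(attr.group(1).toLowerCase(), attr.group(2));
            if ("hidden".equalsIgnoreCase(attrs.get("type")) && attrs.containsKey("name"))
                out.put(attrs.get("name"), attrs.getOrDefault("value", ""));
        }
        return out;
    }

    /** application/x-www-form-urlencoded body for the next POST. */
    static String formBody(Map<String, String> fields) {
        StringJoiner j = new StringJoiner("&");
        fields.forEach((k, v) -> j.add(URLEncoder.encode(k, StandardCharsets.UTF_8) + "="
                + URLEncoder.encode(v, StandardCharsets.UTF_8)));
        return j.toString();
    }

    public static void main(String[] args) {
        OidcCorrelation c = new OidcCorrelation();
        // Constructed stand-ins for the redirect responses; every value below is made up.
        c.rememberCookies(List.of("sf-auth-flow=9a2c4e; Path=/; HttpOnly; Secure"));
        Map<String, String> authorize = queryParams("/Sitefinity/Authenticate/OpenID/connect/authorize"
                + "?client_id=sitefinity&response_type=id_token&state=Zk1Qx&nonce=n7Vp2");
        String signin = queryParams("/Sitefinity/Authenticate/OpenID/login?signin=4f7d1b").get("signin");
        String loginPage = "<form method=\"post\" action=\"/Sitefinity/Authenticate/OpenID/login\">"
                + "<input name=\"__RequestVerificationToken\" type=\"hidden\" value=\"CfDJ8example\">"
                + "<input type='hidden' name='signin' value='4f7d1b'>"
                + "<input name=\"username\"><input type=\"password\" name=\"password\"></form>";
        Map<String, String> post = new LinkedHashMap<>(hiddenFields(loginPage));
        post.put("username", "loadtest-user");
        post.put("password", "${__P(password)}");   // JMeter property: never hardcode credentials
        System.out.println("Cookie: " + c.cookieHeader());
        System.out.println("signin from Location: " + signin);
        System.out.println("POST body: " + formBody(post));
        // Keep state and nonce: the callback must return the same state, and the id_token
        // must carry the same nonce, or the "login" is not a real success.
        System.out.println("expect state=" + authorize.get("state") + ", nonce=" + authorize.get("nonce"));
    }
}
```

In JMeter the same three steps are the HTTP Cookie Manager, a Regular Expression Extractor applied to the response headers for the Location value, and a CSS Selector Extractor on the response body for the hidden fields; the check that state and nonce come back unchanged belongs in an assertion on the callback request, which is what tells a real login apart from a 200 on an error page.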

Basic Auth for Katalon

I’m writing automated tests for a web app on a server with basic authentication enabled.
I've tried passing the username and password in the URL and also using the web authentication function. I haven't had any luck either way. Has anyone else attempted automating basic auth? For now, I'm logging in manually at the beginning of the test.
Try using the WebUI.authenticate() method:
WebUI.authenticate('http://the-internet.herokuapp.com/basic_auth', 'admin', 'admin', 12)

Oauth Jmeter Load testing

I am performing JMeter load testing. Our application uses OAuth authentication. How can I log in using JMeter so that we can perform load testing on our application?
Right now we are not able to set parameters in the "HTTP Authorization Manager" for login.
You won't be able to use the HTTP Authorization Manager; you need to pass the Bearer token via the HTTP Header Manager.
With regard to the token value, there are several ways of getting it; they depend on the OAuth version and your application configuration, so you need to contact your application developers to learn how you can obtain the token.
You can also check out the How to Run Performance Tests on OAuth Secured Apps with JMeter article, where several workarounds are listed and explained.

Automated load tests on a WIF-enabled application

We need to do some performance and load testing on an application that uses Windows Identity Foundation (WIF) for authentication. Since the tests will need to measure the performance of secured pages, what is the best way to "impersonate" a logged in user?
Should we simply copy and paste an authentication cookie into the request? Is there a recommended approach to doing this?
We will probably use something like JMeter to do the load testing.
Update: It looks like you can record tests in JMeter, so that can be used to capture the sign-in request.
http://girliemangalo.wordpress.com/2009/03/18/jmeter-101-using-http-proxy-to-record-your-test/
Copying cookies will probably not take you anywhere, as WIF authentication cookies expire, just like Forms cookies do.
I do not know JMeter, but maybe it can be automated so that legitimate authentication, with the required redirects to and from the STS, takes place? We automate our WIF-powered web apps using one of the UI-automation-based technologies and there are no issues.
