How to use Jmeter to test websites behind RSA SecurID tokens, by requesting the token at the start of a test suite.

scribbles - needs tidying

Jmeter is a very useful performance/load testing tool, written in Java, that is usually used to put significant load onto a website you want to test. Essentially it's a scriptable DDoS tool for testing your own servers. It can coordinate a set of bots to push many requests at a target server and analyse the responses. It can also handle various protocols other than HTTP, do some fairly simple content testing (you'll really want Selenium or similar for that), and produce various graphs and logs of how things are doing.

However, all this does rely on being able to get past whatever security mechanism the servers are using to protect their innards. As far as I'm concerned, this is about websites with login pages, but the general approach should work for other types of services that Jmeter can test.

The easy way to test your server is to disable the login requirement, or simplify it so that for test purposes you only require an insecure login of some kind that you can configure in the Jmeter scripts you're creating. However, that isn't always possible, and if you also want to include the auth process as part of your testing, you want to poke at the server in its real state, not some semi-crippled state just for testing.

If your auth process uses RSA SecurID, things get even worse, because there is no scope for making a test user:password pair you can put in the Jmeter scripts - that "password" changes every minute. Also, RSA (understandably) don't make it easy to use a soft token with an API that would let the token values be retrieved programmatically.

So, how do we run an automated test suite when we require a token whose value changes every minute? The common solution is to ask a user who has a token to type in the value at the start of the test run, do the auth process, store the resulting RSA cookie, and hand that auth cookie over with every request, just as a normal web browser would.

In Jmeter-land, we can use a custom snippet of BeanShell to pop up a little dialog box at the beginning of a test run asking the user to enter a user id and RSA token value. Use those two values to craft a login request, check the response is good, store the resulting cookie in the HTTP Cookie Manager, then get on with the rest of the test run.

And that looks something like this:

The core idea is the "GetSecurID Token" part, whose contents are displayed in the main pane. That captures the value the user enters in the popup in a Jmeter variable named login_code. That value can then be used to make a request to the login HTTP URL.
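For anyone who wants to build that element without the screenshot, here is an added example of what the body of such a BeanShell Sampler can look like. It is not the post's own "GetSecurID Token" snippet; it uses JMeter's standard BeanShell bindings (vars, log, IsSuccess, ResponseMessage) and a Swing dialog, and the login_user variable name is my assumption (only login_code comes from the post).

```java
// Body of a JMeter BeanShell Sampler (BeanShell accepts plain Java syntax).
// Added example, not the post's own code. Prompts once for a user id and the
// current SecurID tokencode and stores both in JMeter variables.
import java.awt.GraphicsEnvironment;
import java.awt.GridLayout;
import javax.swing.JLabel;
import javax.swing.JOptionPane;
import javax.swing.JPanel;
import javax.swing.JPasswordField;
import javax.swing.JTextField;

String user = "";
String code = "";

if (GraphicsEnvironment.isHeadless()) {
    // Non-GUI runs (jmeter -n) have nobody to answer a dialog: fail fast
    // instead of hanging the test plan on a prompt that never appears.
    IsSuccess = false;
    ResponseMessage = "SecurID prompt needs a display; run this plan from the GUI";
} else {
    JTextField userField = new JTextField(20);
    // A password field so the one-time tokencode is masked on screen.
    JPasswordField codeField = new JPasswordField(20);

    JPanel panel = new JPanel(new GridLayout(2, 2));
    panel.add(new JLabel("User id:"));
    panel.add(userField);
    panel.add(new JLabel("SecurID tokencode:"));
    panel.add(codeField);

    int choice = JOptionPane.showConfirmDialog(null, panel, "RSA SecurID login",
            JOptionPane.OK_CANCEL_OPTION, JOptionPane.PLAIN_MESSAGE);

    if (choice == JOptionPane.OK_OPTION) {
        user = userField.getText().trim();
        // Drop any spaces the user typed between digit groups.
        code = new String(codeField.getPassword()).replaceAll("\\s+", "");
    }

    if (code.length() == 0) {
        // Cancelled or left empty: mark the sampler failed so the assertion
        // underneath it can bail out of the run.
        IsSuccess = false;
        ResponseMessage = "No SecurID tokencode entered";
    } else {
        // Log who we are logging in as, but never the tokencode itself.
        log.info("SecurID tokencode captured for user " + user);
    }
}

// Hand the values to the rest of the test plan as ${login_user} / ${login_code}.
// login_user is an assumed name; login_code is the one the post uses.
vars.put("login_user", user);
vars.put("login_code", code);
```

Two things to keep in mind when wiring this in. Put the sampler under a Once Only Controller (or give it its own single-thread group) so one human is asked once per run, not once per load thread. And JMeter variables are per thread: if the prompt lives in a setUp Thread Group and the load runs in another group, store the values with props.put(...) and read them back with ${__P(login_code)} instead, otherwise the load threads will see an empty login_code.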

The assertion element is just there to check that the user typed something. If they didn't, you could either be nice about it or (as I did) just bail out; after all, this is a test tool for your own use, and if you use it wrong, that's your own problem.
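The "bail out" version of that check, as an added example rather than the post's own assertion: the body of a BeanShell Assertion hung off the prompt sampler, using JMeter's standard Failure, FailureMessage and SampleResult bindings. The digits-only check is an assumption about the deployment (some setups expect PIN+tokencode as one passcode), so drop it if yours differs.

```java
// Body of a JMeter BeanShell Assertion attached to the prompt sampler.
// Added example, not the post's own code. Fails the sample and stops the
// whole test when login_code is empty, instead of letting every thread go
// on to hit the login page with no tokencode and no session.
String code = vars.get("login_code");

if (code == null || code.trim().length() == 0) {
    Failure = true;
    FailureMessage = "No SecurID tokencode entered: stopping the test run";
    // Stop the test once this sample has been processed (checked by JMeter
    // after assertions run), rather than continuing without a session.
    SampleResult.setStopTest(true);
} else if (!code.matches("[0-9]+")) {
    // Assumption: the login form expects the numeric tokencode alone.
    Failure = true;
    FailureMessage = "SecurID tokencode should be digits only";
    SampleResult.setStopTest(true);
} else {
    Failure = false;
}
```

The "check the response is good" step on the actual login request doesn't need code: an ordinary Response Assertion on that HTTP Request (for example, checking the response for whatever the post-login page shows) is enough, and setting the thread group's action on sampler error to stop the test gives the same bail-out behaviour if the login itself fails.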

The "HTTP Cookie Manager" should automatically capture the response cookie and use it for any subsequent requests that fall under the domain of that auth cookie.


© Me. Best viewed with a sense of humour and a beer in hand.