Test Rest APIs with Authentication Using JMeter

REST APIs are increasingly popular these days and are frequently used in microservices. In this guide, we test REST APIs with authentication using JMeter. We will see that HTTP headers play a crucial role in access authentication.

Introduction

Imagine you want to measure a REST API request with JMeter: you configure the request in JSON format and click the run button. You will most likely receive a “401 Unauthorized” error from the server, because almost every REST API requires some authorization process. To authenticate, we first have to send a login request with the right credentials. The response gives us a token, which we pass in the subsequent request.

Adding an HTTP Request to the Thread Group

Before starting the configuration, add the View Results Tree listener. This will help us see which token we should extract.

Configure the HTTP Request sampler to send a REST API request. We enter the request in “JSON” format in the “Body Data” section. Our example gets the active SIM number from the web service.

Once we run the script, we see that the server rejects the request with a “401 Unauthorized” error. This is because our REST API requires authorization. Most REST APIs require authorization for security reasons.

Authorization Token

We understand from this error message that we first have to log in to the system successfully. The system will give us the authorization token, which we need to extract and pass into the next request. So we add one more “HTTP Request” sampler and configure it with the credential info in “JSON” format.

We will then pass our token via the HTTP Header Manager, and we add this sampler to the Thread Group.

Using the REST API, we will be posting data as a JSON object, so we need to set a Content-Type header. To do this, right-click the Test Plan, add Config Element → HTTP Header Manager, and add “Content-Type” with the value “application/json”.

If we run the script like this, we can see below that our required token is in the “Response Headers” section. Let’s see how we extract this variable.

Add a Regular Expression Extractor to the Authenticate Request and configure it as below. The critical part is selecting the “Response Headers” radio button in the “Field to check” section. We select it because our required token resides there, as we saw above.

After successfully extracting the token, the last step is to add this variable into the HTTP Header Manager.

All of the configuration is done!  Thanks to the HTTP Header Manager, we can deliver our authentication token with our request.  We run our script and verify we get the “success” message.  We’ve tested REST APIs with authentication.
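The extraction step can be tried outside JMeter. The following Python sketch is an added example, not part of the original guide: it mimics a Regular Expression Extractor applied to the response headers and then builds the headers for the next request. The `Authorization: Bearer` header format, the variable name `token`, the default value and the sample token are all assumptions made for illustration.

```python
import re

# Constructed sample: response headers of the login request, as the
# View Results Tree would list them. Header name and token are assumptions.
LOGIN_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Authorization: Bearer eyJhbGciOi.constructed.token\r\n"
    "Content-Length: 27\r\n"
)

DEFAULT = "TOKEN_NOT_FOUND"  # plays the role of the extractor's Default Value


def extract_token(response_headers, header="Authorization", default=DEFAULT):
    """Mimic the extractor with 'Response Headers' selected: one capture
    group, first match, fall back to the default when nothing matches."""
    pattern = re.compile(
        r"^" + re.escape(header) + r":[ \t]*Bearer[ \t]+(\S+)[ \t]*$",
        re.IGNORECASE | re.MULTILINE,
    )
    match = pattern.search(response_headers.replace("\r\n", "\n"))
    return match.group(1) if match else default


def build_headers(variables):
    """Resolve the Header Manager entries for the next request. Fail loudly
    when extraction did not work instead of provoking a confusing 401."""
    token = variables.get("token", DEFAULT)
    if token == DEFAULT:
        raise ValueError("login returned no token; check the login sampler")
    return {
        "Content-Type": "application/json",
        "Authorization": "Bearer " + token,
    }


def mask(token, keep=4):
    """Shorten a token for log output so the full credential is not logged."""
    return token[:keep] + "..." if len(token) > keep else "***"


if __name__ == "__main__":
    jmeter_vars = {"token": extract_token(LOGIN_RESPONSE_HEADERS)}
    headers = build_headers(jmeter_vars)
    print("extracted:", mask(jmeter_vars["token"]))
    print("next request sends:", sorted(headers))
```

Setting a recognizable default value in the extractor makes a failed login easy to spot in the results, because the placeholder shows up in the request headers of the failing sampler.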

Load Testing on the Cloud

After checking that your script works well, you can run it, as you would any JMeter script, on AWS (Amazon Web Services) to perform a load test. Apache JMeter is one of the most popular tools for load testing, and scaling out your JMeter test plan on the cloud in RedLine13 is easy. This guide and video walk you through running your first JMeter test.

That’s it.