HTTP Authorization Manager

HTTP Authorization Manager

Sometimes you will need to load test URLs that are restricted from public access. The types and resources can vary from corporate libraries and knowledge bases to targeted forums or others. All tend to have limited or restricted access. When you try to access such URLs, a browser generates a pop-up window and asks for username and password to authenticate. You should handle this in your JMeter script to get access to the web resources. This is where the HTTP Authorization Manager comes into the picture. Before we begin, let’s understand basic authentication.

Basic Authentication

Basic Authentication is a method for an HTTP user agent to provide username and password when making a request. HTTP Basic authentication is the simplest technique for enforcing access controls to a web resource because it does not require cookies, session identifiers, or login pages. Rather, HTTP Basic authentication uses standard fields in the HTTP header, removing the need for handshakes.

For instance, if you want to download a file from an FTP Server, you would encounter a pop-up window asking for username and password as shown below.

Popup asking for authentication

The browser generates this pop-up window when a server requires username and password to authenticate.

Here are the steps to handle basic authentication using an HTTP Authorization Manager.

HTTP Authorization Manager

The Authorization Manager lets you specify one or more user logins for web pages that are restricted using server authentication. You see this type of authentication when you use your browser to access a restricted page, and your browser displays a login dialog box. HTTP Authorization Manager provides the ability to add a relevant “Authorization” HTTP header to subsequent HTTP requests.

Let’s use httpbin.org as an example application to demonstrate the use of JMeter’s HTTP Authorization Manager. HTTPBin provides sample endpoints to call with configurable parameters.

If you navigate to the endpoint https://httpbin.org/basic-auth/user/passwd in your browser, it should prompt you to enter a username and password

Typical sign in window in a browser
The default username is “user” and the default password is “passwd”. The server should respond with the following json:

{
"authenticated": true,
"user": "user"
}

If you don’t provide any credentials or if you provide wrong credentials, the server rejects the access to protected resource and responds with an HTTP Status code of 401

Access rejected

When you provide correct credentials, the server responds with an HTTP Status code of 200, and you can see the browser sending the “Authorization: Basic dXNlcjpwYXNzd2Q=” HTTP header in the request.
Authorization accepted

Let’s see how we can handle this using JMeter’s HTTP Authorization Manager.

Use the following Configuration in HTTP Authorization Manager to authenticate on httpbin.org and place this at the top element in the thread group:

  • Base URL: https://httpbin.org/basic-auth/user/passwd.
  • User: user.
  • Password: passwd.
  • Mechanism: BASIC_DIGEST.

HTTP Authorization Manager

Add a HTTP request right below the authorization manager with the following configuration:

  • Protocol: https.
  • Server name: httpbin.org.
  • Method: GET.
  • Path: /basic-auth/user/passwd.

HTTP Request

If you disable Authorization manager and run the test, the server responds with HTTP Status code 401. This is because authorization is not configured in the JMeter test plan.
Results if HTTP Authorization Manager disabledIf you enable it and run it, you will get HTTP Status code 200 as shown below.
Positive results if HTTP Authorization Manager enabled

This is because HTTP Authorization Manager adds “Authorization” HTTP header to subsequent HTTP requests.
HTTP Authorization Manager adds “Authorization” HTTP header to subsequent HTTP requests

You can download the sample test plan from the link here.

RedLine13 Enhances JMeter Load Testing

JMeter is an excellent open source load-testing tool used by thousands of developers. If you are one of them, you may want to load test. JMeter can be used for load testing. With RedLine13, you can easily run a JMeter Load Test with your JMX script of any mobile application, web application, or API.

To learn about executing a JMeter test with Redline13 follow this link.