REST response for different valid user profiles

REST response for different valid user profiles

Dembla, Chandan
Hello,

In order to configure JMeter to use Kerberos/SPNEGO authentication, we have done the below configurations:

  1.  In the "jaas.conf" file present in the bin folder for Apache JMeter we added the details for keytab and principal.
  2.  Also, the other properties that we set were "keytab=true, storekey=true and isInitiator=false". In short, the jaas.conf in JMeter contains the same details as contained by our jaas.conf present on our server.
  3.  We have configured the "krb5.conf" as mentioned in the JMeter help guide. The krb5.conf contains the same details as the krb5.conf on our server.
  4.  In the "system.properties" we uncommented the properties "java.security.krb5.conf" and "java.security.auth.login.config". We modified these file paths to use the absolute location of jaas.conf and krb5.conf present in the bin folder of Apache JMeter.
  5.  In the "user.properties" file we uncommented the three properties "kerberos_jaas_application=JMeter, kerberos.spnego.strip_port=true and kerberos.spnego.delegate_cred=false".

When we send a REST request to our application using the appropriate settings in the HTTP authentication manager via JMeter, we observe in our application logs that the authentication header has the value null and we are getting the username as "tomcat". When we hit the REST URL through a browser, in our application logs we see that the authentication header starts with "Negotiate" and our correct username is picked.




Thanks/ Best Regards/ Mit freundlichen Grüßen,

Chandan Dembla
--
Knorr-Bremse Technology Center India Pvt. Ltd

Survey No. 276, Village Mann, Hinjawadi, Phase-II, Tal Mulshi,
Pune - 411057, Maharashtra, India
Phone: +91-20-39959028
Mobile: +91-9922111920
Fax: +91 20 3914 7099
mailto: [hidden email]
http://www.knorr-bremse.com


This transmission is intended solely for the addressee and contains confidential information.
If you are not the intended recipient, please immediately inform the sender and delete the message and any attachments from your system.
Furthermore, please do not copy the message or disclose the contents to anyone unless agreed otherwise. To the extent permitted by law we shall in no way be liable for any damages, whatever their nature, arising out of transmission failures, viruses, external influence, delays and the like.

RE: REST response for different valid user profiles

Dembla, Chandan
Hello,

Could anyone reply to my email?

-----Original Message-----
From: Dembla, Chandan <[hidden email]>
Sent: Tuesday, May 12, 2020 12:29 PM
To: JMeter Users List <[hidden email]>
Subject: REST response for different valid user profiles

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: REST response for different valid user profiles

Felix Schumacher

On 12.05.20 at 08:58, Dembla, Chandan wrote:
> Hello,
>
> In order to configure JMeter to use Kerberos/SPNEGO authentication, we have done the below configurations:
>
>   1.  In the "jaas.conf" file present in the bin folder for Apache JMeter we added the details for keytab and principal.
This is most probably wrong. Don't do it. (Or if you do it, use a keytab
for the client)
>   2.  Also, the other properties that we set were "keytab=true, storekey=true and isInitiator=false". In short, the jaas.conf in JMeter contains the same details as contained by our jaas.conf present on our server.
Don't. JMeter is a client, not a server.
>   3.  We have configured the "krb5.conf" as mentioned in the JMeter help guide. The krb5.conf contains the same details as the krb5.conf on our server.
>   4.  In the "system.properties" we uncommented the properties "java.security.krb5.conf" and "java.security.auth.login.config". We modified these file paths to use the absolute location of jaas.conf and krb5.conf present in the bin folder of Apache JMeter.
>   5.  In the "user.properties" file we uncommented the three properties "kerberos_jaas_application=JMeter, kerberos.spnego.strip_port=true and kerberos.spnego.delegate_cred=false".

Probably not needed but should do no harm.

The thing you really need to use is an Authentication Manager and use it
for the definition of your credentials. JMeter will use these
credentials to create (well, ask for) kerberos tickets, which it then
can use for the spnego part.

>
> When we send a REST request to our application using the appropriate settings in the HTTP authentication manager via JMeter, we observe in our application logs that the authentication header has the value null and we are getting the username as "tomcat". When we hit the REST URL through a browser, in our application logs we see that the authentication header starts with "Negotiate" and our correct username is picked.

Look at the headers from the first response. It has to include a
"WWW-Authenticate: Negotiate" header. The request's URL has to match a
base URL of your authentication manager. The domain has to match the
domain of your user and the mechanism has to be Kerberos.

You can enable debug information for Java kerberos stuff by setting the
java system property

-Dsun.security.krb5.debug=true

That should give quite a lot (probably too much) information about all
things the JVM does with respect to kerberos.

Felix

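As an added example (not code from the thread, from JMeter, or from Felix), the checklist in the reply above and the configuration steps in the first post can be turned into a small offline pre-flight script. It models in Python what the reply says JMeter needs before it will send a Negotiate header: the sampler URL must fall under an Authorization Manager base URL, the mechanism must be KERBEROS, the first response must carry "WWW-Authenticate: Negotiate", and the JAAS entry named by kerberos_jaas_application must be a client (initiator) entry rather than a copy of the server's acceptor entry (isInitiator=false, storeKey=true, the service keytab). The AuthEntry fields, the prefix match on the base URL, the sample responses and the two jaas.conf texts are assumptions constructed for the example; they mirror the JMeter GUI columns but are not JMeter's own classes.

```python
"""Offline pre-flight checks for a JMeter Kerberos/SPNEGO sampler (added example, not JMeter code).

AuthEntry and the base URL prefix match are assumptions modelled on the HTTP Authorization
Manager columns; the sample responses and JAAS texts at the bottom are constructed.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class AuthEntry:
    """One Authorization Manager row (assumed shape)."""
    base_url: str
    username: str
    domain: str       # the user's Kerberos realm, e.g. EXAMPLE.COM
    mechanism: str    # "KERBEROS" is the value that selects SPNEGO


def _normalize(url: str) -> str:
    """Fill in the default port and path so ':443' versus nothing cannot break prefix matching."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    if not p.hostname or port is None:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return f"{p.scheme}://{p.hostname.lower()}:{port}{p.path or '/'}"


def matches_base_url(entry: AuthEntry, request_url: str) -> bool:
    """Prefix match on the normalized URL (simplified model of JMeter's lookup)."""
    return _normalize(request_url).startswith(_normalize(entry.base_url))


def negotiate_challenge(raw_response: str) -> bool:
    """True when the first response is a 401 whose WWW-Authenticate header offers Negotiate."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, *header_lines = head.split("\n")
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != "401":
        return False
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            if value.strip().split(" ", 1)[0].lower() == "negotiate":
                return True
    return False


_OPT = re.compile(r'(\w+)\s*=\s*"?([^\s";]+)"?')   # key=value pairs inside a JAAS entry


def lint_jaas(jaas_text: str, app_name: str = "JMeter") -> List[str]:
    """Flag acceptor (server) settings in the entry named by kerberos_jaas_application."""
    m = re.search(rf"{re.escape(app_name)}\s*\{{(.*?)\}};", jaas_text, re.S)
    if not m:
        return [f"jaas.conf has no '{app_name}' entry"]
    opts = {k: v.lower() for k, v in _OPT.findall(m.group(1))}
    findings = []
    if opts.get("isInitiator") == "false":
        findings.append("isInitiator=false turns the entry into an acceptor; a client must initiate")
    if opts.get("storeKey") == "true":
        findings.append("storeKey=true keeps a long-term key in the Subject; only a service needs that")
    if "keyTab" in opts and "principal" in opts:
        findings.append("keyTab/principal pin one identity; if kept, it must be the test user's, not the service's")
    return findings


def diagnose(entry: AuthEntry, request_url: str, first_response: str, jaas_text: str) -> List[str]:
    """Collect every reason the sampler would go out without a Negotiate header."""
    problems = []
    if entry.mechanism.upper() != "KERBEROS":
        problems.append(f"mechanism is {entry.mechanism}; SPNEGO needs KERBEROS")
    if not matches_base_url(entry, request_url):
        problems.append(f"{request_url} is not under base URL {entry.base_url}")
    if not negotiate_challenge(first_response):
        problems.append("first response carried no 'WWW-Authenticate: Negotiate' challenge")
    problems.extend(lint_jaas(jaas_text))
    return problems


# Constructed sample inputs (not taken from the thread).
SERVER_STYLE_JAAS = """JMeter {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true keyTab="/opt/app/conf/http-app.keytab" principal="HTTP/app.example.com@EXAMPLE.COM"
    storeKey=true isInitiator=false;
};"""
CLIENT_JAAS = """JMeter {
  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=false;
};"""
CHALLENGE = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n"
NO_CHALLENGE = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"
ENTRY = AuthEntry("https://app.example.com/api", "chandan", "EXAMPLE.COM", "KERBEROS")

if __name__ == "__main__":
    for p in diagnose(ENTRY, "https://app.example.com/api/users/me", NO_CHALLENGE, SERVER_STYLE_JAAS):
        print("-", p)
```

Feed it the raw headers of the first response (a View Results Tree listener shows them) and the jaas.conf that system.properties points at. For the Kerberos exchange itself, start JMeter with the property Felix mentions, for example JVM_ARGS="-Dsun.security.krb5.debug=true" bin/jmeter (the launcher script reads JVM_ARGS), and look in the output for the AS request for the test user's TGT followed by the TGS request for the HTTP/<host> service ticket; if the debug log shows no ticket requests at all, the sampler never reached the SPNEGO step, which is exactly what the checks above are meant to explain.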

RE: REST response for different valid user profiles

Dembla, Chandan
Hello Felix,

Thanks for your solution. Now our JMeter scripts have started accepting the user profiles and giving the expected results.

The solution is working 100%.

-----Original Message-----
From: Felix Schumacher <[hidden email]>
Sent: Wednesday, May 20, 2020 8:32 PM
To: [hidden email]
Subject: Re: REST response for different valid user profiles

