ANTSLOAD 16 - Simulating Basic Authentication in ANTS Load

Brian Donahue
edited March 28, 2005 9:21AM in Knowledge Base
In web applications, there are three methods of authentication. One is forms authentication, where the user name and password are posted to a web application and the application’s code manages the security. The second is basic authentication, where the challenge and response is handled by the web server according to the W3C HTTP standard (RFC 2616). The third and final authentication mechanism is Windows Authentication (NTLM), which is proprietary and only supported by Internet Explorer. At this time ANTS Load cannot support virtual clients using Windows Authentication.

For forms authentication, the process is easy to understand. The name of a web control is posted along with its value back to the web server and an Active Server Page will process the information to decide if the user is allowed access. A forms authentication session would look similar to this in ANTS Load:

WebClient.HttpRequest.AddPostData("txtName", "Brian_Donahue", True)
WebClient.HttpRequest.AddPostData("txtPassword", "Password", True)
WebClient.HttpRequest.AddPostData("txtCompany", "Aardvark", True)
WebClient.HttpRequest.AddPostData("x", "30", False)
WebClient.HttpRequest.AddPostData("y", "6", False)
WebClient.Post("http://thing/Aardvark/logon.asp")

Basic authentication consists of a ‘challenge’ by the server in the form of a ‘401 Authentication Required’ message when the web browser client requests a page that is password protected.

The client’s response to this challenge is to add an ‘authorization header’ to the request and re-submit it to the server. The authorization header consists of a name, ‘Authorization’, and a value stating the type of authentication (Basic), a space, then a Base64-encoded string made up of the username, a colon (:) and the password.

To simulate a basic authentication session in ANTS Load, you would wait for a challenge from the webserver and add the appropriate response. A typical basic authentication session would look like this in an ANTS Load script:

Imports System
Imports RedGate.Ants.Engine

Public Class BrowserClient1
    Inherits Control.VirtualClient

    Protected Overrides Sub Run()
        ' Credentials in the "username:password" form used by basic authentication
        Dim userPassword As String = "JoeBloggs:password"
        Dim encodedUserPassword As String = EncodeBase64(userPassword)

        ' Script created with Internet Explorer on 27/01/2003 10:34:37

        ' Random pause of between 1 and 2 seconds
        ' (Remove this line if you want all scripts to start at the same time)
        RandomSleep(1000, 2000)

        WebClient.HttpRequest.ProtocolVersion = "HTTP/1.1"
        BeginPage("http://localhost/basicauthtest/authtest/index.htm")
        WebClient.HttpRequest.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)"

        ' First request carries no credentials, so the server answers with a 401 challenge
        WebClient.Get("http://localhost/basicauthtest/authtest/index.htm")
        If WebClient.HttpResponse.Status = 401 Then
            ' Respond to the challenge: add the Authorization header and repeat the request
            WebClient.HttpRequest.Headers.Set("Authorization", "Basic " & encodedUserPassword)
            WebClient.Get("http://localhost/basicauthtest/authtest/index.htm")
        End If
        EndPage("http://localhost/basicauthtest/authtest/index.htm")
        ' End of page 1 contains 2 request(s).
        ' End of script contains 1 page(s).

    End Sub

    ' Base64-encodes the UTF-8 bytes of the input string
    Private Function EncodeBase64(ByVal input As String) As String

        Dim strBytes() As Byte = System.Text.Encoding.UTF8.GetBytes(input)
        Return System.Convert.ToBase64String(strBytes)

    End Function

End Class

Note that the EncodeBase64 function has been added to the script to do the Base64 encoding of the user name and password. The Base64 encoding is not included in the ANTS Load WebClient classes.

This example has shown how to support websites that require basic authentication with ANTS Load. If you have any questions about the concepts in this document or the example code, feel free to send an email to support@red-gate.com.
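The challenge and response described in this article, shown from both the client and the server side in Python. This is an added example, not Red Gate's code or part of ANTS Load; the user table, realm name and function names are constructed for illustration. It shows that the server recovers the password simply by decoding the header (Base64 is an encoding, not encryption) and that a password containing a colon must be split on the first colon only.

```python
import base64
import binascii
import hmac

# Constructed sample account and realm for the demonstration (assumptions).
USERS = {"JoeBloggs": "pass:word"}
REALM = "authtest"


def build_basic_header(username, password):
    """Client side: 'Basic ' + Base64(username ':' password), UTF-8 bytes."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value):
    """Server side: return (username, password), or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def handle_request(headers):
    """Toy server: answer 401 with a challenge unless the credentials are valid."""
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is not None:
        expected = USERS.get(creds[0])
        if expected is not None and hmac.compare_digest(
                expected.encode("utf-8"), creds[1].encode("utf-8")):
            return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def client_get(username, password):
    """Same flow as the script: plain GET, then retry with the header on a 401."""
    headers = {}
    status, _ = handle_request(headers)
    if status == 401:
        headers["Authorization"] = build_basic_header(username, password)
        status, _ = handle_request(headers)
    return status, headers.get("Authorization")
```

Because the header decodes straight back to the user name and password, credentials embedded in a load-test script and sent this way are only as protected as the script file and the transport that carries them.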

Comments

  • Brian Donahue
    If you do have a requirement for NTLM v1, 2 or basic authentication, we can provide an extended ANTS Load class that will allow you to add the credentials to a web request more easily. Please note that it is still not possible to use the script recorder against a website that requires Windows Authentication. The requests will simply result in a 401 error.

    Please contact support@red-gate.com if you are interested in this.