0

I am using JMeter to run tests against a WCF Web Service with Basic Auth. The service is working and the credentials are correct (I ran them successfully from SOAPUI).

From all my research I have configured both the 'HTTP Header Manager' and 'HTTP Basic Authentication' and I cannot see anything wrong with my actual HTTP header when submitting:

What I have done so far:

After some manipulation of the SOAPAction I aligned it to the SOAPUI one that works, but the JMeter basic auth still fails.

The HTTP response is below, but it is standard (I get this from SOAPUI when I intentionally type in wrong credentials):

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode><faultstring xml:lang="en-ZA">An error occurred when verifying security for the message.</faultstring></s:Fault></s:Body></s:Envelope>

I have included the binding configuration below; it uses the standard basicHttpsBinding (not wsHttpBinding):

<service name="PayM8.Axis.PaymentsService.V1.HyperLink.HyperLinkService">
        <endpoint address="" binding="basicHttpsBinding" bindingConfiguration="DefaultHttpsBinding"
          contract="PayM8.Axis.PaymentsService.V1.HyperLink.IHyperLinkService"/>
</service>

<basicHttpsBinding>
    <binding name="DefaultHttpsBinding" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Basic" />
      </security>
    </binding>
</basicHttpsBinding>

Any ideas what might be wrong with my JMeter Basic Authentication HTTP request?

Marius Vorster

2 Answers

1

Web Services may have different authentication types; the error you're getting is about a missing or incorrect WS-Security header.

There are multiple ways of adding the header to the request; you could try using JMeterSoapPlugin, which has support for some authentication types.

You could also take a look at Take the Pain out of Load Testing Secure Web Services to see how to bypass different types of web service authentication.

Dmitri T
  • Thanks for pointing that out, it would definitely have made sense if we were using wsHttpBindings, but it uses the standard basicHttpsBinding (updated the question with the settings). We have some other services on the server that used wsHttpBinding, so to be safe I disabled them as well, but no change: it is still returning the exact same error. – Marius Vorster Jul 07 '17 at 10:36
  • I stand corrected Dmitri, we are using WS Security because of its security mode of [TransportWithMessageCredential]. A custom username and password validator cannot work on 'TransportCredentialOnly' (IIS level basic authentication that uses Windows authentication). The JMeter plugins did not work for me (tried a couple including one provided) but I will post how I made the WS JMeter posts work by just including the WS Header in the HTTP payload. Thanks for your explanation, it helped to point me in the right direction. – Marius Vorster Jul 12 '17 at 10:29
0

In short, as Dmitri mentioned, we are using WS Security. This is enabled when you configure the security mode like below (both under BasicHttpBindings and wsHttpBinding):

<security mode="TransportWithMessageCredential">

Usually basic authentication makes use of the HTTP header, adding the below:

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

When using WS Security, however, the username and password are included in the SOAP payload itself. When I added the object inside the HTTP Body data in the JMeter HTTP Request, it works fine.

[Screenshot: JMeter HTTP Request with wsse:Security]

Helpful tools: if you don't want to figure out the content of the wsse:Security object, I suggest sending it off using SOAPUI and then grabbing the formatted object from the SOAPUI logs. Remember to set the WSS-Password Type to PasswordText.

Marius Vorster
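
As an added example (not code from the answer above, JMeter or WCF), this Python script builds the kind of SOAP 1.1 envelope the answer describes, with the username and password in a wsse:UsernameToken of type PasswordText instead of an HTTP Authorization header. The function names and the empty body are assumptions; the service's own operation element goes in the body, and whether further header elements are required depends on the service's configuration.

```python
import base64
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

ET.register_namespace("s", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def decode_basic(header_value):
    """Split a 'Basic <base64>' Authorization value into (user, password)."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # Basic is only base64(user:password); the first ':' is the separator.
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_envelope(username, password, body_element=None):
    """Return a SOAP envelope string carrying a wsse:UsernameToken header.

    Hypothetical helper: body_element is the service's operation element.
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                        {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    token = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_TEXT})
    # PasswordText puts the password in the body as-is; HTTPS (the
    # "Transport" half of TransportWithMessageCredential) protects it.
    pw.text = password  # ElementTree escapes &, < and > when serialising
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    if body_element is not None:
        body.append(body_element)
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    # The header value quoted in the answer, reused as sample credentials.
    user, pw = decode_basic("Basic QWxhZGRpbjpPcGVuU2VzYW1l")
    print(build_envelope(user, pw))
```

The printed envelope is what goes into the Body Data of the JMeter HTTP Request, so the test plan file then holds the password in clear text.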