How to Test REST APIs with Windows Authentication with JMeter
Nowadays, alongside cloud platforms, mobile applications and Docker containers, a new trendy architectural style is gaining more and more popularity. This architecture is called microservices. With microservices, instead of having a heavy monolith application it is considered preferable to have many small, specialized services, which are easier to manage, update, deploy, test and so on. This seems like a natural solution and therefore a lot of monoliths in different companies were already split into smaller services, and successfully moved to production from there.
But despite its obvious advantages, this style has its own challenges. One of them is choosing appropriate integration mechanisms between the services and making sure that they actually work together, since each service solves only its own problem and provides little value alone.
One of most popular mechanisms for integrating different parts of an application together is RESTful services. RESTful services provide simple, lightweight and reliable ways to exchange data. They can be implemented with well known protocols (like HTTP) and data formats (JSON for example) and they are supported by wide range of tools.
Another issue with microservices is security risk: services can now be deployed on different machines, and the information they send over the network might be intercepted, corrupted or replayed. There are a variety of mechanisms for protecting sensitive data in transit and for proving who is calling, including SSL/TLS, Basic Authentication, Windows Authentication, token-based authentication and so on.
Today we will build a simple example of an Apache JMeter™ test project for a REST Service protected with Windows Authentication and deploy it to IIS. IIS is a Microsoft recommended Web Server on a Windows platform (more details here). Then, we enable Windows Authentication and create a test project in JMeter to test if the authentication mechanism works as it was intended. We will be using Visual Studio 2017 Version 15.3.0 and JMeter version 3.2.
Windows Authentication provides secure authentication over a non-secure network by using the NTLM and Kerberos protocols. It can authenticate users based on their current Windows logon, without prompting them again for a username and password. Because NTLM and Kerberos are tied to Windows Active Directory, and because NTLM is connection-oriented and does not work well through HTTP proxies, Windows Authentication is best suited to securing intranet applications.
Create a REST Service and deploy locally. The service that is used in the current tutorial can be found by following this URL.
Build and publish the service into IIS (pretty good documentation for how to do this can be found here).
Enable Windows Authentication in IIS for the service under the test. I use VideoService here but any REST service hosted in IIS will be fine. Select the service in the list of web sites and click the Authentication icon.
Disable Anonymous Authentication.
Browse the VideoService website in any browser and navigate to /api/movie. With my current configuration it is http://localhost:8804/api/movie. After providing a username and password you should see the movies list as in screenshot below:
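The IIS steps above (enable Windows Authentication, disable Anonymous Authentication, then browse the API) can be scripted and checked from an elevated PowerShell prompt. The following is an added example, not part of the original article or the VideoService project; it assumes the site is named VideoService and listens on http://localhost:8804 as in the tutorial, and that the Windows Authentication role service is installed.

```powershell
# Added example (not from the original article). Configures IIS Windows Authentication
# for one site and verifies that anonymous requests are rejected with 401 while a
# request carrying the current Windows logon succeeds with 200.
# Assumptions: site name "VideoService", base URL http://localhost:8804 (from the article).
# Prerequisite: the Windows Authentication role service, e.g.
#   Install-WindowsFeature Web-Windows-Auth                                   (Windows Server)
#   Enable-WindowsOptionalFeature -Online -FeatureName IIS-WindowsAuthentication (client Windows)
Import-Module WebAdministration

$SiteName = 'VideoService'
$BaseUrl  = 'http://localhost:8804'
$AuthPath = 'system.webServer/security/authentication'

# Writing with -PSPath 'IIS:\' -Location <site> stores the settings in applicationHost.config's
# <location> element for the site. That works even though these sections are locked against
# web.config overrides by default, so an application deployer cannot silently re-enable
# anonymous access from its own web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$AuthPath/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$AuthPath/anonymousAuthentication" -Name enabled -Value $false

# Show what IIS will actually offer in the WWW-Authenticate header (normally Negotiate, NTLM).
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$AuthPath/windowsAuthentication/providers" -Name Collection |
    Select-Object -ExpandProperty value

function Test-AuthResponse {
    # Returns the HTTP status code for a GET, with or without the caller's Windows credentials.
    param([string]$Uri, [switch]$UseDefaultCredentials)
    $params = @{ Uri = $Uri; UseBasicParsing = $true }
    if ($UseDefaultCredentials) { $params.UseDefaultCredentials = $true }
    try {
        return [int](Invoke-WebRequest @params).StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response object still carries the code.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$anon = Test-AuthResponse -Uri "$BaseUrl/api/movie"
$auth = Test-AuthResponse -Uri "$BaseUrl/api/movie" -UseDefaultCredentials
if ($anon -ne 401) { throw "Expected 401 without credentials, got $anon" }
if ($auth -ne 200) { throw "Expected 200 with Windows credentials, got $auth" }
"Windows Authentication is enforced on $SiteName ($BaseUrl/api/movie)"
```

The two checks at the end are the same positive and negative cases the JMeter plan below automates; running them once by hand confirms that IIS, not the application code, is rejecting unauthenticated callers before any test plan is written.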
Testing REST APIs with JMeter
As a REST API call is a simple HTTP request, we need the HTTP Request Sampler to do the service call.
To hold the HTTP Request Sampler we first need to add a Thread Group.
Add an HTTP Request sampler to the newly created Thread Group.
Configure the HTTP Request Sampler to send a request to the REST Service you are testing (pay attention to the Server Name, Port Number, Method and Path fields, they should contain data that is relevant to service under test).
Add a listener to catch the requests results. For this case I chose to use the View Results Tree listener.
Save and run the test from the Run -> Start menu item. As the service is configured to use Windows Authentication and we have not provided any user information, the expected result is HTTP 401 (Unauthorized), with IIS advertising the accepted schemes (Negotiate, NTLM) in the WWW-Authenticate response header.
JMeter uses the HTTP Authorization Manager to supply user credentials when the service under test requires authentication. Let's add an HTTP Authorization Manager to our Thread Group.
Configure the HTTP Authorization Manager to provide the correct user credentials.
As the service under test is protected with Windows Authentication, the Authorization Manager should be configured accordingly.
- Base URL is the URL prefix the credentials apply to. The tutorial leaves it blank, which makes the entry match every request in the plan; in a plan that talks to more than one host, set it to the service under test (here http://localhost:8804) so the Windows credentials are never offered to any other server.
- Username and Password are the Windows credentials of an account in the domain the test server has joined.
- Domain is the Windows domain the server belongs to. Filling it in is what makes JMeter attempt NTLM.
- Realm - fill in only if you use Realm authentication.
- Mechanism indicates the type of authentication. The possible values in JMeter 3.2 are BASIC_DIGEST and KERBEROS. We use BASIC_DIGEST: with a Domain set and the HTTP Request sampler using the default HttpClient4 implementation, this also covers NTLM. KERBEROS would additionally require a krb5.conf and a JAAS login configuration in JMeter's bin directory.
Add a response assertion to check the HTTP response code after each request. The goal is to verify that the request has succeeded. The expected result is HTTP code 200.
Check that the radio buttons combination appears as in the screenshot below, to verify that the Response Code equals 200. Add a pattern to check with the Add button and type in 200, which is the expected response code.
Run the Thread Group to make sure that the response from the service under test reaches JMeter. Check that the sampler is green and that the assertion condition has been met.
After the test run, test results should look like the provided screenshot.
JMeter Negative Test Creation
Let's add a negative test scenario to demonstrate that requests with the wrong credentials are rejected by IIS with 401 and never reach the REST service code, confirming that the authentication is actually enforced and not just offered.
Repeat the steps from before, but in the step “Configure the HTTP Authorization Manager” enter incorrect user credentials.
Add response assertion as described in the previous paragraph.
Let's configure an assertion to verify the response code from the negative test. As the user credentials in this configuration are invalid, the expected response code is 401 (Unauthorized). Select the Response Code radio button so the assertion checks the HTTP status code, and select Equals as the pattern matching rule.
There is one small issue in this scenario. JMeter marks any sampler that receives a 4xx or 5xx response as failed, so the 401 would turn the sample red even though it is exactly what we want.
To avoid that, check the Ignore Status checkbox. The sampler's own status is then ignored and the assertion alone decides whether the sample passed. Add a pattern with the Add button and enter 401, so that the assertion verifies the response code equals 401.
Run the test group and make sure that new test response code is 401 (unauthorized). Make sure that test result is green and that the assertion condition has been met.
Now the results should look like the screenshot below.
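Once the plan has both the positive and the negative sampler, it is worth running it outside the GUI and checking the results file, which is how the same check would run in a build pipeline. The script below is an added example, not part of the original article; it assumes JMETER_HOME points at the JMeter 3.2 installation, that the plan was saved as WindowsAuth.jmx next to the script, and that the two HTTP Request samplers are named "Movies - valid credentials" and "Movies - invalid credentials" (the names are assumptions; use whatever labels you gave the samplers).

```powershell
# Added example (not from the original article). Runs the JMeter plan in non-GUI mode and
# checks the JTL results: the valid-credentials sampler must return 200, the
# invalid-credentials sampler must return 401, and both must be marked success=true
# (the 401 counts as success only because its Response Assertion has Ignore Status set).
# Assumptions: $env:JMETER_HOME is set; plan file and sampler labels as named below.
$Jmeter  = Join-Path $env:JMETER_HOME 'bin\jmeter.bat'
$Plan    = Join-Path $PSScriptRoot 'WindowsAuth.jmx'
$Results = Join-Path $PSScriptRoot 'results.jtl'
if (Test-Path $Results) { Remove-Item $Results }   # JMeter appends to an existing JTL

# -n non-GUI mode, -t test plan, -l results file (CSV with header row by default)
& $Jmeter -n -t $Plan -l $Results
if ($LASTEXITCODE -ne 0) { throw "JMeter exited with code $LASTEXITCODE" }

# Expected HTTP status code per sampler label (labels are assumptions, see lead-in).
$Expected = @{
    'Movies - valid credentials'   = '200'
    'Movies - invalid credentials' = '401'
}

$samples  = @(Import-Csv $Results)
$failures = foreach ($s in $samples) {
    $want = $Expected[$s.label]
    if (-not $want) {
        "unexpected sampler '$($s.label)' in results"
        continue
    }
    if ($s.responseCode -ne $want) {
        "'$($s.label)': expected HTTP $want, got $($s.responseCode)"
    }
    if ($s.success -ne 'true') {
        "'$($s.label)': JMeter marked the sample failed: $($s.failureMessage)"
    }
}

# Every expected sampler must actually have produced at least one sample.
foreach ($label in $Expected.Keys) {
    if (-not ($samples | Where-Object label -eq $label)) {
        $failures += "no samples recorded for '$label'"
    }
}

if ($failures) {
    $failures | ForEach-Object { Write-Error $_ }
    exit 1
}
"All $($samples.Count) samples returned the expected status codes"
```

The last check matters for a security test: a plan whose negative sampler was accidentally disabled would otherwise report success with nothing having verified that bad credentials are refused.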
That’s it! You now know how to perform REST API testing for a service protected with Windows Authentication. Learn more about advanced JMeter usage from our free JMeter Academy.
BlazeMeter enhances JMeter abilities:
- Simple Scalability – It’s easy to create large-scale JMeter tests. You can run far larger loads far more easily with BlazeMeter than you could with an in-house lab.
- Rapid-Start Deployment – BlazeMeter’s recorder helps you get started with JMeter right away, and BlazeMeter also provides complete tutorials and tips.
- Web-Based Interactive Reports – You can easily share results across distributed teams and overcome the limitations of JMeter’s standalone UI.
- Built-In Intelligence – The BlazeMeter Cloud provides on-demand geographic distribution of load generation, including built-in CDN-aware testing.