George Maksimenko is a Lead QA engineer at Adexin. He has 10 years of experience in software testing. His primary activities in software testing are automation testing and performance testing.

Learn JMeter in 5 Hours

Start Learning
Slack

Run massively scalable performance tests on web, mobile, and APIs

How to Load Test WSDL Authentication with JMeter

The Web Services Description Language (WSDL) is an XML-based format for describing the functionality of a web service. A WSDL web service is a web service that works according to rules described in a WSDL file.

 

Web services provide public information like the weather, converting and validating information and so on. In these cases, this information is available for anonymous users. However, information provided by a web service can also include private or personal information. In these cases information should be secured and provided only to authorized users. We already have an awesome blog post on how to work with Secured Web Services. I strongly recommend reading it.

 

In this blog post we will concentrate on load testing WSDL web services’ authentication methods with Apache JMeter™. The most popular approaches for user authentication are HTTP basic authentication and SoapHeader authentication, and we will test them both.

 

HTTP basic authentication is a common authentication method for HTTP requests, which requires the user to provide a username and password when making a request. You can read more about how to load test it, here.

 

The SoapHeader authentication works like this: the WSDL web service returns an access token if the correct login and password appear in the header of the request. This token is then valid for a certain amount of time, and should be sent with the other requests to access protected information.

 

Load Testing WSDL

 

Let’s say I have a WSDL web service that has these two levels of authentication: HTTP basic authentication and SoapHeader authentication. Let’s create a script that will pass both levels of authentication.

 

This web service also has three methods:

 

1. The method ‘HelloWorld’ returns the string ‘Hello World’ and is protected with HTTP basic authentication.

 

2. The method ‘Authentication’ returns an access token if the header of a request contains a valid username and password. In addition to SoapHeader authentication, this method is also protected with basic authentication.

 

3. The method ‘HelloUser’ returns the string ‘Hello ${username}’ if the header of a request contains an active token. In addition to SoapHeader authentication, this method is also protected with basic authentication.

 

NOTE: SOAP/XML-RPC Request has been deprecated since version 3.0 in JMeter. We will use HTTP Request samplers to make calls to WSDL web services. HTTP requests must contain a “SOAPAction” header and “Content-Type” header to be interpreted as SOAP request. The “Content-Type” header has only two available options: “application/xml” and “text/xml”.

 

Load Testing WSDL HTTP Basic Authentication

 

Let’s create a script to show this in action.

 

1. Add a Thread Group to the Test plan.

 

Test plan -> Add -> Thread (Users) -> Thread Group

 

2. Add the HTTP Authorization Manager to the Thread Group. This element is needed to pass HTTP Basic Authentication.

 

Thread Group -> Add -> Config Element -> HTTP Authorization Manager

 

load testing wsdl with jmeter

 

Add the following configuration:

  • Base URL: https://mydomain.com/WebServices/
  • Username: basicblazeuser_wrong
  • Password: basicblazepass_wrong

 

We are using an incorrect username and password for demonstration purposes.

 

The HTTP Authorization Manager makes sure that the token will be used for all the subsequent requests.

 

3. Add a HTTP Request which calls the HelloWorld method.

 

Thread Group -> Add -> Sampler -> HTTP Request

 

performance testing wsdl with jmeter

 

Fill in the following values:

  • Name: HelloWorld
  • Protocol: https
  • Server Name or IP: mydomain.com
  • Method: POST
  • Path: /WebServices/WebService1.asmx
  • Body Data:

 

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <HelloWorld xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

 

To fill this out yourself, you need to know the domain of your service (for the “Server Name or IP” field), the path of your method (for the “Path” field) and the structure of your request (for the “Body Data” field).

 

4. Add a HTTP Header Manager to the HelloWorld sample. As I said above it must contain “SOAPAction” and “Content-Type” headers.

 

HelloWorld -> Add -> Config Element -> HTTP Header Manager

 

how do i load testing WSDL

 

Add two rows:

  • Content-Type: text/xml; charset=utf-8
  • SOAPAction: "http://tempuri.org/HelloWorld"

 

To fill this out yourself, you should know both headers’ Content-Type and SOAPAction. Both headers are defined by the web service developer.

 

5. Add a View Results Tree listener to the Thread Group.

 

Thread Group -> Add -> Listener -> View Results Tree

 

Of course, we need a listener to see the results of our tests.

 

6. Run the script!

 

how do i run a performance test for wsdl

 

As you can see the request failed basic authentication, because the username and password are incorrect. To pass Basic authentication we need to know the correct username and password. In my case it is ‘basicblazeuser’ and ‘basicblazepass’.

 

7. Update the username and password in the HTTP Authorization Manager.

 

jmeter, wsdl authentication

 

Update the following values:

  • Username: basicblazeuser
  • Password: basicblazepass

 

8. Run the script and check the results again.

 

HTTP basic authentication, jmeter, open source

 

The request passed authentication and we can see the token in the Request Headers: Authorization: Basic YmFzaWNibGF6ZXVzZXI6YmFzaWNibGF6ZXBhc3M=

 

The response from the WSDL service looks like this:

 

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <HelloWorldResponse xmlns="http://tempuri.org/">
      <HelloWorldResult>Hello World</HelloWorldResult>
    </HelloWorldResponse>
  </soap:Body>
</soap:Envelope>

 

The response correctly contains the string ‘Hello World’.

 

Load Testing WSDL SoapHeader Authentication

 

Another kind of authentication is SoapHeader authentication. SoapHeader is a custom way to protect your data. It could be implemented in different ways, but the essence of all implementations is the same. The client app should provide username and password to get a token which will be used to access private data.

 

In my case the username is ‘soapblazeuser’, password is ‘soapblazepass’.

 

9. Add another Thread Group to the Test plan.

 

Test plan -> Add -> Thread (Users) -> Thread Group

 

10. Copy and paste HTTP Authorization Manager to current Thread Group from first Thread Group.

 

11. To pass this kind of authorization we need to send a username and password in the header of a SOAP request to the Authentication method.

 

Add an HTTP Request to call the Authentication method.

 

Thread Group -> Add -> Sampler -> HTTP Request

 

soapheader authentication with jmeter, wsdl

 

Fill in the following values:

  • Name: Authentication
  • Protocol: https
  • Server Name or IP: mydomain.com
  • Method: POST
  • Path: /WebServices/Authentication.asmx
  • Body Data:

 

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AuthUser xmlns="http://tempuri.org/">
      <UserName>soapblazeuser_wrong</UserName>
      <Password>soapblazepass_wrong</Password>
    </AuthUser>
  </soap:Header>
  <soap:Body>
    <AuthenticationMethod xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

 

The fields UserName and Password contain ‘soapblazeuser_wrong’ and ’soapblazepass_wrong’. The username and password are incorrect, we need it for demonstration purposes.

 

15. Add the HTTP Header Manager to the Authentication sampler.

 

Authentication -> Add -> Config Element -> HTTP Header Manager

 

jmeter soap header and http basic authentication do it yourself

 

Add two rows:

  • Content-Type: text/xml; charset=utf-8
  • SOAPAction: "http://tempuri.org/AuthenticationMethod"

 

16. Add an XPath Extractor to the Authentication sampler. This element is the most suitable for parsing XML structures. You can also use other extractors, like the 'Regular Expression Extractor'.

 

wsdl authentication, performance testing

 

Set the following fields:

  • Reference name: token
  • XPath query: //AuthenticationMethodResponse/AuthenticationMethodResult
  • Default value: NotFound

 

To fill this out yourself, you need to know the structure of the response for the Authentication method. Based on this knowledge, you will be able to create your own 'XPath query'.

 

If you need help working with XPath extractor you can find out more in this blog post.

 

The value of the access token will be extracted from the response of the Authorization request and will be saved to the variable token.

 

17. Add a HTTP Request which calls the HelloUser method.

 

Thread Group -> Add -> Sampler -> HTTP Request

 

load testing with jmeter

 

Fill in the following values:

  • Name: HelloUser
  • Protocol: https
  • Server Name or IP: mydomain.com
  • Method: POST
  • Path: /WebServices/Authentication.asmx
  • Body Data:

 

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AuthToken xmlns="http://tempuri.org/">
      <AuthenticationToken>${token}</AuthenticationToken>
    </AuthToken>
  </soap:Header>
  <soap:Body>
    <HelloWorld xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

 

The variable ${token} will contain the actual token, which will be generated by the web service via the Authentication method. But let’s see what happens in this case using an incorrect username and password.

 

18. Add a HTTP Header Manager to the HelloUser sample.

 

HelloWorld -> Add -> Config Element -> HTTP Header Manager

 

http basic authentication, jmeter

 

Add two rows:

  • Content-Type: text/xml; charset=utf-8
  • SOAPAction: "http://tempuri.org/HelloUser"

 

19. Add a View Results Tree listener to the Thread Group.

 

Thread Group -> Add -> Listener -> View Results Tree

 

20. Let’s run the script and check results.

 

performance testing wsdl

 

The server returned a response, but with the field HelloUserResult which contains the string ‘Unauthorized’. This means the token is not correct since the username/password pair is incorrect.

 

21. Update the Body Data for the Authentication request to have the correct username and password.

 

load performance testing with jmeter

 

Update the fields UserName and Password with ‘soapblazeuser’ and ’soapblazepass’ values.

 

22. Run the script and check results!

 

create a wsdl test with jmeter

 

We got a response with the value ‘Hello soapblazeuser’ in the HelloUserResult field!

 

We passed two levels of authentication. Nice! Please let me know if you have any questions in the comments section below.

 

To learn more JMeter, check out our free JMeter academy with advanced and basic courses.

 

Click here to subscribe to our newsletter.

 

To try out BlazeMeter, which enhances JMeter abilities, put your URL or JMX file in the box below, and your test will start in minutes. You can also request a demo.

Interested in writing for our Blog?Send us a pitch!

Your email is required to complete the test. If you proceed, your test will be aborted.