How to Use HTTP Basic Authentication in JMeter
Occasionally, you’ll need to test URLs that can sometimes be restricted from anonymous visits. The types and resources can vary from corporate libraries and knowledge bases to targeted forums or others. All tend to have limited or restricted access.
For instance, if you download something from a FTP server, you would encounter the "gatekeeper" screen shown below. This pop-up window is generated by a browser when the server requires a username/password. The frame will vary from browser to browser (e.g. Mozilla Firefox, Apple Safari, or Microsoft Internet Explorer), but regardless, a username/password is required to access what are often some basic resources.
That’s where the term "HTTP Basic Authorization" comes from. And you must have a strategy to handle this when you’re working with JMeter tests.
Before we begin scripting, it may be helpful to get a quick background on basic authentication, which is a method for an HTTP user agent to provide a user name and password when making a request.
Why even discuss it? Why not simply use the POST request to access some resources? The reason is simple: If we want to use POST requests to access resources on servers that have limited access, we should implement the login page to access user credentials. But this approach makes the process needlessly complex.
HTTP basic authentication (BA) is the simplest technique for enforcing access controls to Web resources because it doesn't require cookies, a session identifier, or login pages.
However, we need a strategy for such situations while executing performance tests. Let's see how to do this using a local installation of phpmyadmin. (This Web application helps manage MySQL databases without writing SQL queries.)
*Note: by default, phpmyadmin uses the login screen.
To change this behavior and use basic authentication, change config.inc.php (for Linux, it is placed in /etc/phpmyadmin). Find the following string in it:
$cfg['Servers'][$i]['auth_type'] = 'cookie';
and edit it to the following:
$cfg['Servers'][$i]['auth_type'] = 'http';
Basic Authentication in JMeter
Ok. Now look at JMeter. Among other elements, we have the HTTP Authorization Manager. The Authorization Manager lets you specify one or more user logins to Web pages that are restricted using server authentication. You see this style of authentication when you attempt to access a restricted page, and your browser displays a login dialog box. JMeter transmits the login information when it encounters this type of page.
Note: Authorization headers are not shown in the View Results Tree Listener, so we won't be able to check their values from the test script.
Before we dive into the details, here’s a quick overview of the test script:
Now, we'll check out the HTTP Authorization Manager. Which fields does it have?
Three fields should be taken care of in our example:
The Base URL – the link to the resource we want to access.
Username and password – they should be defined.
The HTTP Authorization Manager is disabled during the first run.
Since we’ve configured it properly, the system does not give us access to the resources.
Now, let's see how it works when we have the HTTP Authorization Manager enabled.
In this scenario, the server has given us authorization and JMeter has received the HTML as a response.
Want to Learn more about JMeter?
Check out our free Webcast "JMeter Load Testing at Scale"
and the "Performance Testing Bootcamp with JMeter and Taurus"
Questions? Comments? Leave them below.
How the BlazeMeter Load Testing Cloud Complements and Strengthens JMeter
While JMeter represents a strong and compelling way to perform load testing, of course, we recommend supplementing that tool with BlazeMeter, which lets you simulate up to millions of users in a single developer-friendly, self-service platform. With BlazeMeter, you can test the performance of any mobile app, website, or API in under 10 minutes. Here’s why we think the BlazeMeter/JMeter combination is attractive to developers:
Simple Scalability – It’s easy to create large-scale JMeter tests. You can run far larger loads far more easily with BlazeMeter than you could with an in-house lab.
Rapid-Start Deployment – BlazeMeter’s recorder helps you get started with JMeter right away, and BlazeMeter also provides complete tutorials and tips.
Web-Based Interactive Reports – You can easily share results across distributed teams and overcome the limitations of JMeter’s standalone UI.
Built-In Intelligence – BlazeMeter provides on-demand geographic distribution of load generation, including built-in CDN-aware testing.
To try out BlazeMeter, request a demo, or put your URL in the box below and your test will start in minutes.