Session Management (Redirects to login page)


Akash Lalwani

Aug 17, 2016, 9:48:43 AM
to REST assured
Hi,

I am new to REST Assured and got stuck calling a REST API. It requires two authentications before a call.

1. Basic Authentication
2. Form Authentication

Sample Code :

RestAssured.baseURI  = "https://abcd.com"; 
RestAssured.basePath = "/abc";

// Basic Authentication
RestAssured.authentication = RestAssured.basic("userName", "password");

// Form authentication which returns session id.
String sessionId = RestAssured.given().auth().form("userName", "password").
contentType("application/x-www-form-urlencoded").
when().get("/Login.action").getSessionId();
// Sets session id for all requests.
RestAssured.sessionId = sessionId;

// Calling REST API
RestAssured.given().sessionId(sessionId).contentType("application/json").body(myJson).when().post("/api/something.action").then().log().all();
Now both authentications are working fine, as I have asserted with the help of the status code, which is 200, and the generated session id. But the call to the API is still redirecting to the login page. The logs generated can be found below:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 17 Aug 2016 12:44:56 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet/3.0; JBossAS-6
Content-Length: 0
Cache-Control: public
Connection: close
Content-Type: text/plain; charset=UTF-8

Can someone please help me? What's wrong with the above code?

Thanks,
Akash

Johan Haleby

Aug 17, 2016, 9:57:01 AM
to rest-a...@googlegroups.com
Hi, 

Never heard of an API that requires both basic auth AND form auth at the same time. Are you sure about this? :) Regarding sessions you might want to have a look at the session filter. Also you probably shouldn't define the session globally (statically) but rather on a per-request basis. REST Assured automatically follows redirects, but conforms to the way Apache HTTP client behaves (which is according to the http spec). I've blogged about this here.

/Johan

--
You received this message because you are subscribed to the Google Groups "REST assured" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rest-assured+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Akash Lalwani

Aug 17, 2016, 11:08:43 AM
to REST assured
Hi Johan,

Thanks for the reply. I handled the basic authentication by passing Authorization in the header as shown below, and then I tried to get Login.action (which is not a REST API). I got a response containing the login page HTML. So basically it's not logged in as of now. But it still contains a sessionFilter. So my question is, will REST Assured be able to do form authentication in this case, as https://abcd.com/abc/Login.action is not a REST API?

Response r = RestAssured.given().auth().
form("userName", "password").
filter(sessionFilter).
header("Authorization", "Basic c2Vtc2RvZTpEZW=").
when()
.get("/Login.action");

After this I got the login page HTML in the response (I was hoping for the welcome page instead). Then I tried calling the API by passing the session ID, as shown below:

RestAssured.given().
header("Authorization", "Basic c2Vtc2RvZTpEZW=").
sessionId(sessionFilter.getSessionId()).
contentType("application/json").
body(myJson).
when().
post("/api/something.action").then().log().all();
I still get the same error.
HTTP/1.1 302 Moved Temporarily
Date: Wed, 17 Aug 2016 14:54:30 GMT
Server: Apache-Coyote/1.1
X-Powered-By: Servlet/3.0; JBossAS-6
Content-Length: 0
Cache-Control: public
Connection: close
Content-Type: text/plain; charset=UTF-8

Thanks,
Akash

Johan Haleby

Aug 18, 2016, 6:17:57 AM
to rest-a...@googlegroups.com
It needs to go to the login page in order to do form authentication if you haven't specified an action URL in FormAuthConfig, and the redirect may not happen automatically if you're doing a POST (see the blog I was referring to). Please see the documentation for more info on form authentication.

Also you don't need to define basic auth like you do, it's probably better to use preemptive basic auth (see docs).


Akash Lalwani

Aug 18, 2016, 6:27:18 AM
to REST assured
Thanks Johan!! I got it working :-)

Johan Haleby

Aug 18, 2016, 7:44:52 AM
to rest-a...@googlegroups.com
Great! What was wrong?


Akash Lalwani

Aug 18, 2016, 9:04:02 AM
to REST assured
In our web application we encrypt the password on the client side and then send it to the server side along with the Initialization Vector and key (I don't know why :P), so I need to send all these parameters in the POST instead of just the plain text userName and password.

Code :

RestAssured.sessionId = RestAssured.given().auth().basic("username", "password").expect().statusCode(200).when().get("/Login.action").getSessionId();
RestAssured.authentication = RestAssured.basic("username", "password");

RequestSpecBuilder builder = new RequestSpecBuilder();

RequestSpecification spec = builder.addParam("formIV","formIV")
.addParam("formKey","formKey")
.addParam("password","password2")
.addParam("userName","userName2").build();

RestAssured.given().spec(spec).when().post("/Login.action");
And then I just called the API, and it worked.

But one more doubt: I need to set RestAssured.authentication by basic authentication and I also need to get the session id using this, so is there any way we can get it by calling just 1 time instead of calling it 2 times as shown in the code? I.e., can I combine the first 2 lines of code?

Thanks,
Akash

Johan Haleby

Aug 21, 2016, 2:10:14 AM
to rest-a...@googlegroups.com
Hmm, one way I can think of off the top of my head is that you probably could construct a filter that does both basic auth and gets the session id.
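
Added example, not part of the thread and not code from the REST Assured project: one way to declare basic auth and session capture once, scoped to a request specification rather than the static `RestAssured.authentication` and `RestAssured.sessionId`. It assumes REST Assured 3.x or later (`io.restassured` packages) and the default `JSESSIONID` cookie; the class name, environment variable names and JSON body are hypothetical.

```java
import io.restassured.builder.RequestSpecBuilder;
import io.restassured.filter.session.SessionFilter;
import io.restassured.specification.RequestSpecification;

import static io.restassured.RestAssured.given;
import static io.restassured.RestAssured.preemptive;

public class SessionLoginExample {
    public static void main(String[] args) {
        // Hypothetical environment variables; keeps credentials out of the test source.
        String user = System.getenv("API_USER");
        String pass = System.getenv("API_PASS");

        // Records the session cookie (JSESSIONID by default) from any response
        // and replays it on later requests that use this same filter instance.
        SessionFilter session = new SessionFilter();

        // Basic auth and session handling are declared once and scoped to this
        // spec instead of the static RestAssured.authentication / sessionId.
        RequestSpecification base = new RequestSpecBuilder()
                .setBaseUri("https://abcd.com")
                .setBasePath("/abc")
                .setAuth(preemptive().basic(user, pass))
                .addFilter(session)
                .build();

        // Form login with the parameter names from the thread (values are placeholders).
        given().spec(base)
                .formParam("formIV", "formIV")
                .formParam("formKey", "formKey")
                .formParam("userName", "userName2")
                .formParam("password", "password2")
                .when().post("/Login.action");

        if (session.getSessionId() == null) {
            throw new IllegalStateException("login response set no session cookie");
        }

        // Redirects are not followed, so a bounce to the login page shows up as
        // the 302 seen in the thread and fails the status assertion.
        given().spec(base)
                .redirects().follow(false)
                .contentType("application/json")
                .body("{\"sample\": \"constructed\"}")
                .when().post("/api/something.action")
                .then().statusCode(200);
    }
}
```

A session cookie can be issued before authentication succeeds, so the null check only catches a missing cookie; the status assertion on the API call is what confirms the session was accepted.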
 