Hello,
I’ve recorded a simulation of me logging into my application and adding a note to an account, but the simulation never succeeds in adding a note to the account. I believe it isn’t authenticating, since the log shows it getting a 403 error on the post request to the login URL before it goes on, so I think when it continues on it is just getting the login page over and over for it’s various requests, since it isn’t authorized. The application is a Java application with a collection of JSP and JSF web pages and uses form based authentication. Since Gatling supports cookies, I think it should be able to login, as all it needs is the JSESSIONID cookie to have a session and the ARRAfinity cookie to get back to the right server in the cluster for its session. I’m doing a regex check against the response body to pullout the CSRF token and use it. I was already getting the 403 before adding the CSRF check. Here’s what I have in my simulation where I’m trying to login and getting a 403, in case someone sees what I’m doing wrong:
val scn = scenario(“RecordedSimulation”)
.exec(http(“request_0”)
.get(“/Matador/”)
.headers(headers_0)
.resources(http(“request_1”)
.get(“/Matador/selectProfile.jsf”)
.check(regex(“”“setupFormsAndLinks[(]”(.*)“[)]”“”).find.saveAs(“csrfToken”))
.headers(headers_0),
http(“request_2”)
.get(“/Matador/a4j/g/3_3_3.Finalcom.trumbull.ss.web.skin.legacy.images.LegacyButtonImage/DATB/eAFjOPOfgYEhBYiFGAAVQgJC.jsf”)))
.pause(5)
.exec(http(“request_4”)
.post(“/Matador/ss_login”)
.headers(headers_0)
.formParam(“j_username”, “manager0”)
.formParam(“j_password”, “redacted”)
.formParam(“ANTI_CSRF_TOKEN”, “$csrfToken”)
.resources(http(“request_5”)
.get(“/Matador/selectProfile.jsf”)
.headers(headers_0),
http(“request_6”)
.post(“/Matador/SecureController”)
.headers(headers_0)
.formParam(“actionCommand”, “doLogin”)
.formParam(“action”, “postAuthLoad”)
.formParam(“source”, “welcome”)
.formParam(“application”, “Admin”)
.formParam(“ANTI_CSRF_TOKEN”, “$csrfToken”),
http(“request_7”)
.get(“/Matador/diary?”)
.headers(headers_0),
http(“request_9”)
.get(“/properties/labels.properties?=1508417741681")
.headers(headers_9),
http(“request_10”)
.get("/properties/labels_en.properties?=1508417741682”)
.headers(headers_9),
http(“request_11”)
.get(“/properties/labels_en_US.properties?_=1508417741683”)
.headers(headers_9),
http(“request_13”)
.get(“/Matador/diary/?”)
.headers(headers_0),
http(“request_14”)
.get(“/Matador/a4j/g/3_3_3.Finalcom.trumbull.ss.web.skin.legacy.images.LegacyButtonImage/DATB/eAGbmWbMwMCQAsRCDAAQFAGp.jsf”)))
.pause(18)
… more simulation steps below
If anyone sees what’s wrong, any help would be greatly appreciated. I’ld like to use Gatling to loadtest my app, but obviously can’t if it isn’t getting past the
the login screen. When I run it with five users, it comes back in the summary with:
status.find.in(200,304,201,202,203,204,205,206,207,208,209), b 5 (100.0%) ut actually found 403
The 403 is always on the step where it posts to the login controller, but then afterwards everything else looks like it worked and it is making requests fine. It
even has different times for different page requests and acts like it’s following expected redirects, but I assume it isn’t hitting the application, since it didn’t
get authenticated. After all, it never manages to post the note that I posted when I recorded the simulation, so it seems obvious that it isn’t hitting the
internal webpages…