Application is not authenticating the virtual users of jmeter script and in logs printing "anonymousUser"

Question

I recorded my script in badboy and convert it in JMeter. My script like: enter image description here

when run this script for 1 user then application is not authorizing the user and following exception thrown in logs:

DEBUG: access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: ; SessionId: ; Granted Authorities: ROLE_ANONYMOUS DEBUG: access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@514020c0, returned: -1 DEBUG: access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@502dc360, returned: 0 DEBUG: web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.access.AccessDeniedException: Access is denied

And when i access the web application and login with same user then it authorizing the same user and print following trace in log:

DEBUG: access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@: Principal: com.A.B.C.D.User@6d513c13; Credentials: [PROTECTED]; Authenticated: true; Details: com.A.B.C.D.E.UserAuthenticationDetails@0: RemoteIpAddress: ; SessionId: ; Granted Authorities: LEARNER DEBUG: access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@514020c0, returned: 1 DEBUG: access.intercept.FilterSecurityInterceptor - Authorization successful DEBUG: access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object

But in JMeter my test was not marked fail and all the samplers went successful and return 200.

Could anyone please help me! thanks.

Answer 1

Record and replay is not something which will work in 100% of times, most likely you will have to manually "tune" your script to perform correlation and parameterization.

• Correlation: the process of handling dynamic parameters (web application developers use them for tracking user status or protecting from CSRF attacks), detecting them is quite easy: just record your test 2 times and compare the recorded requests. Values which will be different need to be correlated, i.e. you need to extract them from previous response with the Regular Expression Extractor and use the generated JMeter Variable instead of hard-coded value in the next request
• Parameterization: you are not going to run your load test with 1 virtual user, do you? You should be using as many username/password combinations as many users you are targeting to mimic. Normally people use CSV Data Set Config for holding this type of data. Again, you will need to replace the recorded values with the variables from the CSV file

Once done run your test with 1 - 2 virtual users/iterations and carefully inspect request and response details in the View Results Tree listener to ensure that your test works fine.

With regards to in JMeter my test was not marked fail, JMeter treats HTTP responses with status code below 400 as successful, so even if you have hundreds of exceptions in bold and red but HTTP Status Code is 200 - JMeter will mark the result "green". You can use Response Assertion in order to add some failure criteria to JMeter tests, i.e. for logged in user text like Welcome, ${username} is expected, etc.