Add Kerberos support to Http Sampler (HttpClient4) #2851
Comments
mlissner (migrated from Bugzilla): |
@pmouawad (migrated from Bugzilla): Thank you |
@FSchumacher (migrated from Bugzilla): Configuration is done via a new KerberosManager class. AuthManager was extended to support configuration of kerberos for certain domains. Http-Sampler classes were extended to support kerberos. This patch was tested with ApacheDS 2.0.0-M12 and Apache tomcat 7.0.40 under linux (ubuntu 13.04). Created attachment jmeter-kerberos.diff: Add support for kerberos |
@pmouawad (migrated from Bugzilla): |
@FSchumacher (migrated from Bugzilla): One for apacheds, one for tomcat and one for jmeter. To test I have used three virtual machines called client.example.com, www.example.com and kerberos.example.com. On kerberos.example.com I extracted the apacheds-2.0.0M3 tar.gz, copied instances/default to instances/example.com and applied the example.com.diff. Then I started the example.com instance by running bin/apacheds example.com (you might have to chmod +x ). When started the example.com.ldif can be applied by running On the machine www.example.com I extracted a tomcat-7.0.40 and applied the server.xml.diff to conf/server.xml. Now compile jmeter, go into the jmeter-testplan directory and start jmeter. Open the kerberos.jmx testplan and run it. If I haven't forgotten a step in this short howto, it should take two samples without one error. Created attachment jmeter-kerberos-configs.tgz: configurations used for tests |
@FSchumacher (migrated from Bugzilla): Created attachment kerberos_jmeter.diff: Add kerberos support |
@FSchumacher (migrated from Bugzilla): |
@pmouawad (migrated from Bugzilla):
|
@pmouawad (migrated from Bugzilla): |
@FSchumacher (migrated from Bugzilla): I also have addressed your first comment about having multiple mechanisms in AuthManager. Now you can select one value of a newly added enum Mechanism (BASIC and KERBEROS being the only values). Next I will address your next comment. Created attachment kerberos-jmeter-enums.diff: add kerberos support to jmeter |
@pmouawad (migrated from Bugzilla): It's better but still there is something that I would like to improve. It seems to me in HttpHC4Impl, it would be nice to do something like this: AuthManager would take care of applying the auth policy. Same for executeRequest, it would be nice to just have this:
The issue is that KerberosManager is not visible to AuthManager. So wouldn't it be better to remove KerberosManager GUI and enhance HTTP Authorization Manager to have a GUI that changes depending on Mechanism. In this case Mechanism would not be an additional column but a select box outside of table and depending on value additional attributes would appear: BASIC => Nothing Another little question, why does KerberosManager implement TestIterationListener and TestStateListener, it does not seem useful to me as methods are empty. sebb, milamber what's your opinion ? |
Sebb (migrated from Bugzilla): |
@pmouawad (migrated from Bugzilla): |
Sebb (migrated from Bugzilla): As far as the GUI is concerned, there could be a check box, or a tabbed selection like we use now for the Http Post Body. I think we should restrict Kerberos to the HC4 implementation; less code to test and maintain. |
@pmouawad (migrated from Bugzilla): |
Sebb (migrated from Bugzilla):
Not yet
I've just realised: does AuthManager need to support both Kerberos and existing auth in the same GUI? I.e. is there a need for a single AM to support different auth mechanisms for different hosts? |
@pmouawad (migrated from Bugzilla):
Can you clarify what you mean ?
This would be interesting as we could have access to Kerberos Manager from AuthManager and could be able to avoid kerberos implementation details being in HttpHc4Impl. |
Sebb (migrated from Bugzilla):
Yes.
Yes. But the issue is: with the existing AM, it supports multiple credentials for different hosts. If there were a separate tab for Kerberos, I assume it could support multiple Kerberos entries for different hosts. How would the GUI support both Kerberos and non-Kerberos? It would be very odd if some of the credentials were not visible but were still active. So I suspect we either need to somehow use the same table, or perhaps add another table that is visible concurrently. |
@FSchumacher (migrated from Bugzilla): That way the changes for httpclient are a bit less intrusive. Since the kerberos settings are done via System-properties we can't have more than one setting in an entire JVM. So we could put the configuration for kerberos in AuthManager as well. For now one will have to set the config via JVM_ARGS="-Djava.security.login.config=.../jaas.conf -Djava.security.krb5.conf=.../krb5.conf", since the KerberosConfig seems to be not used now:( Created attachment kerberos-jmeter-kerberosmanager-authmanager.diff: Add support for kerberos |
Sebb (migrated from Bugzilla): |
@pmouawad (migrated from Bugzilla): URL: http://svn.apache.org/r1508633 Added: |
@pmouawad (migrated from Bugzilla): |
@pmouawad (migrated from Bugzilla): JVM_ARGS="-Djava.security.auth.login.config=jaas.conf -Djava.security.krb5.conf=krb5.conf" Added them in system.properties |
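The two JVM properties named in the comment above can be checked before a test run. The script below is an added example, not part of the thread or of JMeter; the function names `jvm_prop` and `check_kerberos_args` are hypothetical, and it assumes the JAAS entry is called `JMeter`, as in the sample jaas.conf shown further down this page.

```shell
# Added example, not JMeter code: pre-flight check for the two Kerberos settings.

# Print the value of -D<name>=<value> from an argument string; fail if absent.
jvm_prop() {   # usage: jvm_prop "<jvm args>" <property-name>
    local arg
    for arg in $1; do            # split on whitespace, one JVM option per word
        case "$arg" in
            "-D$2="*) printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 when both properties are present, both files are readable and the
# JAAS file declares the expected entry; otherwise print one line per problem.
check_kerberos_args() {   # usage: check_kerberos_args "<jvm args>" [entry-name]
    local args="$1" entry="${2:-JMeter}" rc=0 krb5 jaas
    krb5=$(jvm_prop "$args" java.security.krb5.conf) ||
        { echo "missing -Djava.security.krb5.conf"; rc=1; }
    jaas=$(jvm_prop "$args" java.security.auth.login.config) ||
        { echo "missing -Djava.security.auth.login.config"; rc=1; }
    if [ -n "$krb5" ] && [ ! -r "$krb5" ]; then
        echo "unreadable krb5 file: $krb5"; rc=1
    fi
    if [ -n "$jaas" ]; then
        if [ ! -r "$jaas" ]; then
            echo "unreadable JAAS file: $jaas"; rc=1
        elif ! grep -Eq "^[[:space:]]*${entry}[[:space:]]*\{" "$jaas"; then
            echo "no '$entry' entry in $jaas"; rc=1
        fi
    fi
    return "$rc"
}

# Constructed demo: only the krb5 property is given, so one problem is reported.
check_kerberos_args "-Djava.security.krb5.conf=/dev/null" || true
```

Run it with the same string that goes into `JVM_ARGS`; a non-zero return means the JVM would start without a usable Kerberos configuration.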
@pmouawad (migrated from Bugzilla): URL: http://svn.apache.org/r1508641 Modified: Date: Tue Jul 30 21:43:00 2013 URL: http://svn.apache.org/r1508646 Modified: Date: Wed Jul 31 13:37:30 2013 URL: http://svn.apache.org/r1508850 Modified: Date: Wed Jul 31 13:40:27 2013 URL: http://svn.apache.org/r1508851 Modified: Date: Wed Jul 31 13:41:00 2013 URL: http://svn.apache.org/r1508852 Modified: Date: Fri Aug 2 13:52:59 2013 URL: http://svn.apache.org/r1509712 Added: |
@pmouawad (migrated from Bugzilla): URL: http://svn.apache.org/r1509850 Added: Date: Fri Aug 2 20:48:01 2013 URL: http://svn.apache.org/r1509851 Modified: Date: Fri Aug 2 20:48:38 2013 URL: http://svn.apache.org/r1509852 Removed: Date: Fri Aug 2 20:51:09 2013 URL: http://svn.apache.org/r1509855 Modified: Date: Fri Aug 2 20:57:17 2013 URL: http://svn.apache.org/r1509856 Modified: Date: Fri Aug 2 20:58:14 2013 URL: http://svn.apache.org/r1509857 Modified: Date: Fri Aug 2 20:59:57 2013 URL: http://svn.apache.org/r1509858 Modified: |
@FSchumacher (migrated from Bugzilla): |
@pmouawad (migrated from Bugzilla): URL: http://svn.apache.org/r1509954 Modified: Date: Sat Aug 3 10:37:58 2013 URL: http://svn.apache.org/r1509955 Modified: |
@FSchumacher (migrated from Bugzilla): Created attachment jaas.conf-correct-comments.diff: correct comments in jaas.conf
jaas.conf-correct-comments.diff
diff --git bin/jaas.conf bin/jaas.conf
index d67ed3d..0c76909 100644
--- bin/jaas.conf
+++ bin/jaas.conf
@@ -1,22 +1,24 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#Sample file, you need to edit for your configuration
-# see http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html#Kerberos_5_Configuration
-# see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
-# see http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Sample file, you need to edit for your configuration
+ * see http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html#Kerberos_5_Configuration
+ * see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
+ * see http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
+ */
JMeter {
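Review bot: in the new header comment, the "Sample file, you need to edit for your configuration" notice and the three "see" links are now folded into the Apache license block, where the old file kept them apart with a blank line, so the one line an operator has to act on is easy to miss. Close the license comment after "limitations under the License." and put the sample notice and links in a second comment directly above `JMeter {`. A plain `/*` opener would also be enough, since `/**` suggests Javadoc in a file that is not Java source.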
@@ -24,4 +26,4 @@ JMeter {
doNotPrompt=false
useKeyTab=false
storeKey=false;
-};
\ No newline at end of file
+}; |
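Review bot: the context lines `doNotPrompt=false`, `useKeyTab=false` and `storeKey=false;` stay unexplained in a file whose header calls it a sample to edit. A short comment per option would help, for example whether a keytab is read and whether the login may prompt for credentials, so that whoever edits the file knows what changing each value does. The added newline after `};` is fine.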
@pmouawad (migrated from Bugzilla): Feel free to review and double check . Regarding Serializable, making KerberosManager public fixed the warning. |
@pmouawad (migrated from Bugzilla): URL: http://svn.apache.org/r1509985 Modified: Date: Sat Aug 3 13:26:12 2013 URL: http://svn.apache.org/r1509986 Modified: |
@FSchumacher (migrated from Bugzilla): But since I am not a native speaker, it could be all wrong :) Created attachment auth-docs.diff: change wording for docs
auth-docs.diff
diff --git xdocs/usermanual/component_reference.xml xdocs/usermanual/component_reference.xml
index b0efd1e..fa06f62 100644
--- xdocs/usermanual/component_reference.xml
+++ xdocs/usermanual/component_reference.xml
@@ -3430,7 +3430,7 @@ These can be set up using a <complink name="CSV Data Set Config"/> Element (for
<properties>
<property name="Name" required="No">Descriptive name for this element that is shown in the tree. </property>
- <property name="Clear auth on each iteration ?" required="Yes">Used by Kerberos authentication, if checked authentication will be done on each iteration of Main Thread Group loop even if it has already been done</property>
+ <property name="Clear auth on each iteration ?" required="Yes">Used by Kerberos authentication. If checked, authentication will be done on each iteration of Main Thread Group loop even if it has already been done</property>
<property name="Base URL" required="Yes">A partial or complete URL that matches one or more HTTP Request URLs. As an example,
say you specify a Base URL of "http://jmeter.apache.org/restricted/" with a username of "jmeter" and
a password of "jmeter". If you send an HTTP request to the URL
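Review bot: the reworded description of the `Clear auth on each iteration ?` property still covers only the checked state and ends without a full stop. Add a sentence on what happens when the box is unchecked (the text implies that authentication already done is kept across iterations), and write "the Main Thread Group loop". `required="Yes"` also reads oddly for what the description presents as a checkbox.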
@@ -3457,14 +3457,14 @@ This was an experimental feature and has been removed.
</note>
<br></br>
<b>Kerberos Configuration:</b>
-<p>To configure Kerberos you need to setup at least 2 JVM system properties:
+<p>To configure Kerberos you need to setup at least two JVM system properties:
<ul>
<li>-Djava.security.krb5.conf=krb5.conf</li>
<li>-Djava.security.auth.login.config=jaas.conf</li>
</ul>
-You can also configure those 2 properties in file system.properties.
+You can also configure those two properties in the file system.properties.
-See 2 configuration file samples with reference documentation in jmeter bin folder.
+Look at the two sample configuration files in the jmeter bin folder for references to more documentation.
</p>
<br></br>
<b>Controls:</b> |
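Review bot: in the first changed line "setup" is used as a verb and should be "set up" ("you need to set up at least two JVM system properties"). The reworded last sentence is also vaguer than it needs to be: naming the two sample files, presumably the `krb5.conf` and `jaas.conf` from the list items, would tell the reader exactly what to open in the bin folder, and "jmeter" should be capitalised as "JMeter".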
@pmouawad (migrated from Bugzilla): URL: http://svn.apache.org/r1510053 Modified: |
Nicolas Raoul (Bug 53480):
I must investigate a problem that occurs only if using Kerberos (does not occur with basic auth).
Unfortunately, JMeter does not support Kerberos, so I have to use a proprietary tool. See http://stackoverflow.com/q/4164320
If I understood well, JMeter uses HttpClient.
Here is how to configure HttpClient for Kerberos (paragraph 4.10):
http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html
Thanks a lot!
Nicolas Raoul
Votes in Bugzilla: 4
OS: All