Support BASIC and Digest HTTP authentication

[lukeis]

Originally reported on Google Code with ID 34

There should be an easy to use API for authenticating using standard HTTP mechanisms

Reported by simon.m.stewart on 2007-11-05 16:13:45

[lukeis]

I think it is worth mentioning that it is possible to do BASIC HTTP authentication --
in an ugly way - even now, by extending the driver.
@Override
protected WebClient newWebClient() {
    WebClient client = super.newWebClient();
    DefaultCredentialsProvider  provider = new DefaultCredentialsProvider();
    provider.addCredentials("username","password");
    client.setCredentialsProvider(provider);
    return client;
    }

Reported by turkoglu.deniz on 2008-08-12 10:02:34

[lukeis]

We are using version 0.6.870 and note that the newWebClient() method signature is
different to that above. We have found that the following works ok. because
newWebClient is called by the default constructor in the super class, you can't just
pass the usernam and password in the constructor, so we hacked about a bit with the
statics:

public class AuthenticatedHtmlUnitDriver extends HtmlUnitDriver {

    public static void setCredentials(String username, String password) {
        USERNAME = username;
        PASSWORD = password;
    }

    private static String USERNAME;
    private static String PASSWORD;

    public AuthenticatedHtmlUnitDriver() {
    }

    @Override
    protected WebClient newWebClient(BrowserVersion browserVersion) {       
        System.out.println("Logging in with: [username:" + USERNAME + "]");
        WebClient client = super.newWebClient(browserVersion);
        DefaultCredentialsProvider provider = new DefaultCredentialsProvider();
        provider.addCredentials(USERNAME, PASSWORD);
        client.setCredentialsProvider(provider);
        return client;
    }

}

Reported by jim.barritt on 2009-04-14 13:10:51

[lukeis]

Slightly nicer version is to have a factory method instead of setCredentials:

public static WebDriver create(String username, String password) {
        USERNAME = username;
        PASSWORD = password;
        return new AuthenticatedHtmlUnitDriver();
    }

Reported by jim.barritt on 2009-04-14 13:17:41

[lukeis]

I can only find the WebClient stuff inside HtmlUnit. Is there any solution/work
around to make this work with say the InternetExplorerDriver?

Reported by per.olesen on 2009-07-03 06:59:15

[lukeis]

If you’re using the Firefox driver there is an even dirtier work-around. It’s
possible to specify the username and password on the URL. e.g. 
http://username:password@www.basicauthprotected.com/.

The next hurdle is an anti-phishing dialogue box. This can however be suppressed
using aboubt:config, creating a new entry named network.http.phishy-userpass-length
with a type of Integer and a value of 255.

Reported by robdkay on 2010-04-27 11:02:33

[lukeis]

Reported by jari.bakken on 2010-06-17 00:28:34

• Labels added: Component-WebDriver

[lukeis]

Having also some issues (dialog box) with Basic Authentication on IE. As read in the
OpenQA Wiki this is handled automatically by the remote control. There should also
be such a feature for the InternetExplorerDriver. Is there any workaround so far?

Reported by roland.schaer on 2010-07-20 08:38:41

[lukeis]

Code for Handling HTTP Basic Authentication for FireFox driver is as follows. I know
this is a crude way but its working for now.

FirefoxProfile profile = new FirefoxProfile();
profile.setPreference("network.http.phishy-userpass-length", 255);
driver = new FirefoxDriver(profile);
driver.get(http://username:password@www.basicauthprotected.com/);

Reported by arun280780 on 2010-12-07 09:05:22

[lukeis]

Doesn't  work in my situation ( I have domain\username and password  )

http://domain\username:password@www.basicauthprotected.com

Reported by Mochalin.Igor on 2011-04-26 14:15:17

[lukeis]

Additional information 
doesn't work  in FireFox and  Chrome  

Reported by Mochalin.Igor on 2011-04-26 14:30:10

[lukeis]

How to prevent the anti phishing dialogue box in safari. Any pointers

Thanks 

Reported by crab19 on 2011-05-27 22:45:21

[lukeis]

Issue 1786 has been merged into this issue.

Reported by simon.m.stewart on 2011-06-08 13:12:38

[lukeis]

does anyone know if this issue is logged in the java forum somewhere.  i am having the
same problem with selenium rc/java.  i am also attempting this with domain\username.
 i keep reading that selenium rc "handles" basic authentication for me - yet there
is no explanation for this that i can find.  i have attempted everything this issue
mentions plus the following and nothing works so far.  should i create and issue for
this with a java implementation or can this issue be modified??

i have tried this approach as well with no luck (addCustomRequestHeader)
http://stackoverflow.com/questions/3021602/http-basic-auth-via-url-in-firefox-does-not-work

i apologize in advance if i have hijacked this issue in any way.  please let me know.

thanks!
-allen

Reported by otwoblue on 2011-06-20 07:25:30

[lukeis]

Firefox workaround - store your password in firefox manually. Reuse this existing profile
in code, for example:
    new FirefoxDriver(profile)

Reported by whittet on 2011-09-02 15:19:52

[lukeis]

Maybe I'm naive and correct me if I'm wrong, but for comment 16 isn't the Firefox passwords
only for websites? I believe no browser ever store's your HTTP Basic/Digest authentication
username & passwords. It may get cached (by server?) for the browser session once you
log in, but for every new session you have to login again.

Stored passwords are only for website form logins.

Reported by mangaroo on 2011-09-02 19:39:06

[lukeis]

Has anyone tried escaping the \ in domain\username for Firefox Basic HTTP auth? For
example,

http://domain%5cusername:password@www.basicauthprotected.com

I know for one of our sites we have to escape symbols like % and ! in the password
or it does not work.

Reported by darrell.grainger on 2011-09-03 02:44:35

[lukeis]

Unfortunately the http://user:pass@address.tld is not always a usable workaround, currently
I am facing the authentication window after I submitted a (language setting) form.
It should be considered when designing a solution.

Reported by jr.visko on 2011-09-23 09:00:28

[lukeis]

Couple of things I've done to handle cases on various browsers for basic authentication:

First of all, I always pass via the URL with http://user:pass@domain.com/folder_with_auth_required/

There are less issues on certain browsers if the trailing slash is included (notably
Opera) for reasons I won't detail here. 

Many browsers will still give a prompt for the user/pass even though it's in the URL,
or some will ask for confirmation before proceeding.  There are profile settings in
the browsers that can turn this off, notably FF as mentioned above.

FirefoxProfile profile = new FirefoxProfile();
profile.setPreference("network.http.phishy-userpass-length", 255); 

With version of selenium before 2.6, Firefox needed this setting but it is included
for you in version 2.6+ so is unnecessary:

With OperaDriver, you can disable the preference "Enable Trust Rating" to help, but
depending on the Opera version you will still get a confirmation prompt.  In those
cases, I have a timeout thread that basically presses the Enter key via Robot so the
driver can continue.

For those of you commenting that this should be fixed asap, remember this is open source
project and feel free to download the source, make fixes, and submit those patches.
 At that point you may see the difficulty involved in getting solutions to work cross-browser.

What I am basically saying here, is that yes, submit comments and well documented issues,
but put the time in where things aren't working ideally to create your own work arounds.
 I'm able to use basic auth across all browser drivers but it's not going to work out
of the box.  

Reported by luke.kende on 2011-09-26 03:43:20

[lukeis]

On comment 20, I wonder how often the workarounds for cross-browser support are non
destkop GUI based (AutoIt, Sikuli, whatever Robot). This includes stuff like file download
& upload beyond the authentication, and applies even more for Selenium RC. The reason
to bring this up is that sadly, this GUI type of workaround is (or can be) then broken
in a Selenium Grid or SauceLabs deployment, which don't have a complementary infrastructure
to pair GUI automation with it to handle such workarounds. That kind of pairing integration
would be worth thinking if we ever still need to pair GUI automation with browser automation.

Reported by mangaroo on 2011-09-26 06:41:37

[lukeis]

I am using the "network.http.phishy-userpass-length" setting described in comment 20,
but since the page I am testing is using Ajax heavily, I also need to set this on all
subsequent XHR requests. I have done this by using a proxy (littleshoot) and it works
quite well. In addition to the "network.http.phishy-userpass-length" setting I use
the following:

      profile.setPreference("network.proxy.type", 1);
      profile.setPreference("network.proxy.http", "127.0.0.1");
      profile.setPreference("network.proxy.http_port", 8080);
      profile.setPreference("network.proxy.no_proxies_on", "");

Then in my test, in @BeforeClass, I start the proxy like this:

      HttpRequestFilter requestFilter = new HttpRequestFilter() {
         @Override
         public void filter(HttpRequest httpRequest) { httpRequest.addHeader("Authorization",
"Basic " + BASE64EncodedAuthorizationString); }
      };

      final HttpProxyServer server = new DefaultHttpProxyServer(8080, requestFilter,
new HashMap<String, HttpFilter>());
      server.start();

I've also tried removing the "network.http.phishy-userpass-length" property, but it
is still required with selenium-firefox-driver-2.16.1 at least.

Reported by stian.lindhom.lemontree.no on 2012-01-12 07:09:59

[lukeis]

This is very important feature. Currently we're thinking about selenium usage for a
major project which uses Basic Http Authentication and this issue is the only thing
which stops us. Does somebody has any estimates?

Reported by bakaev.dmitriy on 2012-01-17 11:04:08

[lukeis]

You have to write your own script for Digest Based Authentication, no
testing tool provides it.

Reported by qasim.zaman@softrove.com on 2012-01-17 11:17:48

[lukeis]

The following proposed solution is not working in Firefox 9.0.1:

FirefoxProfile profile = new FirefoxProfile();
profile.setPreference("network.http.phishy-userpass-length", 255);
driver = new FirefoxDriver(profile);
driver.get(http://username:password@www.basicauthprotected.com/);

Reported by rui.abreu on 2012-01-17 18:14:23

[lukeis]

it worked for me like this:

FirefoxProfile profile = new FirefoxProfile();
profile.setPreference("network.http.phishy-userpass-length", 255);
profile.setPreference("network.automatic-ntlm-auth.trusted-uris", "<host>");
driver = new FirefoxDriver();
selenium = new WebDriverBackedSelenium(driver, "http://<user>:<password>@<host>");

Reported by krueger.fab on 2012-01-21 22:30:49

[lukeis]

Thanks for your support.
Let me try this and will revert you soon.

Reported by kaushikkanishka on 2013-03-01 04:58:15

[lukeis]

java, firefox this worked for me:

        FirefoxDriver driver = null;
        File scrFile = null;
        try {

            FirefoxProfile ffprofile = new FirefoxProfile();
            ffprofile.setPreference("network.http.phishy-userpass-length", 255);
            ffprofile.setPreference("network.automatic-ntlm-auth.trusted-uris",
                    getTrustedUrl()); // Set this to your DOMAIN, instead of
                                        // Server
            ffprofile.setPreference(
                    "network.automatic-ntlm-auth.allow-non-fqdn", "true");
            ffprofile.setPreference("network.ntlm.send-lm-response", "true");

            driver = new FirefoxDriver(ffprofile);
            driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
            driver.manage().window().maximize();
            logger.info("grabbing " + getGrabberUrl());

            driver.get(getGrabberUrl());
            Keyboard keyboard = driver.getKeyboard();
            keyboard.sendKeys(getUser());
            keyboard.pressKey(Keys.TAB);
            keyboard.releaseKey(Keys.TAB);
            keyboard.sendKeys(getPassword());
            keyboard.pressKey(Keys.ENTER);
            keyboard.releaseKey(Keys.ENTER);
            // WebDriverBackedSelenium webDriverBackedSelenium = new
            // WebDriverBackedSelenium(driver,getGrabberUrl());
            // webDriverBackedSelenium.
            // webDriverBackedSelenium.captureScreenshotToString()
            scrFile = ((TakesScreenshot) driver)
                    .getScreenshotAs(OutputType.FILE);

        } catch (Exception e) {
            logger.error("got error", e);
            ResponseBuilder response = Response.serverError().entity(e);
            return response.build();
        } finally {
            if (driver != null) {
                driver.quit();
            }

        }

Reported by nino.martinez.wael on 2013-03-13 19:54:43

[lukeis]

Issue 5347 has been merged into this issue.

Reported by barancev on 2013-03-15 10:05:04

[lukeis]

Issue 5444 has been merged into this issue.

Reported by barancev on 2013-04-10 20:45:11

[lukeis]

Using C# code, please some one tell me how to change mouse focus to "Authentication
Required" window pop-up and then enter the User name and password.

Reported by hosurma on 2013-04-12 07:27:41

[lukeis]

i have tried with all position able to achieve. could any one please help me to done

FirefoxDriver driver = null;
File scrFile = null;

FirefoxProfile ffprofile = new FirefoxProfile();
ffprofile.setPreference("network.http.phishy-userpass-length", 255);
ffprofile.setPreference("network.automatic-ntlm-auth.trusted-uris","xx.xx.xxx.xxx");
            ffprofile.setPreference("network.automatic-ntlm-auth.allow-non-fqdn", "true");
ffprofile.setPreference("network.ntlm.send-lm-response", "true");
driver = new FirefoxDriver(ffprofile);
driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
driver.manage().window().maximize();
driver.get("http://xx.xx.xxx.xxx");
driver.manage().timeouts().implicitlyWait(5, TimeUnit.SECONDS);
Keyboard keyboard = driver.getKeyboard();
keyboard.sendKeys("test");
keyboard.pressKey(Keys.TAB);
keyboard.releaseKey(Keys.TAB);
keyboard.sendKeys("test@123");
keyboard.pressKey(Keys.ENTER);
keyboard.releaseKey(Keys.ENTER);
scrFile = ((TakesScreenshot) driver).getScreenshotAs(OutputType.FILE);

Reported by amsathishkumar on 2013-06-07 14:46:11

[lukeis]

it does not work in htmlunit when using basic auth like "http://username:password@www.test.com",
but it works in firefox and chrome.
someone tell me how to login a website which using basic authencation by htmlunitdriver.
ps: i use python.

Reported by ghlangbaobao on 2013-07-08 12:45:35

[lukeis]

Issue 6143 has been merged into this issue.

Reported by james.h.evans.jr on 2013-08-21 11:16:03

[lukeis]

I came across a blog post related to this area, about downloading files stored under
a secured directory that required basic HTTP authentication. Cookies was used to transfer
the authenticated state information from Selenium to a REST/HTTP client to then download
the file (in browser agnostic way). The basic HTTP authentication with Selenium of
course is done via passing login with URL workaround mentioned here.

But I was wondering, if cookies can be used to pass/store that authentication state,
could we not do the reverse to solve this issue here? Use REST/HTTP client to do the
basic/digest HTTP authentication then pass the authentication cookie from the REST/HTTP
client to Selenium (add cookie method against current URL browser is on or the current
URL the REST/HTTP client hit for the authentication). And do this all behind the scenes
in a wrapped Selenium API method that the Selenium user simply calls, something like

driver.authenticate(username, password); //against current URL

or 

driver.authenticate(url, username, password);

or am I too naive in assuming how HTTP authentication works? If what that blog post
mentions works, I don't see why the reverse technique would not work.

If feasible, this would be a browser agnostic solution, and each client language binding
would implement it's own solution to this issue since it is REST/HTTP client specific,
unless we unify and make this done at the Selenium server side in Java (and not the
client binding side).

Reported by mangaroo on 2013-09-11 00:11:51

[lukeis]

Spoke too soon, forgot to paste in the blog post I mention: http://elemental-selenium.com/tips/15-download-secure-files

Reported by mangaroo on 2013-09-11 00:12:31

[lukeis]

Issue 6462 has been merged into this issue.

Reported by luke.semerau on 2013-10-24 17:45:51

[lukeis]

As I was browsing trough the bug tracker to see if there are bugs or enhancments I could
contribute to, I stumbled on this ne.
This is was (partially still is) an issue which made me research a bit longer.

I implemented different solutions which I shortly pitch here, code that has been written
is closed and getting them outside has big hurdles to take first but may just the idea
give you a help to solve it for your purposes.

For Internet Explorer, first approach was using windws own UI Automation with C# which
does the certificate selection (we use client certificates as authentication) and also
clicking away the unsecure ssl message (why test server shouldnt have a valid certificate
from the companies own CA stays unclear to me) and wrapping that all in a Java library
to use by our DriverManager which abstracts all the technical details of how to use
the drivers inside our infrastructure.
This method works but still IE is very slow in that parts, especially when you have
installed more than a handful of client certificates.

Second approach, and that is the one which I think could fit selenium core the best
to be browser independent was to implement a MITM proxy which gets started and stopped
again in the DriverManager and which translates all url get requests on https into
using http on the target browser and handles the endpoint to the target server injecting
client certificates (same method I used in a custom HTMLUnit driver), this worked on
all browsers I tested so far and also eliminated all the native IE errors/notification
about SSL and security. 

Reported by michel.racic on 2014-02-16 19:42:03

[lukeis]

Issue 7067 has been merged into this issue.

Reported by barancev on 2014-03-06 18:31:39

[lukeis]

@michel racic. I am interested in learning more about the code you developed for authenticating
via certificates with IE. Do you have any code you can share?

Reported by jenktom1@aol.com on 2014-03-07 04:16:52

[lukeis]

This is working in Firefox for me:


package org.core.selenium;

import java.util.concurrent.TimeUnit;

import org.apache.log4j.Logger;
import org.apache.log4j.xml.DOMConfigurator;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.firefox.FirefoxProfile;
import org.core.helpers.SeleniumHelpers;
import org.core.settings.GlobalSettings;

public class BasicAthentication {

    public String className                 = BasicAthentication.class.getName();
    public GlobalSettings globalSettings    = new GlobalSettings();
    public Logger log;
    public SeleniumHelpers selHelpers;

    public FirefoxDriver driver;
    public FirefoxProfile ffProfile         = new FirefoxProfile();

    public String URL                       = new String("browserspy.dk/password-ok.php");
    public String username                  = new String("test");
    public String password                  = new String("test");

    public BasicAthentication() {
    }

    public static void main(String args[]) {
        BasicAthentication basic    = new BasicAthentication();
        basic.webDriverVersion();
    }

    public void webDriverVersion() {

        this.log                = Logger.getLogger(this.className);
        DOMConfigurator.configure(this.globalSettings.getDomConfig());

        try {

            /* preferences */
            this.ffProfile.setPreference("network.automatic-ntlm-auth.trusted-uris", this.URL);
            /* driver */
            this.driver         = new FirefoxDriver(ffProfile);
            this.driver.manage().timeouts().implicitlyWait(this.globalSettings.getWaitTime(),
TimeUnit.SECONDS);
            this.driver.manage().window().maximize();
            /* helpers */
            this.selHelpers     = new SeleniumHelpers(this.driver, this.log, this.className);
            /* go to url */
            this.driver.navigate().to("http://" + this.username + ":" + this.password + "@"
+ this.URL);
            /* screenshot */
            this.selHelpers.screenPrint();
            /* sleep */
            Thread.sleep(5000);     

        } catch (Exception e) {
            log.error("got error", e);
        } finally {
            if (driver != null) {
                driver.quit();
            }
        }
    }
}

Reported by otwoblue on 2014-03-27 04:25:03

[lukeis]

0
down vote
Hi, i'm using this and it's working for me.

public void login(String username, String password){
        WebDriver driver = getDriver();
        String URL = "http://" + username + ":" + password + "@" + "link";
        driver.get(URL);
        driver.manage().window().maximize();
    }

Reported by holaszkati on 2014-07-28 11:36:09

[lukeis]

Comment #89, #90 and other which mention the workaround that first appeared in comment
#5 and everyone is very likely to be aware of already - using fancy browser features
is not the same thing as testing the authentication dialog that real users will see
- also IE7+ deliberately doesn't support user:pass@my.page syntax http://support.microsoft.com/default.aspx?scid=kb;[LN];834489

I have no idea what is the business case to create automated TESTS of web pages without
being able to test them in Internet Explorer (I know there are workarounds for that
too, to use a proxy server, but this bug is about not having to use workarounds for
such a basic task).

Reported by Peter.Hozak on 2014-07-28 11:59:45

[lukeis]

The link given in #91 also gives details of how to enable use of the workaround in IE,
which allows you to test your site and your authentication but not the authentication
dialogue box.

Reported by David.R.Bisset on 2014-08-25 13:47:03

[lukeis]

How to handle chrome authentication pop up using Webdriver any one please

Reported by rajeshchevronne on 2014-09-06 12:23:20

[lukeis]

"driver.get(http://username:password@www.basicauthprotected.com/);"

this works for chromeDriver as well.

Reported by jason.smiley@1stdibs.com on 2014-10-03 19:10:26

[lukeis]

for firefox and chrome this is working to me: 

  webDriver->get("http://username:password@domain");

but not for Internet Explorer, any idea on how to login in the Authoritation Required
popup subwindow? 

Has anyone an example with webDriver->getWindowHandles(); in phpwebdriver that works?

Reported by alejandro.zambrano@tecnilogica.com on 2014-10-08 17:01:14

[lukeis]

for firefox and chrome this is working to me: 

  webDriver->get("http://username:password@domain");

but not for Internet Explorer, any idea on how to login in the Authoritation Required
popup subwindow? 

Has anyone an example with webDriver->getWindowHandles(); in phpwebdriver that works?

Reported by alejandro.zambrano@tecnilogica.com on 2014-10-09 11:45:47

[lukeis]

For Chrome, I resolve this issue (Basic HTTP Authentication) by adding a plugin on the
fly wich resolve the problem.

I explain my logic here : https://github.com/RobinDev/Selenium-Chrome-HTTP-Private-Proxy.
With some customization on the js function callbackFn(details) in the plugin, it can
be adapt to a lot of test needed one.

But maybe, if we can access to `chrome.webRequest.onAuthRequired.addListener`configuration
problem, it will solve the problem directly from webDriver.

Reported by onrobindev on 2014-11-16 11:02:39

[lukeis]

For chrome NTLM authentication, http://stackoverflow.com/a/28048163/351708

Reported by rohitkandhal on 2015-01-20 16:06:32

[lukeis]

Follow-up: https://github.com/SeleniumHQ/selenium/issues/453

Reported by kenorb on 2015-05-04 19:59:02

[lukeis]

Reported by luke.semerau on 2015-09-17 17:44:23

• Labels added: Restrict-AddIssueComment-Commit