I must investigate a problem that occurs only if using Kerberos (does not occur with basic auth). Unfortunately, JMeter does not support Kerberos, so I have to use a proprietary tool. See http://stackoverflow.com/q/4164320 If I understood well, JMeter uses HttpClient. Here is how to configure HttpClient for Kerberos (paragraph 4.10): http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html Thanks a lot! Nicolas Raoul
Would love to see this feature added. Without Kerberos support, we can't have confidence in our performance tests.
Hello, Would it be possible for you to setup a Kerberos publicly available site so we could implement this protocol ? Thank you Regards
Created attachment 30342 [details] Add support for kerberos Add support to jmeter (trunk) for http4client. Configuration is done via a new KerberosManager class. AuthManager was extended to support configuration of kerberos for certain domains. Http-Sampler classes were extended to support kerberos. This patch was tested with ApacheDS 2.0.0-M12 and Apache tomcat 7.0.40 under linux (ubuntu 13.04).
Thanks for patch, will review as soon as possible. If you can provide configuration used to test it would be great.
Created attachment 30401 [details] configurations used for tests The configurations are splitted into three directories. One for apacheds, one for tomcat and one for jmeter. To test I have used three virtual machines called client.example.com, www.example.com and kerberos.example.com. On kerberos.example.com I extracted the apacheds-2.0.0M3 tar.gz, copied instances/default to instances/example.com and applied the example.com.diff. Than I started the example.com instance by running bin/apacheds example.com (you might have to chmod +x ). When started the example.com.ldif can be applied by running ldapadd -x -h kerberos.example.com:10389 -D uid=admin,ou=system -W -f example.com.ldif and giving the password 'secret' when asked. On the machine www.example.com I extracted a tomcat-7.0.40 and applied the server.xml.diff to conf/server.xml. I copied the file jaas.conf and krb5.ini into conf. Then you will have to generate the conf/www.example.com.keytab with ktutil. Run ktutil and enter at the prompt addent -password -p HTTP/www.example.com@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96 Again enter password 'secret' Now enter wkt conf/www.example.com.keytab and lastly enter quit Now you should have a keytab in conf called conf/www.example.com.keytab You should be able to start tomcat by calling ./bin/startup.sh Now compile jmeter go into the jmeter-testplan directory and start jmeter. Openn the kerberos.jmx testplan and run it. If I haven't forgotten a step in this short howto, it should take two samples without one error.
Created attachment 30572 [details] Add kerberos support Patch aligned with current trunk, so it applies cleanly.
Infos about how to setup a kerberos infrastructure are given.
Hello, Thanks for patch. Few notes about it: - could you provide it in unified format,"If you are providing a patch to fix a bug, please ensure it is in unified diff format. If using Eclipse, please set the patch root to "Project", not the default "Workspace" which is harder to apply." - looking at implementation, I see the following issues or enhancements : 1) kerberos is a boolean, I think it would be better to have a select box if we want to have another type of auth like Digest 2) Code seems to me intrusive regarding Kerberos in HTTPHC4Impl. This is probably due to Subject.doAs. Maybe we should enhance AuthManager with a method like isSubjectBased(url). If it returns true , we would call authManager.getSubject(authorization) and call Subject.doAs, if not we just call httpClient.execute. This way it would not be directly related to Kerberos. Same for setConnectionAuthorization, maybe we should call authManager.handle(auth), which would make code cleaner.
Created attachment 30591 [details] Updated patch in unified format
Created attachment 30621 [details] add kerberos support to jmeter My old patch was in unified format. I think you just wanted to have another base directory. I used standard "git diff", which appends an "a" and "b" prefix. Now I have used "git diff --no-prefix" which should make you happy. I also have addressed your first comment about having multiple mechanisms in AuthManager. Now you can select one value of a newly added enum Mechanism (BASIC and KERBEROS being the only values). Next I will address your next comment.
Hello, Many thanks you for new update. It's better but still there is something that I would like to improve. It seems to me in HttpHC4Impl, it would be nice to do something like this: authManager.configureCredentials(url, (AbstractHttpClient)client); AuthManager would take care of applying the auth policy. Same for executeRequest, it would be nice to just have this: private HttpResponse executeRequest(final HttpClient httpClient, final HttpRequestBase httpRequest, final HttpContext localContext, final URL url) throws IOException, ClientProtocolException { AuthManager authManager = getAuthManager(); if (authManager != null) { if(authManager.getSubject(url) != null) { Subject subject = authManager.getSubject(url); try { return Subject.doAs(subject, new PrivilegedExceptionAction<HttpResponse>() { @Override public HttpResponse run() throws Exception { return httpClient.execute(httpRequest, localContext); } }); } catch (PrivilegedActionException e) { log.warn( "Can't execute httpRequest with kerberos-subject", e); return null; } } } // perform the non-kerberos sample return httpClient.execute(httpRequest, localContext); } The issue is that KerberosManager is not visible to AuthManager. So wouldn't it be better to remove KerberosManager GUI and enhance HTTP Authorization Manager to have a GUI that changes depending on Mechanism. In this case Mechanism would not be an additional column but a select box outside of table and depending on value additional attributes would appear: BASIC => Nothing Kerberos => krb5.cong, jaas file, debug DIGEST => Nothing ... Another little question, why does KerberosManager implement TestIterationListener and TestStateListener, it does not seem useful to me as methods are empty. sebb, milamber what's your opinion ?
Not sure why this was resolved as fixed; reopening
My mistake, was needinfo
The AuthManager is treated specially for HTTP requests, so it seems sensible to use that feature for Kerberos Auth. As far as the GUI is concerned, there could be a check box, or a tabbed selection like we use now for the Http Post Body. I think we should restrict Kerberos to the HC4 implementation; less code to test and maintain.
Agree for limiting it to hc4. Regarding gui, did you look at provided patch, it adds a gui for kerberosmanager+ mechanism column for authmanager, so I was proposing something a bit different
(In reply to Philippe Mouawad from comment #15) > Regarding gui, did you look at provided patch Not yet > it adds a gui for > kerberosmanager+ mechanism column for authmanager, > so I was proposing something a bit different I've just realised: does AuthManager need to support both Kerberos and existing auth in the same GUI? I.e. is there a need for a single AM to support different auth mechanisms for different hosts?
> I've just realised: does AuthManager need to support both Kerberos and > existing auth in the same GUI? I.e. is there a need for a single AM to > support different auth mechanisms for different hosts? Can you clarify what you mean ? I understood your previous comment like this: 1) We add a tabbed pane with the different policies 2) Kerberos one would have what there is in Kerberos Manager configuration This would be interesting as we could have access to Kerberos Manager from AuthManager and could be able to avoid kerberos implementation details being in HttpHc4Impl.
(In reply to Philippe Mouawad from comment #17) > > I've just realised: does AuthManager need to support both Kerberos and > > existing auth in the same GUI? I.e. is there a need for a single AM to > > support different auth mechanisms for different hosts? > > Can you clarify what you mean ? > I understood your previous comment like this: > 1) We add a tabbed pane with the different policies > 2) Kerberos one would have what there is in Kerberos Manager configuration Yes. > This would be interesting as we could have access to Kerberos Manager from > AuthManager and could be able to avoid kerberos implementation details being > in HttpHc4Impl. Yes. But the issue is: with the existing AM, it supports multiple credentials for different hosts. If there were a separate tab for Kerberos, I assume it could support multiple Kerboros entries for different hosts. How would the GUI support both Kerberos and non-Kerberos? It would be very odd if some of the credentials were not visible but were still active. So I suspect we either need to somehow use the same table, or perhaps add another table that is visible concurrently.
Created attachment 30650 [details] Add support for kerberos I have inserted KerberosManager into AuthManager and implemented the methods hasSubjectForUrl and getSubjectForUrl in AuthManager. That way the changes for httpclient are a bit less intrusive. Since the kerberos settings are done via System-properties we can't have more than one setting in an entire JVM. So we could put the configuration for kerberos in AuthManager as well. For now one will have to set the config via JVM_ARGS="-Djava.security.login.config=.../jaas.conf -Djava.security.krb5.conf=.../krb5.conf", since the KerberosConfig seems to be not used now:(
If the settings really have to be provided via System properties, why do we need an AuthManager entry? Maybe the user should just edit system.properties.
Date: Tue Jul 30 21:16:35 2013 New Revision: 1508633 URL: http://svn.apache.org/r1508633 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Bugzilla Id: 53480 Added: jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/KerberosManager.java (with props) Modified: jmeter/trunk/src/core/org/apache/jmeter/resources/messages.properties jmeter/trunk/src/core/org/apache/jmeter/resources/messages_de.properties jmeter/trunk/src/core/org/apache/jmeter/resources/messages_fr.properties jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/Authorization.java jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/gui/AuthPanel.java jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/sampler/HTTPHC4Impl.java jmeter/trunk/xdocs/changes.xml
Keeping open for now. Needs documentation and further testing.
Note following System JVM args must be set (there is a mistake in previous comment): JVM_ARGS="-Djava.security.auth.login.config=jaas.conf -Djava.security.krb5.conf=krb5.conf" Added them in system.properties
Date: Tue Jul 30 21:38:33 2013 New Revision: 1508641 URL: http://svn.apache.org/r1508641 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Fix Test Plan to add new column Bugzilla Id: 53480 Modified: jmeter/trunk/bin/testfiles/AuthManagerTestPlan.jmx Date: Tue Jul 30 21:43:00 2013 New Revision: 1508646 URL: http://svn.apache.org/r1508646 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Fix Test Plan to add new column Bugzilla Id: 53480 Modified: jmeter/trunk/bin/testfiles/GuiTest231.jmx Date: Wed Jul 31 13:37:30 2013 New Revision: 1508850 URL: http://svn.apache.org/r1508850 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Revert to previous test plan Bugzilla Id: 53480 Modified: jmeter/trunk/bin/testfiles/AuthManagerTestPlan.jmx Date: Wed Jul 31 13:40:27 2013 New Revision: 1508851 URL: http://svn.apache.org/r1508851 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Revert to previous test plan Bugzilla Id: 53480 Modified: jmeter/trunk/bin/testfiles/GuiTest231.jmx Date: Wed Jul 31 13:41:00 2013 New Revision: 1508852 URL: http://svn.apache.org/r1508852 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Fix Tests failure Bugzilla Id: 53480 Modified: jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/Authorization.java Date: Fri Aug 2 13:52:59 2013 New Revision: 1509712 URL: http://svn.apache.org/r1509712 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Add configuration Bugzilla Id: 53480 Added: jmeter/trunk/bin/jaas.conf jmeter/trunk/bin/krb5.ini (with props) Modified: jmeter/trunk/bin/system.properties
Date: Fri Aug 2 20:47:31 2013 New Revision: 1509850 URL: http://svn.apache.org/r1509850 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Add client configuration Bugzilla Id: 53480 Added: jmeter/trunk/bin/krb5.conf Date: Fri Aug 2 20:48:01 2013 New Revision: 1509851 URL: http://svn.apache.org/r1509851 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Fix and document client configuration Bugzilla Id: 53480 Modified: jmeter/trunk/bin/jaas.conf Date: Fri Aug 2 20:48:38 2013 New Revision: 1509852 URL: http://svn.apache.org/r1509852 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Remove server configuration Bugzilla Id: 53480 Removed: jmeter/trunk/bin/krb5.ini Date: Fri Aug 2 20:51:09 2013 New Revision: 1509855 URL: http://svn.apache.org/r1509855 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Make jaas application configuration and default to JMeter Bugzilla Id: 53480 Modified: jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/KerberosManager.java Date: Fri Aug 2 20:57:17 2013 New Revision: 1509856 URL: http://svn.apache.org/r1509856 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Add ability to clear kerberos subjects on each Main Loop iteration Bugzilla Id: 53480 Modified: jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/control/AuthManager.java jmeter/trunk/src/protocol/http/org/apache/jmeter/protocol/http/gui/AuthPanel.java Date: Fri Aug 2 20:58:14 2013 New Revision: 1509857 URL: http://svn.apache.org/r1509857 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Add ability to clear kerberos subjects on each Main Loop iteration i18n Bugzilla Id: 53480 Modified: jmeter/trunk/src/core/org/apache/jmeter/resources/messages.properties jmeter/trunk/src/core/org/apache/jmeter/resources/messages_fr.properties Date: Fri Aug 2 20:59:57 2013 New Revision: 1509858 URL: http://svn.apache.org/r1509858 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Make jaas application configuration and default to JMeter Bugzilla Id: 53480 Modified: jmeter/trunk/bin/jmeter.properties
Comments in jaas.conf can not be made with '#' they have to be marked C/javadoc like with /** .... */
Date: Sat Aug 3 10:35:46 2013 New Revision: 1509954 URL: http://svn.apache.org/r1509954 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Fix comments in jaas.conf Bugzilla Id: 53480 Modified: jmeter/trunk/bin/jaas.conf Date: Sat Aug 3 10:37:58 2013 New Revision: 1509955 URL: http://svn.apache.org/r1509955 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Fix comments in krb5.conf Bugzilla Id: 53480 Modified: jmeter/trunk/bin/krb5.conf
Created attachment 30668 [details] correct comments in jaas.conf Comments have to be in c-style /* -- */
Thanks Felix, fixed it before your patch upload. Feel free to review and double check . Regarding Serializable, making KerberosManager public fixed the warning. Thanks
Date: Sat Aug 3 13:25:31 2013 New Revision: 1509985 URL: http://svn.apache.org/r1509985 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Update documentation Bugzilla Id: 53480 Modified: jmeter/trunk/xdocs/usermanual/component_reference.xml Date: Sat Aug 3 13:26:12 2013 New Revision: 1509986 URL: http://svn.apache.org/r1509986 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Update screenshots Bugzilla Id: 53480 Modified: jmeter/trunk/docs/images/screenshots/http-config/auth-manager-example1b.png jmeter/trunk/docs/images/screenshots/http-config/http-auth-manager.png jmeter/trunk/xdocs/images/screenshots/http-config/auth-manager-example1b.png jmeter/trunk/xdocs/images/screenshots/http-config/http-auth-manager.png
Created attachment 30669 [details] change wording for docs I think it is better style to write out numbers in sentences. I have positioned a comma to a different position and formulated the passage about more docs a bit different. But since I am not a native speaker, it could be all wrong :)
Date: Sat Aug 3 18:36:16 2013 New Revision: 1510053 URL: http://svn.apache.org/r1510053 Log: Bug 53480 - Add Kerberos support to Http Sampler (HttpClient4) Update docs as per Felix Schumacher patch and complete documentation Bugzilla Id: 53480 Modified: jmeter/trunk/xdocs/usermanual/component_reference.xml
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/2851