Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space FUNCTDEV and version SVC2020.1

This topic explains describes configuration options for using the HTTP 1.0 with selected supporting tools and provisioning action tools.Sections include0 transport. In this section:

Table of Contents
maxLevel1

Configuring HTTP 1.0 Settings

When selecting HTTP 1.0 as the transport protocol, you can specify whether you want the client’s requests to use Keep-Alive connections (required for NTLM and Digest HTTP authentication). It will also be reused for a single invocation of a test suite from the GUI or the command line. You will be able to add, modify, and remove custom HTTP headers to the SOAP request from within the Transport tab of an appropriate tool.

...

...

General page options include:

  • Router Endpoint: Specify the desired endpoint URL for the service. By default, SOAP Client endpoints are set to the endpoint defined in the WSDL. Besides WSDL, there are three other endpoint options:

  • SOAP Action: Specifies how the server processes the request. This field is disabled if the Constrain to WSDL check box is selected. For SOAP Client only

...

General

The options available under the General tab vary depending on the tool you are configuring. 

Endpoint

The Endpoint option is available for SOAP Clients. Choose a definition from the drop-down menu: 

  • WSDL: Specifies the endpoint defined in the WSDL.
  • Default: Specifies the endpoint defined in the Test or Action Suite. 
  • Custom: Allows you to set any custom endpoint.
  • UDDI serviceKey: Describes what UDDI serviceKey is used to reference this server endpoint in the UDDI registry specified in the Preferences panel’s WSDL/UDDI tab.

Router Endpoint

The Router Endpoint option is available for Messaging Clients. It specifies the endpoint URL for the server. Choose Fixed from the drop-down menu and manually specify the URL in the field provided. The endpoint can be specified as a fixed value, parameterized value, or scripted value. For details about scripting values, see Extensibility and Scripting Basics.

Method

The Method setting is available for REST Clients. It specifies which method is used to processes the request. This field is disabled if the Constrain to WSDL check box is selected.

...

 The method to invoke can be specified as a fixed value, parameterized value, or scripted value.

...

see Parameterizing Tests with Data Sources, Variables, or Values from Other Tests and Parameterizing Tools with Data Source Values, Variables, and Extracted Values.

With fixed values, you can access data source values using ${var_name} syntax. You can also use the environment variables that you have specified. For details about environments, see Configuring Testing in Different Environments and Configuring Virtualize Environments.

...

 For details about scripting values, see Extensibility and Scripting Basics.

SOAPAction

...

The SOAPAction setting is available for SOAP Clients and specifies how the server processes the request. This field is disabled if the Constrain to WSDL option is enabled. 

Message Exchange Pattern

Enable the Expect synchronous response option if a response body is expected.

...

This option is enabled by default because an HTTP response header is always expected.

...

If this option is not

...

enabled, then

...

a one-way message

...

is sent. The service may send a notification header (typically "HTTP/1.0 202 Accepted") in response.

Connection Settings

...

Specifies Keep-Alive or Close connections

...

.

  • Keep-Alive connection: Adds a "Connection: Keep-Alive" header to request a keep-alive connection if the server supports it. This is required for NTLM and Digest HTTP authentication.
  • Close connection (default): Outputs no additional HTTP headers and performs a regular HTTP 1.0 exchange. This is the default behavior for HTTP 1.0.

The connection setting enabled will also be reused for a single invocation of a test suite from the GUI or the command line. 

Redirect Settings

...

Enable the Follow HTTP redirects option for messaging clients

...

to automatically follow HTTP redirects.

...

 Disable this option if you want to perform an action or validation on the original request/response traffic (instead of working only with the final request/response pair).

...

Compression Settings

Compression

...

settings are available for messaging clients

...

. They specify whether to compress requests and decompress responses. You can enable the following compression setting options:

  • Gzip request payload: Gzips the request payloads being sent over the network. Data sent to attached tools will not be compressed. Note that compression does not apply to SOAP Clients configured to send attachments or in MTOM mode.
  • Decompress gzip-encoded response payload: Decompresses response payloads that have "Content-Encoding: gzip" as a header field. Attached tools will receive the uncompressed data.

...

  • .

...

...

URL Parameters 

URL Parameters page options include:

...

The URL Parameters settings are available for Messaging Client tools. The interface enables you to add parameters to the URL for a GET request. After clicking the Add button, you can specify Parameters/Value pairs in the dialog that opens. If a data source is available, you can parameterize the values as well.

Info
titleMessage Client URL Parameter Format

URL query parameters are formatted according to the "application/x-www-form-urlencoded" content type. Space characters are replaced with '+'. Non alpha numeric characters are replaced with a percent sign followed by two hexadecimal digits representing the character code. Names and values are separated by '=' and name-value pairs are separated by '&'. 

If you want to use a different format, query parameters can also be specified directly at the end of the tool's endpoint URL (instead of in the URL Parameters section). For example, you could use http://host:8080/path?a=1&b=2&c=3

...

Security> Client side SSL page options include:

...

Security

Security settings for the transport are spread across the following tabs.

Client side SSL

Enable the Use client key store option to specify the key store used to complete the handshake with the server.Security>

HTTP Authentication

...

...

Enable the Perform authentication option to set up  basic, NTLM,  Digest, or Kerberos authentication. You can enable the Use Global Preferences option to use the authentication settings configured in the Security Preferences (see Security Settings) or choose an authentication type from the Type drop-down menu to configure authentication settings that apply to the client. You can specify the following types:

  • Basic
  • NTLM
  • Kerberos 
  • Digest, select the Perform Authentication check box, then select Basic, NTLM, Kerberos, or Digest from the Type drop-down list.

For Basic, NTLM, or Digest, enter the Username and Password to authenticate the request.

For Kerberos, enter the Service Principal to authenticate the request. If the correct username and password, or the correct service principal, are not used, the request will not be authenticated.

  • Use Global Preferences: Alternatively, you can select Use Global Preferences if you have set Global HTTP Authentication Properties within the Security Preferences.  For more information, see Security Settings.within 

OAuth Authentication 

Configure the OAuth Authentication settings for clients that connect to services that perform authentication under OAuth 1.0a. For OAuth 2.0, authentication is configured in the REST Client's Resource and Payload tabs. Refer to OAuth Authentication for additional details. You can configure the following settings: Security> OAuth Authentication page options include:

  • Perform Authentication: Enabling this option indicates that OAuth Authentication should be performed. An Authentication field containing OAuth specific information will be added to the HTTP Header.
  • Consumer Key and Secret Configuration: The Consumer Key and Consumer Secret are the credentials that the client uses to validate itself with the server. The Consumer Key is unique to each client using it. Both of these are required at all steps.
  • OAuth Authentication Mode: Specifies what step of the OAuth Scenario you'd like to perform.
    • Obtain Request Token: Requests the Request Token from the server using the Consumer Key and Secret.
    • Scope: Restricts what information may be accessed. This information in embedded into the Consumer Key.
    • Exchange Request Token for Access Token: Exchanges the Request Token plus the verification code for the Access Token.
  • Request Token: Specifies Temporary Request Token credentials obtained from the server (used to exchange for the Access Token).
  • Request Token Secret: Specifies Temporary Request Token credentials obtained from the server (used to exchange for the Access Token).
  • Verification Code: Specifies the verification code provided by the server; this confirms that the resource owner will grant permission.
    • Sign Request for OAuth Authentication: Uses the specified Access Token and Access Token Secret to give the client access to the user's private resources.
  • OAuth Parameters: Allows you to specify additional parameters on the OAuth Token— for example, the timestamp and nonce.

For details on using OAuth authorization, see Using OAuth Authentication.

...

.

...

HTTP Headers

You can specify HTTP Headers page options include to include with your request. Use the following controls to add header names and values:

  • Add: Click to add a custom HTTP header. The header name is case insensitive.
  • Modify: Click to modify the selected HTTP header. A dialog box will display, allowing you to modify the Name and Value of the header. If the tool is using a data source, values for the header can be accessed from the data source.
  • Remove: Click to delete the selected HTTP header.

These controls are used to override header fields. For example, you can override the Content-Type header field by specifying the desired name and value via these controls. 


Image Modified

The following header fields, which headers are added by default , and can be overridden via using these UI controls. 

Host

The value will contain This header value contains the host name and port number from the HTTP endpoint or resource URL.

Content-

...

Type 

This header specifies the The media type of the outgoing message. This header is only sent if the outgoing message contains a body which is controlled by the HTTP method.  A body is sent for POST, PUT, and DELETE methods and not for GET, OPTIONS, HEAD, or TRACE.The  The default value is determined based on the type of message being sent. The content-type of an a SOAP message will vary depending on the SOAP version, "text/xml" for SOAP 1.1 or "application/soap+xml" for SOAP 1.2. Other XML messages will use "text/xml" by default. JSON messages will use "application/json". A message configured using the Table view will use "application/x-www-form-urlencoded". A message sent with MIME attachments will contain a "multipart" content-type with "start" and "boundary" parameters. Messages belonging to EDI, Fixed Length, CSV, or Custom message formats will have the media type for the message format.

Image Modified

Content-Length

The size of the outgoing message in bytes.

The following HTTP headers are configured conditionally. They are configured outside of this table or have values that must be dynamically generated.

SOAPAction

This HTTP header is sent for SOAP 1.1 only. It is set in the SOAPAction field of the General page settings

Image Modified

Authorization

This header is constructed automatically based on the HTTP Authentication and OAuth settings specified in your preferences (under Security> HTTP Authentication and OAuth). The value for NTLM, Digest, and Kerberos authentication will vary depending on various factors, including dynamically-generated challenge responses and security tokens. 

Connection

This header is added to the message with value of Keep-Alive if Keep-Alive connection is enabled. This header is not sent if Close connection is enabled (this is the default). Keep-Alive must be enabled for NTLM and Digest HTTP authentication.

Proxy-Authorization

This header is constructed based on the Proxy Authentication settings in the preferences and whether the server indicated that proxy authentication is required.

...

.

...

Cookies

Cookies page options include:

...

Choose Custom from the Cookies menu and enable the Reset existing cookies before sending request

...

 option to clear the current cookies so that next HTTP invocations start a new session

...

Using OAuth Authentication

Parasoft supports both OAuth 1.0a and 2.0 security protocols for Web Server Flow and Client Credentials Flow (2-legged scenario). OAuth Authentication can be configured for HTTP 1.0/HTTP 1.1 transport.

For the REST client, it is configured under the HTTP Options tab. For the Messaging Client, it is configured under the Transport tab.

About OAuth

OAuth (Open Authorization) is an authentication protocol that provides users a method to grant third-party applications access to their private resources without revealing login credentials. It also provides a way to restrict the amount of information that can be accessed. This protocol was implemented to handle the problem of exposing login credentials to third-party applications.

OAuth is based on the traditional client-server authentication model, but introduces a third role to this model: the user (also known as the resource owner). In the traditional client-server authentication model, the client directly accesses resources hosted by the server. In the OAuth model, the client must first obtain permission from the resource owner before accessing resources from the server. This permission is expressed in the form of a token and matching shared-secret key.

For example, assume that a user (resource owner) wants to grant a printing service (client) access to his private photos stored at a photo sharing service (server). Instead of revealing the user's login credentials to the printing service, the user can perform OAuth authentication to grant the printing service permission to access his private photos. 

This would happen in three stages:

  1. The printing service requests temporary credentials from the photo sharing service.
  2. Once the printing service receives the credentials, it redirects the user to the photo sharing service's OAuth Authorization URL, then the user provides login credentials. Note that the printing service has no visibility into the user's login credentials at this step. Once the user decides to give the printing service access to the private photos, a confirmation verification code is generated.
  3. The printing service then exchanges the temporary credentials plus the verification code for an access token. Once the printing service has the access token, they can then obtain and print the user's private pictures from the photo sharing service.

Using OAuth 1.0a

Using OAuth 1.0a involves the following general steps:

  1. Obtain and authorize a request token from the service provider
  2. Exchange the request token for an access token
  3. Sign OAuth requests to access protected resources

The following example uses the REST Client to send request messages to the server. Note that the Messaging Client can use OAuth 1.0a in the same manner.

Obtain and authorize a request token from the service provider 

...

Exchange the request token for an access token

  1. Create a new REST Client and configure the settings for the location where the Request Token should be exchanged for the Access Token.
  2. Under the HTTP Options tab, select either HTTP 1.0 or HTTP 1.1, and enable OAuth Authentication by checking Perform Authentication. This will enable the other fields necessary to complete the OAuth Authentication.
  3. Under Consumer Key and Consumer Secret, add the key and secret.
  4. Select Exchange Request Token for Access Token for the OAuth Mode.
  5. Parameterize the Request Token and Request Token Secret fields from the Text Data Bank extractions.
  6. Parameterize the Verification Code field from the Browser Data Bank.
  7. Attach a Text Data Bank to the Response Traffic of the REST Client and extract the Access Token (usually denoted as oauth_token) and the Access Token Secret (usually denoted as oauth_token_secret).

Sign OAuth requests to access protected resources

  1. Create a new REST Client and configure the settings for the location where the Access Token should be used to access the private resources.
  2. Under the HTTP Options tab, select either HTTP 1.0 or HTTP 1.1, and enable OAuth Authentication by checking Perform Authentication. This will enable the other fields necessary to complete the OAuth Authentication.
  3. Under Consumer Key and Consumer Secret, add the key and secret.
  4. Select Sign Request for OAuth Authentication for the OAuth Mode.
  5. Parameterize the Access Token and Access Token Secret fields from the Text Data Bank extraction.
  6. Request the user's private resources. This should be possible because the Access Token has been obtained.

Using OAuth 2.0

OAuth 2.0 has been significantly simplified in comparison to its predecessor (OAuth 1.0a). Since OAuth 2.0 is a completely new protocol, it is not backwards compatible with OAuth 1.0a. However, it does share the same the overall architecture and approach to providing users a method to grant third-party applications access to private resources without revealing login credentials.

To learn more about the changes being introduced in OAuth 2.0, see the working draft at http://tools.ietf.org/html/draft-ietf-oauth-v2-20.

Using OAuth 2.0 involves the following general steps:

  1. Request authorization
  2. Obtain access token
  3. Access protected resources

The following example uses the REST Client to send request messages to the server. Note that the Messaging Client can use OAuth 2.0 in the same manner.

Request authorization 

...

Obtain access token 

...

Access protected resources

...