Using post to test user login
list Shawn Maschino
Hi all - I ran into a challenge and was wondering if anyone else had seen it and found a workaround. I'd like to use the "post" function of the HTTP test to verify a web page that does user authentication for an application. The way the login works is:
- User enters login details on a web form
- The user is sent to a "middle" page while authentication is done
- If authentication is successful they are redirected into the web application, otherwise they redirect to an error page
When using the post check I can only get to that middle page, which doesn't tell me if authentication was correct or not. The reason for the middle page is that this web site is using SSO authentication against an external LDAP system. We'd need to be able to get to the page that the redirect pushes to. Does anyone know if there is a way around this? My first impressions would be no, but I thought it wouldn't hurt (too much!) to ask.
Thanks!
Shawn
list Larry Barber
I had a similar problem and ended up writing a short Python program to supply the userid and password. I don't believe my boss would have a problem if I GPL'd it and released it. Let me know if you're interested.
Thanks,
Larry Barber
On 6/21/06, Maschino, Shawn (GE Indust, Plastics) <user-518eb92a87d3@xymon.invalid> wrote:
Hi all – I ran into a challenge and was wondering if anyone
else had seen it and found a workaround. I'd like to use the "post"
function of the HTTP test to verify a web page that does user authentication
for an application. The way the login works is:
- User enters login details on a web form
- The user is sent to a "middle" page while authentication is
done
- If authentication is successful they are redirected into the
web application, otherwise they redirect to an error page
When using the post check I can only get to that middle page, which
doesn't tell me if authentication was correct or not. The reason for the
middle page is that this web site is using SSO authentication against an
external LDAP system. We'd need to be able to get to the page that the
redirect pushes to. Does anyone know if there is a way around this? My
first impressions would be no, but I thought it wouldn't hurt (too much!) to ask.
Thanks!
Shawn
list Ralph Mitchell
I've been doing exactly that for years, with Big Brother scripts. As such, it's all in Bourne shell, using curl to fetch web pages, grepping for the interesting bits, then using curl again to post the pages back. Some of the scripts grind right through the Siteminder login process, which bounces you from the original server to the authenticating server, then back again. Curl handles the redirects just fine. It also deals with SSL on secure web servers.
If you're interested, I can see about stripping out the company specific stuff from one of them, so you can see how it works. There should be no problem integrating with Hobbit.
OK, so it's not Python or Perl, but it was what I had to work with 6 years ago when I started. I keep telling myself that when the rush dies down I'll see about converting to Python...
Ralph Mitchell
On 6/21/06, Maschino, Shawn (GE Indust, Plastics) <user-518eb92a87d3@xymon.invalid> wrote:
Hi all – I ran into a challenge and was wondering if anyone
else had seen it and found a workaround. I'd like to use the "post"
function of the HTTP test to verify a web page that does user authentication
for an application. The way the login works is:
- User enters login details on a web form
- The user is sent to a "middle" page while authentication is
done
- If authentication is successful they are redirected into the
web application, otherwise they redirect to an error page
When using the post check I can only get to that middle page, which
doesn't tell me if authentication was correct or not. The reason for the
middle page is that this web site is using SSO authentication against an
external LDAP system. We'd need to be able to get to the page that the
redirect pushes to. Does anyone know if there is a way around this? My
first impressions would be no, but I thought it wouldn't hurt (too much!) to ask.
Thanks!
Shawn
list Shawn Maschino
Thanks Ralph and Larry - if either of you can share an example script that would be great. We are using Siteminder for our SSO here so it sounds like it may be easy to steal, er, borrow, what you have to get it working.
From: Ralph Mitchell [mailto:user-00a5e44c48c0@xymon.invalid]
Sent: Wednesday, June 21, 2006 11:00 PM
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] Using post to test user login
I've been doing exactly that for years, with Big Brother scripts. As
such, it's all in Bourne shell, using curl to fetch web pages, grepping
for the interesting bits, then using curl again to post the pages back.
Some of the scripts grind right through the Siteminder login process,
which bounces you from the original server to the authenticating server,
then back again. Curl handles the redirects just fine. It also deals
with SSL on secure web servers.
If you're interested, I can see about stripping out the company specific
stuff from one of them, so you can see how it works. There should be no
problem integrating with Hobbit.
OK, so it's not Python or Perl, but it was what I had to work with 6
years ago when I started. I keep telling myself that when the rush dies
down I'll see about converting to Python...
Ralph Mitchell
On 6/21/06, Maschino, Shawn (GE Indust, Plastics)
<user-518eb92a87d3@xymon.invalid> wrote:
Hi all - I ran into a challenge and was wondering if anyone
else had seen it and found a workaround. I'd like to use the "post"
function of the HTTP test to verify a web page that does user
authentication for an application. The way the login works is:
- User enters login details on a web form
- The user is sent to a "middle" page while authentication is
done
- If authentication is successful they are redirected into the
web application, otherwise they redirect to an error page
When using the post check I can only get to that middle page, which
doesn't tell me if authentication was correct or not. The reason for
the middle page is that this web site is using SSO authentication
against an external LDAP system. We'd need to be able to get to the
page that the redirect pushes to. Does anyone know if there is a way
around this? My first impressions would be no, but I thought it
wouldn't hurt (too much!) to ask.
Thanks!
Shawn
list Paul Williamson
I'm interested in this as well, as we use siteminder too!
Paul
user-518eb92a87d3@xymon.invalid 06/22/06 9:41 AM >>>
Thanks Ralph and Larry - if either of you can share an example script that would be great. We are using Siteminder for our SSO here so it sounds like it may be easy to steal, er, borrow, what you have to get it working.
list Ralph Mitchell
OK, I'll see about working up a relatively generic script tonight. As I recall it works something like:
    curl -s -S -L -o home.html http://somesite.domain.com
    FORM=`cat home.html | formextract.pl | sed -e 'some stuff'`
    curl -s -S -L -o page.html $FORM
That's *very* simplistic, though. 'formextract.pl' is a hack on 'formfind.pl' which comes with curl. It extracts form variables from a page and returns a string suitable for passing back to curl. The 'sed' part is usually a bunch of substitutions to insert the userid and password.
Ralph Mitchell
On 6/22/06, PAUL WILLIAMSON <user-b9fa55f5c833@xymon.invalid> wrote:
I'm interested in this as well, as we use siteminder too!
Paul
user-518eb92a87d3@xymon.invalid 06/22/06 9:41 AM >>>
Thanks Ralph and Larry - if either of you can share an example script that would be great. We are using Siteminder for our SSO here so it sounds like it may be easy to steal, er, borrow, what you have to get it working.
list Ralph Mitchell
Attached are two files:
- bb-siteminder.sh is an example script to demonstrate how to login
- formextract.pl is a slightly modified copy of Daniel Stenberg's formfind.pl, which can be found here: http://curl.haxx.se/docs/programs.html
I'm not a perl programmer, so any screwups in formextract are mine, not Daniel's... :)
It's doubtful that the example script will work out of the box. I've found that I generally have to take it in easy stages - fetch the first page, eyeball it, adjust the script, lather, rinse, repeat.
Ralph Mitchell
On 6/22/06, Ralph Mitchell <user-00a5e44c48c0@xymon.invalid> wrote:
OK, I'll see about working up a relatively generic script tonight. As I recall it works something like:
    curl -s -S -L -o home.html http://somesite.domain.com
    FORM=`cat home.html | formextract.pl | sed -e 'some stuff'`
    curl -s -S -L -o page.html $FORM
That's *very* simplistic, though. 'formextract.pl' is a hack on 'formfind.pl' which comes with curl. It extracts form variables from a page and returns a string suitable for passing back to curl. The 'sed' part is usually a bunch of substitutions to insert the userid and password.
Ralph Mitchell
On 6/22/06, PAUL WILLIAMSON <user-b9fa55f5c833@xymon.invalid> wrote:
I'm interested in this as well, as we use siteminder too!
Paul
user-518eb92a87d3@xymon.invalid 06/22/06 9:41 AM >>>
Thanks Ralph and Larry - if either of you can share an example script that would be great. We are using Siteminder for our SSO here so it sounds like it may be easy to steal, er, borrow, what you have to get it working.
Attachments (2)
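
The fetch, extract, post-back sequence described in this thread, as an added example (not part of the thread and not the attached bb-siteminder.sh or formextract.pl). All URLs, the USER/PASSWORD field names, the SSO_USER/SSO_PASS variables and the APP_URL success prefix are assumptions; the form data is handed to curl on stdin so the monitoring password does not appear in the process list, and the verdict comes from where the redirect chain ends rather than from the HTTP status alone.

```sh
#!/bin/sh
# Added example. Assumed names: USER/PASSWORD fields, SSO_USER/SSO_PASS, APP_URL.
APP_URL=${APP_URL:-https://portal.example.invalid/app/}

# Constructed sample login page for the offline demo on the last line.
sample_page() { cat <<'EOF'
<form method="post" action="https://sso.example.invalid/login">
<input type="hidden" name="target" value="https://portal.example.invalid/app/">
<input type="hidden" name="nonce" value="abc123">
<input type="text" name="USER" value=""><input type="password" name="PASSWORD">
</form>
EOF
}

# Print name=value for each hidden <input> on stdin.
# Assumes double-quoted attributes with name= before value=.
hidden_fields() {
    grep -io '<input[^>]*>' | grep -i 'type="hidden"' |
        sed -n 's/.*name="\([^"]*\)".*value="\([^"]*\)".*/\1=\2/p'
}

# Turn name=value lines into curl config directives so the form data,
# password included, is fed on stdin and never shows up in argv.
curl_config() {
    sed -e 's/[\\"]/\\&/g' -e 's/.*/data-urlencode = "&"/'
}

# Green only if the redirect chain ended on the application itself; a login
# or error page that merely mentions the app URL in its query string is red.
verdict() {  # usage: verdict FINAL_URL HTTP_CODE
    case "$2:$1" in
        "200:$APP_URL"*) echo green ;;
        *)               echo red ;;
    esac
}

# Live check (not run by the demo). Assumes the form action is an absolute URL.
check_login() {  # usage: check_login LOGIN_URL
    jar=$(mktemp); page=$(mktemp)
    curl -s -S -L -c "$jar" -b "$jar" -o "$page" "$1" || { echo red; return 1; }
    action=$(grep -io '<form[^>]*>' "$page" | sed -n 's/.*action="\([^"]*\)".*/\1/p' | head -n 1)
    result=$( { hidden_fields < "$page"
                printf 'USER=%s\nPASSWORD=%s\n' "$SSO_USER" "$SSO_PASS"; } |
              curl_config |
              curl -s -S -L -c "$jar" -b "$jar" -o /dev/null \
                   -w '%{url_effective} %{http_code}' -K - "$action" )
    rm -f "$jar" "$page"
    verdict "${result% *}" "${result##* }"
}

sample_page | hidden_fields | curl_config   # offline demo on the sample page
```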