User and Client Authentication

Some web servers authenticate users to prevent access to sensitive data. Authentication can be handled by Eggplant Performance in different ways depending on the authentication scheme used.


More information about HTTP authentication.

When a client requests a resource, the server can initiate an authentication challenge by returning an HTTP 401 response code together with a WWW-Authenticate response header. This header indicates one or more authentication schemes that can be used to authenticate the user. Two authentication schemes are handled automatically by Eggplant Performance:

For all other authentication challenges, the Authorization headers are inserted into the generated script like any other header. Schemes which use tokens can often be handled easily using data correlation.


The example below shows code from a Web Virtual User script, generated from a web recording. Your code will look different, and you may not need to edit it if you are able to set up a correlation rule to extract the tokens automatically. However, it is useful to know what script code may be generated, and what to look for if you do need to change things.

This example extracts a bearer token from JSON response data that contains {"access_token":"<token>", but your web server may use a different mechanism to return the bearer token.

In your Web Virtual User script file:

Url url11 = new Url(protocol1, eppdev, "/token");
try (Request request11 = getWebBrowser().createRequest(HttpMethod.POST, url11, 11))
{
    // Usual code to set request headers and POST data etc
    // ...

    try (Response response11 = request11.send())
    {
        // Rule: Correlate authorization_bearer
        // Matching value extracted from recording:
        // "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huZG9lIiwiZXhwIjoxNjY3MzgzMjAyfQ.xCuil4oEcAmyYGYy... [truncated]"
        ExtractionCursor extractionCursor11 = new ExtractionCursor();
        // ... (the generated call that extracts the token into "authorization_bearer" is not shown here)

        // Rule: Verify that the result code matches what was recorded
        response11.verifyResult(HttpStatus.OK, ActionType.ACT_WARNING);
    }
}

Url url13 = new Url(protocol1, eppdev, "/users/me");
try (Request request13 = getWebBrowser().createRequest(HttpMethod.GET, url13, 13))
{
    request13.setHeader("Accept", "application/json");
    /* Rule: Correlate authorization_bearer */
    // The token extracted from the /token response replaces the value captured in the recording
    request13.setHeader("Authorization", "Bearer " + getString("authorization_bearer"));

    try (Response response13 = request13.send())
    {
        // Rule: Verify that the result code matches what was recorded
        response13.verifyResult(HttpStatus.OK, ActionType.ACT_WARNING);
    }
}
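
The following is an added example, not code generated by Eggplant Performance and not part of its API. It is plain Java that mirrors what the correlation rule has to achieve: pull the token out of the JSON body (tolerating whitespace that a fixed `{"access_token":"` boundary would miss) and read the JWT `exp` claim, which shows why a token replayed from the recording is rejected. The class name, method names and sample response are constructed for illustration, and it assumes the token is a JWT.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BearerTokenCheck {  // hypothetical helper, not an Eggplant class
    // Allows whitespace around the colon, unlike a fixed left boundary.
    private static final Pattern ACCESS_TOKEN = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"\\\\]+)\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Returns the token from a JSON body, or throws if the login response has none. */
    static String extractAccessToken(String body) {
        Matcher m = ACCESS_TOKEN.matcher(body);
        if (!m.find()) {
            throw new IllegalStateException("no access_token in response; check the login result");
        }
        return m.group(1);
    }

    /** Reads the exp claim of a JWT without verifying the signature (diagnostic use only). */
    static Instant expiry(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a three-part JWT (the token may be opaque)");
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);
        if (!m.find()) {
            throw new IllegalArgumentException("JWT has no exp claim");
        }
        return Instant.ofEpochSecond(Long.parseLong(m.group(1)));
    }

    static String b64(String s) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample token and response body; the signature part is a placeholder.
        String jwt = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}") + "."
                + b64("{\"sub\":\"johndoe\",\"exp\":1667383202}") + ".c2ln";
        String body = "{ \"access_token\" : \"" + jwt + "\", \"token_type\": \"bearer\" }";
        String token = extractAccessToken(body);
        Instant exp = expiry(token);
        System.out.println("expires " + exp + ", stale=" + exp.isBefore(Instant.now()));
        // A bearer token is a credential: log a short prefix, never the whole value.
        System.out.println("Authorization: Bearer " + token.substring(0, 8) + "...");
    }
}
```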