Extending JMeter with a WS-Trust/STS sampler

JMeter has no built-in support for WS-Security or WS-Trust, which is what led me to develop this STS Sampler for JMeter; it should make life easier for anyone load testing an STS.
First you need the Apache JMeter distribution. I am using v2.7.
Then download sts.sampler.zip from here, unzip it, and copy the “repo” directory directly into JMETER_HOME. Also copy all the jars inside the lib.ext directory to JMETER_HOME/lib/ext.
That’s it; now start JMeter.
Under your thread group, right-click and add a Java Request Sampler.
Now select org.wso2.apache.jmeter.sts.STSSampler as the classname, and you will see the following.
Let me briefly explain what the different parameter names mean.
STS_End_Point : Endpoint of the Security Token Service. If you are using the STS that ships with WSO2 Identity Server, this would be https://localhost:9443/services/wso2carbon-sts
STS_Security_Policy : Location of the WS-Security Policy used to secure the STS. It can be a security policy with UsernameToken, or with Sign & Encryption.
Applies_To : The service against which you are going to use the token obtained from the STS; in other words, the scope of the token. This can be any URI known to the STS. The STS may use this URI to find the public key of that service and use it to encrypt the issued key, so whatever you put here should be meaningful to your STS.
Token_Type : It can be any one of the following…
1. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
2. http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Key_Type : It can be any one of the following…
1. /SymmetricKey : A symmetric key token is requested (default)
2. /PublicKey : A public key token is requested
3. /Bearer : A bearer token is requested. This key type can be used by requestors to indicate that they want a security token to be issued that does not require proof of possession.
Key_Size : Size of the key. By default it is set to 256. This is an integer element that indicates the required key size in bits.
Claim_Dialect : Claim dialect known to the STS. This is used to group a set of claims together.
Required_Claims : URIs known to the STS which indicate the required set of attributes. This can be a comma-separated list.
System_Trust_Store : When the STS URL uses HTTPS, this is the location of the JKS file that includes the public certificate corresponding to the STS endpoint.
System_Trust_Store_Password : Password to access System_Trust_Store
Username : This is required when the STS is secured with UsernameToken security policy. This is the corresponding user name.
Password : Password corresponding to the above Username.
Encryption_Key_Store : This is required when the STS is secured with WS-Security Encryption. Location of the JKS where the public key of the STS endpoint is stored.
Encryption_Key_Store_Password : Password corresponding to the Encryption_Key_Store.
Encryption_Key_Alias : Alias in the Encryption_Key_Store corresponding to the STS endpoint. This is used to load the public key of the STS.
Signature_Key_Store : This is required when the STS is secured with WS-Security Signature. Location of the JKS where the private key of the STS client is stored.
Signature_Key_Store_Password : Password corresponding to the Signature_Key_Store.
Signature_Key_Alias : Alias in the Signature_Key_Store corresponding to the STS client. This is used to load the private key of the STS client.
Signature_Key_Password : Password corresponding to the private key of the STS client.
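To make concrete what these parameters turn into on the wire, here is an added Python example (not the sts.sampler code) that assembles the WS-Trust 1.3 RequestSecurityToken body from a parameter set like the one above and rejects Token_Type, Key_Type or Key_Size values the STS would not accept. The WS-Trust, WS-Policy and WS-Addressing namespaces are standard; the ic:ClaimType form of the claim list, the Claim_Dialect and the Applies_To value are assumptions, and the Username and keystore parameters are left out because the WS-Security header they drive is produced by the security layer, not by the RST itself.

```python
import xml.etree.ElementTree as ET
# WS-Trust 1.3, WS-Policy, WS-Addressing, and the InfoCard namespace for ClaimType (assumption)
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"
for prefix, uri in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("ic", IC)):
    ET.register_namespace(prefix, uri)
SAML_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"
TOKEN_TYPES = {SAML_PROFILE + "#SAMLV2.0", SAML_PROFILE + "#SAMLV1.1"}
KEY_TYPES = {"/SymmetricKey", "/PublicKey", "/Bearer"}

def build_rst(params):
    """Return the RST XML for a sampler parameter dict; reject values the STS would not understand."""
    token_type = params["Token_Type"]
    key_type = params.get("Key_Type", "/SymmetricKey")  # sampler default
    key_size = int(params.get("Key_Size", 256))         # sampler default, in bits
    if token_type not in TOKEN_TYPES or key_type not in KEY_TYPES or key_size <= 0:
        raise ValueError("Token_Type, Key_Type or Key_Size outside the supported set")
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = params["Applies_To"]
    # The "/SymmetricKey" style values above are suffixes of the WS-Trust namespace URI.
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = WST + key_type
    if key_type != "/Bearer":  # a bearer token carries no proof key, so KeySize is omitted
        ET.SubElement(rst, f"{{{WST}}}KeySize").text = str(key_size)
    claims = [c.strip() for c in params.get("Required_Claims", "").split(",") if c.strip()]
    if claims:
        el = ET.SubElement(rst, f"{{{WST}}}Claims", Dialect=params["Claim_Dialect"])
        for uri in claims:
            ET.SubElement(el, f"{{{IC}}}ClaimType", Uri=uri)
    return ET.tostring(rst, encoding="unicode")

def summarize(rst_xml):
    """Read (key type URI, key size or None, claim URIs) back out of an RST for checking."""
    root = ET.fromstring(rst_xml)
    size = root.findtext(f"{{{WST}}}KeySize")
    return (root.findtext(f"{{{WST}}}KeyType"), int(size) if size else None,
            [c.get("Uri") for c in root.iter(f"{{{IC}}}ClaimType")])

# Constructed sample parameter set (not the author's configuration); Applies_To and claims are made up.
SAMPLE = {
    "Token_Type": SAML_PROFILE + "#SAMLV2.0", "Key_Type": "/SymmetricKey", "Key_Size": "256",
    "Applies_To": "https://localhost:9443/services/echo", "Claim_Dialect": "http://wso2.org/claims",
    "Required_Claims": "http://wso2.org/claims/givenname, http://wso2.org/claims/emailaddress",
}
```

Running build_rst(SAMPLE) gives the body that goes inside the SOAP envelope; the Sign & Encryption or UsernameToken protection described by STS_Security_Policy is applied around it.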
Following is an example configuration that I used to load test the STS which ships with WSO2 Identity Server.

Reference: Extending JMeter with a WS-Trust/STS sampler from our JCG partner Prabath Siriwardena at the Facile Login blog.
