Forum Discussion

klaypigeon
Occasional Contributor
6 years ago

Extract CSRF/XSRF from response cookie to pass as header

Hi, I am having a hard time locating an answer to this. I keep getting info about passing cookies around. Essentially my authentication response contains a cookie:

Set-Cookie: [XSRF-TOKEN="WtY3ztIhTFdF8VXbKDi8iw==\012"

I need to pass this to subsequent requests as a header to maintain my authenticated status:

Header: X-XSRF-TOKEN = "WtY3ztIhTFdF8VXbKDi8iw==\012"

 

This must be pretty common and I am guessing there is GUI functionality to do this, but I cannot figure it out. Can someone point me in the right direction?

  • klaypigeon
    Occasional Contributor

    I set up a Groovy script to extract the cookie values after the login and set a test case property, xsrfToken, to store the value.

    myCookies is coming up null, even though I can see the cookies being set in the Login Response. I do have Maintain HTTP session checked. Am I doing this right? Seems like everyone does it a little differently.

     

    import com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport;
    import org.apache.http.impl.cookie.BasicClientCookie
    
    def myClient = HttpClientSupport.getHttpClient()
    def myCookieStore = myClient.getCookieStore()
    def myCookies = myCookieStore.getCookies();
    def xsrfToken;
    
    log.info ( myCookies );
    
    myCookies.each {
    	if(it.name == "XSRF-TOKEN")
    		xsrfToken = it.value;
    };
    
    log.info ( xsrfToken );
    testRunner.testCase.setPropertyValue( "XSRF", xsrfToken );

    Help?

    • klaypigeon
      Occasional Contributor

      I have a solution to the problem stated. This is the Groovy that allows me access to the CookieStore. I have it set up now so the X-XSRF-TOKEN header is getting created from the associated cookie value.

      Unfortunately the subsequent request is still failing with a 401. I'm out of ideas and the vendor is unlikely to help me with SoapUI issues since it works fine using Python requests package. I will update if I get it working.


      Make sure you have 'Maintain HTTP Session' checked.

      Create a new Property in your TestCase and assign it an arbitrary value. (mine is XSRF)

      Insert a Groovy script similar to this:

      // Thanks to user Kristoffer for his find
      // https://community.smartbear.com/t5/SoapUI-Pro/preserving-cookies/td-p/41244

      // The HTTP context stored on the test run context holds the cookie store
      final httpStatePropertyName = com.eviware.soapui.model.testsuite.TestRunContext.HTTP_STATE_PROPERTY;
      final httpContext = context.getProperty(httpStatePropertyName);
      final cookieStore = httpContext.getAttribute("http.cookie-store");

      // Get cookies from store
      def cookies = cookieStore.getCookies();
      def xsrfToken;
      cookies.each {
          if (it.name == "XSRF-TOKEN") {
              def s = it.value;
              // Strip quotes, tried with and without this
              xsrfToken = s.replace("\"", "");
              // Assign TestCase Property
              testRunner.testCase.setPropertyValue("XSRF", xsrfToken);
          }
      }

      This value is assigned by creating a Header in my next request and assigning it the property value.

      X-XSRF-TOKEN = ${#TestCase#XSRF}

      • klaypigeon
        Occasional Contributor

        Follow up:

        It is undetermined why this was occurring, but SoapUI was unable to follow the redirect in the URI even though 'follow redirect' was enabled. Once I changed the URI from /api/latest/ to /api/v4/ the subsequent requests worked fine with the Token authentication.
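
Added example (not part of the original thread, and not SoapUI code): the cookie in the question is a quoted string containing an octal escape, so there is more than one candidate value to copy into X-XSRF-TOKEN. This Python sketch uses the standard http.cookies module to list each form and check which can be sent as a header; the SESSIONID cookie and all function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed input: the XSRF-TOKEN cookie text quoted in the question, plus a
# made-up session cookie and attributes so the parser has something to skip.
SET_COOKIE_LINES = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    'XSRF-TOKEN="WtY3ztIhTFdF8VXbKDi8iw==\\012"; Path=/',
]


def token_forms(set_cookie_lines, cookie_name="XSRF-TOKEN"):
    """Return the forms of the cookie value a client might copy into a header."""
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        if cookie_name in jar:
            morsel = jar[cookie_name]
            wire = morsel.coded_value  # exact text as it appeared in Set-Cookie
            return {
                "wire": wire,
                # same replace as the Groovy script, applied to the wire text
                "quotes_stripped": wire.replace('"', ""),
                # quotes removed and \012 turned into a real line feed
                "decoded": morsel.value,
            }
    raise KeyError(f"{cookie_name} not found in response")


def header_safe(value):
    """An HTTP header value must not contain CR or LF."""
    return "\r" not in value and "\n" not in value


def build_xsrf_header(set_cookie_lines, header_name="X-XSRF-TOKEN"):
    """Use the wire form (the one shown in the question); refuse unsafe values."""
    wire = token_forms(set_cookie_lines)["wire"]
    if not header_safe(wire):
        raise ValueError("token contains a line break and cannot be sent as a header")
    return {header_name: wire}


if __name__ == "__main__":
    for name, value in token_forms(SET_COOKIE_LINES).items():
        print(f"{name:16} {value!r:36} header_safe={header_safe(value)}")
    print(build_xsrf_header(SET_COOKIE_LINES))
```

Logging the three forms next to the header a test tool actually sends shows quickly whether a rejected request is a token-format mismatch or something else, such as the redirect described in the follow-up.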