Forum Discussion

klaypigeon's avatar
klaypigeon
Occasional Contributor
6 years ago

Extract CSRF/XSRF from response cookie to pass as header

Hi, I am having a hard time locating an answer to this. I keep getting info about passing cookies around. Essentially my authentication response contains a cookie:

Set-Cookie: [XSRF-TOKEN="WtY3ztIhTFdF8VXbKDi8iw==\012"

I need to pass this to subsequent requests as a header to maintain my authenticated status:

Header: X-XSRF-TOKEN = "WtY3ztIhTFdF8VXbKDi8iw==\012"

 

This must be pretty common and I am guessing there is GUI functionality to do this, but I cannot figure it out. Can someone point me in the right direction?

  • klaypigeon's avatar
    klaypigeon
    6 years ago

    I have a solution to the problem stated. This is the Groovy that allows me access to the CookieStore. I have it set up now so the X-XSRF-TOKEN header is getting created from the associated cookie value.

     

    Unfortunately the subsequent request is still failing with a 401. I'm out of ideas and the vendor is unlikely to help me with SoapUI issues since it works fine using Python requests package. I will update if I get it working.

     

    Make sure you have 'Maintain HTTP Session' checked.

    Create a new Property in your TestCase and assign it an arbitrary value. (mine is XSRF)

    Insert a Groovy script similar

    // Thanks to user Kristoffer for his find
    // https://community.smartbear.com/t5/SoapUI-Pro/preserving-cookies/td-p/41244

    final httpStatePropertyName = com.eviware.soapui.model.testsuite.TestRunContext.HTTP_STATE_PROPERTY;
    final httpContext = context.getProperty(httpStatePropertyName);
    final cookieStore = httpContext.getAttribute("http.cookie-store");

    // Get cookies from store
    def cookies = cookieStore.getCookies();
    def xsrfToken;
    cookies.each {
     if (it.name == "XSRF-TOKEN"){
     s = it.value;
     //Strip quotes, tried with and without this
     xsrfToken = s.replace("\"", "");
     //Assign TestCase Property
     testRunner.testCase.setPropertyValue( "XSRF", xsrfToken );
     }
    }

    This value is assigned by creating a Header in my next request and assigning it the property value.

    X-XSRF-TOKEN = ${#TestCase#XSRF}

  • klaypigeon's avatar
    klaypigeon
    Occasional Contributor
    6 years ago

    I set up a  Groovy script to extract the cookie values after the login and set a test case property, xsrfToken to store the value.

    myCookies is coming up null, even though I can see the cookies being set in the Login Response. I do have Maintain HTTP session, checked. Am I doing this right? Seems like everyone does it a little different.

     

    import com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport;
import org.apache.http.impl.cookie.BasicClientCookie

def myClient = HttpClientSupport.getHttpClient()
def myCookieStore = myClient.getCookieStore()
def myCookies = myCookieStore.getCookies();
def xsrfToken;

log.info ( myCookies );

myCookies.each {
	if(it.name == "XSRF-TOKEN")
		xsrfToken = it.value;
};

log.info ( xsrfToken );
testRunner.testCase.setPropertyValue( "XSRF", xsrfToken );

    Help?

     

     

    • klaypigeon's avatar
      klaypigeon
      Occasional Contributor
      6 years ago

      I have a solution to the problem stated. This is the Groovy that allows me access to the CookieStore. I have it set up now so the X-XSRF-TOKEN header is getting created from the associated cookie value.

       

      Unfortunately the subsequent request is still failing with a 401. I'm out of ideas and the vendor is unlikely to help me with SoapUI issues since it works fine using Python requests package. I will update if I get it working.

       

      Make sure you have 'Maintain HTTP Session' checked.

      Create a new Property in your TestCase and assign it an arbitrary value. (mine is XSRF)

      Insert a Groovy script similar

      // Thanks to user Kristoffer for his find
      // https://community.smartbear.com/t5/SoapUI-Pro/preserving-cookies/td-p/41244

      final httpStatePropertyName = com.eviware.soapui.model.testsuite.TestRunContext.HTTP_STATE_PROPERTY;
      final httpContext = context.getProperty(httpStatePropertyName);
      final cookieStore = httpContext.getAttribute("http.cookie-store");

      // Get cookies from store
      def cookies = cookieStore.getCookies();
      def xsrfToken;
      cookies.each {
       if (it.name == "XSRF-TOKEN"){
       s = it.value;
       //Strip quotes, tried with and without this
       xsrfToken = s.replace("\"", "");
       //Assign TestCase Property
       testRunner.testCase.setPropertyValue( "XSRF", xsrfToken );
       }
      }

      This value is assigned by creating a Header in my next request and assigning it the property value.

      X-XSRF-TOKEN = ${#TestCase#XSRF}

      • klaypigeon's avatar
        klaypigeon
        Occasional Contributor
        6 years ago

        Follow up:

        It is undetermined why this was occuring, but SoapUI was unable to follow the redirect in the URI even though 'follow redirect' was enabled. Once I changed the URI from /api/latest/ to /api/v4/ the subsequent requests worked fine with the Token authentication.