Forum Discussion

klaypigeon's avatar
klaypigeon
Occasional Contributor
6 years ago
Solved

Extract CSRF/XSRF from response cookie to pass as header

Hi, I am having a hard time locating an answer to this. I keep getting info about passing cookies around. Essentially my authentication response contains a cookie: Set-Cookie: [XSRF-TOKEN="WtY3ztIh...
  • klaypigeon's avatar
    klaypigeon
    6 years ago

    I have a solution to the problem stated. This is the Groovy that allows me access to the CookieStore. I have it set up now so the X-XSRF-TOKEN header is getting created from the associated cookie value.

     

    Unfortunately the subsequent request is still failing with a 401. I'm out of ideas and the vendor is unlikely to help me with SoapUI issues since it works fine using Python requests package. I will update if I get it working.

     

    Make sure you have 'Maintain HTTP Session' checked.

    Create a new Property in your TestCase and assign it an arbitrary value. (mine is XSRF)

    Insert a Groovy script similar

    // Thanks to user Kristoffer for his find
    // https://community.smartbear.com/t5/SoapUI-Pro/preserving-cookies/td-p/41244

    final httpStatePropertyName = com.eviware.soapui.model.testsuite.TestRunContext.HTTP_STATE_PROPERTY;
    final httpContext = context.getProperty(httpStatePropertyName);
    final cookieStore = httpContext.getAttribute("http.cookie-store");

    // Get cookies from store
    def cookies = cookieStore.getCookies();
    def xsrfToken;
    cookies.each {
     if (it.name == "XSRF-TOKEN"){
     s = it.value;
     //Strip quotes, tried with and without this
     xsrfToken = s.replace("\"", "");
     //Assign TestCase Property
     testRunner.testCase.setPropertyValue( "XSRF", xsrfToken );
     }
    }

    This value is assigned by creating a Header in my next request and assigning it the property value.

    X-XSRF-TOKEN = ${#TestCase#XSRF}

klaypigeon's avatar
klaypigeon
Occasional Contributor
6 years ago

I set up a  Groovy script to extract the cookie values after the login and set a test case property, xsrfToken to store the value.

myCookies is coming up null, even though I can see the cookies being set in the Login Response. I do have Maintain HTTP session, checked. Am I doing this right? Seems like everyone does it a little different.

 

import com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport;
import org.apache.http.impl.cookie.BasicClientCookie

def myClient = HttpClientSupport.getHttpClient()
def myCookieStore = myClient.getCookieStore()
def myCookies = myCookieStore.getCookies();
def xsrfToken;

log.info ( myCookies );

myCookies.each {
	if(it.name == "XSRF-TOKEN")
		xsrfToken = it.value;
};

log.info ( xsrfToken );
testRunner.testCase.setPropertyValue( "XSRF", xsrfToken );

Help?

 

 

  • klaypigeon's avatar
    klaypigeon
    Occasional Contributor
    6 years ago

    I have a solution to the problem stated. This is the Groovy that allows me access to the CookieStore. I have it set up now so the X-XSRF-TOKEN header is getting created from the associated cookie value.

     

    Unfortunately the subsequent request is still failing with a 401. I'm out of ideas and the vendor is unlikely to help me with SoapUI issues since it works fine using Python requests package. I will update if I get it working.

     

    Make sure you have 'Maintain HTTP Session' checked.

    Create a new Property in your TestCase and assign it an arbitrary value. (mine is XSRF)

    Insert a Groovy script similar

    // Thanks to user Kristoffer for his find
    // https://community.smartbear.com/t5/SoapUI-Pro/preserving-cookies/td-p/41244

    final httpStatePropertyName = com.eviware.soapui.model.testsuite.TestRunContext.HTTP_STATE_PROPERTY;
    final httpContext = context.getProperty(httpStatePropertyName);
    final cookieStore = httpContext.getAttribute("http.cookie-store");

    // Get cookies from store
    def cookies = cookieStore.getCookies();
    def xsrfToken;
    cookies.each {
     if (it.name == "XSRF-TOKEN"){
     s = it.value;
     //Strip quotes, tried with and without this
     xsrfToken = s.replace("\"", "");
     //Assign TestCase Property
     testRunner.testCase.setPropertyValue( "XSRF", xsrfToken );
     }
    }

    This value is assigned by creating a Header in my next request and assigning it the property value.

    X-XSRF-TOKEN = ${#TestCase#XSRF}

    • klaypigeon's avatar
      klaypigeon
      Occasional Contributor
      6 years ago

      Follow up:

      It is undetermined why this was occuring, but SoapUI was unable to follow the redirect in the URI even though 'follow redirect' was enabled. Once I changed the URI from /api/latest/ to /api/v4/ the subsequent requests worked fine with the Token authentication.