Jmeter - Getting Response code:403 Response message:Forbidden error

Question

I have created a Jmeter 5.3 script. The login works fine but after that i am getting > Response code:403 Response message:Forbidden error for the subsequent requests.

In the past, it worked when I added X-XSRF-TOKEN to the header manager. Now it is not working even with that. Any input is appreciated.

Request Body: POST https://rrsso.secure.com/cargobkgwar/services/userroles/lookup

POST data: {"ReferenceMenuController":{},"QueueConsoleController":{},"MasterTableListController":{},"MasterTableEditController":{},"SampleUsageController":{},"SampleUserListController":{},"SampleUserEditController":{},"SampleChartController":{},"UpdatePasswordController":{},"UserPropertiesListController":{},"UserPropertiesEditController":{},"AccessDeniedController":{},"SubRulesController":{},"RuleHistoryController":{},"AboutReleaseController":{},"ReleaseNotesController":{},"ConsoleController":{},"BookingController":{},"AvailabilityController":{},"BookListController":{},"ManageOfferController":{},"FlightDetailsController":{}}

Cookie Data: XSRF-TOKEN=KZ7uJQ08xDTWQhu2nsWQ4IzhFOHcStIfAVAPrQKNrzHCtWBmnKiz!-568463951!320078472!1610313174332; OAMRequestContext_rrsso.secure.com_443_4f3161=O1a944lrqSv4egD4G2UQpw==; OAMAuthnCookie_rrsso.secure..com_443=aa0c56de9b268c931dc75b986d223a7e955e3921%7E%2B0M7rZF1h6Jboy7dqRl2h1uo79QylW3InDZDfhF8do%2BKb8eELTLFhztLsMtzY%2F%2BFFkt0tS9o%2FuZ7%2Fb4AxFv4FBWDwoICNgZLjeTVzywXc7VWZ75seHp4GdfSVMjlZ3PR45ywO2BC4SXTO9Ol6REN1RUHl6Uc1oMKx7cubZ8AwLZRWhHobuPPopHSCR8O0Q5%2BJQitbg9dC6QrtjlyE%2FnEcicF6B2U%2BOxHxGGiPzxgWrXeMMX8%2Fw1l28lv8L3q1XMekNTlktebGG7MjOrRg7n7x6kqkJMszhGNv8PvE2UASIFDEsTUS%2BjOegew04dLd0BNYk4kL1TzbuJ3F7%2F3dmvpDim3x%2FwTZ8hoyAhjaPy%2FD1i8Lm654%2BOaZJ%2Bza26t9LO0TGgI9OwabeEn89ybtRW5iA%2FmCvgWDrT8lbGbLJ8fs7x%2FYeJ46AWTiomTP7z0%2FnqtRHm14i8hDAkfzXhwhejk75IozsMMwCyUk6jKhxWj8qZ15%2FKDe%2BV5jWl04k7ErrSwenJYyFKw8dUCG1U5Non%2FwQ%3D%3D; OAMAuthnHintCookie=1; rm-sso-uid=8l5lXRW2YxKfuwHXE4THdltQbd8kifYI; JSESSIONIDBLS=nebuJQ8PrrhKt4HoYXoPlUSqNo1AtRa9EkoybY3WWTutoHP3pAjv!-568463951!320078472; OAM_GITO=GymRbSnLNbhmOaJnOtP9Rw==~9FyIDXwulQBrBv/FQ/0rfKchN2m08TUmNp9ddjOkMzM6p2jM6TRFIX9pTtILuE52BqpRjbHMX9vWA9OXWezYsk9hLj+YvdAvdOcNWDQRwy+szPoGp8Ydt6vfHzK7dFTIgqgNVobqZSe0bH2j0kiXfOI4o2ueWplCBOaX03UxRwNpwAPbtpHU0dbwzjE/UYxu+A/ftlSKBGS/8HmrvwPbBgNnLLprD2Mp1fS8s7InvMM=

REquest Header: Connection: keep-alive Referer: https://rrsso.secure.com/cargobkgwar/modules/welcome.html Accept-Language: en-US DNT: 1 Pragma: no-cache Accept: application/json, text/javascript, /; q=0.01 X-Requested-With: XMLHttpRequest Content-Type: application/json; charset=utf-8 Cache-Control: no-cache Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; Zoom 3.6.0; wbxapp 1.0.0; wbx 1.0.0; Zoom 3.6.0) X-XSRF-TOKEN: ${COOKIE_XSRF-TOKEN} Content-Length: 621 Host: rrsso.secure..com

REsponse Body: [{"message": "Unauthorized Access"}]

Response Header: HTTP/1.1 403 Forbidden Date: Sun, 10 Jan 2021 21:12:55 GMT Server: Apache/2.4 Set-Cookie: OAM_GITO=kGd/kyTPdkJwTv2i9WGraw==~sk4miutnl6uMea23C23aaELnRjNIe6GuJrzwgOeCmMWmJg3XEeS513k1yRTnvIzjqiYhuTZ8F/dZ/xA14Sgmm+TyoevctBX7jQDWIDlq9U6QKmMVXDPwEN2MNTjgWMNSPIaCpBgOX5LNupmZIXrygeONgoUQEgLZhsJkdXOJIVtshV8PLkNn+eGaYmtyVJAZCspGUocjSDXJzEh/wwRTZQUFruOMgSYqSo8QGIRfYOE=;Domain=.com; path=/ Content-Length: 36 Vary: Accept-Encoding Keep-Alive: timeout=8, max=1016 Connection: Keep-Alive Content-Type: application/json

Answer 1

As per HTTP Status Code 403 description:

The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.

So most probably the user which is successfully logged in doesn't have appropriate permissions to perform the action you're trying to implement. Make sure that you're using correct credentials and the user role is the one which can do the lookup of other roles.

If you're able to perform these steps successfully in the browser most probably JMeter sends something different, you need to compare the outgoing requests originated from JMeter and from the real browser, better using an external sniffer tool, the requests must be exactly the same (apart from dynamic parameters which needs to be correlated)