Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
625 views
in Technique[技术] by (71.8m points)

Jmeter - Getting Response code:403 Response message:Forbidden error

I have created a Jmeter 5.3 script. The login works fine but after that i am getting > Response code:403 Response message:Forbidden error for the subsequent requests.

In the past, it worked when I added X-XSRF-TOKEN to the header manager. Now it is not working even with that. Any input is appreciated.

Request Body: POST https://rrsso.secure.com/cargobkgwar/services/userroles/lookup

POST data: {"ReferenceMenuController":{},"QueueConsoleController":{},"MasterTableListController":{},"MasterTableEditController":{},"SampleUsageController":{},"SampleUserListController":{},"SampleUserEditController":{},"SampleChartController":{},"UpdatePasswordController":{},"UserPropertiesListController":{},"UserPropertiesEditController":{},"AccessDeniedController":{},"SubRulesController":{},"RuleHistoryController":{},"AboutReleaseController":{},"ReleaseNotesController":{},"ConsoleController":{},"BookingController":{},"AvailabilityController":{},"BookListController":{},"ManageOfferController":{},"FlightDetailsController":{}}

Cookie Data: XSRF-TOKEN=KZ7uJQ08xDTWQhu2nsWQ4IzhFOHcStIfAVAPrQKNrzHCtWBmnKiz!-568463951!320078472!1610313174332; OAMRequestContext_rrsso.secure.com_443_4f3161=O1a944lrqSv4egD4G2UQpw==; OAMAuthnCookie_rrsso.secure..com_443=aa0c56de9b268c931dc75b986d223a7e955e3921%7E%2B0M7rZF1h6Jboy7dqRl2h1uo79QylW3InDZDfhF8do%2BKb8eELTLFhztLsMtzY%2F%2BFFkt0tS9o%2FuZ7%2Fb4AxFv4FBWDwoICNgZLjeTVzywXc7VWZ75seHp4GdfSVMjlZ3PR45ywO2BC4SXTO9Ol6REN1RUHl6Uc1oMKx7cubZ8AwLZRWhHobuPPopHSCR8O0Q5%2BJQitbg9dC6QrtjlyE%2FnEcicF6B2U%2BOxHxGGiPzxgWrXeMMX8%2Fw1l28lv8L3q1XMekNTlktebGG7MjOrRg7n7x6kqkJMszhGNv8PvE2UASIFDEsTUS%2BjOegew04dLd0BNYk4kL1TzbuJ3F7%2F3dmvpDim3x%2FwTZ8hoyAhjaPy%2FD1i8Lm654%2BOaZJ%2Bza26t9LO0TGgI9OwabeEn89ybtRW5iA%2FmCvgWDrT8lbGbLJ8fs7x%2FYeJ46AWTiomTP7z0%2FnqtRHm14i8hDAkfzXhwhejk75IozsMMwCyUk6jKhxWj8qZ15%2FKDe%2BV5jWl04k7ErrSwenJYyFKw8dUCG1U5Non%2FwQ%3D%3D; OAMAuthnHintCookie=1; rm-sso-uid=8l5lXRW2YxKfuwHXE4THdltQbd8kifYI; JSESSIONIDBLS=nebuJQ8PrrhKt4HoYXoPlUSqNo1AtRa9EkoybY3WWTutoHP3pAjv!-568463951!320078472; OAM_GITO=GymRbSnLNbhmOaJnOtP9Rw==~9FyIDXwulQBrBv/FQ/0rfKchN2m08TUmNp9ddjOkMzM6p2jM6TRFIX9pTtILuE52BqpRjbHMX9vWA9OXWezYsk9hLj+YvdAvdOcNWDQRwy+szPoGp8Ydt6vfHzK7dFTIgqgNVobqZSe0bH2j0kiXfOI4o2ueWplCBOaX03UxRwNpwAPbtpHU0dbwzjE/UYxu+A/ftlSKBGS/8HmrvwPbBgNnLLprD2Mp1fS8s7InvMM=

REquest Header: Connection: keep-alive Referer: https://rrsso.secure.com/cargobkgwar/modules/welcome.html Accept-Language: en-US DNT: 1 Pragma: no-cache Accept: application/json, text/javascript, /; q=0.01 X-Requested-With: XMLHttpRequest Content-Type: application/json; charset=utf-8 Cache-Control: no-cache Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; Zoom 3.6.0; wbxapp 1.0.0; wbx 1.0.0; Zoom 3.6.0) X-XSRF-TOKEN: ${COOKIE_XSRF-TOKEN} Content-Length: 621 Host: rrsso.secure..com

REsponse Body: [{"message": "Unauthorized Access"}]

Response Header: HTTP/1.1 403 Forbidden Date: Sun, 10 Jan 2021 21:12:55 GMT Server: Apache/2.4 Set-Cookie: OAM_GITO=kGd/kyTPdkJwTv2i9WGraw==~sk4miutnl6uMea23C23aaELnRjNIe6GuJrzwgOeCmMWmJg3XEeS513k1yRTnvIzjqiYhuTZ8F/dZ/xA14Sgmm+TyoevctBX7jQDWIDlq9U6QKmMVXDPwEN2MNTjgWMNSPIaCpBgOX5LNupmZIXrygeONgoUQEgLZhsJkdXOJIVtshV8PLkNn+eGaYmtyVJAZCspGUocjSDXJzEh/wwRTZQUFruOMgSYqSo8QGIRfYOE=;Domain=.com; path=/ Content-Length: 36 Vary: Accept-Encoding Keep-Alive: timeout=8, max=1016 Connection: Keep-Alive Content-Type: application/json


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

As per HTTP Status Code 403 description:

The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

This status is similar to 401, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.

So most probably the user which is successfully logged in doesn't have appropriate permissions to perform the action you're trying to implement. Make sure that you're using correct credentials and the user role is the one which can do the lookup of other roles.

If you're able to perform these steps successfully in the browser most probably JMeter sends something different, you need to compare the outgoing requests originated from JMeter and from the real browser, better using an external sniffer tool, the requests must be exactly the same (apart from dynamic parameters which needs to be correlated)


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...