How to test Form Authentication by using Rest Assured

What is Form Authentication?

  • Form Authentication is a type of authentication where the user provides credentials (like username and password) through an HTML form (usually a login page).
  • The credentials are sent to the server (often via POST request) → if valid, the server creates a session (often maintained using cookies or tokens) → and the client can then access protected resources.
This is different from Basic/Digest authentication, where credentials are passed in HTTP headers.
Form-based login is very common in web applications.


How to test Form Authentication using Rest Assured

When testing Form Authentication in Rest Assured, the process usually looks like this:

1. Provide login credentials
  • Supply the username and password that the login form requires.

2. Tell Rest Assured the login form details
  • Specify the login page (form action URL) and the parameter names of the username and password fields (e.g., username, password).

3. Send login request
  • Rest Assured submits the credentials just like a browser submitting a login form.

4. Handle cookies/session
  • Once the server authenticates, it typically returns a session cookie or auth token.
  • Rest Assured automatically manages these cookies so subsequent requests can use the authenticated session.

5. Access protected resources
  • Now you can send API requests that require authentication and verify the response.

How Form Auth Works in Rest Assured:

Rest Assured provides form authentication through:

given().auth().form(username, password, new FormAuthConfig(loginUrl, usernameField, passwordField))

This simulates a form-based login by:

  • Making a POST request to the login URL (the form action)
  • Submitting the credentials under the form's field names (like username, password)
  • Storing the session cookie the server returns so that the request (GET, POST, etc.) is sent as the logged-in user

Sample API for Form Auth

We will use: https://the-internet.herokuapp.com/login (a public test site)

  • Login URL: https://the-internet.herokuapp.com/authenticate
  • Username Field Name: username
  • Password Field Name: password
  • Username: tomsmith
  • Password: SuperSecretPassword!

Java Code with Rest Assured:

import io.restassured.filter.cookie.CookieFilter;
import static io.restassured.RestAssured.*;

public class FormAuthExample {
    public static void main(String[] args) {

        // Create a cookie filter to carry the session across requests. CookieFilter keeps every
        // cookie the server sets, whatever its name; SessionFilter would only track a cookie
        // named JSESSIONID (its default session id name).
        CookieFilter session = new CookieFilter();

        // Step 1: Log in using form-based auth (the login form POSTs to /authenticate)
        given()
            .baseUri("https://the-internet.herokuapp.com")
            .filter(session)
            .formParam("username", "tomsmith")
            .formParam("password", "SuperSecretPassword!")
        .when()
            .post("/authenticate")
        .then()
            .statusCode(302);  // Expect redirect on successful login

        // Step 2: Access GET API after login; the filter replays the login cookies
        given()
            .baseUri("https://the-internet.herokuapp.com")
            .filter(session)
        .when()
            .get("/secure")
        .then()
            .statusCode(200)
            .log().body();  // Print response to confirm access
    }
}


Code explanation:

(a) Create a cookie filter to maintain the session across requests
(b) Log in using form-based authentication
(c) Access the GET API after login
(d) Print the response on the console
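
The same login done with Rest Assured's built-in form authentication, followed by two negative checks that the protected page is actually gated (no session at all, and a login with a wrong password). This is an added example, not code from the original post or from Rest Assured; it assumes the site redirects unauthenticated and failed-login requests to /login and that the protected page contains the text "Secure Area".

```java
import io.restassured.authentication.FormAuthConfig;
import io.restassured.filter.cookie.CookieFilter;
import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.containsString;

public class FormAuthChecks {
    static final String BASE = "https://the-internet.herokuapp.com";

    public static void main(String[] args) {
        // Happy path with Rest Assured's built-in form auth: it POSTs the credentials to the
        // form action using the given field names, then attaches the returned cookies to this GET.
        given()
            .baseUri(BASE)
            .auth().form("tomsmith", "SuperSecretPassword!",
                         new FormAuthConfig("/authenticate", "username", "password"))
        .when()
            .get("/secure")
        .then()
            .statusCode(200)
            .body(containsString("Secure Area")); // assumption: heading of the protected page

        // Negative check 1: no session at all. Redirect following is switched off so the
        // 302 to the login page is observed instead of a misleading 200 from /login.
        given().baseUri(BASE).redirects().follow(false)
        .when().get("/secure")
        .then().statusCode(302)
              .header("Location", containsString("/login")); // assumption: redirect target

        // Negative check 2: wrong password. Keep whatever cookies the failed login sets and
        // confirm they do not open the protected page either.
        CookieFilter cookies = new CookieFilter();
        given()
            .baseUri(BASE).filter(cookies)
            .formParam("username", "tomsmith")
            .formParam("password", "wrong-password") // constructed, deliberately invalid
        .when()
            .post("/authenticate")
        .then()
            .statusCode(302)
            .header("Location", containsString("/login"));

        given().baseUri(BASE).filter(cookies).redirects().follow(false)
        .when().get("/secure")
        .then().statusCode(302);
    }
}
```

Without the negative checks, a `statusCode(200)` on /secure can pass even when the login never worked, because Rest Assured follows the redirect to /login and that page itself returns 200.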


Maven Dependencies

<dependencies>
    <dependency>
        <groupId>io.rest-assured</groupId>
        <artifactId>rest-assured</artifactId>
        <version>5.4.0</version>
        <scope>test</scope>
    </dependency>
</dependencies>


How to test Digest Auth by using Rest Assured

What is Digest Authentication?

  • Digest Authentication is a security mechanism used by servers to verify the identity of a client (user or system) before allowing access to protected resources.
  • Unlike Basic Authentication (where username and password are sent in plain text, merely Base64-encoded), Digest Authentication is more secure because:

  • It applies a hashing algorithm (like MD5/SHA) to the credentials before sending them over the network.
  • The server sends a nonce (a random value) to the client.
  • The client combines the nonce, username, password, HTTP method, and requested URI → then hashes them → and sends the hashed value back.
  • The server performs the same hashing process and compares results. If they match → authentication succeeds.
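
To make the hashing steps above concrete, here is an added example (not from the original post, and not Rest Assured's code) of the RFC 2617 computation a client performs for qop="auth", together with the matching server-side check. It carries the bullet list through in full, including the realm, nonce count and client nonce that the bullets leave out; the realm, nonce and cnonce values are constructed, not captured from httpbin.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestResponseDemo {

    // MD5 of a string as lower-case hex, the encoding Digest auth (RFC 2617) uses for every hash
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Client side for qop="auth": response = MD5(HA1:nonce:nc:cnonce:qop:HA2) where
    // HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri). Only this hash leaves the client.
    static String digestResponse(String user, String realm, String password, String method,
                                 String uri, String nonce, String nc, String cnonce, String qop)
            throws NoSuchAlgorithmException {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Server side: recompute from the stored password and the challenge it issued, then compare
    // in constant time so response time does not reveal how much of the hash matched.
    static boolean serverAccepts(String storedPassword, String presented, String user, String realm,
                                 String method, String uri, String nonce, String nc, String cnonce, String qop)
            throws NoSuchAlgorithmException {
        String expected = digestResponse(user, realm, storedPassword, method, uri, nonce, nc, cnonce, qop);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed challenge values standing in for a real WWW-Authenticate header from httpbin
        String realm = "example-realm", nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", qop = "auth";
        String nc = "00000001", cnonce = "0a4f113b"; // nc counts uses of this nonce; cnonce is client-chosen
        String method = "GET", uri = "/digest-auth/auth/user/passwd";

        String response = digestResponse("user", realm, "passwd", method, uri, nonce, nc, cnonce, qop);
        System.out.println("Authorization: Digest username=\"user\", realm=\"" + realm + "\", nonce=\"" + nonce
            + "\", uri=\"" + uri + "\", qop=" + qop + ", nc=" + nc + ", cnonce=\"" + cnonce
            + "\", response=\"" + response + "\"");
        System.out.println("correct password accepted: "
            + serverAccepts("passwd", response, "user", realm, method, uri, nonce, nc, cnonce, qop));
        System.out.println("wrong password accepted:   "
            + serverAccepts("wrong", response, "user", realm, method, uri, nonce, nc, cnonce, qop));
    }
}
```

Because the nonce, method and URI are folded into the hash, a captured response is only valid for that one challenge and request; this is what Rest Assured's `auth().digest()` handles for you when it answers the server's 401 challenge.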

How to test Digest Authentication in Rest Assured

In Rest Assured, testing Digest Authentication involves these steps:

1. Specify authentication type as Digest
  • Instead of default/basic authentication, explicitly tell Rest Assured to use digest authentication.
2. Provide credentials
  • Pass the username and password required by the server for authentication.
3. Send the request
  • Rest Assured automatically performs the handshake with the server (sending nonce, hashing, etc.).
4. Validate the response
  • Once authenticated, the server will return the protected resource.
  • You can then test the response body, status code, or headers to confirm access was granted.



API Endpoint for Testing:

https://httpbin.org/digest-auth/auth/user/passwd

This endpoint expects:

  • Username: user
  • Password: passwd

Steps to Use Digest Auth in Rest Assured:


Maven dependencies:

<!-- Maven Dependency -->
<dependency>
    <groupId>io.rest-assured</groupId>
    <artifactId>rest-assured</artifactId>
    <version>5.4.0</version>
    <scope>test</scope>
</dependency>




Java Code: Digest Auth with Rest Assured

import io.restassured.RestAssured;
import static io.restassured.RestAssured.*;
import static org.hamcrest.Matchers.*;

public class DigestAuthExample {

    public static void main(String[] args) {

        RestAssured.baseURI = "https://httpbin.org";

        given()
            .auth()
            .digest("user", "passwd") // Digest Auth
        .when()
            .get("/digest-auth/auth/user/passwd")
        .then()
            .statusCode(200)
            .body("authenticated", equalTo(true))
            .body("user", equalTo("user"))
            .log().all(); // Print full response
    }
}


Code explanation:

(a) Set the base URI
(b) Send the request with digest authentication
(c) Get the response and log it on the console.


Output:

{
  "authenticated": true,
  "user": "user"
}

Above is the API response as logged on the console.

