HTTPRequestHandler - PostRequest_Submit

Hi guys,

Do you know if it is possible to add authentication to a request when redirecting to an external url with this functions: PostRequest_Submit, PostRequest_AddArgument and PostRequest_AddBinaryArgument?

Thank you for your help.

Best Regarts.

Hi,

Do you mean basic authentication? When a popup appears in your browser and asks you for a username and password?

I don't think the HTTPRequestHandler methods will allow you to do this. Have you checked out the ardohttp extension? It advertises support for basic authentication.

Afonso Carvalho wrote:

Hi,

Do you mean basic authentication? When a popup appears in your browser and asks you for a username and password?

I don't think the HTTPRequestHandler methods will allow you to do this. Have you checked out the ardohttp extension? It advertises support for basic authentication.

Hi Afonso,

With ardohttp extension I can autofill the credentials of a login web page?


It depends on the sort of authentication. If you see something like this:

Then the page has basic authentication and I believe ardohttp can handle it.

If it's form authentication, something like this:

Image result for form authentication

Then I don't think so. You'd have to obtain the page and then automate the form filling. I've used selenium for this sort of automation but it might be too much for what you need. Could you show us what sort of login the external URL is using?

Afonso Carvalho wrote:

It depends on the sort of authentication. If you see something like this:

Then the page has basic authentication and I believe ardohttp can handle it.

If it's form authentication, something like this:

Image result for form authentication

Then I don't think so. You'd have to obtain the page and then automate the form filling. I've used selenium for this sort of automation but it might be too much for what you need. Could you show us what sort of login the external URL is using?

Hi Afonso,


Basically what I need to do is open an external web page by clicking on a link on a screen developed in Outsystems. When the external web page opens I need the credential fields appear automatically filled. The user doesn't need to write them. The external webpage was not developed in Outsystems. 

The external webpage is this: https://www.my.fidelidade.pt/canw_auth/LoginPage.aspx .

Is it possible to do this with selenium ?


Thanks for your help.

I think just filling it out ends up being more complicated. Assuming you have access to the credentials (though I'm not sure how or why you'd have them on your end), you could do it by opening that page in an iframe and running some javascript to set the form values - but this would only work if you owned the www.my.fidelidade.pt domain and your application was running from the same address. Browsers will only allow you to do this if both the javascript code and the iframe target belong to the same domain, for security reasons.

If that's not the case, I'm not seeing a way to achieve what you want. Selenium would allow you to fill out the form, but you'd have to submit it immediately and then process the results - I don't think you'd be able to send the filled out form to the user.

What's your end goal with having the credentials filled out? Do you want to obtain something that's visible after the login? Is it just a convenience feature?

Afonso Carvalho wrote:

I think just filling it out ends up being more complicated. Assuming you have access to the credentials (though I'm not sure how or why you'd have them on your end), you could do it by opening that page in an iframe and running some javascript to set the form values - but this would only work if you owned the www.my.fidelidade.pt domain and your application was running from the same address. Browsers will only allow you to do this if both the javascript code and the iframe target belong to the same domain, for security reasons.

If that's not the case, I'm not seeing a way to achieve what you want. Selenium would allow you to fill out the form, but you'd have to submit it immediately and then process the results - I don't think you'd be able to send the filled out form to the user.

What's your end goal with having the credentials filled out? Do you want to obtain something that's visible after the login? Is it just a convenience feature?

Hi Afonso,


It is not necessary to send the completed form to the user. The important thing is to allow the user to automatically login to the web page. I thought it was always necessary for the form to be filled in order to log in to the webpage. If Selenium allows me to fill out the form, but I would have to submit it immediately and then process the results, no problem as long as it automatically logs in.

I don't own the www.my.fidelidade.pt domain and my application isn't running from the same address.

What the customer wants is to manage access to multiple insurance web pages without having to memorize credentials. Basically the goal is to do what a password manager installed in a browser does but with the difference that credentials are stored in the Outsystems database.

How can I do this with Selenium?


Thanks for your help.

Best Regards.

Most password managers work as executables in your computer or browser extensions like LastPass because of the problems I mentioned - modern browsers will not allow a domain that you visit to execute javascript in a page owned by another domain. You can't edit a page that is served by the www.my.fidelidade.pt domain if your application is served from a different domain as browsers will block it as a same-origin policy violation.

Selenium would bypass this by acting like a bot and visiting the page in a headless browser, but then there's a problem - you don't want to access the data behind the login page, you want to actually serve it to your user. I don't see a way to perform this without again owning the domain.

There could still be a way to achieve this, but I have no idea on how difficult it would be to implement: 

a) you obtain the HTML for the www.my.fidelidade.pt login page(you could do this in a C# extension without external libraries like Selenium);

b) edit it to include the username and password field already filled in with the login information;

c) serve it in an iframe. 

This is practically an impersonation attack, as you'd be pretending to be the www.my.fidelidade.pt domain, while serving an edited login page.

Afonso Carvalho wrote:

Most password managers work as executables in your computer or browser extensions like LastPass because of the problems I mentioned - modern browsers will not allow a domain that you visit to execute javascript in a page owned by another domain. You can't edit a page that is served by the www.my.fidelidade.pt domain if your application is served from a different domain as browsers will block it as a same-origin policy violation.

Selenium would bypass this by acting like a bot and visiting the page in a headless browser, but then there's a problem - you don't want to access the data behind the login page, you want to actually serve it to your user. I don't see a way to perform this without again owning the domain.

There could still be a way to achieve this, but I have no idea on how difficult it would be to implement: 

a) you obtain the HTML for the www.my.fidelidade.pt login page(you could do this in a C# extension without external libraries like Selenium);

b) edit it to include the username and password field already filled in with the login information;

c) serve it in an iframe. 

This is practically an impersonation attack, as you'd be pretending to be the www.my.fidelidade.pt domain, while serving an edited login page.

Hi Afonso,

Try to do an impersonation attack can be dangerous for me and for my customer, I think. I found in forge an extention called Tellus that uses Selenium Grid: https://www.outsystems.com/forge/component-overview/4322/tellus .

I explored this extention and it realizes UI automated testing with OutSystems. Wouldn't it be possible to perform a test on an external url of another domain where the test would consist of filling the credentials or click in login button as well?

Thank you again for your help.

I'm not familiar with Tellus, but I looked at their demo video and what they seem to do is load an instance of Chrome, which they then use as they see fit. It displays a notification saying "Chrome is being controlled by automated test software" and goes to my first point back there: all of this can only happen by bypassing normal browser behaviour, either with an extension (LastPass), or by spinning a Chrome instance for test purposes and using it like a puppet (Tellus).

All of these strategies bypass what you seem to be looking for, simulating a user already having his credentials saved.

Afonso Carvalho wrote:

I'm not familiar with Tellus, but I looked at their demo video and what they seem to do is load an instance of Chrome, which they then use as they see fit. It displays a notification saying "Chrome is being controlled by automated test software" and goes to my first point back there: all of this can only happen by bypassing normal browser behaviour, either with an extension (LastPass), or by spinning a Chrome instance for test purposes and using it like a puppet (Tellus).

All of these strategies bypass what you seem to be looking for, simulating a user already having his credentials saved.

Hi Afonso,

Thank you for your explanation. Anyway I'm going to try use Tellus. I think it is my last option.

Good luck. If you manage to achieve this, I hope you consider sharing your solution!

Afonso Carvalho wrote:

Good luck. If you manage to achieve this, I hope you consider sharing your solution!

Yes, of course.