Rest assured authentication

Rest assured authentication DEFAULT

How to test Rest API which require authentication using Rest assured

I want to test a Rest API which require authentication, before getting the Json response. FOr exa. If i want to visit rest API: http://192.168.xx.xx:9000/dashboards/all/list/m1/p1/sch1


if I am not already logged in , then this will redirect me to Login HTML page, and after login, this will show me the Json output.

Now I want to write a Rest assured code in java for same: I dont know , whether this is possible to do login using this or not.

SO I written a simple code for same::

So here instead of getting the Json response, I am getting the HTML source page response.

So, my question is if possible, how to do login and get the Json response.

Thanks in advance.

asked Jan 5 '14 at 8:49


2,89099 gold badges4141 silver badges6969 bronze badges


Authentication and Authorization in REST WebServices

Authentication and Authorization in REST WebServices

Authentication and Authorization in REST WebServices are two very important concepts in the context of REST API. The majority of the time you will be hitting REST API's which are secured. By secure we mean that the API's which require you to provide identification. Identification can be provided in the form of

  • Username and a Password
  • Authentication tokens
  • Secret keys
  • Bio-metrics and many other ways

In the context of REST API, we will be more interested in the first three options. The Authentication and Authorization models that we will discuss are spread across multiple tutorials, starting from this tutorial.

What is Authentication? and How does Authorization works in REST WebServices?

Authentication is a process to prove that you are the person who you intend to be.

For e.g. while logging into your email account, you prove that you are you by providing a Username and a Password. If you have the Username and the Password you are who you profess to be. This is what Authentication means.

In the context of REST API authentication happens using the HTTP Request.

Note: Not just REST API, authentication on any application working via HTTP Protocol happens using the HTTP Request.

Basic Authentication Flow

Taking the example of email login, we know that in order to Authenticate our self we have to provide a username and a Password. In a very basic Authentication flow using Username and Password, we will do the same thing in REST API call as well. but how do we send the Username and Password in the REST request?

A REST request can have a special header called Authorization Header, this header can contain the credentials (username and password) in some form. Once a request with Authorization Header is received, server can validate the credentials and can let you access the private resources.

Note: I hope from previous tutorials you are able to understand the meaning of a Resource. If not, please go through this tutorial:Rest architectural elements.A private resource is one that is not accessible to everyone. You need to Authenticate yourself to access the private resource.  For e.g. the email inbox, you have to login to see the emails.

Let us see it with an example, we have created an API which needs a valid Username and Password to access the Resource.


In the code below we will try to hit the URL and see what is the Response that we get.

In the code above we are simply making an HTTP GET request to the endpoint. In this code, we have not added any Authorization header. So the expected behavior is that we will get Authorization error. If you run this test, you will get the following output.

The output clearly says that we have "Invalid or expired Authentication key provided" error. This means that either there was no Authentication information or the information supplied was invalid. Eventually, server denies our request and returns an error response.

Note: Pay special attention to the Status code returned. In case of Authentication failures Server should respond with a status code of 401 Unauthorized.

Try to hit that URL using a browser. You should get a Username and Password prompt. Below image shows what you should be getting when you hit this URL from browser.

Authentication and Authorization in REST WebServices

In this tutorial, we will not discuss about how to pass Authentication information in the Request header. Here we will only focus on the definitions of  Authentication and Authorization. In the next set of tutorials, we will see different Authentication models, which will solve the above problem.

What is Authorization? and How does Authorization works in REST WebServices?

Authorization is the process of giving access to someone. If you are Authorized then you have access to that resource. Now to Authorize you need to present credentials and as we discussed earlier that process is called Authentication. Hence Authorization and Authentication are closely related terms and often used interchangeably.

Before ending the tutorial let us see the contents of the private resource in the URL mentioned above. To do that enter the following credentials

  • Username: ToolsQA

  • Password: TestPassword

Server will be able to Authenticate and then Authorize you to access the private resource content. The below image shows the content after successful Authentication.


With this basic understanding of Authentication and Authorization, read the coming tutorials where we will discuss the specif types of Authentication models in REST API.

  1. Grace cathedral dallas
  2. Total divas cast 2015
  3. Airworthiness directives

REST Assured Authentication

In this tutorial, we’ll analyze how we can authenticate with REST Assured to test and validate a secured API properly.

1. Overview

The tool provides support for several authentication schemes:

  • Basic Authentication
  • Digest Authentication
  • Form Authentication
  • OAuth 1 and OAuth 2

And we’ll see examples for each one.

2. Using Basic Authentication

The basic authentication scheme requires the consumer to send user id and a password encoded in Base64.

REST Assured provides an easy way to configure the credentials that the request requires:

2.1. Preemptive Authentication

As we’ve seen on a previous post on Spring Security authentication, a server might use a challenge-response mechanism to indicate explicitly when the consumer needs authenticate to access the resource.

By default, REST Assured waits for the server to challenge before sending the credentials.

This can be troublesome in some cases, for example, where the server is configured to retrieve a login form instead of the challenge response.

For this reason, the library provides the _preemptive _directive that we can use:

With this in place, REST Assured will send the credentials without waiting for an Unauthorized response.

We hardly ever are interested in testing the server’s ability to challenge. Therefore, we can normally add this command to avoid complications and the overhead of making an additional request.

3. Using Digest Authentication

Even though this is also considered a “weak” authentication method, using Digest Authentication represents an advantage over the basic protocol.

This is due to the fact that this scheme avoids sending the password in cleartext.

Despite this difference, implementing this form of authentication with REST Assured is very similar to the one we followed in the previous section:

Note that, currently, the library supports only challenged authentication for this scheme, so we can’t use preemptive() as we did earlier.

4. Using Form Authentication

Many services provide an HTML form for the user to authenticate by filling in the fields with their credentials.

When the user submits the form, the browser executes a POST request with the information.

Normally, the form indicates the endpoint that it’ll call with its action attribute, and each input field corresponds with a form parameter sent in the request.

If the login form is simple enough and follows these rules, then we can rely on REST Assured to figure out these values for us:

This is not an optimal approach, anyway, since REST Assured needs to perform an additional request and parse the HTML response to find the fields.

We also have to keep in mind that the process can still fail, for example, if the webpage is complex, or if the service is configured with a context path that is not included in the action attribute.

Therefore, a better solution is to provide the configuration ourselves, indicating explicitly the three required fields:

Apart from these basic configurations, REST Assured ships with functionality to:

  • detect or indicate a CSRF token field in the webpage
  • use additional form fields in the request
  • log information about the authentication process

5. OAuth Support

OAuth is technically an authorization framework, and it doesn’t define any mechanism for authenticating a user.

Still, it can be used as the basis for building an authentication and identity protocol, as is the case of OpenID Connect.

5.1. OAuth 2.0

REST Assured allows configuring the OAuth 2.0 access token to request a secured resource:

The library doesn’t provide any help in obtaining the access token, so we’ll have to figure out how to do this ourselves.

For the Client Credential and Password flows this is a simple task, since the Token is obtained by just presenting the corresponding credentials.

On the other hand, automating the Authorization Code flow might not be that easy, and we’ll probably need the help of other tools as well.

To understand correctly this flow and what it takes to obtain an Access Token, we can have a look at this great post on the subject.

5.2. OAuth 1.0a

In the case of OAuth 1.0a, REST Assured supplies a method that receives a Consumer Key, Secret, Access Token and Token Secret to access a secured resource:

This protocol requires user input, therefore obtaining the last two fields won’t be a trivial task.

Note that we’ll need to add the scribejava-apis dependency in our project if we’re using OAuth 2.0 features with a version prior to 2.5.0, or if we’re making use of the OAuth 1.0a functionality.

6. Conclusion

In this tutorial, we’ve learned how we can authenticate to access secured APIs using REST Assured.

The library simplifies the process of authentication for practically any scheme that we implemented.

As always, we can find working examples with instructions on our Github repo.

Thanks for reading ❤

#rest #web-development

What is GEEK

Buddha Community

REST Assured Authentication
Bearer Token Authentication in Rest Assured


Authentication rest assured


Cookies Based Authentication in RestAssured- Automate JIRA Application


Now discussing:


1637 1638 1639 1640 1641