Mar 27 2008

Automate NTLM Authenticated Web Service Testing with WebInject

Tag: java,ntlm,perl,soap,testing,webservicespmularien @ 8:09 pm

This is a bit of a different subject matter than I usually cover, so I apologize in advance. I was recently working on a project involving many, many remote web services. We were running into issues with some services being sporadically unavailable, and wanted to gather data on their uptime. One interesting twist was that all the services were protected by NTLM authentication, which severely limited the number of choices I could find easily.

I came across a Perl-based tool called WebInject. With some slight tweaking, it does support NTLM authentication, and it also supports POST body content, which I needed to be able to POST SOAP requests.

Here’s how to set it up on a Windows platform and implement NTLM support.

  • First, download the WebInject distribution. Unzip to a folder (say, c:\webinject).
  • Next, download and install ActivePerl 5.8 (latest) from here.
  • Once you install ActivePerl, you’ll need to install some Perl packages:

The following packages are required:

ppm install Error
ppm install Tk::ProgressBar::Mac
ppm install Authen::NTLM

WebInject comes with an executable which wraps up a Perl interpreter and all the packages you need. However, it doesn’t include the package with NTLM support. So we are setting things up so that our external Perl interpreter (ActivePerl) has all the dependencies it needs in order to run WebInject as a Perl script.

Once you’ve installed the packages listed above, you should be able to run WebInject as a Perl script:

perl webinjectgui.pl

You will need to make a minor change to the webinject.pl script to enable HTTP keepalives (these are required for NTLM authentication). Look for the LWP::UserAgent->new line and modify as such:

    $useragent = LWP::UserAgent->new(keep_alive=>1);

This will allow WebInject to communicate with an NTLM web service. Set up authentication as documented in the WebInject documentation. Of course, after I went through this, another colleague suggested trying out SoapUI, which also supports some types of NTLM authentication. I’ll try to write up that tool later on – first impressions look really good (certainly much more sophisticated than WebInject).

Related Reading:
http://www.goldb.org/goldblog/2007/05/16/WebInjectOpenSourceWebServiceTestingToolGetsHighMarks.aspx
http://www.infoworld.com/article/07/05/11/19TCwebservicetest_5.html
http://www.webinject.org/cgi-bin/forums/YaBB.cgi?board=Development;action=display;num=1185818423