REST API Testing using Apache JMeter (step by step guide)

Inna Kozak
7 min read · Aug 26, 2020


In this article, we are going to test a REST API with Apache JMeter, an open-source tool that can be used to load test a JSON REST API. We will use the Termin REST API as an example.

1. REST API LOGIN

The Termin platform is based on a JSON REST API. We’re going to see how you can simulate a login to our API using JMeter.

Most REST APIs work with the following login workflow:

  1. Log in using an HTTP POST request by providing email and password.
  2. Receive a temporary authentication token for later requests to identify yourself.
  3. Send the auth token within subsequent requests, typically via HTTP headers like Authorization: Bearer AUTH_TOKEN.

1.1 Login API Specs

First, let’s see how we can log in to the Termin application. The Termin API has a Swagger specification; Swagger is a tool for providing REST API documentation.

Doc specifying how to login via Termin API

Now let’s examine the request we need to forge using JMeter:

  • HTTP Method: must be a POST request, with some post parameters
  • HTTP Scheme: https since our Rest API is secured by SSL
  • Hostname: api.termin.city
  • Path: api/login (Login endpoint path)
  • Post Parameters:
      • email: the account user email;
      • password: the associated password.

We should receive from the server a JSON Response which should look like:

See the token here? That’s something we’ll use later to identify ourselves on the Rest API. Let’s take a look at the JMeter HTTP Request.

1.2 Executing Login

Login on Termin via the Rest API

Here we have our Login HTTP Request ready to be sent to our servers. In order to debug the login, we’re going to use the View Results Tree Listener.

Login request sent to the server

As we can see, the request sent is a form-urlencoded POST which contains our login and password.

Response received from the server

Now that we’ve received the Authentication Token, we can extract it to reuse it in subsequent requests.

2. Extracting Auth Token

Token Based Authentication is a simple mechanism where a token uniquely identifies a user session. We need to handle this dynamic parameter to properly simulate a user interacting with our Json API.

2.1 Using Json Extractor

To extract the authentication token from the server response, we’re going to use JMeter JsonPath Extractor. The process of extracting a variable from a response works as follows:

  1. The server sends back a response to our login request,
  2. A post-processor, like the JsonPath Extractor, is executed afterwards,
  3. The extractor extracts part of the server response and puts it into a variable like ${token}.

ADD — Post Processors — JSON Extractor:

Place it right under the login HTTP request. Let’s also add a Debug Sampler to see if the variable is extracted correctly:

Enabling JMeter variables in Debug Sampler

By setting JMeter Variables to true, we enable the sampler to output the variables during the test run.

2.3 Testing the Extraction

Token is successfully extracted from server response using Json Extractor

The Json extractor extracts the value of the token field from the Json response. We can now use the ${token} expression in subsequent requests to perform authenticated requests.

Let’s see how we reuse this token to tell our Rest API that we’re a given user.

3. Reinjecting Auth Token

Our Rest API has many endpoints which require authentication. Those endpoints provide data like user workspaces, projects, virtual users and more. To access user-protected endpoints, one must:

  • Log in to get an authentication token (like we did previously);
  • Send the auth token within an Authorization: Bearer TOKEN http request header, for each subsequent request.

That’s exactly what we’re going to do here.

3.1 Retrieving User

We’re now particularly interested in querying the dashboard of our user.

This is part of the User API Endpoints.

User Rest API Endpoint from Swagger API Docs

We’re going to perform a GET request to the endpoint with path /api/user. It should return a JSON response containing the user dashboard. Here is an example response:

Let’s create an HTTP request within JMeter to query those:

Here we have set up an HTTP request to query the workspaces of the user:

  • HTTP Method: must be a GET request, no parameters involved
  • HTTP Scheme: https since our Rest API is secured by SSL
  • Hostname: api.dev.termin.city
  • Path: /api/user

For now, if we don’t provide the authentication token, the server will reject our request.

Server returns a redirection.

The server redirects to the login page: auth/login REST API.

We need to provide the authentication token by including an Authorization header within the request. We do this by adding an HTTP Header Manager to the request.

3.2 Adding Authorization Header

ADD — Config Elements — HTTP Header Manager

Setting extracted token within Authorization header

We have previously extracted the token from the api/login endpoint server response. Now, it’s time to reuse it to retrieve access-protected resources:

  1. First, add an HTTP Header Manager under the getUser HTTP Request,
  2. Add the Authorization header, with value Bearer ${token}.

Got the user from the server.

We’ve got all the user’s info.

Authorization header has been sent within the request

4. Using JSON Assertion

We’re going to make sure the server response contains the Inna user. That’s a job for the JSON assertion. To add a Json assertion, right-click on the HTTP Request sampler, then select Add > Post Processor > Json Assertion.

The JSON assertion is configured as follows:

  • Assert JSON Path Exists: $.[1]['name'] refers to the second workspace returned, and takes its name,
  • Additionally Assert Value: Check to enable checking the value of the name field,
  • Expected Value: should be Inna.

Execution:

5. Simulating Dynamic Behavior

5.1 Simulation

Let’s see how we can simulate a dynamically behaving user with JMeter:

  • First, we’re going to extract a random company ID (it will be stored in ${id}),
  • Second, we’re going to query the projects of that workspace using the endpoint.

We’re going to call it from JMeter, but first we need to extract a random company id:

Extracting random company id

The extractor is configured as a post-processor of the getUser request with the settings:

  • Name of created variables: id,
  • JSON Path Expressions: $..id,
  • Match No: 0, which is random.

This extracts a random company id, and puts it in the ${id} variable.
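The following sketch models what the extraction steps in sections 2.1 and 5.1 select. It is an added example, not code from the article or from JMeter. The response body, the helper names and the NOT_FOUND default are assumptions, and Match No. is modelled only for 0 and positive values. It shows that $..id also matches ids nested inside each company, and that a failed extraction leaves the default value in the variable.

```python
import random

# Constructed sample body (the page does not show the real one): a root array
# of companies, each with a nested object that carries its own "id".
SAMPLE = [
    {"id": 10, "name": "Acme", "owner": {"id": 77, "name": "Bob"}},
    {"id": 11, "name": "Inna", "owner": {"id": 78, "name": "Eve"}},
]

def descend(node, key):
    """What `$..key` selects: every `key` at any depth (depth-first here)."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                hits.append(v)
            hits.extend(descend(v, key))
    elif isinstance(node, list):
        for item in node:
            hits.extend(descend(item, key))
    return hits

def top_level(doc, key):
    """What `$[*].key` selects: `key` of each element of the root array only."""
    return [item[key] for item in doc if isinstance(item, dict) and key in item]

def pick(hits, match_no, default="NOT_FOUND", rng=random):
    """Simplified model of Match No.: 0 = random match, n >= 1 = the n-th match.
    Without a usable match the variable gets the default value instead."""
    if match_no < 0:
        raise ValueError("negative Match No. is not modelled here")
    if not hits or match_no > len(hits):
        return default
    chosen = rng.choice(hits) if match_no == 0 else hits[match_no - 1]
    return str(chosen)  # JMeter variables hold strings

def stray_ids(doc, key="id"):
    """Values `$..id` may put into ${id} that are not company ids."""
    companies = top_level(doc, key)
    return [hit for hit in descend(doc, key) if hit not in companies]

if __name__ == "__main__":
    print("$..id   ->", descend(SAMPLE, "id"))
    print("$[*].id ->", top_level(SAMPLE, "id"))
    print("strays  ->", stray_ids(SAMPLE))
    print("failed login, $..token ->", pick(descend({"error": "denied"}, "token"), 1))
```

On a body shaped like this sample, a random pick from $..id can request /company/${id}/owners with an id that belongs to a nested object rather than a company. Narrowing the path to the level that holds the company ids, and asserting that ${token} is not the default value before reusing it, keeps the later requests meaningful.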

5.2 Querying Projects

Finally, we need to query the projects according to the previously extracted company id. For this purpose, I have duplicated and modified the previous request to save some time.

Querying projects with company id variable

Here we have set up an HTTP request to query the projects of a workspace:

  • HTTP Method: must be a GET request, no parameters involved
  • HTTP Scheme: https since our Rest API is secured by SSL
  • Hostname: api.termin.city
  • Path: /company/${id}/owners

I guess we’re ready to run a quick iteration to try this out!

JMeter is really well suited for Rest API Testing, especially those based on the Json Format. Testing JSON APIs with JMeter is really easy.
