The easiest way to do authorization and role-based security testing in web applications was to switch on basic authentication in IIS and embed the user/password in the URL. I have not done that for a couple of years, but I never thought of it as bad functionality. If a user/admin was responsible and knew the risks involved, there was no problem. I was surprised that it does not work in IE anymore. Now my easy way to impersonate test users is gone. MS issued a "workaround" that should help those relying on the feature:
If users typically type HTTP or HTTPS URLs that include user information in the Address bar, or click links that include user information in HTTP or HTTPS URLs, you can work around this new functionality in Internet Explorer in two ways:
- Do not include user information in HTTP or HTTPS URLs.
- Instruct users not to include their user information when they type HTTP or HTTPS URLs.
… in other words 🙁 if you did use the feature, don't use it anymore. What a great workaround!
I am using WatiN to run automated tests in CCNET. Now tell me how to satisfy such a scenario:
- I want to have Windows Authentication turned on in IIS configuration (no login prompt for some users).
- I want to have auto-login (no prompt) turned on in IE (some tests would be run in the context of the default user without a dialog prompt)
- I want to sometimes authenticate other users in the IE instance that is currently running (some tests would be run in the context of other users with a login dialog prompt – LogonDialogHandler in WatiN, or another type of from-code authentication)
IE does not respond to Response.Status = 401, and I have not found another way to force a user login prompt from inside the application (e.g. from /ReLogon.aspx). I have set up two virtual directories:
- with Windows Authentication turned on – used for default user independent tests
- with Windows Authentication turned off (forces basic login prompt) – used for tests that should be run in a specific user context
PS. Please let me know if there is a better solution.
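
One way to keep per-user authorization checks against the basic-authentication virtual directory without credentials in the URL, as an added example that is not part of the original post: the userinfo is moved into an `Authorization: Basic` header and each test user's expected status code is compared with the actual one. It works at the HTTP level rather than through WatiN or the IE login dialog, and the host name, paths and accounts are constructed placeholders.

```python
import base64
from urllib.error import HTTPError
from urllib.parse import unquote, urlsplit, urlunsplit
from urllib.request import Request, urlopen


def to_header_auth(url):
    """Move user:password@ out of the URL into an Authorization: Basic header."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, {}
    # Userinfo is percent-encoded in a URL; the header carries the raw values.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    host = parts.netloc.rpartition("@")[2]  # keeps port and IPv6 brackets
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, {"Authorization": "Basic " + token}


def fetch_status(url, send=urlopen):
    """Request the credential-free URL and return the HTTP status code."""
    clean, headers = to_header_auth(url)
    try:
        with send(Request(clean, headers=headers)) as resp:
            return resp.status
    except HTTPError as err:  # urllib raises on 401/403 instead of returning
        return err.code


def check_roles(expectations, send=urlopen):
    """expectations: (url_with_userinfo, expected_status) pairs.
    Returns (clean_url, expected, actual) for every mismatch."""
    failures = []
    for url, expected in expectations:
        actual = fetch_status(url, send)
        if actual != expected:
            failures.append((to_header_auth(url)[0], expected, actual))
    return failures


if __name__ == "__main__":
    # Constructed sample: host, path and account are placeholders.
    sample = "http://testuser:p%40ss@qa.example.test:8080/basic/Default.aspx"
    print(to_header_auth(sample))
```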