By Roshi Malhotra

(Continued from Updates about QTP 10 (I) … )

II. Report improvements

The native QTP report includes several new improvements:

Tracability: Selecting a report-node will automatically focus on the relevant code-line in the script. This may sound like a cool feature at first, but a closer look revels that it only works for actions (not functions); and that in any case, using a custom report function (as most of us do) completely nullifies the feature (since you’re always at the same code line when performing the report).

Exporting: The report now has a two-click export feature, which comes with a built-in ability to export to Word and PDF documents, as well as the ability to export through a custom XSL of your choosing. You can choose between Short and Long formats (corresponding to PShort.XSL and PDetails.XSL) to get a document relevant to your needs. This blessed feature has one major flaw – It has no API support. This means that you cannot export the results automatically at the end of a test run, which is quite a miss, to say the least.

Resource Monitor: QTP can now hook onto the Windows Performance Monitor and present it as part of the test results. You can select several counters to monitor (e.g. GDI objects, memory usage etc.), and the monitor output graph will be available in special tab in the result window. You can set up a “checkpoint” for a counter (e.g. Fail the test if there are more than 500 GDI objects), facilitating a kind of a poor-man’s version of load-testing.

The fact that clicking the graph focuses on the relevant test step (as well as the other way around), provides an effective way to quickly locate problematic actions and resource usage spikes. This feature is well executed, and HP has even went the extra mile and added several unified counters that simplify monitoring the application. However, the fact that you can only monitor one process per test may leave the more advanced users with their own implementation of a resource monitor. 

Native image integration: This is a small, yet long-awaited feature. The ReportEvent command now has a new optional parameter – you can specify a path to a picture file, and it will be attached to the report node of the current event. When used in conjunction with the CaptureBitmap method, this presents a technical, yet revolutionary upgrade to the native QTP report. Finally, users can attach screenshots to their custom report events without any special functions or frameworks.

III. IDE improvements

Intellisense: IDE improvements, and the new intellisense engine in particular, is what got me excited about QTP Atlantis. 

Can create an Excel COM object provided a full intellisense for all its methods and properties, for as many levels as we’d like. Every variable set to this object also presented the same intellisense, and the autocomplete caught every variable we’ve defined or used (yes, there’s autocomplete for variable names!). The autocomplete and intellisense features worked smoothly, and presented no apparent performance issue. It’s still left to be seen how it functions in a real script, with hundreds / thousands code lines.

Tasks and Comment Pane: QTP has a new bottom pane which includes a run-of-the-mill implementation of tasks and comments. Double clicking a comment will take you to the relevant code-line, though strangely enough, you cannot do this with a task (i.e., tasks cannot be linked to specific code lines). It was mentioned that enabling the comments feature for function libraries may sometimes cause performance issues.

Dynamic code-zones: When standing inside a code block like If, While, Do, etc, the IDE will mark the relevant block with blue lines, making it much more easy to make your way inside nested blocks of this sort (somewhat like highlighting left-right bracket pairs). While it will surely make our life easier, a more robust mechanism like collapsible code-regions is still needed.

Custom Toolbars: You can add your own buttons and commands to QTP toolbars and menus. While this does not include inner-QTP macros, you can assign a program / File shortcut to your own button / menu item. It’s nice, but i think it will only gain power once QTP’s inner mechanisms will be bindable to such buttons.

IV. Miscellaneous features

General look and feel: QTP has departed from the old Tab layout, and into the more modern settings-tree layout (similar to Office, EMule, Adobe, and pretty much every other program). It’s nice, but nothing as groundbreaking as the transformation in QTP 9.0.

Bitmap Checkpoint improvements: These include presenting the size of the selected area when choosing to check only a part of an Image, as well as the ability to plug your own custom DLL for comparing images. Another great addition is the ability to see the difference between the expected and actual bitmaps in a separate tab.

API changes: QTP Automation API will receive several upgrades, the most noteworthy of which is the ability to read and write that code of the test you’ve opened. Writing the code will not effect an ongoing run-session (there goes my ambitious try-catch implementation for QTP), but it still opens the door for some creative tweaks and hacks…

Saving a test with all linked resources: For those who’re working with QC, this is a real blessing. Up until QTP 10, copying a QC saved test to your local system was a hellish procedure of changing each and every resource and action reference to your local file-system. QTP and QC Atlantis offer a one-click solution for copying a test and all its resources to your local file-system, and automatically changing all the references accordingly.

Dynamic Action Call: I’ve saved the best for last. QTP 10 presents a new native command – LoadAndRunAction. It allows you to load external actions during the run-session, without having to associate them with your test beforehand. All the run-time debug abilities will be available for these dynamically added actions, so you’re not giving anything up by using this feature. I think it’s a long awaited feature, and a well executed one.

By Himanshu Agarwal

(Continued from Secured Web Services (I))

4.) NTLM (NT LAN Manager)

The protocol uses a challenge-response. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password.

Let’s understand this process:

Step1: A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.

Step2: The client sends the user name to the server (in plaintext).

Step3: The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.

Step4: The client encrypts this challenge with the hash of the user’s password and returns the result to the server. This is called the response.

Step5: The server sends the following three items to the domain controller:
a)    User name
b)  Challenge sent to the client
c)   Response received from the client

Step6: The domain controller uses the user name to retrieve the hash of the user’s
Password from the Security Account Manager database. It uses this password hash to encrypt the challenge.

Step7: The domain controller compares the encrypted challenge it computed to the response computed by the client.
If they are identical, authentication is successful.

5.) SSL and Client Certificates

Secure Sockets Layer, SSL, is the standard security technology for creating an encrypted link between a web server and a browser. It addresses issues of privacy, integrity and authentication.
SSL uses X.509 certificates. SSL uses conventional cryptography with shared key.

For key sharing we can use following algorithms.
DES, 3DES
RC2, RC4
IDEA

6.) SOAP headers-based authentication

Here web services are secured by using SOAP headers that contains any authentication information needed to authenticate the web service.

Such as: User credentials are passed within the SOAP header of the SOAP message

7.) Proxy based authentication

Two fundamental types

WWW: end-to-end authorization for accessing web resources (realms) defined by URI(s)

Proxy hop-by-hop authorization to use a proxy service that will fetch the URI(s) requested by the user agent. Here proxy asks for authentication not the server.

By Himanshu Agarwal

Secured web services are the services which are private to the anonymous users.

There exist two types of web services i.e. public and private.

Public web services are accessible to any person but private web services can only be accessed by registered/licensed users.

In order to make the web service private, it is required to apply some authentication mechanism over it, so that only registered users can access it.  Such web services are known to be secured.

Lets first deal with the standards that make up a secure web service, which are as follows:
•    Authentication
•    Authorization
•    Auditing
•    Privacy
•    Integrity
•    Availability
•    Nonrepudation

Authentication is a process by which an entity, also called a principal, verifies that another entity is indeed who or what it claims to be.

Authorization is a mechanism to provide an authenticated user with access to resources.

Auditing is to collect information about successful and failed requests to a Web service.

Privacy means ensuring that information provided in a communication between client and server is hidden from an attacker

Integrity refers to the ability to protect data from being deleted or changed, either maliciously or by accident.

Availability is ensuring that a legitimate user is not denied access to a requested resource.

Nonrepudation is a technique for providing proof that an action occurred so as to prevent the client from fraudulently reneging on a transaction.

Now let’s deal with the authentication mechanisms that can be applied over a web service.
•    Basic
•    Digest
•    Kerberos
•    Windows NTLM
•    SSL and Client certificates
•    SOAP headers-based
•    Proxy

1.) Basic Authentication

•    It is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.

•    Before transmission, the username and password are encoded as a sequence of base-64 characters

•    For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64

2.) Digest authentication

Digest authentication is basically an application of MD5 cryptographic hashing with usage of nonce values to prevent cryptanalysis. Here transmitting of password is in an encrypted form which is more secure than the simple base64 encoding used by basic authentication.

The password is not used directly in the digest, but rather
HA1 = MD5(username:realm:password).

As the message is sent with the digest, So at the receiver side message contents can be verified and can guard against tampering with message content.

3.) Kerberos

Kerberos method involves, Kerberos Distribution Center (KDC): it is responsible for authenticating the client and issuing a ticket that has the client credential, and then the client can use it for authentication with the web service.

As majority of us deal with Microsoft environment, for this KDC is available in Windows Server 2003 as a domain controller.

Kerberos authentication mechanism involves client, authentication broker and service.

(To be continued…)

By Pallavi Sharma

In the last series we saw what are the various challenges which a tool should overcome to test a SOA based application. We saw a list of commercial and open source tools which can assist us in testing our web services.

From this series we will take each tool one by one and understand what all it has to offer us. The first solution to web service testing we will consider is the one provided by Rational. Rational offers the following solutions:

a. Rational Tester for SOA Quality
b. Rational Performance Tester Extension for SOA Quality.

Following are the list of features which they offer:

• Both built on Rational Performance Tester technology
• Support for Web Services standards UDDI, WSDL, SOAP, HTTP, HTTPS, WS-Security
• Integrated with Rational Test Management tools (Test Manager with ClearQuest)
• Monitoring tools (Tivoli) can be easily integrated with it.

The best part of this tool is for both functional and performance testing of the web service we can use the same interface of Rational Performance Tester. As shown in the figure below:

[Fig- 1a]

Following are the various advantages of Rational SOA Tester:

• Simplify testing of GUI-less service
o Automated generation of web service test client
o No programming knowledge necessary to create, comprehend, modify, and execute a functional or performance test
o Automated data correlation and data driven testing through a code-free test environment
• Simplify service integration testing
o Automated test creation from Web Sphere Business Process Execution Language resources
• Create, comprehend, modify, and execute a functional or performance test
o Graphical test editor enables both high-level and deeper detail views
o Support Web services standards (e.g. SOAP,HTTP(S), WS-Security, UDDI)

How to Get Rational SOA Tester:

You need to have Rational Performance Tester 7.01 installed on your system. Once you have that you can download the SOA Tester as an extension over RPT. The link for the same is as follows: http://www.ibm.com/developerworks/downloads/r/tsq/learn.html?S_TACT=105AGX15&S_CMP=ART

A simple tutorial explaining how you use the SOA tester will be the topic of our next blog series. Till then hopefully you have acquired the tool.
References:
1.http://www.ibm.com/developerworks/downloads/r/tsq/learn.html?S_TACT=105AGX15&S_CMP=ART

(Copyrighted by CresTech Software Systems Pvt. Ltd.)