Blazemeter recording has proven unsupportive for recording this application, so I went with HAR to JMX file, and from JMeter I enhanced the requests captured for my functionality. Initially I faced 401 unauthorized errors on the home page itself of my request (my application is also SSO enabled), but I sorted this out by placing hardcoded values of cookie, csrf and sessionid in Header Manager, so I finally avoided this 401 error.
But the subsequent request which calls Autodesk 3rd party request is showing up with 403 forbidden errors.
Please let me know how to handle this. This application also has X-XSRF-TOKEN being passed as a header. I tried to pass it as shown below in my script, but it didn't work, so I left it as it is. I am not sure whether this is in turn causing the 403 forbidden error.
Add the next line to user.properties file (lives in "bin" folder of your JMeter installation):
CookieManager.save.cookies=true
Restart JMeter to pick up the change
Add HTTP Cookie Manager to your Test Plan
Add HTTP Header Manager to your Test Plan and configure it to send the following header:
Name: X-XSRF-TOKEN
Value: ${COOKIE_XSRF-TOKEN}
I tried the below to handle xsrf but it didn't work.
Add HTTP Cookie Manager to your Test Plan
Add HTTP Header Manager to your Test Plan and configure it to send the following header:
Name: X-XSRF-TOKEN
Value: ${COOKIE_XSRF-TOKEN}
So I left this token in all my request headers as it is, and the subsequent request (3rd party Autodesk) is showing up with a 403 forbidden error.
I don't think hard-coded values will work; normally cookies and session IDs have a limited lifetime, therefore when they expire you will face authentication issues once again.
Instead of "hard-coding" you need to perform correlation, to wit extract dynamic values from the previous response using a suitable Post-Processor, save them into JMeter Variables and replace recorded values with variables.
Example: What is CSRF & How to Load Test CSRF-Protected Websites
With regards to "3rd-party" requests I would rather exclude them from the script unless they're absolutely required, so your test plan would focus solely on your application endpoint(s) without hitting Google, Microsoft, Autodesk, whatever resources.
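One way to do the correlation described in the answer above, shown as an added example that is not part of the original question or answer: a JSR223 PreProcessor (Groovy) that reads the current XSRF-TOKEN cookie from the HTTP Cookie Manager before each request and sets it as the X-XSRF-TOKEN header, skipping requests to other hosts. It assumes the application delivers the token in a cookie named XSRF-TOKEN, as the question's `${COOKIE_XSRF-TOKEN}` implies; `APP_HOST` is a hypothetical user-defined variable holding the application's own host name.

```groovy
// JSR223 PreProcessor, language: Groovy. Place it at Thread Group level so it
// runs before every HTTP sampler in scope. Added example, not code from the page.
import org.apache.jmeter.protocol.http.control.Header
import org.apache.jmeter.protocol.http.control.HeaderManager
import org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase

final String COOKIE_NAME = 'XSRF-TOKEN'    // cookie name taken from the question
final String HEADER_NAME = 'X-XSRF-TOKEN'  // header name taken from the question
// APP_HOST is a hypothetical variable (User Defined Variables) with the app's host name.
String appHost = vars.get('APP_HOST')

if (!(sampler instanceof HTTPSamplerBase)) {
    return  // not an HTTP request, nothing to correlate
}
// Keep the application's anti-CSRF token out of requests to third-party hosts.
if (appHost != null && !sampler.getDomain().equalsIgnoreCase(appHost)) {
    return
}

def cookieManager = sampler.getCookieManager()
if (cookieManager == null) {
    log.warn('No HTTP Cookie Manager in scope; cannot read ' + COOKIE_NAME)
    return
}

// Take the value the Cookie Manager currently holds for this thread, so the
// header follows the token whenever the server rotates it.
String token = null
for (int i = 0; i < cookieManager.getCookieCount(); i++) {
    def cookie = cookieManager.get(i)
    if (cookie.getName() == COOKIE_NAME) {
        token = cookie.getValue()
    }
}
if (token == null) {
    log.warn(COOKIE_NAME + ' cookie not set yet for ' + sampler.getName())
    return
}

// Replace any recorded (stale) header value with the live one.
def headerManager = sampler.getHeaderManager()
if (headerManager == null) {
    headerManager = new HeaderManager()
    sampler.setHeaderManager(headerManager)
}
headerManager.removeHeaderNamed(HEADER_NAME)
headerManager.add(new Header(HEADER_NAME, token))
```

Remove the hard-coded X-XSRF-TOKEN, cookie and session ID entries from the recorded Header Manager so the HTTP Cookie Manager and this script are the only sources of those values.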