Apereo CAS - OpenID Connect Load Testing w/ Apache JMeter & Eclipse Jifa

Posted by Misagh Moayyed on March 03, 2022 · 10 mins read ·

Load testing is an important part of ensuring that the CAS server deployment is ready for prime-time production use, especially when deployed in a cluster and configured to be highly available. In this tutorial, I plan to go over the basic aspects of running a stress test using Apache JMeter against a CAS server that is acting as an OpenID Connect Provider.

Our starting position is based on the following:

Initial Setup

First, let’s begin by preparing our CAS deployment to act as an OpenID Connect provider by including the correct extension module:

implementation "org.apereo.cas:cas-server-support-oidc"

Then, we teach CAS about specific aspects of the authorization server functionality:

cas.authn.oidc.core.issuer=https://sso.example.org/cas/oidc
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks
Clustered Deployments
When deploying CAS in a cluster, you must make sure all CAS server nodes have access to and share an identical and exact copy of the keystore file. Keystore differences will lead to various validation failures and application integration issues.

That should be all. Now, you can proceed to register your client web application with CAS that will take part in the load tests:

{
  "@class": "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "client",
  "clientSecret": "secret",
  "serviceId": "^https://.*",
  "name": "OIDC",
  "bypassApprovalPrompt": true,
  "generateRefreshToken": "true",
  "supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ],
  "supportedGrantTypes": [ "java.util.HashSet", [ "authorization_code" ] ],
  "id": 1,
  "scopes" : [ "java.util.HashSet", [ "profile", "openid", "email" ] ]
}

It’s important to set bypassApprovalPrompt to true to allow Apache JMeter to bypass the consent screen.

Redirect URI
I am intentionally using a very wide pattern in the application definition above using the serviceId attribute to make this process easier for this tutorial. In reality, the application policy you use MUST be a lot more strict in terms of what it can authorize.

So far, so good. Let’s start testing.

Apache JMeter

Apache JMeter is a Java-based performance testing tool that is open source and designed to load test functional behavior and measure performance. CAS presents ready-made test scripts for Apache JMeter, and as it stands, the CAS_OIDC.jmx can be used to test the server acting as an OpenID Connect provider. If you open this script in your Apache JMeter, it will look something like this:

Take note of the user-defined variables and modify accordingly.

Then, review the test execution plan, which executes the following sequence:

  • Send an authentication request asking for a code
  • Log in using a sample username and password, casuser and Mellon.
  • Follow redirects to the client application to obtain the code
  • Then exchange the code for an access token, an id token, and a refresh token.

Now, if you run the test you can examine the results in an aggregated form:

So in the span of 30 seconds and using 2 threads, this CAS server was able to handle approx. 16 requests per second. That’s not too impressive for a beginner’s tutorial, I admit, and I am sure your results would be much more satisfying.

Note that it is highly recommended that the GUI be used for troubleshooting the scripts to work within your environment. Then, when you start load testing, you do that via the command line:

apache-jmeter/bin/jmeter -n -t "CAS_OIDC.jmx"

Heap Dumps w/ Eclipse JIFA

A heap dump is a snapshot of JVM memory. Typically it would be a large binary file that is roughly the same size as the heap of the application at the moment it is taken. One way to obtain a heap dump is by using the heapdump Spring Boot actuator endpoint. So you could do a curl or simply open in a browser the URL https://sso.example.org/cas/actuator/heapdump, which will download the heap dump file.

To get to this endpoint, you must first expose and enable the actuator endpoint:

cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
management.endpoints.web.exposure.include=heapdump
management.endpoints.enabled-by-default=true

Actuator Access
Note that I am using very relaxed access rules to expose and enable CAS actuator endpoints. In reality, you MUST opt for hardened rules when it comes to access and exposure of web-based endpoints that can provide insight into the running CAS software.

Once you have the heap dump, you can use Eclipe Jifa to analyze the heap dump. Eclipse Jifa (Java Issue Finder Assistant) is an open-source project for troubleshooting Java applications and it provides a scalable, web-based solution to prevent local memory and resource challenges. Heap Dump Analysis and GC Log Analysis are supported with features such as target heap overview, leak suspects, thread information, and GC root analysis.

You can use the following Docker image may be used to quickly run Eclipse Jifa:

docker run -p 8102:8102 jifadocker/jifa-worker:demo

Using the top menu, you can upload the heap dump file obtained earlier to Eclipse Jifa, and allow it to analyze the data. It might look something like this:

Happy Troubleshooting!

Need Help?

If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.

So…

It’s important that you start off simple and make changes one step at a time. Once you have a functional environment, you can gradually and slowly add customizations to move files around.

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.

Misagh Moayyed