Load testing is an important part of ensuring that the CAS server deployment is ready for prime-time production use, especially when deployed in a cluster and configured to be highly available. In this tutorial, I plan to go over the basic aspects of running a stress test using Apache JMeter against a CAS server that is acting as an OpenID Connect Provider.
Our starting position is based on the following:
6.6.0
5.4.3
as of this writing)First, let’s begin by preparing our CAS deployment to act as an OpenID Connect provider by including the correct extension module:
implementation "org.apereo.cas:cas-server-support-oidc"
Then, we teach CAS about specific aspects of the authorization server functionality:
cas.authn.oidc.core.issuer=https://sso.example.org/cas/oidc
cas.authn.oidc.jwks.file-system.jwks-file=file:///etc/cas/config/keystore.jwks
That should be all. Now, you can proceed to register your client web application with CAS that will take part in the load tests:
{
"@class": "org.apereo.cas.services.OidcRegisteredService",
"clientId": "client",
"clientSecret": "secret",
"serviceId": "^https://.*",
"name": "OIDC",
"bypassApprovalPrompt": true,
"generateRefreshToken": "true",
"supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ],
"supportedGrantTypes": [ "java.util.HashSet", [ "authorization_code" ] ],
"id": 1,
"scopes" : [ "java.util.HashSet", [ "profile", "openid", "email" ] ]
}
It’s important to set bypassApprovalPrompt
to true
to allow Apache JMeter to bypass the consent screen.
serviceId
attribute to make this process easier for this tutorial. In reality, the application policy you use MUST be a lot more strict in terms of what it can authorize.So far, so good. Let’s start testing.
Apache JMeter is a Java-based performance testing tool that is open source and designed to load test functional behavior and measure performance. CAS presents ready-made test scripts for Apache JMeter, and as it stands, the CAS_OIDC.jmx
can be used to test the server acting as an OpenID Connect provider. If you open this script in your Apache JMeter, it will look something like this:
Take note of the user-defined variables and modify accordingly.
Then, review the test execution plan, which executes the following sequence:
code
casuser
and Mellon
.code
code
for an access token, an id token, and a refresh token.Now, if you run the test you can examine the results in an aggregated form:
So in the span of 30
seconds and using 2
threads, this CAS server was able to handle approx. 16
requests per second. That’s not too impressive for a beginner’s tutorial, I admit, and I am sure your results would be much more satisfying.
Note that it is highly recommended that the GUI be used for troubleshooting the scripts to work within your environment. Then, when you start load testing, you do that via the command line:
apache-jmeter/bin/jmeter -n -t "CAS_OIDC.jmx"
A heap dump is a snapshot of JVM memory. Typically it would be a large binary file that is roughly the same size as the heap of the application at the moment it is taken. One way to obtain a heap dump is by using the heapdump
Spring Boot actuator endpoint. So you could do a curl or simply open in a browser the URL https://sso.example.org/cas/actuator/heapdump
, which will download the heap dump file.
To get to this endpoint, you must first expose and enable the actuator endpoint:
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
management.endpoints.web.exposure.include=heapdump
management.endpoints.enabled-by-default=true
Once you have the heap dump, you can use Eclipe Jifa to analyze the heap dump. Eclipse Jifa (Java Issue Finder Assistant) is an open-source project for troubleshooting Java applications and it provides a scalable, web-based solution to prevent local memory and resource challenges. Heap Dump Analysis and GC Log Analysis are supported with features such as target heap overview, leak suspects, thread information, and GC root analysis.
You can use the following Docker image may be used to quickly run Eclipse Jifa:
docker run -p 8102:8102 jifadocker/jifa-worker:demo
Using the top menu, you can upload the heap dump file obtained earlier to Eclipse Jifa, and allow it to analyze the data. It might look something like this:
Happy Troubleshooting!
If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.
It’s important that you start off simple and make changes one step at a time. Once you have a functional environment, you can gradually and slowly add customizations to move files around.
I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.
Monday-Friday
9am-6pm, Central European Time
7am-1pm, U.S. Eastern Time
Monday-Friday
9am-6pm, Central European Time