Why select inputs by `autocomplete` instead of `name` or `id`?

QA Shop's auth form ships with a honeypot naming inversion: the real email and password inputs render with randomized `name` attributes (drawn from a per-form list like `harbor`, `lantern`), while aria-hidden decoy inputs carry the predictable semantic names (`name="email"`, `name="password"`) and the testids that bots scan for. Submitting any decoy blocks the IP. The `autocomplete` attribute (`email`, `current-password`, `new-password`) is intentionally preserved unchanged so password managers, screen readers, and tests keep working — it is the only stable, public selector hook on these inputs. Reaching for `name="email"` is exactly the bot pattern the honeypot is designed to catch.

Why do I need WebDriverManager?

WebDriverManager auto-resolves the matching ChromeDriver binary for the locally installed Chrome version, eliminating the most common Selenium setup-failure: driver/browser version drift. Without it you manage driver downloads by hand and reinstall them every Chrome auto-update. Selenium 4.6+ also ships with Selenium Manager, which does the same job natively — WebDriverManager just predates it and is still the most idiomatic dependency in the Java ecosystem. Either is fine; pick one and stick with it.

Why XPath for the submit button?

Java's CSS support in Selenium is strong, but no `:contains()` text matcher exists in the CSS spec. The `translate(., 'LOGIN', 'login')` trick is the standard way to do case-insensitive text matching in XPath 1.0 (which Selenium uses) — it lower-cases the node text by mapping every uppercase letter to its lowercase counterpart, then `contains` matches the lower-cased needle. Anchoring the locator on the rendered button text (`Log in`) is preferable to a brittle CSS class because the visible label is part of the published UI contract, while CSS classes are an implementation detail that visual refactors break.

Doesn't QA Shop use Cloudflare Turnstile? Will headless CI choke on the captcha?

No. QA Shop scopes Turnstile to **principal-account register and forgot-password only** — it does NOT fire on /auth/login or on automation-account register. The submit button on the login form is enabled on render, so a plain `findElement(...).click()` works without `ExpectedConditions.elementToBeClickable`. Login is still defended by rate-limit + the honeypot naming inversion (decoy submit blocks the IP) + the IP block-list + the abuse-block check in proxy.ts.

Log in to QA Shop with Selenium 4 + Java

This recipe is the smallest end-to-end Selenium test that signs a seeded customer into QA Shop in Java.

It walks the public login surface — load the page, fill credentials with the autocomplete-attribute selectors that survive QA Shop's honeypot defense, click submit, and assert the authenticated-only header menu. Run it with JUnit 5 in about eight seconds.

It is the canonical first Java-on-Selenium test to write whenever you need to drive a real session into your suite, and it is the foundation that every authenticated QA Shop recipe (checkout, account settings, order history) builds on top of.

§ 01 · PREREQUISITES

Prerequisites

You need a JDK 17+ project with selenium-java, junit-jupiter, and webdrivermanager on the classpath, plus a Chrome browser available locally and a seeded customer to log in as.

selenium-java + junit-jupiter + webdrivermanagerMaven or Gradle dependencies

On Maven, add org.seleniumhq.selenium:selenium-java:4.43.0, org.junit.jupiter:junit-jupiter:5.10.2, and io.github.bonigarcia:webdrivermanager:5.9.2. Selenium 4.6+ also ships Selenium Manager natively, which auto-resolves drivers — WebDriverManager is the more idiomatic Java choice and is what this recipe uses.

RECIPE_BASE_URLenv var pointing at QA Shop

Set to http://localhost:3002 for a local checkout, or https://automationtestingplatform.com for the hosted demo. The script reads it with a sensible default.

RECIPE_AUTH_EMAIL / RECIPE_AUTH_PASSWORDenv vars for the seeded customer

The seeded recipe-verifier@automationtestingplatform.com account ships with the QA Shop database. Locally it is provisioned by supabase/seed.sql; in CI both values live in GitHub repo secrets. The script throws fast if either is missing rather than silently passing.

A running QA Shop on the base URLdev server or hosted demo

The recipe assumes the server is already up. The test does not start it for you.

§ 02 · THE SCRIPT

The script

Save this file as src/test/java/LoginTest.java and run it with mvn test -Dtest=LoginTest (or the Gradle equivalent).

// title="LoginTest.java"
import io.github.bonigarcia.wdm.WebDriverManager;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.support.ui.ExpectedConditions;
import org.openqa.selenium.support.ui.WebDriverWait;
 
import java.time.Duration;
 
import static org.junit.jupiter.api.Assertions.assertTrue;
 
public class LoginTest {
    private WebDriver driver;
    private static final String BASE_URL =
        System.getenv().getOrDefault("RECIPE_BASE_URL", "http://localhost:3002");
 
    @BeforeEach
    void setUp() {
        WebDriverManager.chromedriver().setup();
        driver = new ChromeDriver();
    }
 
    @AfterEach
    void tearDown() {
        if (driver != null) driver.quit();
    }
 
    @Test
    void seededCustomerCanSignIn() {
        String email = System.getenv("RECIPE_AUTH_EMAIL");
        String password = System.getenv("RECIPE_AUTH_PASSWORD");
        if (email == null || password == null) {
            throw new IllegalStateException(
                "RECIPE_AUTH_EMAIL and RECIPE_AUTH_PASSWORD must be set."
            );
        }
 
        driver.get(BASE_URL + "/auth/login");
        WebDriverWait wait = new WebDriverWait(driver, Duration.ofSeconds(30));
 
        WebElement emailInput = wait.until(ExpectedConditions
            .visibilityOfElementLocated(By.cssSelector("input[autocomplete='email']")));
        emailInput.sendKeys(email);
 
        driver.findElement(By.cssSelector("input[autocomplete='current-password']"))
            .sendKeys(password);
 
        // Turnstile is not on /auth/login (scoped to principal register +
        // forgot-password only), so the button is enabled on render.
        WebElement submitBtn = driver.findElement(
            By.xpath("//button[contains(translate(., 'LOGIN', 'login'), 'log in')]")
        );
        submitBtn.click();
 
        WebElement userMenu = wait.until(ExpectedConditions
            .visibilityOfElementLocated(By.cssSelector("[data-testid='header-user-menu']")));
        assertTrue(userMenu.isDisplayed());
    }
}

Three details are worth calling out.

The driver is constructed with WebDriverManager.chromedriver().setup() followed by new ChromeDriver(). WebDriverManager downloads the matching driver binary on first run and caches it — no manual driver management, no version-drift errors. For headless CI you would pass ChromeOptions with --headless=new, but for the smallest possible recipe we stay headed so you can watch the flow on first run.

The credential locators are By.cssSelector("input[autocomplete='email']") and By.cssSelector("input[autocomplete='current-password']"). QA Shop's auth form randomizes the real input name attributes per render as a honeypot defense — name="email" belongs to a hidden decoy input that, if submitted, blocks your IP. The autocomplete attribute is preserved unchanged across renders so password managers and screen readers keep working, and that is the contract we lean on here.

The submit click runs immediately after findElement(...) — no elementToBeClickable wait. QA Shop scopes Cloudflare Turnstile to principal-account register + forgot-password only, so /auth/login renders with an enabled submit button. The XPath //button[contains(translate(., 'LOGIN', 'login'), 'log in')] is the standard XPath 1.0 trick for case-insensitive text match — anchoring on the rendered button label (Log in) is more durable than a brittle CSS class.

§ 03 · FAQ

FAQ

Common questions when running this recipe or adapting it.

Run headless on CIChromeOptions --headless=new

Construct ChromeOptions opts = new ChromeOptions(); opts.addArguments("--headless=new", "--no-sandbox", "--disable-dev-shm-usage"); and pass new ChromeDriver(opts). The QA Shop CI harness does the same in TypeScript — see tests/recipes/selenium/setup.ts.

Bump the wait timeoutfor slow networks or constrained CI

The 30-second WebDriverWait is sized for slow CI runners and the post-login redirect on a cold cache. Drop it to Duration.ofSeconds(10) for a local dev run, or raise it past 30 if you are running against a constrained CI box.

Switch to a different seeded customerpin RECIPE_AUTH_*

The recipe-verifier@automationtestingplatform.com customer is the canonical fixture for these recipes, but any seeded account with a known password works. Override RECIPE_AUTH_EMAIL and RECIPE_AUTH_PASSWORD at run time and the rest of the script keeps working.

For the same flow in Playwright (TypeScript), see the Playwright login recipe. For the broader Playwright vs Selenium vs Cypress picture, see the QA Shop testing guide.

The Python and TypeScript Selenium login counterparts are coming soon — placeholder slugs are /recipes/selenium/python-login and /recipes/selenium/typescript-login.

Frequently asked questions

Last verified: May 3, 2026

// title="LoginTest.java" import io.github.bonigarcia.wdm.WebDriverManager; import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; import org.openqa.selenium.By; import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebElement; import org.openqa.selenium.chrome.ChromeDriver; import org.openqa.selenium.support.ui.ExpectedConditions; import org.openqa.selenium.support.ui.WebDriverWait; import java.time.Duration; import static org.junit.jupiter.api.Assertions.assertTrue; public class LoginTest { private WebDriver driver; private static final String BASE_URL = System.getenv().getOrDefault("RECIPE_BASE_URL", "http://localhost:3002"); @BeforeEach void setUp() { WebDriverManager.chromedriver().setup(); driver = new ChromeDriver(); } @AfterEach void tearDown() { if (driver != null) driver.quit(); } @Test void seededCustomerCanSignIn() { String email = System.getenv("RECIPE_AUTH_EMAIL"); String password = System.getenv("RECIPE_AUTH_PASSWORD"); if (email == null || password == null) { throw new IllegalStateException( "RECIPE_AUTH_EMAIL and RECIPE_AUTH_PASSWORD must be set." ); } driver.get(BASE_URL + "/auth/login"); WebDriverWait wait = new WebDriverWait(driver, Duration.ofSeconds(30)); WebElement emailInput = wait.until(ExpectedConditions .visibilityOfElementLocated(By.cssSelector("input[autocomplete='email']"))); emailInput.sendKeys(email); driver.findElement(By.cssSelector("input[autocomplete='current-password']")) .sendKeys(password); // Turnstile is not on /auth/login (scoped to principal register + // forgot-password only), so the button is enabled on render. WebElement submitBtn = driver.findElement( By.xpath("//button[contains(translate(., 'LOGIN', 'login'), 'log in')]") ); submitBtn.click(); WebElement userMenu = wait.until(ExpectedConditions .visibilityOfElementLocated(By.cssSelector("[data-testid='header-user-menu']"))); assertTrue(userMenu.isDisplayed()); } }

For the same flow in Playwright (TypeScript), see the Playwright login recipe. For the broader Playwright vs Selenium vs Cypress picture, see the QA Shop testing guide.

The Python and TypeScript Selenium login counterparts are coming soon — placeholder slugs are /recipes/selenium/python-login and /recipes/selenium/typescript-login.

Frequently asked questions

Last verified: May 3, 2026

Log in to QA Shop with Selenium 4 + Java

Prerequisites

The script

FAQ

Related

Frequently asked questions

Log in to QA Shop with Selenium 4 + Java

Prerequisites

The script

FAQ

Related

Frequently asked questions