From 02560a2510b58c66f4dee09b5624a383001a2a7f Mon Sep 17 00:00:00 2001 
From: "rogan.dawes" Date: Wed, 11 Jul 2007 10:38:55 +0000 Subject: [PATCH] Move LessonAction and DefaultLessonAction to the GoatHillsFinancial package, since it is only ever used there Also update the signature of DefaultLessonAction's constructor to take a GoatHillsFinancial, rather than an AbstractLesson git-svn-id: http://webgoat.googlecode.com/svn/trunk@156 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../lessons/CrossSiteScripting/CrossSiteScripting.java | 2 +- .../webgoat/lessons/CrossSiteScripting/EditProfile.java | 6 +++--- .../webgoat/lessons/CrossSiteScripting/FindProfile.java | 8 ++++---- .../webgoat/lessons/CrossSiteScripting/UpdateProfile.java | 8 ++++---- .../webgoat/lessons/CrossSiteScripting/ViewProfile.java | 6 +++--- .../{ => GoatHillsFinancial}/DefaultLessonAction.java | 7 ++++--- .../webgoat/lessons/GoatHillsFinancial/DeleteProfile.java | 5 +---- .../webgoat/lessons/GoatHillsFinancial/EditProfile.java | 4 +--- .../webgoat/lessons/GoatHillsFinancial/FindProfile.java | 5 +---- .../lessons/GoatHillsFinancial/GoatHillsFinancial.java | 1 - .../lessons/{ => GoatHillsFinancial}/LessonAction.java | 2 +- .../webgoat/lessons/GoatHillsFinancial/ListStaff.java | 4 +--- .../owasp/webgoat/lessons/GoatHillsFinancial/Login.java | 5 +---- .../owasp/webgoat/lessons/GoatHillsFinancial/Logout.java | 5 +---- .../webgoat/lessons/GoatHillsFinancial/SearchStaff.java | 4 +--- .../webgoat/lessons/GoatHillsFinancial/UpdateProfile.java | 5 +---- .../webgoat/lessons/GoatHillsFinancial/ViewProfile.java | 4 +--- .../lessons/RoleBasedAccessControl/DeleteProfile.java | 8 ++++---- .../lessons/RoleBasedAccessControl/EditProfile.java | 6 +++--- .../RoleBasedAccessControl/RoleBasedAccessControl.java | 4 ++-- .../lessons/RoleBasedAccessControl/UpdateProfile.java | 8 ++++---- .../lessons/RoleBasedAccessControl/ViewProfile.java | 6 +++--- .../org/owasp/webgoat/lessons/SQLInjection/ListStaff.java | 6 +++--- .../org/owasp/webgoat/lessons/SQLInjection/Login.java | 8 ++++---- 
.../owasp/webgoat/lessons/SQLInjection/SQLInjection.java | 2 +- .../owasp/webgoat/lessons/SQLInjection/ViewProfile.java | 6 +++--- .../instructor/CrossSiteScripting/FindProfile_i.java | 6 +++--- .../instructor/CrossSiteScripting/UpdateProfile_i.java | 6 +++--- .../instructor/CrossSiteScripting/ViewProfile_i.java | 4 ++-- .../RoleBasedAccessControl/DeleteProfile_i.java | 6 +++--- .../instructor/RoleBasedAccessControl/EditProfile_i.java | 4 ++-- .../RoleBasedAccessControl/RoleBasedAccessControl_i.java | 2 +- .../RoleBasedAccessControl/UpdateProfile_i.java | 6 +++--- .../instructor/RoleBasedAccessControl/ViewProfile_i.java | 4 ++-- .../webgoat/lessons/instructor/SQLInjection/Login_i.java | 6 +++--- .../lessons/instructor/SQLInjection/ViewProfile_i.java | 4 ++-- 36 files changed, 80 insertions(+), 103 deletions(-) rename webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/{ => GoatHillsFinancial}/DefaultLessonAction.java (93%) rename webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/{ => GoatHillsFinancial}/LessonAction.java (91%) diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java index 4311beaec..c88cae48e 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/CrossSiteScripting.java 
@@ -5,9 +5,9 @@ import java.util.List; import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.Category; -import org.owasp.webgoat.lessons.LessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff; import org.owasp.webgoat.lessons.GoatHillsFinancial.Login; import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout; diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java index 1d3db590f..605fa82dc 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/EditProfile.java @@ -4,8 +4,8 @@ import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -44,7 +44,7 @@ import org.owasp.webgoat.session.WebSession; public class EditProfile extends DefaultLessonAction { - public EditProfile(AbstractLesson lesson, String lessonName, + public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java index 9a2d00b85..97b1a22e2 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/FindProfile.java @@ -8,9 +8,9 @@ import java.util.Map; import java.util.regex.Matcher; import java.util.regex.Pattern; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -53,7 +53,7 @@ public class FindProfile extends DefaultLessonAction private LessonAction chainedAction; - public FindProfile(AbstractLesson lesson, String lessonName, + public FindProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java index 8d704bbbc..d04699b09 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/UpdateProfile.java 
@@ -8,9 +8,9 @@ import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.ParameterParser; @@ -54,7 +54,7 @@ public class UpdateProfile extends DefaultLessonAction private LessonAction chainedAction; - public UpdateProfile(AbstractLesson lesson, String lessonName, + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java index 5cfc8e838..d9d75f36c 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CrossSiteScripting/ViewProfile.java @@ -4,8 +4,8 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; 
@@ -45,7 +45,7 @@ import org.owasp.webgoat.session.WebSession; public class ViewProfile extends DefaultLessonAction { - public ViewProfile(AbstractLesson lesson, String lessonName, + public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java similarity index 93% rename from webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java rename to webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java index 9bf70ce8a..1fc226e71 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DefaultLessonAction.java @@ -1,10 +1,11 @@ -package org.owasp.webgoat.lessons; +package org.owasp.webgoat.lessons.GoatHillsFinancial; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; +import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -46,9 +47,9 @@ public abstract class DefaultLessonAction implements LessonAction private String lessonName; private String actionName; - private AbstractLesson lesson; + private GoatHillsFinancial lesson; - public DefaultLessonAction(AbstractLesson lesson, String lessonName, String actionName) + public DefaultLessonAction(GoatHillsFinancial lesson, String lessonName, String actionName) { this.lesson = lesson; this.lessonName = lessonName; 
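Review bot: DefaultLessonAction still imports org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl on the new side (the context line right after the added AbstractLesson import), so moving it into the GoatHillsFinancial package leaves a package cycle: RoleBasedAccessControl.java in this same patch imports GoatHillsFinancial.DefaultLessonAction, GoatHillsFinancial.GoatHillsFinancial and GoatHillsFinancial.LessonAction. Whatever the base action needs from RoleBasedAccessControl (the use is outside the hunk, so presumably a constant or a check) would sit better in GoatHillsFinancial or DefaultLessonAction itself, so the shared package does not depend on one of its consumers. Separately, with the field now declared `private GoatHillsFinancial lesson;` the newly added `import org.owasp.webgoat.lessons.AbstractLesson;` looks unused unless another reference to AbstractLesson survives in the 93%-similar remainder of the file; if none does, drop the import. If an accessor returning AbstractLesson exists outside the hunk, consider narrowing its return type to GoatHillsFinancial to match the field.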
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java index 5b699eb6e..67e8a8a2e 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/DeleteProfile.java @@ -4,9 +4,6 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; @@ -47,7 +44,7 @@ public class DeleteProfile extends DefaultLessonAction private LessonAction chainedAction; - public DeleteProfile(AbstractLesson lesson, String lessonName, + public DeleteProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java index 4aeebaf3c..287799439 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/EditProfile.java 
@@ -4,8 +4,6 @@ import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -44,7 +42,7 @@ import org.owasp.webgoat.session.WebSession; public class EditProfile extends DefaultLessonAction { - public EditProfile(AbstractLesson lesson, String lessonName, + public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java index ddd3e50df..8e8ef5925 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/FindProfile.java @@ -4,9 +4,6 @@ import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -49,7 +46,7 @@ public class FindProfile extends DefaultLessonAction private LessonAction chainedAction; - public FindProfile(AbstractLesson lesson, String lessonName, + public FindProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java index f5797bb53..d04b28994 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java @@ -9,7 +9,6 @@ import org.apache.ecs.Element; import org.apache.ecs.ElementContainer; import org.apache.ecs.html.A; import org.apache.ecs.html.IMG; -import org.owasp.webgoat.lessons.LessonAction; import org.owasp.webgoat.lessons.LessonAdapter; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAction.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/LessonAction.java similarity index 91% rename from webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAction.java rename to webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/LessonAction.java index 7b43de61c..8bcf4baa8 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAction.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/LessonAction.java @@ -1,4 +1,4 @@ -package org.owasp.webgoat.lessons; +package org.owasp.webgoat.lessons.GoatHillsFinancial; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java index 7434d5ae6..efee3ef10 100755 
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ListStaff.java @@ -6,8 +6,6 @@ import java.sql.Statement; import java.util.List; import java.util.Vector; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; import org.owasp.webgoat.session.EmployeeStub; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -46,7 +44,7 @@ import org.owasp.webgoat.session.WebSession; public class ListStaff extends DefaultLessonAction { - public ListStaff(AbstractLesson lesson, String lessonName, String actionName) + public ListStaff(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java index 8d9f87235..d2ef4508d 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Login.java @@ -6,9 +6,6 @@ import java.sql.Statement; import java.util.List; import java.util.Vector; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; import org.owasp.webgoat.session.EmployeeStub; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; 
@@ -51,7 +48,7 @@ public class Login extends DefaultLessonAction private LessonAction chainedAction; - public Login(AbstractLesson lesson, String lessonName, String actionName, + public Login(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java index 1f2b2a05e..c02c3cef6 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/Logout.java @@ -1,8 +1,5 @@ package org.owasp.webgoat.lessons.GoatHillsFinancial; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; @@ -44,7 +41,7 @@ public class Logout extends DefaultLessonAction private LessonAction chainedAction; - public Logout(AbstractLesson lesson, String lessonName, String actionName, + public Logout(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java index 91307d3f9..7113b4c76 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/SearchStaff.java 
@@ -1,7 +1,5 @@ package org.owasp.webgoat.lessons.GoatHillsFinancial; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; import org.owasp.webgoat.session.WebSession; /******************************************************************************* @@ -36,7 +34,7 @@ import org.owasp.webgoat.session.WebSession; public class SearchStaff extends DefaultLessonAction { - public SearchStaff(AbstractLesson lesson, String lessonName, + public SearchStaff(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java index f93a231ea..81d3211a2 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/UpdateProfile.java @@ -4,9 +4,6 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -48,7 +45,7 @@ public class UpdateProfile extends DefaultLessonAction private LessonAction chainedAction; - public UpdateProfile(AbstractLesson lesson, String lessonName, + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java index 260a4f48d..baae6aa7a 100755 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/ViewProfile.java @@ -4,8 +4,6 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -44,7 +42,7 @@ import org.owasp.webgoat.session.WebSession; public class ViewProfile extends DefaultLessonAction { - public ViewProfile(AbstractLesson lesson, String lessonName, + public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java index acb21c77b..bc4d84e31 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java 
@@ -4,9 +4,9 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; @@ -48,7 +48,7 @@ public class DeleteProfile extends DefaultLessonAction private LessonAction chainedAction; - public DeleteProfile(AbstractLesson lesson, String lessonName, + public DeleteProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java index 9a17c5b89..544e1786f 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/EditProfile.java @@ -4,8 +4,8 @@ import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; 
@@ -44,7 +44,7 @@ import org.owasp.webgoat.session.WebSession; public class EditProfile extends DefaultLessonAction { - public EditProfile(AbstractLesson lesson, String lessonName, + public EditProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java index a420cc97d..6d4ceb470 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java @@ -5,10 +5,10 @@ import java.util.List; import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.Category; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff; import org.owasp.webgoat.lessons.GoatHillsFinancial.Login; import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout; diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java index eb1270725..13acaa552 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/UpdateProfile.java 
@@ -4,9 +4,9 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -49,7 +49,7 @@ public class UpdateProfile extends DefaultLessonAction private LessonAction chainedAction; - public UpdateProfile(AbstractLesson lesson, String lessonName, + public UpdateProfile(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java index 84147a20e..384e75b4e 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ViewProfile.java @@ -4,8 +4,8 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.Employee; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; 
@@ -44,7 +44,7 @@ import org.owasp.webgoat.session.WebSession; public class ViewProfile extends DefaultLessonAction { - public ViewProfile(AbstractLesson lesson, String lessonName, + public ViewProfile(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java index 7ad45ff23..c66b050e1 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ListStaff.java @@ -6,8 +6,8 @@ import java.sql.Statement; import java.util.List; import java.util.Vector; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.session.EmployeeStub; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -46,7 +46,7 @@ import org.owasp.webgoat.session.WebSession; public class ListStaff extends DefaultLessonAction { - public ListStaff(AbstractLesson lesson, String lessonName, String actionName) + public ListStaff(GoatHillsFinancial lesson, String lessonName, String actionName) { super(lesson, lessonName, actionName); } diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java index 95253a6a9..cfb172bce 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java 
@@ -6,9 +6,9 @@ import java.sql.Statement; import java.util.List; import java.util.Vector; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; +import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; +import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.session.EmployeeStub; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; @@ -51,7 +51,7 @@ public class Login extends DefaultLessonAction private LessonAction chainedAction; - public Login(AbstractLesson lesson, String lessonName, String actionName, + public Login(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction) { super(lesson, lessonName, actionName); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java index 1b77a9800..193fe1219 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/SQLInjection.java 
@@ -4,11 +4,11 @@ import java.util.ArrayList;
 import java.util.List;
 import org.apache.ecs.ElementContainer;
 import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.LessonAction;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.DeleteProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.EditProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.UpdateProfile;
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
index 11dd7e241..316b8c363 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
@@ -4,8 +4,8 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.DefaultLessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
@@ -44,7 +44,7 @@ import org.owasp.webgoat.session.WebSession;
 public class ViewProfile extends DefaultLessonAction
 {
- public ViewProfile(AbstractLesson lesson, String lessonName,
+ public ViewProfile(GoatHillsFinancial lesson, String lessonName,
 String actionName)
 {
 super(lesson, lessonName, actionName);
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java
index 3d2c04768..55f43c14a 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/FindProfile_i.java
@@ -3,9 +3,9 @@ package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
 import java.util.regex.Pattern;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.LessonAction;
 import org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.ValidationException;
 import org.owasp.webgoat.session.WebSession;
@@ -31,7 +31,7 @@ Solution Steps:
 public class FindProfile_i extends FindProfile
 {
- public FindProfile_i(AbstractLesson lesson, String lessonName, String actionName, LessonAction chainedAction)
+ public FindProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
 {
 super(lesson, lessonName, actionName, chainedAction);
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java
index b36434dcc..77121e169 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/UpdateProfile_i.java
@@ -4,10 +4,10 @@ import java.util.regex.Pattern;
 import javax.servlet.http.HttpServletRequest;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.LessonAction;
 import org.owasp.webgoat.lessons.CrossSiteScripting.CrossSiteScripting;
 import org.owasp.webgoat.lessons.CrossSiteScripting.UpdateProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.ParameterParser;
@@ -41,7 +41,7 @@ Solution Steps:
 public class UpdateProfile_i extends UpdateProfile
 {
- public UpdateProfile_i(AbstractLesson lesson, String lessonName, String actionName, LessonAction chainedAction)
+ public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
 {
 super(lesson, lessonName, actionName, chainedAction);
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java
index 7fcf7334c..1f3a727ee 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/CrossSiteScripting/ViewProfile_i.java
@@ -1,7 +1,7 @@
 package org.owasp.webgoat.lessons.instructor.CrossSiteScripting;
-import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.CrossSiteScripting.ViewProfile;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 /* STAGE 4 FIXES Solution Summary: Look in the WebContent/lesson/CrossSiteScripting/ViewProfile.jsp
@@ -12,7 +12,7 @@ Look for the <-- STAGE 4 - FIX in the ViewProfile.jsp
 public class ViewProfile_i extends ViewProfile
 {
- public ViewProfile_i(AbstractLesson lesson, String lessonName, String actionName)
+ public ViewProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName)
 {
 super(lesson, lessonName, actionName);
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/DeleteProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/DeleteProfile_i.java
index 9c0b8043e..f0ea850ca 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/DeleteProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/DeleteProfile_i.java
@@ -4,8 +4,8 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.LessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.DeleteProfile;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -15,7 +15,7 @@ public class DeleteProfile_i extends DeleteProfile {
- public DeleteProfile_i(AbstractLesson lesson, String lessonName, String actionName, LessonAction chainedAction)
+ public DeleteProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
 {
 super(lesson, lessonName, actionName, chainedAction);
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java
index 1e7420e8a..30920b903 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/EditProfile_i.java
@@ -4,7 +4,7 @@ import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
 import org.owasp.webgoat.session.Employee;
@@ -27,7 +27,7 @@ import org.owasp.webgoat.session.WebSession;
 public class EditProfile_i extends EditProfile
 {
- public EditProfile_i(AbstractLesson lesson, String lessonName, String actionName)
+ public EditProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName)
 {
 super(lesson, lessonName, actionName);
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java
index 011453444..d99937e30 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/RoleBasedAccessControl_i.java
@@ -1 +1 @@
-package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl; import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.DefaultLessonAction; import org.owasp.webgoat.lessons.LessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; /** * Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute * this software. * */ /* STAGE 2 FIXES Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest(). Modify handleRequest() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. This solution adds an access control check in the controller. Point out that their architecture may require the check to occur in the business function. 2. Look at the RoleBasedAccessControl class identify where execution happens of an action. a. action.handleRequest(s); is not protected by an access control check. b. look at handleRequest(s) to determine where access control check should occur. c. add protection by a programmatic authorization check before dispatching to the action: 1. Add an isAuthorized() call before dispatching to the action, and throw an unauthorized exception. Tell student this exception exists. Use eclipse command completion to find the isAuthorized() call on the action. 
From command completion - determine calling arguments of isAuthorized() int userId = action.getUserId(s); if (action.isAuthorized(s, userId, action.getActionName())) { action.handleRequest(s); } else throw new UnauthorizedException(); Repeat stage 1 and note that the function fails with a "Not authorized" message. Tom will be in the list again, because the DB is reset when lesson restarts. Adding the access check in the RoleBasedAccessControl:handleRequest() is putting the check in the “Controller” The access check can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the “Business Function” */ public class RoleBasedAccessControl_i extends RoleBasedAccessControl { public void handleRequest(WebSession s) { //System.out.println("RoleBasedAccessControl.handleRequest()"); if (s.getLessonSession(this) == null) s.openLessonSession(this); String requestedActionName = null; try { requestedActionName = s.getParser().getStringParameter("action"); } catch (ParameterNotFoundException pnfe) { // Missing the action - send them back to login. requestedActionName = LOGIN_ACTION; } try { LessonAction action = getAction(requestedActionName); if (action != null) { // FIXME: This code has gotten much uglier //System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + action.getActionName()); if (!action.requiresAuthentication()) { // Access to Login does not require authentication. 
action.handleRequest(s); } else { if (action.isAuthenticated(s)) { int userId = action.getUserId(s); // STAGE 2 - FIX // action.getActionName() returns the user requested function which // is tied to the button click from the listStaff jsp // // Checking isAuthorized() for the requested action if (action.isAuthorized(s, userId, action.getActionName())) // STAGE 2 - FIX { // Calling the handleRequest() method for the requested action action.handleRequest(s); } else throw new UnauthorizedException(); // STAGE 2 - FIX } else throw new UnauthenticatedException(); } } else setCurrentAction(s, ERROR_ACTION); } catch (ParameterNotFoundException pnfe) { System.out.println("Missing parameter"); pnfe.printStackTrace(); setCurrentAction(s, ERROR_ACTION); } catch (ValidationException ve) { System.out.println("Validation failed"); ve.printStackTrace(); setCurrentAction(s, ERROR_ACTION); } catch (UnauthenticatedException ue) { s.setMessage("Login failed"); System.out.println("Authentication failure"); ue.printStackTrace(); } catch (UnauthorizedException ue2) { // Update lesson status if necessary. if (getStage(s) == 2) { try { if (GoatHillsFinancial.DELETEPROFILE_ACTION.equals(requestedActionName) && !isAuthorized(s, getUserId(s), GoatHillsFinancial.DELETEPROFILE_ACTION)) { s.setMessage( "Welcome to stage 3 -- exploiting the data layer" ); setStage(s, 3); } } catch (ParameterNotFoundException pnfe) { pnfe.printStackTrace(); } } //System.out.println("isAuthorized() exit stage: " + getStage(s)); // Update lesson status if necessary. if (getStage(s) == 4) { try { //System.out.println("Checking for stage 4 completion"); DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s)); int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "." 
+ GoatHillsFinancial.USER_ID)); int employeeId = s.getParser().getIntParameter( GoatHillsFinancial.EMPLOYEE_ID); if (!action.isAuthorizedForEmployee(s, userId, employeeId)) { s.setMessage("Congratulations. You have successfully completed this lesson."); getLessonTracker( s ).setCompleted( true ); } } catch (Exception e) { // swallow this - shouldn't happen inthe normal course // e.printStackTrace(); } } s.setMessage("You are not authorized to perform this function"); System.out.println("Authorization failure"); setCurrentAction(s, ERROR_ACTION); ue2.printStackTrace(); } // All this does for this lesson is ensure that a non-null content exists. setContent(new ElementContainer()); } }
\ No newline at end of file
+package org.owasp.webgoat.lessons.instructor.RoleBasedAccessControl; import org.apache.ecs.ElementContainer; import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction; import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction; import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl; import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.UnauthenticatedException; import org.owasp.webgoat.session.UnauthorizedException; import org.owasp.webgoat.session.ValidationException; import org.owasp.webgoat.session.WebSession; /** * Copyright (c) 2006 Free Software Foundation developed under the custody of the Open Web * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute * this software. * */ /* STAGE 2 FIXES Solution Summary: Edit RoleBasedAccessControl.java and change handleRequest(). Modify handleRequest() with lines denoted by // STAGE 2 - FIX. Solution Steps: 1. This solution adds an access control check in the controller. 
Point out that their architecture may require the check to occur in the business function. 2. Look at the RoleBasedAccessControl class identify where execution happens of an action. a. action.handleRequest(s); is not protected by an access control check. b. look at handleRequest(s) to determine where access control check should occur. c. add protection by a programmatic authorization check before dispatching to the action: 1. Add an isAuthorized() call before dispatching to the action, and throw an unauthorized exception. Tell student this exception exists. Use eclipse command completion to find the isAuthorized() call on the action. From command completion - determine calling arguments of isAuthorized() int userId = action.getUserId(s); if (action.isAuthorized(s, userId, action.getActionName())) { action.handleRequest(s); } else throw new UnauthorizedException(); Repeat stage 1 and note that the function fails with a "Not authorized" message. Tom will be in the list again, because the DB is reset when lesson restarts. Adding the access check in the RoleBasedAccessControl:handleRequest() is putting the check in the “Controller” The access check can also be added to DeleteProfile.deleteEmployeeProfile(), which is putting the check in the “Business Function” */ public class RoleBasedAccessControl_i extends RoleBasedAccessControl { public void handleRequest(WebSession s) { //System.out.println("RoleBasedAccessControl.handleRequest()"); if (s.getLessonSession(this) == null) s.openLessonSession(this); String requestedActionName = null; try { requestedActionName = s.getParser().getStringParameter("action"); } catch (ParameterNotFoundException pnfe) { // Missing the action - send them back to login. 
requestedActionName = LOGIN_ACTION; } try { LessonAction action = getAction(requestedActionName); if (action != null) { // FIXME: This code has gotten much uglier //System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + action.getActionName()); if (!action.requiresAuthentication()) { // Access to Login does not require authentication. action.handleRequest(s); } else { if (action.isAuthenticated(s)) { int userId = action.getUserId(s); // STAGE 2 - FIX // action.getActionName() returns the user requested function which // is tied to the button click from the listStaff jsp // // Checking isAuthorized() for the requested action if (action.isAuthorized(s, userId, action.getActionName())) // STAGE 2 - FIX { // Calling the handleRequest() method for the requested action action.handleRequest(s); } else throw new UnauthorizedException(); // STAGE 2 - FIX } else throw new UnauthenticatedException(); } } else setCurrentAction(s, ERROR_ACTION); } catch (ParameterNotFoundException pnfe) { System.out.println("Missing parameter"); pnfe.printStackTrace(); setCurrentAction(s, ERROR_ACTION); } catch (ValidationException ve) { System.out.println("Validation failed"); ve.printStackTrace(); setCurrentAction(s, ERROR_ACTION); } catch (UnauthenticatedException ue) { s.setMessage("Login failed"); System.out.println("Authentication failure"); ue.printStackTrace(); } catch (UnauthorizedException ue2) { // Update lesson status if necessary. if (getStage(s) == 2) { try { if (GoatHillsFinancial.DELETEPROFILE_ACTION.equals(requestedActionName) && !isAuthorized(s, getUserId(s), GoatHillsFinancial.DELETEPROFILE_ACTION)) { s.setMessage( "Welcome to stage 3 -- exploiting the data layer" ); setStage(s, 3); } } catch (ParameterNotFoundException pnfe) { pnfe.printStackTrace(); } } //System.out.println("isAuthorized() exit stage: " + getStage(s)); // Update lesson status if necessary. 
if (getStage(s) == 4) { try { //System.out.println("Checking for stage 4 completion"); DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s)); int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "." + GoatHillsFinancial.USER_ID)); int employeeId = s.getParser().getIntParameter( GoatHillsFinancial.EMPLOYEE_ID); if (!action.isAuthorizedForEmployee(s, userId, employeeId)) { s.setMessage("Congratulations. You have successfully completed this lesson."); getLessonTracker( s ).setCompleted( true ); } } catch (Exception e) { // swallow this - shouldn't happen inthe normal course // e.printStackTrace(); } } s.setMessage("You are not authorized to perform this function"); System.out.println("Authorization failure"); setCurrentAction(s, ERROR_ACTION); ue2.printStackTrace(); } // All this does for this lesson is ensure that a non-null content exists. setContent(new ElementContainer()); } }
\ No newline at end of file
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java
index c1db63cb5..1a7a03824 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/UpdateProfile_i.java
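Review bot: RoleBasedAccessControl_i.java arrives as a single `@@ -1 +1 @@` whole-file replacement, so the three import lines this commit actually changes there cannot be reviewed against the rest of the file; that shape, together with the `\ No newline at end of file` marker on both sides, suggests the file's line endings differ from the other sources, and normalising them in a separate commit would keep future diffs of this access-control lesson reviewable. On the new side, the stage-4 completion block wraps the `Integer.parseInt((String) ... getAttribute(...))` cast and the `getIntParameter(GoatHillsFinancial.EMPLOYEE_ID)` lookup in `catch (Exception e)` that only carries the comment `// swallow this - shouldn't happen inthe normal course`, so a `NumberFormatException`, `ClassCastException` or `ParameterNotFoundException` there silently disables the completion check, unlike the sibling catch blocks which at least call printStackTrace(); re-enabling the commented-out `e.printStackTrace();` (or narrowing the catch to those three types) would make such failures visible. Also, the unconditional `s.setMessage("You are not authorized to perform this function");` follows the "Congratulations" message inside the same catch, so if WebSession.setMessage replaces rather than appends, the completion message is overwritten before the student sees it — worth confirming against the WebSession implementation.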
@@ -4,8 +4,8 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.LessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.UpdateProfile;
 import org.owasp.webgoat.session.Employee;
@@ -29,7 +29,7 @@ import org.owasp.webgoat.session.WebSession;
 public class UpdateProfile_i extends UpdateProfile
 {
- public UpdateProfile_i(AbstractLesson lesson, String lessonName, String actionName, LessonAction chainedAction)
+ public UpdateProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
 {
 super(lesson, lessonName, actionName, chainedAction);
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java
index 022d3b6b5..591c19198 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/RoleBasedAccessControl/ViewProfile_i.java
@@ -4,7 +4,7 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.RoleBasedAccessControl.ViewProfile;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -47,7 +47,7 @@ The same logic could've been applied after the query but isAuthorizedForEmployee
 public class ViewProfile_i extends ViewProfile
 {
- public ViewProfile_i(AbstractLesson lesson, String lessonName, String actionName)
+ public ViewProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName)
 {
 super(lesson, lessonName, actionName);
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
index 6ade9322a..0dea328e5 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/Login_i.java
@@ -4,8 +4,8 @@ import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.LessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
 import org.owasp.webgoat.lessons.SQLInjection.Login;
 import org.owasp.webgoat.lessons.SQLInjection.SQLInjection;
 import org.owasp.webgoat.session.WebSession;
@@ -32,7 +32,7 @@ Solution Steps:
 public class Login_i extends Login
 {
- public Login_i(AbstractLesson lesson, String lessonName, String actionName, LessonAction chainedAction)
+ public Login_i(GoatHillsFinancial lesson, String lessonName, String actionName, LessonAction chainedAction)
 {
 super(lesson, lessonName, actionName, chainedAction);
 }
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
index 68dd215f7..0ef1e3496 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
@@ -4,7 +4,7 @@ import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -32,7 +32,7 @@ Solution Steps:
 public class ViewProfile_i extends ViewProfile
 {
- public ViewProfile_i(AbstractLesson lesson, String lessonName, String actionName)
+ public ViewProfile_i(GoatHillsFinancial lesson, String lessonName, String actionName)
 {
 super(lesson, lessonName, actionName);
 }