for the menu part

webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java

@@ -1,44 +1,50 @@
 /**
  * ************************************************************************************************
- *
+ * <p>
- *
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- *
+ * <p>
  * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  *
  * @author WebGoat
- * @since October 28, 2003
  * @version $Id: $Id
+ * @since October 28, 2003
  */
 package org.owasp.webgoat.controller;
 
+import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.RandomLessonAdapter;
 import org.owasp.webgoat.plugins.YmlBasedLesson;
 import org.owasp.webgoat.session.WebSession;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.servlet.ModelAndView;
 
 import javax.servlet.http.HttpServletRequest;
+import java.util.List;
+import java.util.Optional;
 
 
 @Controller
@@ -69,4 +75,24 @@ public class StartLesson {
         model.setViewName("lesson_content");
         return model;
     }
+
+    @RequestMapping(value = {"*.lesson"}, produces = "text/html")
+    public ModelAndView lessonPage(HttpServletRequest request) {
+        // I will set here the thymeleaf fragment location based on the resource requested.
+        ModelAndView model = new ModelAndView();
+        SecurityContext context = SecurityContextHolder.getContext();
+        GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
+        String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
+        String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
+        WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION);
+        List<AbstractLesson> lessons = ws.getCourse()
+                .getLessons(ws, AbstractLesson.USER_ROLE);//TODO this should work with the security roles of Spring
+        Optional<AbstractLesson> lesson = lessons.stream()
+                .filter(l -> l instanceof YmlBasedLesson)
+                .filter(l -> ((YmlBasedLesson) l).getHtml().equals(lessonName))
+                .findFirst();
+        model.setViewName("lesson_content");
+        model.addObject("lesson", lesson.get());
+        return model;
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -998,4 +998,8 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
         }
         return labelManager;
     }
+
+    public String getHtml() {
+        return "";
+    }
 }