diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java b/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java
deleted file mode 100644
index 074c61c91..000000000
--- a/webgoat-container/src/main/java/org/owasp/webgoat/Catcher.java
+++ /dev/null
@@ -1,120 +0,0 @@ - -package org.owasp.webgoat; - -import java.io.IOException; -import java.util.Enumeration; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.session.Course; -import org.owasp.webgoat.session.WebSession; - - -/** - ************************************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 20014 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software - * projects. 
- * - * @author Bruce Mayhew WebGoat - * @since March 13, 2007 - * @version $Id: $Id - */ -public class Catcher extends HammerHead -{ - - /** - * - */ - private static final long serialVersionUID = 7441856110845727651L; - - /** - * Description of the Field - */ - public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; - - /** Constant END_SOURCE_SKIP="END_OMIT_SOURCE" */ - public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; - - /** Constant PROPERTY="PROPERTY" */ - public static final String PROPERTY = "PROPERTY"; - - /** Constant EMPTY_STRING="" */ - public static final String EMPTY_STRING = ""; - - /** - * {@inheritDoc} - * - * Description of the Method - * @exception IOException - * Description of the Exception - * @exception ServletException - * Description of the Exception - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException - { - try - { - // System.out.println( "Entering doPost: " ); - // System.out.println( " - request " + request); - // System.out.println( " - principle: " + request.getUserPrincipal() ); - // setCacheHeaders(response, 0); - WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); - session.update(request, response, this.getServletName()); // FIXME: Too much in this - // call. - - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - - log(request, lesson.getClass().getName() + " | " + session.getParser().toString()); - - String property = new String(session.getParser().getStringParameter(PROPERTY, EMPTY_STRING)); - - // if the PROPERTY parameter is available - write all the parameters to the - // property file. No other control parameters are supported at this time. 
- if (!property.equals(EMPTY_STRING)) - { - Enumeration e = session.getParser().getParameterNames(); - - while (e.hasMoreElements()) - { - String name = (String) e.nextElement(); - String value = session.getParser().getParameterValues(name)[0]; - lesson.getLessonTracker(session).getLessonProperties().setProperty(name, value); - } - } - lesson.getLessonTracker(session).store(session, lesson); - - // BDM MC -// WEB-173 - removed for testing, as plugin architecture would not allow this -// if ( request.getParameter("Deleter") != null ){org.owasp.webgoat.lessons.BlindScript.StaticDeleter();} - - } catch (Throwable t) - { - t.printStackTrace(); - log("ERROR: " + t); - } - } -} diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java index e8f2cb828..9180277ad 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java 
@@ -1,398 +1,60 @@ package org.owasp.webgoat; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.WelcomeScreen; -import org.owasp.webgoat.lessons.admin.WelcomeAdminScreen; import org.owasp.webgoat.session.Course; -import org.owasp.webgoat.session.ErrorScreen; -import org.owasp.webgoat.session.Screen; -import org.owasp.webgoat.session.UserTracker; -import org.owasp.webgoat.session.WebSession; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import javax.servlet.ServletContext; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; -import java.io.IOException; -import java.io.PrintWriter; -import java.text.SimpleDateFormat; -import java.util.Date; -import java.util.Locale; -import java.util.TimeZone; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; +import org.springframework.web.servlet.ModelAndView; /** * ************************************************************************************************* - * - * + *

+ *

* This file is part of WebGoat, an Open Web Application Security Project * utility. For details, please see http://www.owasp.org/ - * + *

* Copyright (c) 2002 - 20014 Bruce Mayhew - * + *

* This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; either version 2 of the License, or (at your option) any later * version. - * + *

* This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more * details. - * + *

* You should have received a copy of the GNU General Public License along with * this program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place - Suite 330, Boston, MA 02111-1307, USA. - * + *

* Getting Source ============== - * + *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository * for free software projects. * - * @author Jeff Williams Aspect - * Security - * @author Bruce Mayhew WebGoat - * @since October 28, 2003 + * @author Jeff Williams + * @author Bruce Mayhew + * @author Nanne Baars * @version $Id: $Id + * @since October 28, 2003 */ -public class HammerHead extends HttpServlet { +@Controller +public class HammerHead { - private static final long serialVersionUID = 645640331343188020L; - private static SimpleDateFormat httpDateFormat; - private final Logger logger = LoggerFactory.getLogger(HammerHead.class); - private WebSession webSession; + private final Course course; - public HammerHead() { - //for catcher subclass - } - - public HammerHead(WebSession webSession) { - this.webSession = webSession; + public HammerHead(Course course) { + this.course = course; } /** - * {@inheritDoc} - * - * Description of the Method - * @exception IOException Description of the Exception - * @exception ServletException Description of the Exception + * Entry point for WebGoat, redirects to the first lesson found within the course. 
*/ - @Override - public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - doPost(request, response); - } - - /** - * {@inheritDoc} - * - * Description of the Method - * @exception IOException Description of the Exception - * @exception ServletException Description of the Exception - */ - @Override - public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - Screen screen = null; - - WebSession mySession = null; - try { - logger.debug("Entering doPost"); - logger.debug("request: " + request); - logger.debug("principle: " + request.getUserPrincipal()); - // setCacheHeaders(response, 0); - ServletContext context = getServletContext(); - - // FIXME: If a response is written by updateSession(), do not - // call makeScreen() and writeScreen() - mySession = updateSession(request, response, context); - - if (response.isCommitted()) { - logger.debug("Response already committed, exiting"); - return; - } - - if ("true".equals(request.getParameter("start")) || request.getQueryString() == null) { - logger.warn("Redirecting to first lesson"); - response.sendRedirect("start.mvc" + mySession.getCourse().getFirstLesson().getLink()); - return; - } - - // Note: For the lesson to track the status, we need to update - // the lesson tracker object - // from the screen.createContent() method. The create content is - // the only point - // where the lesson "knows" what has happened. To track it at a - // latter point would - // require the lesson to have memory. 
- screen = makeScreen(mySession); - // This calls the lesson's - // handleRequest() - if (response.isCommitted()) { - return; - } - - // perform lesson-specific tracking activities - if (screen instanceof AbstractLesson) { - AbstractLesson lesson = (AbstractLesson) screen; - - // we do not count the initial display of the lesson screen as a visit - if ("GET".equals(request.getMethod())) { - String uri = request.getRequestURI() + "?" + request.getQueryString(); - if (!uri.endsWith(lesson.getLink())) { - screen.getLessonTracker(mySession).incrementNumVisits(); - } - } else if ("POST".equals(request.getMethod()) - && mySession.getPreviousScreen() == mySession.getCurrentScreen()) { - screen.getLessonTracker(mySession).incrementNumVisits(); - } - } - - // log the access to this screen for this user - UserTracker userTracker = UserTracker.instance(); - userTracker.update(mySession, screen); - log(request, screen.getClass().getName() + " | " + mySession.getParser().toString()); - - // Redirect the request to our View servlet - String userAgent = request.getHeader("user-agent"); - String clientBrowser = "Not known!"; - if (userAgent != null) { - clientBrowser = userAgent; - } - request.setAttribute("client.browser", clientBrowser); - // removed - this is being done in updateSession call - //request.getSession().setAttribute(WebSession.SESSION, mySession); - // not sure why this is being set in the session? 
- //request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse()); - String viewPage = getViewPage(mySession); - logger.debug("Forwarding to view: " + viewPage); - logger.debug("Screen: " + screen); - response.sendRedirect("startlesson.mvc"); -// request.getRequestDispatcher(viewPage).forward(request, response); - } catch (Throwable t) { - logger.error("Error handling request", t); screen = new ErrorScreen(mySession, t); - } finally { - try { - if (screen instanceof ErrorScreen) { - this.writeScreen(mySession, screen, response); - } - } catch (Throwable thr) { - logger.error("Could not write error screen", thr); - } - WebSession.returnConnection(mySession); - logger.debug("Leaving doPost: "); - } - } - - private String getViewPage(WebSession webSession) { - // now always display the lesson content - String page = "lesson_content"; - //page = "/main.jsp"; - return page; - } - - /** - * Description of the Method - * - * @param date Description of the Parameter - * @return RFC 1123 http date format - */ - protected static String formatHttpDate(Date date) { - synchronized (httpDateFormat) { - return httpDateFormat.format(date); - } - } - - /** - * {@inheritDoc} - * - * Return information about this servlet - */ - @Override - public String getServletInfo() { - return "WebGoat is sponsored by Aspect Security."; - } - - /** - * {@inheritDoc} - * - * Return properties path - */ - @Override - public void init() throws ServletException { - logger.info("Initializing main webgoat servlet"); - httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US); - httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT")); - } - - /** - * Description of the Method - * - * @param request Description of the Parameter - * @param message Description of the Parameter - */ - public void log(HttpServletRequest request, String message) { - String output = new Date() + " | " + request.getRemoteHost() + ":" + request.getRemoteAddr() + " | " + message; - 
log(output); - logger.debug(output); - } - - /* - * public List getLessons(Category category, String role) { Course course = - * mySession.getCourse(); // May need to clone the List before returning it. //return new - * ArrayList(course.getLessons(category, role)); return course.getLessons(category, role); } - */ - /** - * Description of the Method - * - * @param s Description of the Parameter - * @return Description of the Return Value - */ - protected Screen makeScreen(WebSession s) { - Screen screen = null; - int scr = s.getCurrentScreen(); - Course course = s.getCourse(); - - if (s.isUser() || s.isChallenge()) { - if (scr == WebSession.WELCOME) { - screen = new WelcomeScreen(s); - } else { - AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - if (lesson == null && s.isHackedAdmin()) { - // If admin was hacked, let the user see some of the - // admin screens - lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE); - } - - if (lesson != null) { - screen = lesson; - - // We need to do some bookkeeping for the hackable admin - // interface. - // This is the only place we can tell if the user - // successfully hacked the hackable - // admin and has actually accessed an admin screen. You - // need BOTH pieces of information - // in order to satisfy the remote admin lesson. - s.setHasHackableAdmin(screen.getRole()); - - lesson.handleRequest(s); - s.setCurrentMenu(lesson.getCategory().getRanking()); - } else { - screen = new ErrorScreen(s, "Invalid screen requested. Try: http://localhost/WebGoat/attack"); - } - } - } else if (s.isAdmin()) { - if (scr == WebSession.WELCOME) { - screen = new WelcomeAdminScreen(s); - } else { - // Admin can see all roles. - // FIXME: should be able to pass a list of roles. 
- AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.ADMIN_ROLE); - if (lesson == null) { - lesson = course.getLesson(s, scr, AbstractLesson.HACKED_ADMIN_ROLE); - } - if (lesson == null) { - lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - } - - if (lesson != null) { - screen = lesson; - - // We need to do some bookkeeping for the hackable admin - // interface. - // This is the only place we can tell if the user - // successfully hacked the hackable - // admin and has actually accessed an admin screen. You - // need BOTH pieces of information - // in order to satisfy the remote admin lesson. - s.setHasHackableAdmin(screen.getRole()); - - lesson.handleRequest(s); - s.setCurrentMenu(lesson.getCategory().getRanking()); - } else { - screen = new ErrorScreen(s, - "Invalid screen requested. Try Setting Admin to false or Try: http://localhost/WebGoat/attack"); - } - } - } - - return (screen); - } - - /** - * Description of the Method - * - * @param request Description of the Parameter - * @param response Description of the Parameter - * @param context Description of the Parameter - * @return Description of the Return Value - * @throws java.io.IOException if any. 
- */ - protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context) - throws IOException { - HttpSession hs; - // session should already be created by spring security - hs = request.getSession(false); - - //TODO rewrite this logic - logger.debug("HH Entering Session_id: " + hs.getId()); - // dumpSession( hs ); - // Get our session object out of the HTTP session - WebSession session = this.webSession; - Object o = hs.getAttribute(WebSession.SESSION); - - if ((o != null) && o instanceof WebSession) { - session = (WebSession) o; - hs.setAttribute(WebSession.COURSE, session.getCourse()); - } else { - // Create new custom session and save it in the HTTP session - logger.warn("HH Creating new WebSession"); - // Ensure splash screen shows on any restart - // rlawson - removed this since we show splash screen at login now - //hs.removeAttribute(WELCOMED); - //@TODO NO NEED TO PUT IN THE HTTP SESSION, FOCUS WILL FIX LATER - hs.setAttribute(WebSession.SESSION, session); - } - - session.update(request, response, this.getServletName()); - // update last attack request info (cookies, parms) - // this is so the REST services can have access to them via the session - session.updateLastAttackRequestInfo(request); - - // to authenticate - logger.debug("HH Leaving Session_id: " + hs.getId()); - //dumpSession( hs ); - return (session); - } - - /** - * Description of the Method - * - * @param s Description of the Parameter - * @param screen a {@link org.owasp.webgoat.session.Screen} object. - * @param screen a {@link org.owasp.webgoat.session.Screen} object. - * @param response Description of the Parameter - * @exception IOException Description of the Exception - * @throws java.io.IOException if any. 
- */ - protected void writeScreen(WebSession s, Screen screen, HttpServletResponse response) throws IOException { - response.setContentType("text/html"); - - PrintWriter out = response.getWriter(); - - if (s == null) { - screen = new ErrorScreen(s, "Page to display was null"); - } - - // set the content-length of the response. - // Trying to avoid chunked-encoding. (Aspect required) - response.setContentLength(screen.getContentLength()); - response.setHeader("Content-Length", screen.getContentLength() + ""); - - screen.output(out); - out.flush(); - out.close(); + //// TODO: 11/6/2016 course necessary? + @RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST}) + public ModelAndView attack() { + return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink()); } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java index 5f7fc0fd8..02ab81b6d 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java @@ -31,11 +31,10 @@ package org.owasp.webgoat; import com.google.common.collect.Sets; +import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.LabelDebugger; -import org.owasp.webgoat.session.WebSession; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.boot.web.servlet.ServletRegistrationBean; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; 
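Review bot: The new HammerHead is annotated `@Controller` and is still also created by the `hammerHead(Course)` `@Bean` method in MvcConfiguration (hunk `@@ -120,8 +113,8 @@`), so if component scanning covers org.owasp.webgoat — WebGoat's `@SpringBootApplication` class sits in that package — the context ends up with two HammerHead beans and RequestMappingHandlerMapping sees the `/attack` mapping from each of them, which current Spring MVC versions reject at startup as an ambiguous mapping. Keep one of the two: the `hammerHead(Course)` bean method only existed to feed the removed `ServletRegistrationBean`, so deleting it and letting the `@Controller` be constructor-injected is the smaller change. The `//// TODO: 11/6/2016 course necessary?` comment is answered by the very next line, which dereferences `course`, so it should go. Note also that the old servlet was registered on `/attack/*` while `@RequestMapping(path = "/attack")` is an exact match, so any remaining link to a sub-path of /attack will now 404, and `course.getFirstLesson()` is dereferenced without a null guard, so a course with no lessons would surface as a 500 rather than a clear error.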
@@ -103,12 +102,6 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { return engine; } - - @Bean - public ServletRegistrationBean servletRegistrationBean(HammerHead hammerHead) { - return new ServletRegistrationBean(hammerHead, "/attack/*"); - } - /** * This way we expose the plugins target directory as a resource within the web application. * @@ -120,8 +113,8 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter { } @Bean - public HammerHead hammerHead(WebSession webSession) { - return new HammerHead(webSession); + public HammerHead hammerHead(Course course) { + return new HammerHead(course); } @Bean diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java index 444ee08fb..7fde94e7e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java 
@@ -35,26 +35,21 @@ import org.owasp.webgoat.plugins.PluginClassLoader; import org.owasp.webgoat.plugins.PluginEndpointPublisher; import org.owasp.webgoat.plugins.PluginsLoader; import org.owasp.webgoat.session.Course; -import org.owasp.webgoat.session.UserTracker; import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebgoatContext; -import org.owasp.webgoat.session.WebgoatProperties; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.builder.SpringApplicationBuilder; import org.springframework.boot.web.support.SpringBootServletInitializer; import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.PropertySource; import org.springframework.context.annotation.Scope; import org.springframework.context.annotation.ScopedProxyMode; -import javax.servlet.ServletContext; import java.io.File; import java.util.List; @SpringBootApplication -@PropertySource("classpath:/webgoat.properties") public class WebGoat extends SpringBootServletInitializer { @Override @@ -68,13 +63,16 @@ public class WebGoat extends SpringBootServletInitializer { @Bean(name = "pluginTargetDirectory") public File pluginTargetDirectory() { - File tempDir = com.google.common.io.Files.createTempDir(); - tempDir.deleteOnExit(); - return tempDir; + return com.google.common.io.Files.createTempDir(); } +// @Bean +// public ApplicationListener closeEvent(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory) { +// return e -> pluginTargetDirectory.delete(); +// } + @Bean - public PluginClassLoader pluginClassLoader(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory) { + public PluginClassLoader pluginClassLoader() { return new PluginClassLoader(PluginClassLoader.class.getClassLoader()); } 
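Review bot: `pluginTargetDirectory()` now returns the Guava temp dir without the `deleteOnExit()` the old code had, and the replacement cleanup listener is left commented out, so every start of the application leaves an extracted plugin directory behind in the shared java.io.tmpdir (hunk `@@ -68,13 +63,16 @@`). The commented-out `pluginTargetDirectory.delete()` would not have worked either, because `File.delete()` fails silently on a non-empty directory; the cleanup needs a recursive walk (deepest entries first) in a `@PreDestroy` method or an `ApplicationListener<ContextClosedEvent>`. Since this directory presumably receives the extracted lesson code that `PluginClassLoader` later loads, it is also worth creating it with `java.nio.file.Files.createTempDirectory("webgoat-plugins").toFile()`, which on POSIX creates it with owner-only permissions, rather than Guava's `createTempDir()`, which uses the default permissions of the shared location. Dropping the unused `pluginTargetDirectory` parameter from `pluginClassLoader()` is fine.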
@@ -85,25 +83,17 @@ public class WebGoat extends SpringBootServletInitializer { @Bean @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS) - public WebSession webSession(Course course, WebgoatContext webgoatContext, ServletContext context) { - return new WebSession(course, webgoatContext, context); + public WebSession webSession(WebgoatContext webgoatContext) { + return new WebSession(webgoatContext); } @Bean - public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context, WebgoatProperties webgoatProperties, - PluginEndpointPublisher pluginEndpointPublisher) { - Course course = new Course(webgoatProperties); - course.loadCourses(webgoatContext, context, "/"); + public Course course(PluginsLoader pluginsLoader, PluginEndpointPublisher pluginEndpointPublisher) { + Course course = new Course(); List plugins = pluginsLoader.loadPlugins(); - course.loadLessonFromPlugin(plugins); + course.createLessonsFromPlugins(plugins); plugins.forEach(p -> pluginEndpointPublisher.publish(p)); return course; } - - @Bean - public UserTracker userTracker() { - UserTracker userTracker = UserTracker.instance(); - return userTracker; - } } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java index 94e00fb9d..6af1770f3 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java @@ -31,8 +31,7 @@ package org.owasp.webgoat.controller; import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.NewLesson; -import org.owasp.webgoat.lessons.RandomLessonAdapter; +import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.context.SecurityContext; 
@@ -50,24 +49,25 @@ import java.util.Optional; @Controller public class StartLesson { + private final WebSession ws; + private final Course course; + + public StartLesson(final WebSession ws, final Course course) { + this.ws = ws; + this.course = course; + } + /** *

start.

* - * @param request a {@link HttpServletRequest} object. * @return a {@link ModelAndView} object. */ @RequestMapping(path = "startlesson.mvc", method = {RequestMethod.GET, RequestMethod.POST}) - public ModelAndView start(HttpServletRequest request) { + public ModelAndView start() { ModelAndView model = new ModelAndView(); - WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION); - model.addObject("has_stages", ws.getCurrentLesson() instanceof RandomLessonAdapter); - model.addObject("course", ws.getCourse()); + model.addObject("course", course); model.addObject("lesson", ws.getCurrentLesson()); - model.addObject("message", ws.getMessage()); - model.addObject("instructions", ws.getInstructions()); - boolean isMigrated = ws.getCurrentLesson() instanceof NewLesson; - model.addObject("migrated", isMigrated); //remove after ECS removal otherwise you will see the lesson twice model.setViewName("lesson_content"); return model; } @@ -80,13 +80,11 @@ public class StartLesson { GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next(); String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson")); - WebSession ws = (WebSession) request.getSession().getAttribute(WebSession.SESSION); - List lessons = ws.getCourse() - .getLessons(ws, AbstractLesson.USER_ROLE);//TODO this should work with the security roles of Spring + List lessons = course.getLessons(); Optional lesson = lessons.stream() .filter(l -> l.getId().equals(lessonName)) .findFirst(); - ws.setCurrentScreen(lesson.get().getScreenId()); + ws.setCurrentLesson(lesson.get()); model.setViewName("lesson_content"); model.addObject("lesson", lesson.get()); return model; 
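Review bot: The new `ws` field is a session-scoped `WebSession` injected into a singleton `@Controller`, which only works because the bean is declared with `proxyMode = ScopedProxyMode.TARGET_CLASS` in WebGoat.java; that dependency is invisible here, so a field comment such as `// session-scoped proxy (see WebGoat.webSession()); each call resolves to the current user's session` would stop the next reader from assuming one WebSession is shared by all users. The constructor could also guard both arguments with `Objects.requireNonNull`, since nothing else in the class checks for a null `Course` before `start()` puts it in the model.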
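Review bot: `lesson.get()` is called twice on an Optional that is empty whenever the `.lesson` path names a lesson the course does not contain, so a mistyped or stale URL fails with NoSuchElementException and a 500 instead of a clean not-found response; the new `ws.setCurrentLesson(lesson.get())` line keeps the pattern the old code had. Resolve it once with an explicit outcome: `AbstractLesson selected = lessons.stream().filter(l -> l.getId().equals(lessonName)).findFirst().orElseThrow(() -> new IllegalArgumentException("Unknown lesson: " + lessonName));` followed by `ws.setCurrentLesson(selected); model.addObject("lesson", selected);`, or map the empty case to a 404 view. The enclosing handler method's signature and `@RequestMapping` are above this hunk; it is worth checking there that the mapped pattern guarantees `path.indexOf(".lesson")` is never -1, because the `substring` on the unchanged context line would otherwise throw.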
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManager.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java
similarity index 98%
rename from webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManager.java
rename to webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java
index a0f42adc9..21990bf6e 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManager.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManager.java
@@ -1,5 +1,5 @@
-package org.owasp.webgoat.util;
+package org.owasp.webgoat.i18n;
 import java.util.Locale;
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManagerImpl.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManagerImpl.java
similarity index 81%
rename from webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManagerImpl.java
rename to webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManagerImpl.java
index f98b1a981..0e3ed00c4 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManagerImpl.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelManagerImpl.java
@@ -1,8 +1,7 @@
-package org.owasp.webgoat.util;
+package org.owasp.webgoat.i18n;
 import org.owasp.webgoat.session.LabelDebugger;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import java.io.Serializable;
@@ -38,30 +37,22 @@ import java.util.Locale; * @version $Id: $Id * @author dm */ -@Component("labelManager") +@Component public class LabelManagerImpl implements LabelManager, Serializable { private static final long serialVersionUID = 1L; - @Autowired - private transient LabelProvider labelProvider; - @Autowired + private LabelProvider labelProvider; private LabelDebugger labelDebugger; - - /** Locale mapped with current session. */ private Locale locale = new Locale(LabelProvider.DEFAULT_LANGUAGE); - /** - *

Constructor for LabelManagerImpl.

- */ - protected LabelManagerImpl() {} - /** *

Constructor for LabelManagerImpl.

* - * @param labelProvider a {@link org.owasp.webgoat.util.LabelProvider} object. + * @param labelProvider a {@link LabelProvider} object. */ - protected LabelManagerImpl(LabelProvider labelProvider) { + protected LabelManagerImpl(LabelProvider labelProvider, LabelDebugger labelDebugger) { + this.labelDebugger = labelDebugger; this.labelProvider = labelProvider; } diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelProvider.java b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java similarity index 99% rename from webgoat-container/src/main/java/org/owasp/webgoat/util/LabelProvider.java rename to webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java index 05fb9c4f2..c1fa62ae0 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/util/LabelProvider.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/i18n/LabelProvider.java @@ -1,5 +1,5 @@ -package org.owasp.webgoat.util; +package org.owasp.webgoat.i18n; import org.springframework.context.support.ReloadableResourceBundleMessageSource; import org.springframework.core.io.Resource; diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java index 0e22ee5aa..978fc293e 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java 
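Review bot: Dropping `transient` from `labelProvider` (and adding `labelDebugger` without it) on a class that still `implements Serializable` means serializing a LabelManagerImpl now pulls both collaborators into the stream; LabelProvider's own file imports `ReloadableResourceBundleMessageSource`, which suggests it is not serializable, so any session persistence or replication that reaches this object would fail with NotSerializableException. Either drop `Serializable` if nothing serializes the bean any more, or restore `private transient LabelProvider labelProvider;` and declare `labelDebugger` transient as well (the removed `Locale mapped with current session` comment hints that `locale` was the only state meant to survive). With the no-arg constructor gone and both fields constructor-injected, they can also be declared `final`, which documents that `locale` is the only mutable field. The explicit bean name in `@Component("labelManager")` was removed; if any `@Qualifier("labelManager")` or configuration reference to that name still exists elsewhere, it will no longer resolve.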
@@ -1,39 +1,8 @@ package org.owasp.webgoat.lessons; -import org.apache.ecs.Element; -import org.apache.ecs.ElementContainer; -import org.apache.ecs.StringElement; -import org.apache.ecs.html.Body; -import org.apache.ecs.html.Form; -import org.apache.ecs.html.Head; -import org.apache.ecs.html.Html; -import org.apache.ecs.html.IMG; -import org.apache.ecs.html.PRE; -import org.apache.ecs.html.Title; -import org.owasp.webgoat.session.ParameterNotFoundException; import org.owasp.webgoat.session.Screen; -import org.owasp.webgoat.session.WebSession; -import org.owasp.webgoat.session.WebgoatContext; -import org.owasp.webgoat.session.WebgoatProperties; -import org.owasp.webgoat.util.BeanProvider; -import org.owasp.webgoat.util.LabelManager; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import java.io.BufferedReader; -import java.io.FileNotFoundException; -import java.io.FileReader; -import java.io.InputStreamReader; -import java.io.StringReader; -import java.net.HttpURLConnection; -import java.net.URL; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.HashMap; -import java.util.LinkedList; import java.util.List; -import java.util.Map; /** * ************************************************************************************************ 
@@ -67,57 +36,12 @@ import java.util.Map; */ public abstract class AbstractLesson extends Screen implements Comparable { - private static final Logger logger = LoggerFactory.getLogger(AbstractLesson.class); - - /** - * Description of the Field - */ - public final static String ADMIN_ROLE = "admin"; - - /** - * Constant CHALLENGE_ROLE="challenge" - */ - public final static String CHALLENGE_ROLE = "challenge"; - - /** - * Description of the Field - */ - public final static String HACKED_ADMIN_ROLE = "hacked_admin"; - - /** - * Description of the Field - */ - public final static String USER_ROLE = "user"; - private static int count = 1; private Integer id = null; - final static IMG nextGrey = new IMG("images/right16.gif").setAlt("Next").setBorder(0).setHspace(0).setVspace(0); - - final static IMG previousGrey = new IMG("images/left14.gif").setAlt("Previous").setBorder(0).setHspace(0) - .setVspace(0); - private Integer ranking; - private Category category; - - private boolean hidden; - - private String sourceFileName; - - private Map lessonPlanFileName = new HashMap(); - - private String lessonSolutionFileName; - - private WebgoatContext webgoatContext; - - private LinkedList availableLanguages = new LinkedList(); - - private String defaultLanguage = "en"; - - private LabelManager labelManager = null; - /** * Constructor for the Lesson object */ @@ -144,42 +68,6 @@ public abstract class AbstractLesson extends Screen implements ComparableSetter for the field hidden.

- * - * @param hidden a boolean. - */ - public void setHidden(boolean hidden) { - this.hidden = hidden; - } - - /** - *

update.

- * - * @param properties a {@link org.owasp.webgoat.session.WebgoatProperties} object. - */ - public void update(WebgoatProperties properties) { - String className = getClass().getName(); - className = className.substring(className.lastIndexOf(".") + 1); - setRanking(new Integer(properties.getIntProperty("lesson." + className + ".ranking", getDefaultRanking() - .intValue()))); - String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking"; - Category tempCategory = Category.getCategory(getDefaultCategory().getName()); - tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory() - .getRanking().intValue()))); - category = tempCategory; - setHidden(properties.getBooleanProperty("lesson." + className + ".hidden", getDefaultHidden())); - } - - /** - *

isCompleted.

- * - * @param s a {@link org.owasp.webgoat.session.WebSession} object. - * @return a boolean. - */ - public boolean isCompleted(WebSession s) { - return getLessonTracker(s, this).getCompleted(); - } /** * {@inheritDoc} @@ -205,7 +93,7 @@ public abstract class AbstractLesson extends Screen implements ComparablegetHints.

- * - * @param s a {@link org.owasp.webgoat.session.WebSession} object. * @return a {@link java.util.List} object. */ - protected abstract List getHints(WebSession s); - - // @TODO we need to restrict access at the service layer - // rather than passing session object around - - /** - *

getHintsPublic.

- * - * @param s a {@link org.owasp.webgoat.session.WebSession} object. - * @return a {@link java.util.List} object. - */ - public List getHintsPublic(WebSession s) { - List hints = getHints(s); - return hints; - } - - /** - * Fill in a minor hint that will help people who basically get it, but are - * stuck on somthing silly. - * - * @param s The users WebSession - * @param hintNumber a int. - * @return The hint1 value - */ - public String getHint(WebSession s, int hintNumber) { - return "Hint: " + getHints(s).get(hintNumber); - } - - /** - * Gets the instructions attribute of the AbstractLesson object - * - * @param s a {@link org.owasp.webgoat.session.WebSession} object. - * @return The instructions value - */ - public abstract String getInstructions(WebSession s); - - /** - * Gets the lessonPlan attribute of the Lesson object - * - * @return The lessonPlan value - */ - public String getLessonName() { - return this.getClass().getSimpleName(); - } + public abstract List getHints(); /** * Gets the title attribute of the HelloScreen object @@ -414,36 +146,6 @@ public abstract class AbstractLesson extends Screen implements Comparable