diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index cc11bc8b9..2a53e2093 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -1,21 +1,13 @@
 package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-import java.sql.Connection;
-import java.sql.SQLException;
 import java.util.ArrayList;
-import java.util.Hashtable;
 import java.util.List;
-import java.util.Map;
-import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
-import org.apache.ecs.html.A;
-import org.apache.ecs.html.IMG;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.DefaultLessonAction;
 import org.owasp.webgoat.lessons.LessonAction;
-import org.owasp.webgoat.lessons.LessonAdapter;
-import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -51,140 +43,10 @@ import org.owasp.webgoat.session.WebSession; * * For details, please see http://code.google.com/p/webgoat/ */ -public class RoleBasedAccessControl extends LessonAdapter +public class RoleBasedAccessControl extends GoatHillsFinancial { - public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); - - public final static String DESCRIPTION = "description"; - - public final static String DISCIPLINARY_DATE = "disciplinaryDate"; - - public final static String DISCIPLINARY_NOTES = "disciplinaryNotes"; - - public final static String CCN_LIMIT = "ccnLimit"; - - public final static String CCN = "ccn"; - - public final static String SALARY = "salary"; - - public final static String START_DATE = "startDate"; - - public final static String MANAGER = "manager"; - - public final static String ADDRESS1 = "address1"; - - public final static String ADDRESS2 = "address2"; - - public final static String PHONE_NUMBER = "phoneNumber"; - - public final static String TITLE = "title"; - - public final static String SSN = "ssn"; - - public final static String LAST_NAME = "lastName"; - - public final static String FIRST_NAME = "firstName"; - - public final static String PASSWORD = "password"; - - public final static String EMPLOYEE_ID = "employee_id"; - - public final static String USER_ID = "user_id"; - - public final static String SEARCHNAME = "search_name"; - - public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult"; - - public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee"; - - public final static String STAFF_ATTRIBUTE_KEY = "Staff"; - - public final static String LOGIN_ACTION = "Login"; - - public final static String LOGOUT_ACTION = "Logout"; - - public final static String LISTSTAFF_ACTION = "ListStaff"; - - public final static String SEARCHSTAFF_ACTION = "SearchStaff"; - - public final static String 
FINDPROFILE_ACTION = "FindProfile"; - - public final static String VIEWPROFILE_ACTION = "ViewProfile"; - - public final static String EDITPROFILE_ACTION = "EditProfile"; - - public final static String UPDATEPROFILE_ACTION = "UpdateProfile"; - - public final static String CREATEPROFILE_ACTION = "CreateProfile"; - - public final static String DELETEPROFILE_ACTION = "DeleteProfile"; - - public final static String ERROR_ACTION = "error"; - - private final static String LESSON_NAME = "RoleBasedAccessControl"; - - private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/"; - private final static Integer DEFAULT_RANKING = new Integer(125); - private static Connection connection = null; - - private Map lessonFunctions = new Hashtable(); - - - public static synchronized Connection getConnection(WebSession s) - throws SQLException, ClassNotFoundException - { - if (connection == null) - { - connection = DatabaseUtilities.makeConnection(s); - } - - return connection; - } - - - public RoleBasedAccessControl() - { - String myClassName = parseClassName(this.getClass().getName()); - registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION)); - registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION)); - registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION)); - registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION)); - registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION)); - - // These actions are special in that they chain to other actions. 
- registerAction(new Login(this, myClassName, LOGIN_ACTION, - getAction(LISTSTAFF_ACTION))); - registerAction(new Logout(this, myClassName, LOGOUT_ACTION, - getAction(LOGIN_ACTION))); - registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION, - getAction(VIEWPROFILE_ACTION))); - registerAction(new UpdateProfile(this, myClassName, - UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); - registerAction(new DeleteProfile(this, myClassName, - DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); - } - - - protected static String parseClassName(String fqcn) - { - String className = fqcn; - - int lastDotIndex = fqcn.lastIndexOf('.'); - if (lastDotIndex > -1) - className = fqcn.substring(lastDotIndex + 1); - - return className; - } - - - protected void registerAction(LessonAction action) - { - lessonFunctions.put(action.getActionName(), action); - } - - /** * Gets the category attribute of the CommandInjection object * @@ -195,7 +57,6 @@ public class RoleBasedAccessControl extends LessonAdapter return Category.A2; } - /** * Gets the hints attribute of the DirectoryScreen object * @@ -284,13 +145,6 @@ public class RoleBasedAccessControl extends LessonAdapter return instructions; } - - protected LessonAction getAction(String actionName) - { - return (LessonAction) lessonFunctions.get(actionName); - } - - public void handleRequest(WebSession s) { // Here is where dispatching to the various action handlers happens. @@ -397,8 +251,6 @@ public class RoleBasedAccessControl extends LessonAdapter } } - - s.setMessage("You are not authorized to perform this function"); System.out.println("Authorization failure"); setCurrentAction(s, ERROR_ACTION); 
@@ -492,12 +344,53 @@ public class RoleBasedAccessControl extends LessonAdapter
 ue.printStackTrace();
 }
 catch (UnauthorizedException ue2)
- {
- s.setMessage("You are not authorized to perform this function");
- System.out.println("Authorization failure");
- setCurrentAction(s, ERROR_ACTION);
- ue2.printStackTrace();
- }
+ {
+ // Update lesson status if necessary.
+ if (getStage(s) == 2)
+ {
+ try
+ {
+ if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) &&
+ !isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION))
+ {
+ s.setMessage( "Welcome to stage 3 -- exploiting the data layer" );
+ setStage(s, 3);
+ }
+ } catch (ParameterNotFoundException pnfe)
+ {
+ pnfe.printStackTrace();
+ }
+ }
+ //System.out.println("isAuthorized() exit stage: " + getStage(s));
+ // Update lesson status if necessary.
+ if (getStage(s) == 4)
+ {
+ try
+ {
+ //System.out.println("Checking for stage 4 completion");
+ DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
+ int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "."
+ + RoleBasedAccessControl.USER_ID));
+ int employeeId = s.getParser().getIntParameter(
+ RoleBasedAccessControl.EMPLOYEE_ID);
+
+ if (!action.isAuthorizedForEmployee(s, userId, employeeId))
+ {
+ s.setMessage("Congratulations. You have successfully completed this lesson.");
+ getLessonTracker( s ).setCompleted( true );
+ }
+ } catch (Exception e)
+ {
+ // swallow this - shouldn't happen inthe normal course
+ // e.printStackTrace();
+ }
+ }
+
+ s.setMessage("You are not authorized to perform this function");
+ System.out.println("Authorization failure");
+ setCurrentAction(s, ERROR_ACTION);
+ ue2.printStackTrace();
+ }
 catch (Exception e)
 {
 // All other errors send the user to the generic error page
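Review bot: The stage-advancing messages set in this catch block (`"Welcome to stage 3 -- exploiting the data layer"` and `"Congratulations. You have successfully completed this lesson."`) are overwritten a few lines later by the unconditional `s.setMessage("You are not authorized to perform this function")`, so unless `WebSession.setMessage` accumulates rather than replaces (not visible here), the user is told only that they were denied and never that the stage changed. Moving the generic authorization-failure `setMessage` to the top of the block, before the two stage checks, keeps both visible. Separately, the stage-4 branch swallows every `Exception` — including the `ParameterNotFoundException` that the stage-2 branch at least prints, a `NullPointerException` when the `USER_ID` session attribute is absent, and a `ClassCastException` from the `DefaultLessonAction` cast — so a failure to record completion leaves no trace; at minimum mirror the stage-2 handling with `catch (Exception e) { e.printStackTrace(); }` and drop the "shouldn't happen" comment. The enclosing `handleRequest` method begins and ends outside this hunk.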
@@ -511,47 +404,6 @@ public class RoleBasedAccessControl extends LessonAdapter setContent(new ElementContainer()); } - - public boolean isAuthorized(WebSession s, int userId, String functionId) - { - //System.out.println("Checking authorization from " + getCurrentAction(s)); - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.isAuthorized(s, userId, functionId); - } - - - public int getUserId(WebSession s) throws ParameterNotFoundException - { - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.getUserId(s); - } - - - public String getUserName(WebSession s) throws ParameterNotFoundException - { - LessonAction action = (LessonAction) lessonFunctions - .get(getCurrentAction(s)); - return action.getUserName(s); - } - - - public String getTemplatePage(WebSession s) - { - return JSP_PATH + LESSON_NAME + ".jsp"; - } - - - public String getPage(WebSession s) - { - String page = JSP_PATH + getCurrentAction(s) + ".jsp"; - //System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page); - - return page; - } - - protected Integer getDefaultRanking() { return DEFAULT_RANKING; @@ -567,18 +419,4 @@ public class RoleBasedAccessControl extends LessonAdapter { return "LAB: Role Based Access Control"; } - - - public String getSourceFileName() - { - // FIXME: Need to generalize findSourceResource() and use it on the currently active - // LessonAction delegate to get its source file. - //return findSourceResource(getCurrentLessonScreen()....); - return super.getSourceFileName(); - } - - public Element getCredits() - { - return super.getCustomCredits("", ASPECT_LOGO); - } }