Extend GoatHillsFinancial, and remove duplicated inherited methods
git-svn-id: http://webgoat.googlecode.com/svn/trunk@152 4033779f-a91e-0410-96ef-6bf7bf53c507
		| @ -1,21 +1,13 @@ | |||||||
| package org.owasp.webgoat.lessons.RoleBasedAccessControl; | package org.owasp.webgoat.lessons.RoleBasedAccessControl; | ||||||
|  |  | ||||||
| import java.sql.Connection; |  | ||||||
| import java.sql.SQLException; |  | ||||||
| import java.util.ArrayList; | import java.util.ArrayList; | ||||||
| import java.util.Hashtable; |  | ||||||
| import java.util.List; | import java.util.List; | ||||||
| import java.util.Map; |  | ||||||
|  |  | ||||||
| import org.apache.ecs.Element; |  | ||||||
| import org.apache.ecs.ElementContainer; | import org.apache.ecs.ElementContainer; | ||||||
| import org.apache.ecs.html.A; |  | ||||||
| import org.apache.ecs.html.IMG; |  | ||||||
| import org.owasp.webgoat.lessons.Category; | import org.owasp.webgoat.lessons.Category; | ||||||
| import org.owasp.webgoat.lessons.DefaultLessonAction; | import org.owasp.webgoat.lessons.DefaultLessonAction; | ||||||
| import org.owasp.webgoat.lessons.LessonAction; | import org.owasp.webgoat.lessons.LessonAction; | ||||||
| import org.owasp.webgoat.lessons.LessonAdapter; | import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial; | ||||||
| import org.owasp.webgoat.session.DatabaseUtilities; |  | ||||||
| import org.owasp.webgoat.session.ParameterNotFoundException; | import org.owasp.webgoat.session.ParameterNotFoundException; | ||||||
| import org.owasp.webgoat.session.UnauthenticatedException; | import org.owasp.webgoat.session.UnauthenticatedException; | ||||||
| import org.owasp.webgoat.session.UnauthorizedException; | import org.owasp.webgoat.session.UnauthorizedException; | ||||||
| @ -51,140 +43,10 @@ import org.owasp.webgoat.session.WebSession; | |||||||
|  *  |  *  | ||||||
|  * For details, please see http://code.google.com/p/webgoat/ |  * For details, please see http://code.google.com/p/webgoat/ | ||||||
|  */ |  */ | ||||||
| public class RoleBasedAccessControl extends LessonAdapter | public class RoleBasedAccessControl extends GoatHillsFinancial | ||||||
| { | { | ||||||
| 	public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); |  | ||||||
|  |  | ||||||
|     public final static String DESCRIPTION = "description"; |  | ||||||
|  |  | ||||||
|     public final static String DISCIPLINARY_DATE = "disciplinaryDate"; |  | ||||||
|  |  | ||||||
|     public final static String DISCIPLINARY_NOTES = "disciplinaryNotes"; |  | ||||||
|  |  | ||||||
|     public final static String CCN_LIMIT = "ccnLimit"; |  | ||||||
|  |  | ||||||
|     public final static String CCN = "ccn"; |  | ||||||
|  |  | ||||||
|     public final static String SALARY = "salary"; |  | ||||||
|  |  | ||||||
|     public final static String START_DATE = "startDate"; |  | ||||||
|  |  | ||||||
|     public final static String MANAGER = "manager"; |  | ||||||
|  |  | ||||||
|     public final static String ADDRESS1 = "address1"; |  | ||||||
|  |  | ||||||
|     public final static String ADDRESS2 = "address2"; |  | ||||||
|  |  | ||||||
|     public final static String PHONE_NUMBER = "phoneNumber"; |  | ||||||
|  |  | ||||||
|     public final static String TITLE = "title"; |  | ||||||
|  |  | ||||||
|     public final static String SSN = "ssn"; |  | ||||||
|  |  | ||||||
|     public final static String LAST_NAME = "lastName"; |  | ||||||
|  |  | ||||||
|     public final static String FIRST_NAME = "firstName"; |  | ||||||
|  |  | ||||||
|     public final static String PASSWORD = "password"; |  | ||||||
|  |  | ||||||
|     public final static String EMPLOYEE_ID = "employee_id"; |  | ||||||
|  |  | ||||||
|     public final static String USER_ID = "user_id"; |  | ||||||
|  |  | ||||||
|     public final static String SEARCHNAME = "search_name"; |  | ||||||
|  |  | ||||||
|     public final static String SEARCHRESULT_ATTRIBUTE_KEY = "SearchResult"; |  | ||||||
|  |  | ||||||
|     public final static String EMPLOYEE_ATTRIBUTE_KEY = "Employee"; |  | ||||||
|  |  | ||||||
|     public final static String STAFF_ATTRIBUTE_KEY = "Staff"; |  | ||||||
|  |  | ||||||
|     public final static String LOGIN_ACTION = "Login"; |  | ||||||
|  |  | ||||||
|     public final static String LOGOUT_ACTION = "Logout"; |  | ||||||
|  |  | ||||||
|     public final static String LISTSTAFF_ACTION = "ListStaff"; |  | ||||||
|  |  | ||||||
|     public final static String SEARCHSTAFF_ACTION = "SearchStaff"; |  | ||||||
|  |  | ||||||
|     public final static String FINDPROFILE_ACTION = "FindProfile"; |  | ||||||
|  |  | ||||||
|     public final static String VIEWPROFILE_ACTION = "ViewProfile"; |  | ||||||
|  |  | ||||||
|     public final static String EDITPROFILE_ACTION = "EditProfile"; |  | ||||||
|  |  | ||||||
|     public final static String UPDATEPROFILE_ACTION = "UpdateProfile"; |  | ||||||
|  |  | ||||||
|     public final static String CREATEPROFILE_ACTION = "CreateProfile"; |  | ||||||
|  |  | ||||||
|     public final static String DELETEPROFILE_ACTION = "DeleteProfile"; |  | ||||||
|  |  | ||||||
|     public final static String ERROR_ACTION = "error"; |  | ||||||
|  |  | ||||||
|     private final static String LESSON_NAME = "RoleBasedAccessControl"; |  | ||||||
|  |  | ||||||
|     private final static String JSP_PATH = "/lessons/" + LESSON_NAME + "/"; |  | ||||||
|  |  | ||||||
|     private final static Integer DEFAULT_RANKING = new Integer(125); |     private final static Integer DEFAULT_RANKING = new Integer(125); | ||||||
|  |  | ||||||
|     private static Connection connection = null; |  | ||||||
|  |  | ||||||
|     private Map lessonFunctions = new Hashtable(); |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     public static synchronized Connection getConnection(WebSession s) |  | ||||||
| 	    throws SQLException, ClassNotFoundException |  | ||||||
|     { |  | ||||||
| 	if (connection == null) |  | ||||||
| 	{ |  | ||||||
| 	    connection = DatabaseUtilities.makeConnection(s); |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	return connection; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     public RoleBasedAccessControl() |  | ||||||
|     { |  | ||||||
| 	String myClassName = parseClassName(this.getClass().getName()); |  | ||||||
| 	registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION)); |  | ||||||
| 	registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION)); |  | ||||||
| 	registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION)); |  | ||||||
| 	registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION)); |  | ||||||
| 	registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION)); |  | ||||||
|  |  | ||||||
| 	// These actions are special in that they chain to other actions. |  | ||||||
| 	registerAction(new Login(this, myClassName, LOGIN_ACTION, |  | ||||||
| 		getAction(LISTSTAFF_ACTION))); |  | ||||||
| 	registerAction(new Logout(this, myClassName, LOGOUT_ACTION, |  | ||||||
| 		getAction(LOGIN_ACTION))); |  | ||||||
| 	registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION, |  | ||||||
| 		getAction(VIEWPROFILE_ACTION))); |  | ||||||
| 	registerAction(new UpdateProfile(this, myClassName, |  | ||||||
| 		UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION))); |  | ||||||
| 	registerAction(new DeleteProfile(this, myClassName, |  | ||||||
| 		DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION))); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     protected static String parseClassName(String fqcn) |  | ||||||
|     { |  | ||||||
| 	String className = fqcn; |  | ||||||
|  |  | ||||||
| 	int lastDotIndex = fqcn.lastIndexOf('.'); |  | ||||||
| 	if (lastDotIndex > -1) |  | ||||||
| 	    className = fqcn.substring(lastDotIndex + 1); |  | ||||||
|  |  | ||||||
| 	return className; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     protected void registerAction(LessonAction action) |  | ||||||
|     { |  | ||||||
| 	lessonFunctions.put(action.getActionName(), action); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     /** |     /** | ||||||
|      *  Gets the category attribute of the CommandInjection object |      *  Gets the category attribute of the CommandInjection object | ||||||
|      * |      * | ||||||
| @ -195,7 +57,6 @@ public class RoleBasedAccessControl extends LessonAdapter | |||||||
| 	return Category.A2; | 	return Category.A2; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |  | ||||||
|     /** |     /** | ||||||
|      *  Gets the hints attribute of the DirectoryScreen object |      *  Gets the hints attribute of the DirectoryScreen object | ||||||
|      * |      * | ||||||
| @ -284,13 +145,6 @@ public class RoleBasedAccessControl extends LessonAdapter | |||||||
| 	return instructions; | 	return instructions; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |  | ||||||
|     protected LessonAction getAction(String actionName) |  | ||||||
|     { |  | ||||||
| 	return (LessonAction) lessonFunctions.get(actionName); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     public void handleRequest(WebSession s) |     public void handleRequest(WebSession s) | ||||||
|     { |     { | ||||||
| 	// Here is where dispatching to the various action handlers happens. | 	// Here is where dispatching to the various action handlers happens. | ||||||
| @ -397,8 +251,6 @@ public class RoleBasedAccessControl extends LessonAdapter | |||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
| 		 | 		 | ||||||
|  |  | ||||||
|  |  | ||||||
| 	    s.setMessage("You are not authorized to perform this function"); | 	    s.setMessage("You are not authorized to perform this function"); | ||||||
| 	    System.out.println("Authorization failure"); | 	    System.out.println("Authorization failure"); | ||||||
| 	    setCurrentAction(s, ERROR_ACTION); | 	    setCurrentAction(s, ERROR_ACTION); | ||||||
| @ -492,12 +344,53 @@ public class RoleBasedAccessControl extends LessonAdapter | |||||||
| 		ue.printStackTrace(); | 		ue.printStackTrace(); | ||||||
| 	    } | 	    } | ||||||
| 	    catch (UnauthorizedException ue2) | 	    catch (UnauthorizedException ue2) | ||||||
| 	    { | 		{ | ||||||
| 		s.setMessage("You are not authorized to perform this function"); | 			// Update lesson status if necessary. | ||||||
| 		System.out.println("Authorization failure"); | 			if (getStage(s) == 2) | ||||||
| 		setCurrentAction(s, ERROR_ACTION); | 			{ | ||||||
| 		ue2.printStackTrace(); | 				try | ||||||
| 	    } | 				{ | ||||||
|  | 				if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) && | ||||||
|  | 						!isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION)) | ||||||
|  | 				{ | ||||||
|  | 					s.setMessage( "Welcome to stage 3 -- exploiting the data layer" ); | ||||||
|  | 					setStage(s, 3); | ||||||
|  | 				} | ||||||
|  | 				} catch (ParameterNotFoundException pnfe) | ||||||
|  | 				{ | ||||||
|  | 				pnfe.printStackTrace(); | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 			//System.out.println("isAuthorized() exit stage: " + getStage(s)); | ||||||
|  | 			// Update lesson status if necessary. | ||||||
|  | 			if (getStage(s) == 4) | ||||||
|  | 			{ | ||||||
|  | 				try | ||||||
|  | 				{ | ||||||
|  | 				//System.out.println("Checking for stage 4 completion"); | ||||||
|  | 				DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s)); | ||||||
|  | 				int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "." | ||||||
|  | 						+ RoleBasedAccessControl.USER_ID)); | ||||||
|  | 				int employeeId = s.getParser().getIntParameter( | ||||||
|  | 					RoleBasedAccessControl.EMPLOYEE_ID); | ||||||
|  |  | ||||||
|  | 				if (!action.isAuthorizedForEmployee(s, userId, employeeId)) | ||||||
|  | 				{ | ||||||
|  | 				    s.setMessage("Congratulations. You have successfully completed this lesson."); | ||||||
|  | 				    getLessonTracker( s ).setCompleted( true ); | ||||||
|  | 				} | ||||||
|  | 				} catch (Exception e) | ||||||
|  | 				{ | ||||||
|  | 					// swallow this - shouldn't happen inthe normal course | ||||||
|  | 					// e.printStackTrace(); | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 			 | ||||||
|  | 		    s.setMessage("You are not authorized to perform this function"); | ||||||
|  | 		    System.out.println("Authorization failure"); | ||||||
|  | 		    setCurrentAction(s, ERROR_ACTION); | ||||||
|  | 		    ue2.printStackTrace(); | ||||||
|  | 		} | ||||||
| 	    catch (Exception e) | 	    catch (Exception e) | ||||||
| 	    { | 	    { | ||||||
| 		// All other errors send the user to the generic error page | 		// All other errors send the user to the generic error page | ||||||
| @ -511,47 +404,6 @@ public class RoleBasedAccessControl extends LessonAdapter | |||||||
| 	setContent(new ElementContainer()); | 	setContent(new ElementContainer()); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |  | ||||||
|     public boolean isAuthorized(WebSession s, int userId, String functionId) |  | ||||||
|     { |  | ||||||
| 	//System.out.println("Checking authorization from " + getCurrentAction(s)); |  | ||||||
| 	LessonAction action = (LessonAction) lessonFunctions |  | ||||||
| 		.get(getCurrentAction(s)); |  | ||||||
| 	return action.isAuthorized(s, userId, functionId); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     public int getUserId(WebSession s) throws ParameterNotFoundException |  | ||||||
|     { |  | ||||||
| 	LessonAction action = (LessonAction) lessonFunctions |  | ||||||
| 		.get(getCurrentAction(s)); |  | ||||||
| 	return action.getUserId(s); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     public String getUserName(WebSession s) throws ParameterNotFoundException |  | ||||||
|     { |  | ||||||
| 	LessonAction action = (LessonAction) lessonFunctions |  | ||||||
| 		.get(getCurrentAction(s)); |  | ||||||
| 	return action.getUserName(s); |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     public String getTemplatePage(WebSession s) |  | ||||||
|     { |  | ||||||
| 	return JSP_PATH + LESSON_NAME + ".jsp"; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     public String getPage(WebSession s) |  | ||||||
|     { |  | ||||||
| 	String page = JSP_PATH + getCurrentAction(s) + ".jsp"; |  | ||||||
| 	//System.out.println("Retrieved sub-view page for " + this.getClass().getName() + " of " + page); |  | ||||||
|  |  | ||||||
| 	return page; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     protected Integer getDefaultRanking() |     protected Integer getDefaultRanking() | ||||||
|     { |     { | ||||||
| 	return DEFAULT_RANKING; | 	return DEFAULT_RANKING; | ||||||
| @ -567,18 +419,4 @@ public class RoleBasedAccessControl extends LessonAdapter | |||||||
|     { |     { | ||||||
| 	return "LAB: Role Based Access Control"; | 	return "LAB: Role Based Access Control"; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|  |  | ||||||
|     public String getSourceFileName() |  | ||||||
|     { |  | ||||||
| 	// FIXME: Need to generalize findSourceResource() and use it on the currently active  |  | ||||||
| 	// LessonAction delegate to get its source file. |  | ||||||
| 	//return findSourceResource(getCurrentLessonScreen()....); |  | ||||||
| 	return super.getSourceFileName(); |  | ||||||
|     } |  | ||||||
|      |  | ||||||
|     public Element getCredits() |  | ||||||
|     { |  | ||||||
|     	return super.getCustomCredits("", ASPECT_LOGO); |  | ||||||
|     } |  | ||||||
| } | } | ||||||
|  | |||||||
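Review bot: In the new `catch (UnauthorizedException ue2)` block of the `@ -492,12 +344,53 @@` hunk, the progress messages set by `s.setMessage( "Welcome to stage 3 -- exploiting the data layer" );` and `s.setMessage("Congratulations. You have successfully completed this lesson.");` are followed unconditionally by `s.setMessage("You are not authorized to perform this function");`, so unless WebSession.setMessage appends rather than replaces (not visible here) the user only ever sees the authorization failure even on the request that advanced or completed the stage; set the generic message before the stage checks, or skip it on those branches. The stage-4 handler's `catch (Exception e)` discards the exception entirely, which hides the NumberFormatException or NullPointerException that `Integer.parseInt((String)s.getRequest().getSession().getAttribute(...))` raises when the session attribute is absent; at minimum mirror the stage-2 handler with `e.printStackTrace();` so a broken session state is diagnosable. The indentation of the new block is also inconsistent: the `{` after `catch (UnauthorizedException ue2)` is one level deeper than its `catch`, and the bodies of both inner `try` blocks sit at the same depth as their `try` keyword. The enclosing handleRequest method starts before this hunk and ends after it.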