- Introduced user registration

- Now using Spring Boot for classloading, this way local development does not need to restart the complete server - Fixed all kinds of dependencies on the names of the lessons necessary to keep in mind during the creation of a lesson. - Simplied loading of resources, by adding resource mappings in MvcConfig. - Refactored plugin loading, now only one class is left for loading the lessons.
2017-02-25 12:15:07 +01:00
parent 9b86aaba05
commit 259fd19c1b
221 changed files with 1179 additions and 1083 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@ -1,6 +1,6 @@

 /**
- *************************************************************************************************
+ * ************************************************************************************************
 * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
 * please see http://www.owasp.org/
 * <p>
@ -25,11 +25,13 @@
 * <p>
 *
 * @author WebGoat
- * @since  December 12, 2015
 * @version $Id: $Id
+ * @since December 12, 2015
 */
 package org.owasp.webgoat;

+import lombok.AllArgsConstructor;
+import org.owasp.webgoat.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@ -45,16 +47,20 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 * Security configuration for WebGoat.
 */
@Configuration
+@AllArgsConstructor
@EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    private final UserService userDetailsService;
+
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
                .authorizeRequests()
-                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**").permitAll()
+                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll()
                .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
                .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
-                .anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN");
+                .anyRequest().authenticated();
        security.and()
                .formLogin()
                .loginPage("/login")
@ -79,15 +85,12 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-        auth.inMemoryAuthentication()
-                .withUser("guest").password("guest").roles("WEBGOAT_USER").and() //
-                .withUser("webgoat").password("webgoat").roles("WEBGOAT_ADMIN").and() //
-                .withUser("server").password("server").roles("SERVER_ADMIN");
+        auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder());
    }

    @Bean
    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
-        return super.userDetailsServiceBean();
+        return userDetailsService;
    }
 }