fix various session issues and cleanup

main change is to force spring security to always send user to welcome.mvc after login which gets their session setup properly before redirecting to start.mvc

webapp/META-INF/context.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Context antiJARLocking="true" path=""/>
+<Context antiJARLocking="true" path="/WebGoat"/>

webapp/WEB-INF/mvc-dispatcher-servlet.xml

@@ -1,50 +1,59 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:p="http://www.springframework.org/schema/p" 
-	xmlns:context="http://www.springframework.org/schema/context"
-	xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans 
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:p="http://www.springframework.org/schema/p" 
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:mvc="http://www.springframework.org/schema/mvc"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans 
 	   		http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
 	   		http://www.springframework.org/schema/context
 	   		http://www.springframework.org/schema/context/spring-context-3.2.xsd
 			http://www.springframework.org/schema/mvc 
 			http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
 
-    	<context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons, org.owasp.webgoat.service" />
+    <context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons, org.owasp.webgoat.service" />
 	
-	<!--
-	put custom validators here.  E.g.:
-	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
-	-->
+    <!--
+    put custom validators here.  E.g.:
+    <bean class="org.owasp.webgoat.validators.MyCustomValidator" />
+    -->
 	
-	<!-- Activates various annotations to be detected in bean classes -->
-	<context:annotation-config />
+    <!-- Activates various annotations to be detected in bean classes -->
+    <context:annotation-config />
 	
-	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
-	<mvc:annotation-driven /> 
+    <!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
+    <mvc:annotation-driven /> 
 	
-	<!-- Import Tiles-related configuration -->
-	<!--import resource="tiles-context.xml" /-->
+    <!-- Import Tiles-related configuration -->
+    <!--import resource="tiles-context.xml" /-->
 	
 		
-	<!-- Declare a view resolver -->
-	<!-- Take note of the order. Since we're using TilesViewResolver as well 
-		 We need to define which ViewResolver is called first. 
-		 We chose this InternalResourceViewResolver to be at the bottom order -->
-	<bean 
-		id="viewResolver" 
-		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
-    	p:prefix="/WEB-INF/pages/" 
-    	p:suffix=".jsp" 
-    	p:order="1"/>
+    <!-- Declare a view resolver -->
+    <!-- Take note of the order. Since we're using TilesViewResolver as well 
+    We need to define which ViewResolver is called first. 
+    We chose this InternalResourceViewResolver to be at the bottom order -->
+    <bean 
+        id="viewResolver" 
+        class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
+        p:prefix="/WEB-INF/pages/" 
+        p:suffix=".jsp" 
+        p:order="1"/>
+        
+    <mvc:interceptors>
+        <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
+            <property name="cacheSeconds" value="0" />
+            <property name="useExpiresHeader" value="true" />
+            <property name="useCacheControlHeader" value="true" />
+            <property name="useCacheControlNoStore" value="true" />
+        </bean>
+    </mvc:interceptors>
     	
 	
- 	<!-- Register the Customer.properties 
-	<bean id="messageSource"
-		class="org.springframework.context.support.ResourceBundleMessageSource">
-		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
-	</bean>
-	-->
+    <!-- Register the Customer.properties 
+    <bean id="messageSource"
+            class="org.springframework.context.support.ResourceBundleMessageSource">
+            <property name="basename" value="org/owasp/webgoat/properties/Customer" />
+    </bean>
+    -->
 
 </beans>

webapp/WEB-INF/spring-security.xml

@@ -14,6 +14,9 @@
     <http pattern="/css/**" security="none"/>
     <http pattern="/images/**" security="none"/>
     <http pattern="/javascript/**" security="none"/>
+    <http pattern="/js/**" security="none"/>
+    <http pattern="/fonts/**" security="none"/>
+    <http pattern="/plugins/**" security="none"/>    
     <http pattern="/favicon.ico" security="none"/>    
     <http use-expressions="true">  
         <intercept-url pattern="/login.mvc" access="permitAll" />
@@ -26,7 +29,8 @@
             default-target-url="/welcome.mvc" 
             authentication-failure-url="/login.mvc?error" 
             username-parameter="username"
-            password-parameter="password" />
+            password-parameter="password"
+            always-use-default-target="true"/>
         <logout logout-url="/j_spring_security_logout" logout-success-url="/logout.mvc" />
         <!-- enable csrf protection -->
         <!--csrf/-->