fix various session issues and cleanup

main change is to force spring security to always send user to welcome.mvc after login which gets their session setup properly before redirecting to start.mvc

java/org/owasp/webgoat/HammerHead.java

@@ -182,9 +182,10 @@ public class HammerHead extends HttpServlet {
                 clientBrowser = userAgent;
             }
             request.setAttribute("client.browser", clientBrowser);
-            request.getSession().setAttribute(WebSession.SESSION, mySession);
+            // removed - this is being done in updateSession call
+            //request.getSession().setAttribute(WebSession.SESSION, mySession);
             // not sure why this is being set in the session?
-            request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
+            //request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
             String viewPage = getViewPage(mySession);
             logger.debug("Forwarding to view: " + viewPage);
             logger.debug("Screen: " + screen);
@@ -374,7 +375,8 @@ public class HammerHead extends HttpServlet {
     protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
             throws IOException {
         HttpSession hs;
-        hs = request.getSession(true);
+        // session should already be created by spring security
+        hs = request.getSession(false);
 
         logger.debug("HH Entering Session_id: " + hs.getId());
         // dumpSession( hs );
@@ -384,6 +386,7 @@ public class HammerHead extends HttpServlet {
 
         if ((o != null) && o instanceof WebSession) {
             session = (WebSession) o;
+            hs.setAttribute(WebSession.COURSE, session.getCourse());
         } else {
             // Create new custom session and save it in the HTTP session
             logger.warn("HH Creating new WebSession");
@@ -394,13 +397,12 @@ public class HammerHead extends HttpServlet {
             hs.setAttribute(WebSession.SESSION, session);
             // reset timeout
             hs.setMaxInactiveInterval(sessionTimeoutSeconds);
-
         }
 
+        session.update(request, response, this.getServletName());
         // update last attack request info (cookies, parms)
         // this is so the REST services can have access to them via the session 
         session.updateLastAttackRequestInfo(request);
-        session.update(request, response, this.getServletName());
 
         // to authenticate
         logger.debug("HH Leaving Session_id: " + hs.getId());

java/org/owasp/webgoat/service/BaseService.java

@@ -67,8 +67,11 @@ public abstract class BaseService {
     public WebSession getWebSession(HttpSession session) {
         WebSession ws;
         Object o = session.getAttribute(WebSession.SESSION);
-        if (o == null || !(o instanceof WebSession)) {
+        if (o == null) {
-            throw new IllegalArgumentException("No valid session object found, has session timed out? [" + session.getId() + "]");
+            throw new IllegalArgumentException("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
+        }
+        if (!(o instanceof WebSession)) {
+            throw new IllegalArgumentException("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
         }
         ws = (WebSession) o;
         return ws;

java/org/owasp/webgoat/session/WebSession.java

@@ -782,6 +782,8 @@ public class WebSession {
         // System.out.println("Previous Screen 1: " + previousScreen );
         // FIXME: requires ?Logout=true
         // FIXME: doesn't work right -- no reauthentication
+        // REMOVED - we have explicit logout now via spriing security
+        /*
         if (myParser.getRawParameter(LOGOUT, null) != null) {
             System.out.println("Logout " + request.getUserPrincipal());
             eatCookies();
@@ -789,6 +791,7 @@ public class WebSession {
             currentScreen = WELCOME;
             previousScreen = ERROR;
         }
+        */
 
         // There are several scenarios where we want the first lesson to be loaded
         // 1) Previous screen is Welcome - Start of the course

webapp/META-INF/context.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Context antiJARLocking="true" path=""/>
+<Context antiJARLocking="true" path="/WebGoat"/>

webapp/WEB-INF/mvc-dispatcher-servlet.xml

@@ -1,50 +1,59 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:p="http://www.springframework.org/schema/p" 
+       xmlns:p="http://www.springframework.org/schema/p" 
-	xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:context="http://www.springframework.org/schema/context"
-	xmlns:mvc="http://www.springframework.org/schema/mvc"
+       xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans 
+       xsi:schemaLocation="http://www.springframework.org/schema/beans 
 	   		http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
 	   		http://www.springframework.org/schema/context
 	   		http://www.springframework.org/schema/context/spring-context-3.2.xsd
 			http://www.springframework.org/schema/mvc 
 			http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
 
-    	<context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons, org.owasp.webgoat.service" />
+    <context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons, org.owasp.webgoat.service" />
 	
-	<!--
+    <!--
-	put custom validators here.  E.g.:
+    put custom validators here.  E.g.:
-	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
+    <bean class="org.owasp.webgoat.validators.MyCustomValidator" />
-	-->
+    -->
 	
-	<!-- Activates various annotations to be detected in bean classes -->
+    <!-- Activates various annotations to be detected in bean classes -->
-	<context:annotation-config />
+    <context:annotation-config />
 	
-	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
+    <!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
-	<mvc:annotation-driven /> 
+    <mvc:annotation-driven /> 
 	
-	<!-- Import Tiles-related configuration -->
+    <!-- Import Tiles-related configuration -->
-	<!--import resource="tiles-context.xml" /-->
+    <!--import resource="tiles-context.xml" /-->
 	
 		
-	<!-- Declare a view resolver -->
+    <!-- Declare a view resolver -->
-	<!-- Take note of the order. Since we're using TilesViewResolver as well 
+    <!-- Take note of the order. Since we're using TilesViewResolver as well 
-		 We need to define which ViewResolver is called first. 
+    We need to define which ViewResolver is called first. 
-		 We chose this InternalResourceViewResolver to be at the bottom order -->
+    We chose this InternalResourceViewResolver to be at the bottom order -->
-	<bean 
+    <bean 
-		id="viewResolver" 
+        id="viewResolver" 
-		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
+        class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
-    	p:prefix="/WEB-INF/pages/" 
+        p:prefix="/WEB-INF/pages/" 
-    	p:suffix=".jsp" 
+        p:suffix=".jsp" 
-    	p:order="1"/>
+        p:order="1"/>
+        
+    <mvc:interceptors>
+        <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
+            <property name="cacheSeconds" value="0" />
+            <property name="useExpiresHeader" value="true" />
+            <property name="useCacheControlHeader" value="true" />
+            <property name="useCacheControlNoStore" value="true" />
+        </bean>
+    </mvc:interceptors>
     	
 	
- 	<!-- Register the Customer.properties 
+    <!-- Register the Customer.properties 
-	<bean id="messageSource"
+    <bean id="messageSource"
-		class="org.springframework.context.support.ResourceBundleMessageSource">
+            class="org.springframework.context.support.ResourceBundleMessageSource">
-		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
+            <property name="basename" value="org/owasp/webgoat/properties/Customer" />
-	</bean>
+    </bean>
-	-->
+    -->
 
 </beans>

webapp/WEB-INF/spring-security.xml

@@ -14,6 +14,9 @@
     <http pattern="/css/**" security="none"/>
     <http pattern="/images/**" security="none"/>
     <http pattern="/javascript/**" security="none"/>
+    <http pattern="/js/**" security="none"/>
+    <http pattern="/fonts/**" security="none"/>
+    <http pattern="/plugins/**" security="none"/>    
     <http pattern="/favicon.ico" security="none"/>    
     <http use-expressions="true">  
         <intercept-url pattern="/login.mvc" access="permitAll" />
@@ -26,7 +29,8 @@
             default-target-url="/welcome.mvc" 
             authentication-failure-url="/login.mvc?error" 
             username-parameter="username"
-            password-parameter="password" />
+            password-parameter="password"
+            always-use-default-target="true"/>
         <logout logout-url="/j_spring_security_logout" logout-success-url="/logout.mvc" />
         <!-- enable csrf protection -->
         <!--csrf/-->