fix various session issues and cleanup

main change is to force spring security to always send user to welcome.mvc after login which gets their session setup properly before redirecting to start.mvc

java/org/owasp/webgoat/HammerHead.java

@@ -182,9 +182,10 @@ public class HammerHead extends HttpServlet {
                 clientBrowser = userAgent;
             }
             request.setAttribute("client.browser", clientBrowser);
-            request.getSession().setAttribute(WebSession.SESSION, mySession);
+            // removed - this is being done in updateSession call
+            //request.getSession().setAttribute(WebSession.SESSION, mySession);
             // not sure why this is being set in the session?
-            request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
+            //request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
             String viewPage = getViewPage(mySession);
             logger.debug("Forwarding to view: " + viewPage);
             logger.debug("Screen: " + screen);
@@ -374,7 +375,8 @@ public class HammerHead extends HttpServlet {
     protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
             throws IOException {
         HttpSession hs;
-        hs = request.getSession(true);
+        // session should already be created by spring security
+        hs = request.getSession(false);
 
         logger.debug("HH Entering Session_id: " + hs.getId());
         // dumpSession( hs );
@@ -384,6 +386,7 @@ public class HammerHead extends HttpServlet {
 
         if ((o != null) && o instanceof WebSession) {
             session = (WebSession) o;
+            hs.setAttribute(WebSession.COURSE, session.getCourse());
         } else {
             // Create new custom session and save it in the HTTP session
             logger.warn("HH Creating new WebSession");
@@ -394,13 +397,12 @@ public class HammerHead extends HttpServlet {
             hs.setAttribute(WebSession.SESSION, session);
             // reset timeout
             hs.setMaxInactiveInterval(sessionTimeoutSeconds);
-
         }
 
+        session.update(request, response, this.getServletName());
         // update last attack request info (cookies, parms)
         // this is so the REST services can have access to them via the session 
         session.updateLastAttackRequestInfo(request);
-        session.update(request, response, this.getServletName());
 
         // to authenticate
         logger.debug("HH Leaving Session_id: " + hs.getId());

java/org/owasp/webgoat/service/BaseService.java

@@ -67,8 +67,11 @@ public abstract class BaseService {
     public WebSession getWebSession(HttpSession session) {
         WebSession ws;
         Object o = session.getAttribute(WebSession.SESSION);
-        if (o == null || !(o instanceof WebSession)) {
-            throw new IllegalArgumentException("No valid session object found, has session timed out? [" + session.getId() + "]");
+        if (o == null) {
+            throw new IllegalArgumentException("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
+        }
+        if (!(o instanceof WebSession)) {
+            throw new IllegalArgumentException("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
         }
         ws = (WebSession) o;
         return ws;

java/org/owasp/webgoat/session/WebSession.java

@@ -782,6 +782,8 @@ public class WebSession {
         // System.out.println("Previous Screen 1: " + previousScreen );
         // FIXME: requires ?Logout=true
         // FIXME: doesn't work right -- no reauthentication
+        // REMOVED - we have explicit logout now via spriing security
+        /*
         if (myParser.getRawParameter(LOGOUT, null) != null) {
             System.out.println("Logout " + request.getUserPrincipal());
             eatCookies();
@@ -789,6 +791,7 @@ public class WebSession {
             currentScreen = WELCOME;
             previousScreen = ERROR;
         }
+        */
 
         // There are several scenarios where we want the first lesson to be loaded
         // 1) Previous screen is Welcome - Start of the course

webapp/META-INF/context.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Context antiJARLocking="true" path=""/>
+<Context antiJARLocking="true" path="/WebGoat"/>

webapp/WEB-INF/mvc-dispatcher-servlet.xml

@@ -39,6 +39,15 @@
         p:suffix=".jsp" 
         p:order="1"/>
         
+    <mvc:interceptors>
+        <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
+            <property name="cacheSeconds" value="0" />
+            <property name="useExpiresHeader" value="true" />
+            <property name="useCacheControlHeader" value="true" />
+            <property name="useCacheControlNoStore" value="true" />
+        </bean>
+    </mvc:interceptors>
+    	
 	
     <!-- Register the Customer.properties 
     <bean id="messageSource"

webapp/WEB-INF/spring-security.xml

@@ -14,6 +14,9 @@
     <http pattern="/css/**" security="none"/>
     <http pattern="/images/**" security="none"/>
     <http pattern="/javascript/**" security="none"/>
+    <http pattern="/js/**" security="none"/>
+    <http pattern="/fonts/**" security="none"/>
+    <http pattern="/plugins/**" security="none"/>    
     <http pattern="/favicon.ico" security="none"/>    
     <http use-expressions="true">  
         <intercept-url pattern="/login.mvc" access="permitAll" />
@@ -26,7 +29,8 @@
             default-target-url="/welcome.mvc" 
             authentication-failure-url="/login.mvc?error" 
             username-parameter="username"
-            password-parameter="password" />
+            password-parameter="password"
+            always-use-default-target="true"/>
         <logout logout-url="/j_spring_security_logout" logout-success-url="/logout.mvc" />
         <!-- enable csrf protection -->
         <!--csrf/-->