fix session timeout issue

removed tiles
various small cleanups
added session service to aid in debugging session issues

java/org/owasp/webgoat/service/BaseService.java

@@ -1,35 +1,41 @@
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
  * Copyright (c) 2002 - 2007 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
  * Getting Source ==============
- * 
- * Source for this application is maintained at code.google.com, a repository for free software
- * projects.
- * 
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
  * For details, please see http://code.google.com/p/webgoat/
  */
 package org.owasp.webgoat.service;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
+import org.owasp.webgoat.controller.Welcome;
 import org.owasp.webgoat.session.WebSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -43,23 +49,26 @@ import org.springframework.web.bind.annotation.ResponseStatus;
 @RequestMapping("/service")
 public abstract class BaseService {
 
+    final Logger logger = LoggerFactory.getLogger(BaseService.class);
+
     @ExceptionHandler(Exception.class)
     @ResponseStatus(value = HttpStatus.I_AM_A_TEAPOT)
     public @ResponseBody
     ExceptionInfo handleException(HttpServletRequest request, Exception ex) {
-
+        String url = request.getRequestURL().toString();
+        logger.error("Exception handler for service caught exception when processing: " + url, ex);
         ExceptionInfo response = new ExceptionInfo();
-        response.setUrl(request.getRequestURL().toString());
-        response.setMessage(ex.getMessage());
+        response.setUrl(url);
+        response.setMessage(ex.toString());
 
         return response;
     }
 
-    public WebSession getWebSesion(HttpSession session) {
+    public WebSession getWebSession(HttpSession session) {
         WebSession ws;
         Object o = session.getAttribute(WebSession.SESSION);
         if (o == null || !(o instanceof WebSession)) {
-            throw new IllegalArgumentException("No valid session object found, has session timed out?");
+            throw new IllegalArgumentException("No valid session object found, has session timed out? [" + session.getId() + "]");
         }
         ws = (WebSession) o;
         return ws;

java/org/owasp/webgoat/service/CookieService.java

@@ -54,7 +54,7 @@ public class CookieService extends BaseService {
     @RequestMapping(value = "/cookie.mvc", produces = "application/json")
     public @ResponseBody
     List<Cookie> showCookies(HttpSession session) {
-        WebSession ws = getWebSesion(session);
+        WebSession ws = getWebSession(session);
         List<Cookie> cookies = ws.getCookiesOnLastRequest();
         return cookies;
     }

java/org/owasp/webgoat/service/HintService.java

@@ -32,7 +32,7 @@ public class HintService extends BaseService {
     public @ResponseBody
     List<Hint> showHint(HttpSession session) {
         List<Hint> listHints = new ArrayList<Hint>();
-        WebSession ws = getWebSesion(session);
+        WebSession ws = getWebSession(session);
         AbstractLesson l = ws.getCurrentLesson();
         if (l == null) {
             return listHints;

java/org/owasp/webgoat/service/LessonMenuService.java

@@ -58,9 +58,9 @@ public class LessonMenuService extends BaseService {
     public @ResponseBody
     List<LessonMenuItem> showLeftNav(HttpSession session) {
         List<LessonMenuItem> menu = new ArrayList<LessonMenuItem>();
-        WebSession ws = getWebSesion(session);
+        WebSession ws = getWebSession(session);
         // Get the categories, these are the main menu items
-        Course course = ((Course) session.getAttribute("course"));
+        Course course = ws.getCourse();
         List<Category> categories = course.getCategories();
 
         for (Category category : categories) {

java/org/owasp/webgoat/service/LessonPlanService.java

@@ -0,0 +1,94 @@
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ */
+package org.owasp.webgoat.service;
+
+import javax.servlet.http.HttpSession;
+import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
+import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.model.SourceListing;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class LessonPlanService extends BaseService {
+
+    /**
+     * Returns source for current attack
+     *
+     * @param session
+     * @return
+     */
+    @RequestMapping(value = "/lessonplan.mvc", produces = "application/json")
+    public @ResponseBody
+    SourceListing showSource(HttpSession session) {
+        WebSession ws = getWebSession(session);
+        String source = getSource(ws);
+        SourceListing sl = new SourceListing();
+        sl.setSource(source);
+        return sl;
+    }
+
+    /**
+     * Description of the Method
+     *
+     * @param s Description of the Parameter
+     * @return Description of the Return Value
+     */
+    protected String getSource(WebSession s) {
+
+        String source = null;
+        int scr = s.getCurrentScreen();
+        Course course = s.getCourse();
+
+        if (s.isUser() || s.isChallenge()) {
+
+            AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+
+            if (lesson != null) {
+                source = lesson.getRawSource(s);
+            }
+        }
+        if (source == null) {
+            return "Source code is not available. Contact "
+                    + s.getWebgoatContext().getFeedbackAddressHTML();
+        }
+        return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
+                "Code Section Deliberately Omitted"));
+    }
+}

java/org/owasp/webgoat/service/ParameterService.java

@@ -62,7 +62,7 @@ public class ParameterService extends BaseService {
     public @ResponseBody
     List<RequestParameter> showParameters(HttpSession session) {
         List<RequestParameter> listParms = new ArrayList<RequestParameter>();
-        WebSession ws = getWebSesion(session);
+        WebSession ws = getWebSession(session);
         listParms = ws.getParmsOnLastRequest();
         Collections.sort(listParms);
         return listParms;

java/org/owasp/webgoat/service/SessionService.java

@@ -0,0 +1,57 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.service;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.List;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class SessionService extends BaseService {
+
+    /**
+     * Returns hints for current lesson
+     *
+     * @param session
+     * @return
+     */
+    @RequestMapping(value = "/session.mvc", produces = "application/json")
+    public @ResponseBody
+    String showSession(HttpServletRequest request, HttpSession session) {
+        StringBuilder sb = new StringBuilder();
+        sb.append("id").append(" = ").append(session.getId()).append("\n");
+        sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
+        sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
+        sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
+        sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
+        sb.append("session from url?").append(" = ").append(request.isRequestedSessionIdFromURL()).append("\n");
+        sb.append("=====================================\n");
+        // get attributes
+        List<String> attributes = new ArrayList<String>();
+        Enumeration keys = session.getAttributeNames();
+        while (keys.hasMoreElements()) {
+            String name = (String) keys.nextElement();
+            attributes.add(name);
+        }
+        Collections.sort(attributes);
+        for (String attribute : attributes) {
+            String value = session.getAttribute(attribute) + "";
+            sb.append(attribute).append(" = ").append(value).append("\n");
+        }
+        return sb.toString();
+    }
+}

java/org/owasp/webgoat/service/SolutionService.java

@@ -0,0 +1,85 @@
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ */
+package org.owasp.webgoat.service;
+
+import javax.servlet.http.HttpSession;
+import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
+import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.model.SourceListing;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class SolutionService extends BaseService {
+
+    /**
+     * Returns solution for current attack
+     *
+     * @param session
+     * @return
+     */
+    @RequestMapping(value = "/solution.mvc", produces = "text/html")
+    public @ResponseBody
+    String showSolution(HttpSession session) {
+        WebSession ws = getWebSession(session);
+        String source = getSolution(ws);
+        return source;
+    }
+
+    protected String getSolution(WebSession s) {
+
+        String source = null;
+        int scr = s.getCurrentScreen();
+        Course course = s.getCourse();
+
+        if (s.isUser() || s.isChallenge()) {
+
+            AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+
+            if (lesson != null) {
+                source = lesson.getSolution(s);
+            }
+        }
+        if (source == null) {
+            return "Solution  is not available. Contact "
+                    + s.getWebgoatContext().getFeedbackAddressHTML();
+        }
+        return (source);
+    }
+}

java/org/owasp/webgoat/service/SourceService.java

@@ -57,7 +57,7 @@ public class SourceService extends BaseService {
     @RequestMapping(value = "/source.mvc", produces = "application/json")
     public @ResponseBody
     SourceListing showSource(HttpSession session) {
-        WebSession ws = getWebSesion(session);
+        WebSession ws = getWebSession(session);
         String source = getSource(ws);
         SourceListing sl = new SourceListing();
         sl.setSource(source);