Travis now builds Docker and create a Github release.

Removed ActiveMQ between WebGoat and WebWolf they now act as standalone applications
2017-10-13 23:30:22 +02:00
parent 50543a9b55
commit 3ee1a1ca16
43 changed files with 291 additions and 453 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
@ -1,23 +1,15 @@
 package org.owasp.webgoat;

 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.login.LoginEvent;
 import org.owasp.webgoat.session.Course;
-import org.owasp.webgoat.users.WebGoatUser;
-import org.springframework.jms.core.JmsTemplate;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.servlet.ModelAndView;

-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.util.Optional;
-
-import static java.util.Optional.empty;
-import static java.util.Optional.of;

 /**
 * *************************************************************************************************
@ -58,34 +50,12 @@ import static java.util.Optional.of;
 public class HammerHead {

    private final Course course;
-    private JmsTemplate jmsTemplate;

    /**
     * Entry point for WebGoat, redirects to the first lesson found within the course.
     */
    @RequestMapping(path = "/attack", method = {RequestMethod.GET, RequestMethod.POST})
    public ModelAndView attack(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
-        sendUserLoggedInMessage(request, response, authentication);
        return new ModelAndView("redirect:" + "start.mvc" + course.getFirstLesson().getLink());
    }
-
-    private void sendUserLoggedInMessage(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
-        WebGoatUser user = (WebGoatUser) authentication.getPrincipal();
-        getWebGoatCookie(request).ifPresent(c -> {
-            jmsTemplate.convertAndSend("webgoat", new LoginEvent(user.getUsername(), c.getValue()), m -> {
-                        m.setStringProperty("type", LoginEvent.class.getSimpleName());
-                        return m;
-                    }
-            );
-        });
-    }
-
-    private Optional<Cookie> getWebGoatCookie(HttpServletRequest request) {
-        for (Cookie c : request.getCookies()) {
-            if (c.getName().equals("JSESSIONID")) {
-                return of(c);
-            }
-        }
-        return empty();
-    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/JmsConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/JmsConfig.java
@ -1,35 +0,0 @@
-package org.owasp.webgoat;
-
-import com.fasterxml.jackson.databind.ObjectMapper;
-import org.apache.activemq.broker.BrokerService;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
-import org.springframework.jms.support.converter.MessageConverter;
-import org.springframework.jms.support.converter.MessageType;
-
-/**
- * @author nbaars
- * @since 8/20/17.
- */
-@Configuration
-public class JmsConfig {
-
-    @Bean(initMethod = "start", destroyMethod = "stop")
-    public BrokerService broker() throws Exception {
-        final BrokerService broker = new BrokerService();
-        broker.addConnector("tcp://localhost:61616");
-        broker.addConnector("vm://localhost");
-        broker.setPersistent(false);
-        return broker;
-    }
-
-    @Bean
-    public MessageConverter jacksonJmsMessageConverter(ObjectMapper objectMapper) {
-        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
-        converter.setTargetType(MessageType.TEXT);
-        converter.setObjectMapper(objectMapper);
-        converter.setTypeIdPropertyName("_type");
-        return converter;
-    }
-}
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
@ -50,6 +50,7 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.web.client.RestTemplate;

 import java.io.File;
 import java.util.Arrays;
@ -94,6 +95,11 @@ public class WebGoat extends SpringBootServletInitializer {
        return new PluginsLoader(pluginEndpointPublisher).loadPlugins();
    }

+    @Bean
+    public RestTemplate restTemplate() {
+        return new RestTemplate();
+    }
+
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
--- a/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
@ -31,7 +31,6 @@
 package org.owasp.webgoat;

 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.login.LogoutHandler;
 import org.owasp.webgoat.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@ -53,7 +52,6 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserService userDetailsService;
-    private final LogoutHandler logoutHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
@ -71,8 +69,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
                .passwordParameter("password")
                .permitAll();
        security.and()
-                .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true)
-                .permitAll().logoutSuccessHandler(logoutHandler);
+                .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
        security.and().csrf().disable();

        http.headers().cacheControl().disable();
--- a/webgoat-container/src/main/java/org/owasp/webgoat/login/LogoutHandler.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/login/LogoutHandler.java
@ -1,47 +0,0 @@
-package org.owasp.webgoat.login;
-
-import lombok.AllArgsConstructor;
-import org.owasp.webgoat.users.WebGoatUser;
-import org.springframework.jms.core.JmsTemplate;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
-import org.springframework.stereotype.Component;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.Optional;
-
-/**
- * @author nbaars
- * @since 8/20/17.
- */
-@AllArgsConstructor
-@Component
-public class LogoutHandler extends SimpleUrlLogoutSuccessHandler {
-
-    private JmsTemplate jmsTemplate;
-
-    @Override
-    public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
-        if (authentication != null) {
-            WebGoatUser user = (WebGoatUser) authentication.getPrincipal();
-            jmsTemplate.convertAndSend("webgoat", new LogoutEvent(user.getUsername()), m -> {
-                m.setStringProperty("type", LogoutEvent.class.getSimpleName());
-                return m;
-            });
-        }
-        super.onLogoutSuccess(httpServletRequest, httpServletResponse, authentication);
-    }
-
-    private Optional<Cookie> findSessionCookie(Cookie[] cookies) {
-        for (Cookie cookie : cookies) {
-            if ("JSESSIONID".equals(cookie.getName())) {
-                return Optional.of(cookie);
-            }
-        }
-        return Optional.empty();
-    }
-}
--- a/webgoat-container/src/main/resources/application.properties
+++ b/webgoat-container/src/main/resources/application.properties
@ -28,17 +28,20 @@ webgoat.feedback.address.html=<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org
 webgoat.database.driver=org.hsqldb.jdbcDriver
 webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en
+webgoat.embedded.mongo=${WG_INTERNAL_MONGO:true}

 webwolf.port=8081
 webwolf.url=http://localhost:${webwolf.port}/WebWolf
 webworf.url.landingpage=http://localhost:${webwolf.port}/landing
+webworf.url.mail=http://localhost:${webwolf.port}/mail

 spring.jackson.serialization.indent_output=true
 spring.jackson.serialization.write-dates-as-timestamps=false

-spring.activemq.brokerUrl=tcp://localhost:61616
+spring.activemq.brokerUrl=tcp://${WG_MQ_HOST:localhost}:${WG_MQ_PORT:61616}

-spring.data.mongodb.port=27017
+spring.data.mongodb.host=${WG_MONGO_HOST:localhost}
+spring.data.mongodb.port=${WG_MONGO_PORT:27017}
 spring.data.mongodb.database=webgoat
 spring.mongodb.embedded.storage.databaseDir=${webgoat.user.directory}/mongodb/