Moved Maven multiproject setup

webgoat-container/src/main/java/org/owasp/webgoat/controller/About.java

@@ -0,0 +1,49 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.controller;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class About {
+    
+    final Logger logger = LoggerFactory.getLogger(About.class);
+    private static final String WELCOMED = "welcomed";
+    
+    @RequestMapping(value = "about.mvc", method = RequestMethod.GET)
+    public ModelAndView welcome(HttpServletRequest request,
+            @RequestParam(value = "error", required = false) String error,
+            @RequestParam(value = "logout", required = false) String logout) {
+
+        // set the welcome attribute
+        // this is so the attack servlet does not also 
+        // send them to the welcome page
+        HttpSession session = request.getSession();
+        if (session.getAttribute(WELCOMED) == null) {
+            session.setAttribute(WELCOMED, "true");
+        }
+        
+        //go ahead and send them to webgoat (skip the welcome page)
+        ModelAndView model = new ModelAndView();
+        //model.setViewName("welcome");
+        //model.setViewName("main_new");
+        model.setViewName("about");
+        return model;
+    }
+    
+}

webgoat-container/src/main/java/org/owasp/webgoat/controller/Login.java

@@ -0,0 +1,39 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class Login {
+
+    @RequestMapping(value = "login.mvc", method = RequestMethod.GET)
+    public ModelAndView login(
+            @RequestParam(value = "error", required = false) String error,
+            @RequestParam(value = "logout", required = false) String logout) {
+
+        ModelAndView model = new ModelAndView();
+        if (error != null) {
+            model.addObject("error", "Invalid username and password!");
+        }
+
+        if (logout != null) {
+            model.addObject("msg", "You've been logged out successfully.");
+        }
+        model.setViewName("login");
+
+        return model;
+
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/controller/Logout.java

@@ -0,0 +1,45 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.controller;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class Logout {
+
+    final Logger logger = LoggerFactory.getLogger(Logout.class);
+
+    @RequestMapping(value = "logout.mvc", method = RequestMethod.GET)
+    public ModelAndView logout(
+            @RequestParam(value = "error", required = false) String error,
+            @RequestParam(value = "logout", required = false) String logout) {
+        
+        logger.info("Logging user out");
+
+        ModelAndView model = new ModelAndView();
+        if (error != null) {
+            model.addObject("error", "Invalid username and password!");
+        }
+
+        if (logout != null) {
+            model.addObject("msg", "You've been logged out successfully.");
+        }
+        model.setViewName("logout");
+
+        return model;
+
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/controller/Start.java

@@ -0,0 +1,97 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.controller;
+
+import java.util.Collection;
+import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.webgoat.application.Application;
+import org.owasp.webgoat.session.WebSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class Start {
+
+    final Logger logger = LoggerFactory.getLogger(Start.class);
+
+    private static final String WELCOMED = "welcomed";
+
+    @Autowired
+    private ServletContext servletContext;
+
+    @RequestMapping(value = "start.mvc", method = {RequestMethod.GET, RequestMethod.POST})
+    public ModelAndView start(HttpServletRequest request,
+            @RequestParam(value = "error", required = false) String error,
+            @RequestParam(value = "logout", required = false) String logout) {
+
+        ModelAndView model = new ModelAndView();
+        // make sure session is set up correctly
+        // if not redirect user to login
+        if (checkWebSession(request.getSession()) == false) {
+            model.setViewName("redirect:/login.mvc");
+            return model;
+        }
+        String role = getRole();
+        String user = request.getUserPrincipal().getName();
+        model.addObject("role", role);
+        model.addObject("user", user);
+
+        String contactEmail = servletContext.getInitParameter("email");
+        model.addObject("contactEmail", contactEmail);
+        String emailList = servletContext.getInitParameter("emaillist");
+        model.addObject("emailList", emailList);
+
+        Application app = Application.getInstance();
+        logger.info("Setting application properties: " + app);
+        model.addObject("version", app.getVersion());
+        model.addObject("build", app.getBuild());
+
+        // if everything ok then go to webgoat UI
+        model.setViewName("main_new");
+        return model;
+    }
+
+    private String getRole() {
+        Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) SecurityContextHolder.getContext().getAuthentication().getAuthorities();
+        String role = "N/A";
+        for (GrantedAuthority authority : authorities) {
+            authority.getAuthority();
+            role = authority.getAuthority();
+            role = StringUtils.lowerCase(role);
+            role = StringUtils.remove(role, "role_");
+            break;
+        }
+        return role;
+    }
+
+    public boolean checkWebSession(HttpSession session) {
+        Object o = session.getAttribute(WebSession.SESSION);
+        if (o == null) {
+            logger.error("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
+            return false;
+        }
+        if (!(o instanceof WebSession)) {
+            logger.error("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
+            return false;
+        }
+        return true;
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java

@@ -0,0 +1,49 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.controller;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class Welcome {
+    
+    final Logger logger = LoggerFactory.getLogger(Welcome.class);
+    private static final String WELCOMED = "welcomed";
+    
+    @RequestMapping(value = "welcome.mvc", method = RequestMethod.GET)
+    public ModelAndView welcome(HttpServletRequest request,
+            @RequestParam(value = "error", required = false) String error,
+            @RequestParam(value = "logout", required = false) String logout) {
+
+        // set the welcome attribute
+        // this is so the attack servlet does not also 
+        // send them to the welcome page
+        HttpSession session = request.getSession();
+        if (session.getAttribute(WELCOMED) == null) {
+            session.setAttribute(WELCOMED, "true");
+        }
+        
+        //go ahead and send them to webgoat (skip the welcome page)
+        ModelAndView model = new ModelAndView();
+        //model.setViewName("welcome");
+        //model.setViewName("main_new");
+        model.setViewName("forward:/attack?start=true");
+        return model;
+    }
+    
+}