Fix Java 11 issue where the order of methods returned in AssignmentEndpoint subclasses returned wrong method for determining the mapping of an assignment. Now we walk over all methods until we find one which has for example a @GetMapping with AttackResult or ResponseEntity<AttackResult as return type. If no such method is found an exception is thrown

webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java

@@ -27,8 +27,6 @@ import org.apache.commons.lang3.ArrayUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
-import org.owasp.webgoat.lessons.Lesson;
-import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.session.Course;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -39,6 +37,7 @@ import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 
 import java.lang.reflect.Method;
+import java.lang.reflect.ParameterizedType;
 import java.util.*;
 
 import static java.util.stream.Collectors.groupingBy;
@@ -75,16 +74,26 @@ public class CourseConfiguration {
 
     private String getPath(Class<? extends AssignmentEndpoint> e) {
         for (Method m : e.getMethods()) {
-            if (m.getReturnType() == AttackResult.class) {
+            if (methodReturnTypeIsOfTypeAttackResult(m)) {
                 var mapping = getMapping(m);
-                if (mapping == null) {
+                if (mapping != null) {
-                    log.error("AttackResult method found without mapping in: {}", e.getSimpleName());
-                } else {
                     return mapping;
                 }
             }
         }
-        return "none";
+        throw new IllegalStateException("Assignment endpoint: " + e + " has no mapping like @GetMapping/@PostMapping etc," +
+                "with return type 'AttackResult' or 'ResponseEntity<AttackResult>' please consider adding one");
+    }
+
+    private boolean methodReturnTypeIsOfTypeAttackResult(Method m) {
+        if (m.getReturnType() == AttackResult.class) {
+            return true;
+        }
+        var genericType = m.getGenericReturnType();
+        if (genericType instanceof ParameterizedType) {
+            return ((ParameterizedType) m.getGenericReturnType()).getActualTypeArguments()[0] == AttackResult.class;
+        }
+        return false;
     }
 
     private String getMapping(Method m) {
@@ -100,9 +109,9 @@ public class CourseConfiguration {
             paths = ArrayUtils.addAll(m.getAnnotation(PutMapping.class).value(), m.getAnnotation(PutMapping.class).path());
         }
         if (paths == null) {
-            return "";
+            return null;
         } else {
-            return Arrays.stream(paths).filter(path -> !"".equals(path)).findFirst().orElseGet(() -> "");
+            return Arrays.stream(paths).filter(path -> !"".equals(path)).findFirst().orElse("");
         }
     }
 

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTRefreshEndpoint.java

@@ -26,6 +26,7 @@ import io.jsonwebtoken.*;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
@@ -82,7 +83,7 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
 
     @PostMapping("/JWT/refresh/checkout")
     @ResponseBody
-    public ResponseEntity<?> checkout(@RequestHeader(value = "Authorization", required = false) String token) {
+    public ResponseEntity<AttackResult> checkout(@RequestHeader(value = "Authorization", required = false) String token) {
         if (token == null) {
             return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
         }