dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

migrate from container managed authentication to spring security

Browse Source 
updated spring and spring security versions
This commit is contained in:
lawson89 2014-05-29 18:43:40 -04:00
parent 204bfce794
commit 617d16d8a7
6 changed files with 501 additions and 478 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
/nb-configuration.xml
/nbactions.xml

2
pom.xml
View File

@ -17,7 +17,7 @@
<!-- Shared version number properties --> <!-- Shared version number properties -->
<properties> <properties>
<org.springframework.version>3.2.4.RELEASE</org.springframework.version> <org.springframework.version>3.2.4.RELEASE</org.springframework.version>
<spring.security.version>3.1.2.RELEASE</spring.security.version> <spring.security.version>3.2.4.RELEASE</spring.security.version>
<tiles.version>2.2.2</tiles.version> <tiles.version>2.2.2</tiles.version>
</properties> </properties>

2
webapp/META-INF/context.xml Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path=""/>

6
webapp/WEB-INF/mvc-dispatcher-servlet.xml
View File

@ -5,11 +5,11 @@
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd"> http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
<context:component-scan base-package="org.owasp.webgoat.lessons" /> <context:component-scan base-package="org.owasp.webgoat.lessons" />

51
webapp/WEB-INF/spring-security.xml
View File

@ -1,28 +1,45 @@
<beans:beans xmlns="http://www.springframework.org/schema/security" <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd"> http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- <!--
PCS 8/27/2012 PCS 8/27/2012
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control. NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue. That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
--> -->
<http auto-config='true'> <http>
<intercept-url pattern="/**" access="ROLE_USER" /> <intercept-url pattern="/servlet/AdminServlet/**" access="ROLE_WEBGOAT_ADMIN" />
<http-basic/> <intercept-url pattern="/JavaSource/**" access="ROLE_SERVER_ADMIN" />
<intercept-url pattern="/**" access="ROLE_WEBGOAT_USER" />
<http-basic />
</http> </http>
<!-- Authentication Manager --> <!-- Authentication Manager -->
<authentication-manager alias="authenticationManager"> <authentication-manager alias="authenticationManager">
<authentication-provider> <authentication-provider>
<user-service> <user-service>
<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP -->
<user name="guest" password="guest" authorities="ROLE_USER" /> <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
</user-service> <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
</authentication-provider> <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager> </authentication-manager>
<!-- Role hierarchy -->
<!--
<beans:bean id="roleHierarchy"
class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<beans:property name="hierarchy">
<beans:value>
server_admin > webgoat_admin
webgoat_admin > webgoat_challenge
webgoat_challenge > webgoat_user
</beans:value>
</beans:property>
</beans:bean>
-->
</beans:beans> </beans:beans>

22
webapp/WEB-INF/web.xml
View File

@ -287,12 +287,10 @@
</servlet-mapping> </servlet-mapping>
<!-- uncomment this if you want the admin servlet --> <!-- uncomment this if you want the admin servlet -->
<!--
<servlet-mapping> <servlet-mapping>
<servlet-name>AdminServlet</servlet-name> <servlet-name>AdminServlet</servlet-name>
<url-pattern>/servlet/AdminServlet</url-pattern> <url-pattern>/servlet/AdminServlet</url-pattern>
</servlet-mapping> </servlet-mapping>
-->
<servlet-mapping> <servlet-mapping>
<servlet-name>WebGoat</servlet-name> <servlet-name>WebGoat</servlet-name>
@ -332,6 +330,7 @@
</mime-mapping> </mime-mapping>
<!-- Define reference to the user database for looking up roles --> <!-- Define reference to the user database for looking up roles -->
<!--
<resource-env-ref> <resource-env-ref>
<description> <description>
Link to the UserDatabase instance from which we request lists of Link to the UserDatabase instance from which we request lists of
@ -344,9 +343,10 @@
org.apache.catalina.UserDatabase org.apache.catalina.UserDatabase
</resource-env-ref-type> </resource-env-ref-type>
</resource-env-ref> </resource-env-ref>
-->
<!-- Define a Security Constraint on this Application --> <!-- Define a Security Constraint on this Application -->
<!--
<security-constraint> <security-constraint>
<web-resource-collection> <web-resource-collection>
<web-resource-name>WebGoat Application</web-resource-name> <web-resource-name>WebGoat Application</web-resource-name>
@ -368,15 +368,17 @@
<role-name>server_admin</role-name> <role-name>server_admin</role-name>
</auth-constraint> </auth-constraint>
</security-constraint> </security-constraint>
-->
<!-- Login configuration uses BASIC authentication --> <!-- Login configuration uses BASIC authentication -->
<!--
<login-config> <login-config>
<auth-method>BASIC</auth-method> <auth-method>BASIC</auth-method>
<realm-name>WebGoat Application</realm-name> <realm-name>WebGoat Application</realm-name>
</login-config> </login-config>
-->
<!-- Security roles referenced by this web application --> <!-- Security roles referenced by this web application -->
<!--
<security-role> <security-role>
<description>The role that is required to administrate WebGoat</description> <description>The role that is required to administrate WebGoat</description>
<role-name>webgoat_admin</role-name> <role-name>webgoat_admin</role-name>
@ -392,10 +394,10 @@
<role-name>webgoat_user</role-name> <role-name>webgoat_user</role-name>
</security-role> </security-role>
<security-role> <security-role>
<description>This role is for admins only</description> <description>This role is for admins only</description>
<role-name>server_admin</role-name> <role-name>server_admin</role-name>
</security-role> </security-role>
-->
</web-app> </web-app>