migrate from container managed authentication to spring security

Updated the Spring Security version (3.1.2 → 3.2.4) and the Spring XML schema versions (3.0 → 3.2)
This commit is contained in:
lawson89 2014-05-29 18:43:40 -04:00
parent 204bfce794
commit 617d16d8a7
6 changed files with 501 additions and 478 deletions

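--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/nb-configuration.xml
+/nbactions.xml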


@ -17,7 +17,7 @@
<!-- Shared version number properties --> <!-- Shared version number properties -->
<properties> <properties>
<org.springframework.version>3.2.4.RELEASE</org.springframework.version> <org.springframework.version>3.2.4.RELEASE</org.springframework.version>
<spring.security.version>3.1.2.RELEASE</spring.security.version> <spring.security.version>3.2.4.RELEASE</spring.security.version>
<tiles.version>2.2.2</tiles.version> <tiles.version>2.2.2</tiles.version>
</properties> </properties>


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path=""/>


@ -1,50 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/context/spring-context-3.2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd"> http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
<context:component-scan base-package="org.owasp.webgoat.lessons" /> <context:component-scan base-package="org.owasp.webgoat.lessons" />
<!-- <!--
put custom validators here. E.g.: put custom validators here. E.g.:
<bean class="org.owasp.webgoat.validators.MyCustomValidator" /> <bean class="org.owasp.webgoat.validators.MyCustomValidator" />
--> -->
<!-- Activates various annotations to be detected in bean classes --> <!-- Activates various annotations to be detected in bean classes -->
<context:annotation-config /> <context:annotation-config />
<!-- Configures the annotation-driven Spring MVC Controller programming model. --> <!-- Configures the annotation-driven Spring MVC Controller programming model. -->
<mvc:annotation-driven /> <mvc:annotation-driven />
<!-- Import Tiles-related configuration --> <!-- Import Tiles-related configuration -->
<import resource="tiles-context.xml" /> <import resource="tiles-context.xml" />
<!-- Declare a view resolver --> <!-- Declare a view resolver -->
<!-- Take note of the order. Since we're using TilesViewResolver as well <!-- Take note of the order. Since we're using TilesViewResolver as well
We need to define which ViewResolver is called first. We need to define which ViewResolver is called first.
We chose this InternalResourceViewResolver to be at the bottom order --> We chose this InternalResourceViewResolver to be at the bottom order -->
<bean <bean
id="viewResolver" id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver"
p:prefix="/WEB-INF/pages/" p:prefix="/WEB-INF/pages/"
p:suffix=".jsp" p:suffix=".jsp"
p:order="1"/> p:order="1"/>
<!-- Register the Customer.properties <!-- Register the Customer.properties
<bean id="messageSource" <bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource"> class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="org/owasp/webgoat/properties/Customer" /> <property name="basename" value="org/owasp/webgoat/properties/Customer" />
</bean> </bean>
--> -->
</beans> </beans>


@ -1,28 +1,45 @@
<beans:beans xmlns="http://www.springframework.org/schema/security" <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd"> http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- <!--
PCS 8/27/2012 PCS 8/27/2012
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control. NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue. That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
--> -->
<http auto-config='true'> <http>
<intercept-url pattern="/**" access="ROLE_USER" /> <intercept-url pattern="/servlet/AdminServlet/**" access="ROLE_WEBGOAT_ADMIN" />
<http-basic/> <intercept-url pattern="/JavaSource/**" access="ROLE_SERVER_ADMIN" />
</http> <intercept-url pattern="/**" access="ROLE_WEBGOAT_USER" />
<http-basic />
<!-- Authentication Manager --> </http>
<authentication-manager alias="authenticationManager">
<authentication-provider> <!-- Authentication Manager -->
<user-service> <authentication-manager alias="authenticationManager">
<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> <authentication-provider>
<user name="guest" password="guest" authorities="ROLE_USER" /> <user-service>
</user-service> <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP -->
</authentication-provider> <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
</authentication-manager> <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
<user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<!-- Role hierarchy -->
<!--
<beans:bean id="roleHierarchy"
class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<beans:property name="hierarchy">
<beans:value>
server_admin > webgoat_admin
webgoat_admin > webgoat_challenge
webgoat_challenge > webgoat_user
</beans:value>
</beans:property>
</beans:bean>
-->
</beans:beans> </beans:beans>
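Review bot: The new `webgoat` and `server` accounts cannot actually use the application: every URL under `/**` now requires `ROLE_WEBGOAT_USER`, neither account holds that authority, and the role hierarchy that would imply it is commented out — and as written it names `server_admin`/`webgoat_admin` without the `ROLE_` prefix the intercept-url rules use, so it would be a no-op even when enabled. The smallest fix is to grant the authorities explicitly in the `user-service`, `<user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN,ROLE_WEBGOAT_USER" />` and `<user name="server" password="server" authorities="ROLE_SERVER_ADMIN,ROLE_WEBGOAT_ADMIN,ROLE_WEBGOAT_USER" />`; if the hierarchy is preferred instead, it must use the prefixed names and be wired in through a RoleHierarchyVoter or expression handler, since declaring the bean alone is not consulted by `<http>`. The previous container constraint also admitted a `webgoat_challenge` role to `/*`, which has no counterpart (neither a user nor a rule) in the new config — confirm whether that role is still needed. The credentials remain plaintext with no `<password-encoder>`; the existing TODO covers that, but this commit adds two more such accounts, so the TODO is now more urgent rather than less.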


@ -1,401 +1,403 @@
<?xml version="1.0" encoding="ISO-8859-1"?> <?xml version="1.0" encoding="ISO-8859-1"?>
<web-app <web-app
xmlns="http://java.sun.com/xml/ns/javaee" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5"> version="2.5">
<!-- General description of your web application --> <!-- General description of your web application -->
<display-name>WebGoat</display-name> <display-name>WebGoat</display-name>
<description> <description>
This web application is designed to demonstrate web This web application is designed to demonstrate web
application security flaws for the purpose of educating application security flaws for the purpose of educating
developers and security professionals about web developers and security professionals about web
application security problems. Please contact Bruce Mayhew application security problems. Please contact Bruce Mayhew
(webgoat@owasp.org) if you have any questions. (webgoat@owasp.org) if you have any questions.
</description> </description>
<!-- Context initialization parameters that define shared <!-- Context initialization parameters that define shared
String constants used within your application, which String constants used within your application, which
can be customized by the system administrator who is can be customized by the system administrator who is
installing your application. The values actually installing your application. The values actually
assigned to these parameters can be retrieved in a assigned to these parameters can be retrieved in a
servlet or JSP page by calling: servlet or JSP page by calling:
String value = String value =
getServletContext().getInitParameter("name"); getServletContext().getInitParameter("name");
where "name" matches the <param-name> element of where "name" matches the <param-name> element of
one of these initialization parameters. one of these initialization parameters.
You can define any number of context initialization You can define any number of context initialization
parameters, including zero. parameters, including zero.
--> -->
<context-param> <context-param>
<param-name>email</param-name> <param-name>email</param-name>
<param-value>WebGoat@owasp.org</param-value> <param-value>WebGoat@owasp.org</param-value>
<description> <description>
The EMAIL address of the administrator to whom questions The EMAIL address of the administrator to whom questions
and comments about this application should be addressed. and comments about this application should be addressed.
</description> </description>
</context-param> </context-param>
<!-- spring MVC --> <!-- spring MVC -->
<context-param> <context-param>
<param-name>contextConfigLocation</param-name> <param-name>contextConfigLocation</param-name>
<param-value> <param-value>
/WEB-INF/mvc-dispatcher-servlet.xml, /WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml /WEB-INF/spring-security.xml
</param-value> </param-value>
</context-param> </context-param>
<!-- Servlet definitions for the servlets that make up <!-- Servlet definitions for the servlets that make up
your web application, including initialization your web application, including initialization
parameters. With Tomcat, you can also send requests parameters. With Tomcat, you can also send requests
to servlets not listed here with a request like this: to servlets not listed here with a request like this:
http://localhost:8080/{context-path}/servlet/{classname} http://localhost:8080/{context-path}/servlet/{classname}
but this usage is not guaranteed to be portable. It also but this usage is not guaranteed to be portable. It also
makes relative references to images and other resources makes relative references to images and other resources
required by your servlet more complicated, so defining required by your servlet more complicated, so defining
all of your servlets (and defining a mapping to them with all of your servlets (and defining a mapping to them with
a servlet-mapping element) is recommended. a servlet-mapping element) is recommended.
Servlet initialization parameters can be retrieved in a Servlet initialization parameters can be retrieved in a
servlet or JSP page by calling: servlet or JSP page by calling:
String value = String value =
getServletConfig().getInitParameter("name"); getServletConfig().getInitParameter("name");
where "name" matches the <param-name> element of where "name" matches the <param-name> element of
one of these initialization parameters. one of these initialization parameters.
You can define any number of servlets, including zero. You can define any number of servlets, including zero.
--> -->
<servlet> <servlet>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<display-name>Apache-Axis Servlet</display-name> <display-name>Apache-Axis Servlet</display-name>
<servlet-class> <servlet-class>
org.apache.axis.transport.http.AxisServlet org.apache.axis.transport.http.AxisServlet
</servlet-class> </servlet-class>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>AdminServlet</servlet-name> <servlet-name>AdminServlet</servlet-name>
<display-name>Axis Admin Servlet</display-name> <display-name>Axis Admin Servlet</display-name>
<servlet-class> <servlet-class>
org.apache.axis.transport.http.AdminServlet org.apache.axis.transport.http.AdminServlet
</servlet-class> </servlet-class>
<load-on-startup>100</load-on-startup> <load-on-startup>100</load-on-startup>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>SOAPMonitorService</servlet-name> <servlet-name>SOAPMonitorService</servlet-name>
<display-name>SOAPMonitorService</display-name> <display-name>SOAPMonitorService</display-name>
<servlet-class> <servlet-class>
org.apache.axis.monitor.SOAPMonitorService org.apache.axis.monitor.SOAPMonitorService
</servlet-class> </servlet-class>
<init-param> <init-param>
<param-name>SOAPMonitorPort</param-name> <param-name>SOAPMonitorPort</param-name>
<param-value>5001</param-value> <param-value>5001</param-value>
</init-param> </init-param>
<load-on-startup>100</load-on-startup> <load-on-startup>100</load-on-startup>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>WebGoat</servlet-name> <servlet-name>WebGoat</servlet-name>
<description> <description>
This servlet plays the "controller" role in the MVC architecture This servlet plays the "controller" role in the MVC architecture
used in this application. used in this application.
The initialization parameter namess for this servlet are the The initialization parameter namess for this servlet are the
"servlet path" that will be received by this servlet (after the "servlet path" that will be received by this servlet (after the
filename extension is removed). The corresponding value is the filename extension is removed). The corresponding value is the
name of the action class that will be used to process this request. name of the action class that will be used to process this request.
</description> </description>
<servlet-class>org.owasp.webgoat.HammerHead</servlet-class> <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
<init-param> <init-param>
<param-name>email</param-name> <param-name>email</param-name>
<param-value>WebGoat@owasp.org</param-value> <param-value>WebGoat@owasp.org</param-value>
<description> <description>
The EMAIL address of the administrator to whom questions The EMAIL address of the administrator to whom questions
and comments about this application should be addressed. and comments about this application should be addressed.
</description> </description>
</init-param> </init-param>
<init-param> <init-param>
<param-name>debug</param-name> <param-name>debug</param-name>
<param-value>false</param-value> <param-value>false</param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>CookieDebug</param-name> <param-name>CookieDebug</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>DefuseOSCommands</param-name> <param-name>DefuseOSCommands</param-name>
<param-value>false</param-value> <param-value>false</param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>Enterprise</param-name> <param-name>Enterprise</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>CodingExercises</param-name> <param-name>CodingExercises</param-name>
<param-value>true</param-value> <param-value>true</param-value>
</init-param> </init-param>
<init-param> <init-param>
<!-- Specify an address where you would like comments to be sent. --> <!-- Specify an address where you would like comments to be sent. -->
<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages --> <!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For <!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For
example, replace "<" with "&lt;" and ">" with "&gt;". --> example, replace "<" with "&lt;" and ">" with "&gt;". -->
<param-name>FeedbackAddress</param-name> <param-name>FeedbackAddress</param-name>
<param-value> <param-value>
&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt; &lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
</param-value> </param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>DatabaseDriver</param-name> <param-name>DatabaseDriver</param-name>
<param-value> <param-value>
org.hsqldb.jdbcDriver org.hsqldb.jdbcDriver
</param-value> </param-value>
</init-param> </init-param>
<init-param> <init-param>
<param-name>DatabaseConnectionString</param-name> <param-name>DatabaseConnectionString</param-name>
<!-- <!--
The string "${USER}" in the connection string will be replaced by the active username The string "${USER}" in the connection string will be replaced by the active username
when making a connection. when making a connection.
--> -->
<param-value> <param-value>
jdbc:hsqldb:mem:${USER} jdbc:hsqldb:mem:${USER}
</param-value> </param-value>
</init-param> </init-param>
<!-- Load this servlet at server startup time --> <!-- Load this servlet at server startup time -->
<load-on-startup>5</load-on-startup> <load-on-startup>5</load-on-startup>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>LessonSource</servlet-name> <servlet-name>LessonSource</servlet-name>
<description> <description>
This servlet returns the Java source of the current lesson. This servlet returns the Java source of the current lesson.
</description> </description>
<servlet-class>org.owasp.webgoat.LessonSource</servlet-class> <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>Catcher</servlet-name> <servlet-name>Catcher</servlet-name>
<description> <description>
This servlet catches any posts and marks the appropriate lesson property. This servlet catches any posts and marks the appropriate lesson property.
</description> </description>
<servlet-class>org.owasp.webgoat.Catcher</servlet-class> <servlet-class>org.owasp.webgoat.Catcher</servlet-class>
</servlet> </servlet>
<servlet> <servlet>
<servlet-name>conf</servlet-name> <servlet-name>conf</servlet-name>
<jsp-file>/lessons/ConfManagement/config.jsp</jsp-file> <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
</servlet> </servlet>
<!-- spring MVC --> <!-- spring MVC -->
<servlet> <servlet>
<servlet-name>mvc-dispatcher</servlet-name> <servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup> <load-on-startup>1</load-on-startup>
</servlet> </servlet>
<servlet-mapping> <servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name> <servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>*.do</url-pattern> <url-pattern>*.do</url-pattern>
</servlet-mapping> </servlet-mapping>
<listener> <listener>
<listener-class> <listener-class>
org.springframework.web.context.ContextLoaderListener org.springframework.web.context.ContextLoaderListener
</listener-class> </listener-class>
</listener> </listener>
<!-- end spring MVC --> <!-- end spring MVC -->
<!-- spring security --> <!-- spring security -->
<filter> <filter>
<filter-name>springSecurityFilterChain</filter-name> <filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter> </filter>
<filter-mapping> <filter-mapping>
<filter-name>springSecurityFilterChain</filter-name> <filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern> <url-pattern>/*</url-pattern>
</filter-mapping> </filter-mapping>
<!-- end spring security --> <!-- end spring security -->
<!-- Define mappings that are used by the servlet container to <!-- Define mappings that are used by the servlet container to
translate a particular request URI (context-relative) to a translate a particular request URI (context-relative) to a
particular servlet. The examples below correspond to the particular servlet. The examples below correspond to the
servlet descriptions above. Thus, a request URI like: servlet descriptions above. Thus, a request URI like:
http://localhost:8080/{contextpath}/graph http://localhost:8080/{contextpath}/graph
will be mapped to the "graph" servlet, while a request like: will be mapped to the "graph" servlet, while a request like:
http://localhost:8080/{contextpath}/saveCustomer.do http://localhost:8080/{contextpath}/saveCustomer.do
will be mapped to the "controller" servlet. will be mapped to the "controller" servlet.
You may define any number of servlet mappings, including zero. You may define any number of servlet mappings, including zero.
It is also legal to define more than one mapping for the same It is also legal to define more than one mapping for the same
servlet, if you wish to. servlet, if you wish to.
--> -->
<servlet-mapping> <servlet-mapping>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<url-pattern>/servlet/AxisServlet</url-pattern> <url-pattern>/servlet/AxisServlet</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<url-pattern>*.jws</url-pattern> <url-pattern>*.jws</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>AxisServlet</servlet-name> <servlet-name>AxisServlet</servlet-name>
<url-pattern>/services/*</url-pattern> <url-pattern>/services/*</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>SOAPMonitorService</servlet-name> <servlet-name>SOAPMonitorService</servlet-name>
<url-pattern>/SOAPMonitor</url-pattern> <url-pattern>/SOAPMonitor</url-pattern>
</servlet-mapping> </servlet-mapping>
<!-- uncomment this if you want the admin servlet --> <!-- uncomment this if you want the admin servlet -->
<!-- <servlet-mapping>
<servlet-mapping> <servlet-name>AdminServlet</servlet-name>
<servlet-name>AdminServlet</servlet-name> <url-pattern>/servlet/AdminServlet</url-pattern>
<url-pattern>/servlet/AdminServlet</url-pattern> </servlet-mapping>
</servlet-mapping>
--> <servlet-mapping>
<servlet-name>WebGoat</servlet-name>
<servlet-mapping> <url-pattern>/attack</url-pattern>
<servlet-name>WebGoat</servlet-name> </servlet-mapping>
<url-pattern>/attack</url-pattern>
</servlet-mapping> <servlet-mapping>
<servlet-name>LessonSource</servlet-name>
<servlet-mapping> <url-pattern>/source</url-pattern>
<servlet-name>LessonSource</servlet-name> </servlet-mapping>
<url-pattern>/source</url-pattern>
</servlet-mapping> <servlet-mapping>
<servlet-name>Catcher</servlet-name>
<servlet-mapping> <url-pattern>/catcher</url-pattern>
<servlet-name>Catcher</servlet-name> </servlet-mapping>
<url-pattern>/catcher</url-pattern>
</servlet-mapping> <servlet-mapping>
<servlet-name>conf</servlet-name>
<servlet-mapping> <url-pattern>/conf</url-pattern>
<servlet-name>conf</servlet-name> </servlet-mapping>
<url-pattern>/conf</url-pattern>
</servlet-mapping>
<!-- Define the default session timeout for your application,
in minutes. From a servlet or JSP page, you can modify
<!-- Define the default session timeout for your application, the timeout for a particular session dynamically by using
in minutes. From a servlet or JSP page, you can modify HttpSession.getMaxInactiveInterval(). -->
the timeout for a particular session dynamically by using
HttpSession.getMaxInactiveInterval(). --> <session-config>
<!-- 2 days -->
<session-config> <session-timeout>2880</session-timeout>
<!-- 2 days --> </session-config>
<session-timeout>2880</session-timeout>
</session-config> <mime-mapping>
<extension>wmv</extension>
<mime-mapping> <mime-type>video/x-ms-wmv</mime-type>
<extension>wmv</extension> </mime-mapping>
<mime-type>video/x-ms-wmv</mime-type>
</mime-mapping> <!-- Define reference to the user database for looking up roles -->
<!--
<!-- Define reference to the user database for looking up roles --> <resource-env-ref>
<resource-env-ref> <description>
<description> Link to the UserDatabase instance from which we request lists of
Link to the UserDatabase instance from which we request lists of defined role names. Typically, this will be connected to the global
defined role names. Typically, this will be connected to the global user database with a ResourceLink element in server.xml or the context
user database with a ResourceLink element in server.xml or the context configuration file for the Manager web application.
configuration file for the Manager web application. </description>
</description> <resource-env-ref-name>users</resource-env-ref-name>
<resource-env-ref-name>users</resource-env-ref-name> <resource-env-ref-type>
<resource-env-ref-type> org.apache.catalina.UserDatabase
org.apache.catalina.UserDatabase </resource-env-ref-type>
</resource-env-ref-type> </resource-env-ref>
</resource-env-ref> -->
<!-- Define a Security Constraint on this Application -->
<!-- Define a Security Constraint on this Application --> <!--
<security-constraint> <security-constraint>
<web-resource-collection> <web-resource-collection>
<web-resource-name>WebGoat Application</web-resource-name> <web-resource-name>WebGoat Application</web-resource-name>
<url-pattern>/*</url-pattern> <url-pattern>/*</url-pattern>
</web-resource-collection> </web-resource-collection>
<auth-constraint> <auth-constraint>
<role-name>webgoat_user</role-name> <role-name>webgoat_user</role-name>
<role-name>webgoat_admin</role-name> <role-name>webgoat_admin</role-name>
<role-name>webgoat_challenge</role-name> <role-name>webgoat_challenge</role-name>
</auth-constraint> </auth-constraint>
</security-constraint> </security-constraint>
<security-constraint> <security-constraint>
<web-resource-collection> <web-resource-collection>
<web-resource-name>WebGoat Application Source</web-resource-name> <web-resource-name>WebGoat Application Source</web-resource-name>
<url-pattern>/JavaSource/*</url-pattern> <url-pattern>/JavaSource/*</url-pattern>
</web-resource-collection> </web-resource-collection>
<auth-constraint> <auth-constraint>
<role-name>server_admin</role-name> <role-name>server_admin</role-name>
</auth-constraint> </auth-constraint>
</security-constraint> </security-constraint>
-->
<!-- Login configuration uses BASIC authentication --> <!-- Login configuration uses BASIC authentication -->
<login-config> <!--
<auth-method>BASIC</auth-method> <login-config>
<realm-name>WebGoat Application</realm-name> <auth-method>BASIC</auth-method>
</login-config> <realm-name>WebGoat Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application --> -->
<security-role> <!-- Security roles referenced by this web application -->
<description>The role that is required to administrate WebGoat</description> <!--
<role-name>webgoat_admin</role-name> <security-role>
</security-role> <description>The role that is required to administrate WebGoat</description>
<role-name>webgoat_admin</role-name>
<security-role> </security-role>
<description>The role that is required to start the challenge log viewer</description>
<role-name>webgoat_challenge</role-name> <security-role>
</security-role> <description>The role that is required to start the challenge log viewer</description>
<role-name>webgoat_challenge</role-name>
<security-role> </security-role>
<description>The role that is required to use WebGoat</description>
<role-name>webgoat_user</role-name> <security-role>
</security-role> <description>The role that is required to use WebGoat</description>
<role-name>webgoat_user</role-name>
<security-role> </security-role>
<description>This role is for admins only</description>
<role-name>server_admin</role-name> <security-role>
</security-role> <description>This role is for admins only</description>
<role-name>server_admin</role-name>
</web-app> </security-role>
-->
</web-app>
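Review bot: Enabling the `/servlet/AdminServlet` mapping makes the Axis administration servlet reachable, and with the container `security-constraint` blocks commented out the only thing guarding it is the `springSecurityFilterChain` filter; that filter-mapping declares no `<dispatcher>` elements, so per the servlet spec it runs for REQUEST dispatches only, and a FORWARD, INCLUDE or ERROR dispatch to `/servlet/AdminServlet` or `/JavaSource/...` would skip the Spring role check. Add `<dispatcher>REQUEST</dispatcher>`, `<dispatcher>FORWARD</dispatcher>` and `<dispatcher>ERROR</dispatcher>` (plus INCLUDE if JSPs include across the boundary) to that filter-mapping. The removed `<security-role>` declarations used lowercase names (`webgoat_user`, `webgoat_admin`, `server_admin`) while the new Spring authorities are `ROLE_WEBGOAT_*`/`ROLE_SERVER_ADMIN`; the commit's own note says legacy code leans on the servlet security API, so any `request.isUserInRole("webgoat_admin")` call will presumably no longer match and should be grepped for and aligned with the new names. Finally, the comment `<!-- uncomment this if you want the admin servlet -->` is stale now that the mapping is active; replace it with `<!-- Axis AdminServlet: authorization is enforced by the /servlet/AdminServlet/** rule in spring-security.xml -->`.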