migrate from container managed authentication to spring security

updated spring and spring security versions
2014-05-29 18:43:40 -04:00 · 2014-05-29 18:43:40 -04:00 · 617d16d8a7
commit 617d16d8a7
parent 204bfce794
6 changed files with 501 additions and 478 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+/nb-configuration.xml
+/nbactions.xml
--- a/pom.xml
+++ b/pom.xml
@ -17,7 +17,7 @@
 	<!-- Shared version number properties -->
 	<properties>
 		<org.springframework.version>3.2.4.RELEASE</org.springframework.version>
-		<spring.security.version>3.1.2.RELEASE</spring.security.version>
+		<spring.security.version>3.2.4.RELEASE</spring.security.version>
 		<tiles.version>2.2.2</tiles.version>
 	</properties>

--- a/webapp/META-INF/context.xml
+++ b/webapp/META-INF/context.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context antiJARLocking="true" path=""/>
--- a/webapp/WEB-INF/mvc-dispatcher-servlet.xml
+++ b/webapp/WEB-INF/mvc-dispatcher-servlet.xml
@ -5,11 +5,11 @@
 	xmlns:context="http://www.springframework.org/schema/context"
 	xmlns:mvc="http://www.springframework.org/schema/mvc"
 	xsi:schemaLocation="http://www.springframework.org/schema/beans 
-	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+	   		http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
 	   		http://www.springframework.org/schema/context
-	   		http://www.springframework.org/schema/context/spring-context-3.0.xsd
+	   		http://www.springframework.org/schema/context/spring-context-3.2.xsd
 			http://www.springframework.org/schema/mvc 
-			http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
+			http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">

 	<context:component-scan base-package="org.owasp.webgoat.lessons" />
 	
--- a/webapp/WEB-INF/spring-security.xml
+++ b/webapp/WEB-INF/spring-security.xml
@ -1,18 +1,20 @@
 <beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
-	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+	http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
 	http://www.springframework.org/schema/security
-	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+	http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!--
            PCS 8/27/2012
            NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
            That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
    -->  
-    <http auto-config='true'>    	
-        <intercept-url pattern="/**" access="ROLE_USER" />
-        <http-basic/>
+    <http>     
+        <intercept-url pattern="/servlet/AdminServlet/**" access="ROLE_WEBGOAT_ADMIN" />
+        <intercept-url pattern="/JavaSource/**" access="ROLE_SERVER_ADMIN" />          	
+        <intercept-url pattern="/**" access="ROLE_WEBGOAT_USER" />
+        <http-basic />
    </http>

    <!-- Authentication Manager -->
@ -20,9 +22,24 @@
        <authentication-provider>
            <user-service>
                <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
-            	<user name="guest" password="guest" authorities="ROLE_USER" />
+                <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
+                <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
+                <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>  
    
+    <!-- Role hierarchy -->
+    <!--
+    <beans:bean id="roleHierarchy"
+          class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
+        <beans:property name="hierarchy">
+            <beans:value>
+                server_admin > webgoat_admin
+                webgoat_admin > webgoat_challenge
+                webgoat_challenge > webgoat_user
+            </beans:value>
+        </beans:property>
+    </beans:bean>
+    -->
 </beans:beans>
--- a/webapp/WEB-INF/web.xml
+++ b/webapp/WEB-INF/web.xml
@ -287,12 +287,10 @@
    </servlet-mapping>
 
    <!-- uncomment this if you want the admin servlet -->
-    <!--
    <servlet-mapping>
      <servlet-name>AdminServlet</servlet-name>
      <url-pattern>/servlet/AdminServlet</url-pattern>
    </servlet-mapping>
-     -->

    <servlet-mapping>
      <servlet-name>WebGoat</servlet-name>
@ -332,6 +330,7 @@
    </mime-mapping>

 	<!-- Define reference to the user database for looking up roles -->
+        <!--
 	<resource-env-ref>
 	    <description>
 	      Link to the UserDatabase instance from which we request lists of
@ -344,9 +343,10 @@
 	      org.apache.catalina.UserDatabase
 	    </resource-env-ref-type>
 	</resource-env-ref>
-	
+	-->

 	<!-- Define a Security Constraint on this Application -->
+        <!--
 	<security-constraint>
 	    <web-resource-collection>
 	      <web-resource-name>WebGoat Application</web-resource-name>
@ -368,15 +368,17 @@
 	       <role-name>server_admin</role-name>
 	    </auth-constraint>
 	</security-constraint>
-   
+   -->
 	
 	<!-- Login configuration uses BASIC authentication -->
+        <!--
 	<login-config>
 	    <auth-method>BASIC</auth-method>
 	    <realm-name>WebGoat Application</realm-name>
 	</login-config>
-	
+	-->
 	<!-- Security roles referenced by this web application -->
+        <!--
 	<security-role>
 	    <description>The role that is required to administrate WebGoat</description>
 	    <role-name>webgoat_admin</role-name>
@ -396,6 +398,6 @@
                <description>This role is for admins only</description>
                <role-name>server_admin</role-name>
            </security-role>
-
+    -->
 </web-app>