Added doc directory back into main project root. Build script moves doc to webcontent.

Changed how to work with WebGoat picture to have original buttons 

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@348 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lesson_plans/HowToWork.html

@@ -14,15 +14,18 @@ in the Introduction section.</p>
 <h2>The Interface Of WebGoat</h2>
 <p>
 <img src="/WebGoat/images/introduction/interface.jpg"><br><br>
-1. Here you see all Categories of Lessons in WebGoat. Click on the Categories to see all Lessons in it.<br>
+1. These are Lesson Categories in WebGoat. Click on a Category to see all Lessons in it.<br>
-2. This link will give you the technical background to solve the lesson.<br>
+2. This will show technical hints to solve the lesson.<br>
-3. Do you need some help to find the solution? Here you will find useful hints.<br>
+3. This will show the HTTP Request Parameters<br>
-4. Here you will find a complete solution of the selected lesson.<br>
+4. This will show the HTTP Request Cookies<br>
-5. If you want to restart a lesson you can use this link.</p>
+5. This will show goals and objectives of the lesson.<br>
+6. This will show the underlying Java source code.<br>
+7. This will show the complete solution of the selected lesson.<br>
+8. If you want to restart a lesson you can use this link.</p>
 <h2>Solve The Lesson</h2>
 <p>
-Always read first the lessons plan. Then try to solve the lesson and if necessary, 
+Always start with the lessons plan. Then try to solve the lesson and if necessary, 
-use the hints. If you cannot solve the lesson using the hints, you may watch the 
+use the hints. If you cannot solve the lesson using the hints, you may view the 
 solution. Every step is explained there.</p>
 <h2>Read And Edit Parameters</h2>
 <p>

main/project/WebContent/main.jsp

@@ -122,11 +122,6 @@ StringBuffer buildList = new StringBuffer();
 				if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS))
 				{
 				%>
-				<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)" 
-				onmouseover="MM_nbGroup('over','plans','images/buttons/plansOver.jpg','',1)" 
-				onmouseout="MM_nbGroup('out')">
-				<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
-				</a>
 				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down','group1','hintLeft','',1)" 
 				onmouseover="MM_nbGroup('over','hintLeft','images/buttons/hintLeftOver.jpg','',1)" 
 				onmouseout="MM_nbGroup('out')">
@@ -143,25 +138,30 @@ StringBuffer buildList = new StringBuffer();
 				<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
 				</a>
 				<%}%>
-<!--				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)" -->
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)" 
-<!--				onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)" -->
+				onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)" 
-<!--				onmouseout="MM_nbGroup('out')">-->
+				onmouseout="MM_nbGroup('out')">
-<!--				<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="87" height="20" border="0" id="params"/>-->
+				<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="87" height="20" border="0" id="params"/>
-<!--				</a>-->
+				</a>
-<!--				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)" -->
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)" 
-<!--				onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)" -->
+				onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)" 
-<!--				onmouseout="MM_nbGroup('out')">-->
+				onmouseout="MM_nbGroup('out')">
-<!--				<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>-->
+				<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
-<!--				</a>-->
+				</a>
+				<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)" 
+				onmouseover="MM_nbGroup('over','plans','images/buttons/plansOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
+				</a>
 				<% 
 				if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE))
 				{
 				%>
-<!--				<a href="source" onclick="makeWindow(this.href+ '?source=true', 'Java Source');return false;" target="javaWin"-->
+				<a href="source" onclick="makeWindow(this.href+ '?source=true', 'Java Source');return false;" target="javaWin"
-<!--				onmouseover="MM_nbGroup('over','java','images/buttons/javaOver.jpg','',1)" -->
+				onmouseover="MM_nbGroup('over','java','images/buttons/javaOver.jpg','',1)" 
-<!--				onmouseout="MM_nbGroup('out')">-->
+				onmouseout="MM_nbGroup('out')">
-<!--				<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>-->
+				<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
-<!--				</a>-->
+				</a>
 				<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');return false;" target="javaWin"
 				onmouseover="MM_nbGroup('over','solutions','images/buttons/solutionsOver.jpg','',1)" 
 				onmouseout="MM_nbGroup('out')">

main/project/doc/New Lesson Instructions.txt

@@ -0,0 +1,189 @@
+Detailed instructions for adding a lesson
+
+All you have to do is implement the abstract methods in LessonAdapter.  
+Follow the outline below.
+
+WebGoat uses the Element Construction Set from the Jakarta project.  
+You should read up on the API for ECS at 
+http://jakarta.apache.org/site/downloads/downloads_ecs.cgi.
+In addition you can look at the other lessons for examples of how to use the ECS.
+
+
+
+Step 1: Set up the framework
+
+import java.util.*;
+import org.apache.ecs.*;
+import org.apache.ecs.html.*;
+
+// Add copyright text - use text from another lesson 
+
+public class NewLesson extends LessonAdapter
+{
+
+	protected Element createContent(WebSession s)
+	{
+		return( new StringElement( "Hello World" ) );
+	}
+
+	public String getCategory()
+	{
+	}
+
+	protected List getHints()
+	{
+	}
+
+	protected String getInstructions()
+	{
+	}
+
+	protected Element getMenuItem()
+	{
+	}
+
+	protected Integer getRanking()
+	{
+	}
+
+	public String getTitle()
+	{
+	}
+}
+		
+
+
+Step 2: Implement createContent
+
+Creating the content for a lesson is fairly simple. There are two main parts: 
+	(1) handling the input from the user's last request, 
+	(2) generating the next screen for the user.  
+This all happens within the createContent method.  Remember that each lesson 
+should be handled on a single page, so you'll need to design your lesson to 
+work that way.  A good generic pattern for the createContent method is shown 
+below:
+
+// define a constant for the field name
+private static final String INPUT = "input";
+	
+protected Element createContent(WebSession s)
+{
+	ElementContainer ec = new ElementContainer();
+	try
+	{
+		// get some input from the user -- see ParameterParser 
+		// for details
+		String userInput = s.getParser().getStringParameter(INPUT, "");
+
+		// do something with the input
+		//   -- SQL query?
+		//   -- Runtime.exec?
+		//   -- Some other dangerous thing
+			
+		// generate some output -- a string and an input field
+		ec.addElement(new StringElement("Enter a string: "));
+		ec.addElement( new Input(Input.TEXT, INPUT, userInput) );
+			
+		// Tell the lesson tracker the lesson has completed.
+		// This should occur when the user has 'hacked' the lesson.
+		makeSuccess(s);
+
+	}
+	catch (Exception e)
+	{
+		s.setMessage("Error generating " + this.getClass().getName());
+		e.printStackTrace();
+	}
+	return (ec);
+}
+	
+ECS is quite powerful -- see the Encoding lesson for an example of how 
+to use it to create a table with rows and rows of output.
+
+
+Step 3: Implement the other methods
+
+The other methods in the LessonAdapter class help the lesson plug into 
+the overall WebGoat framework.  They are simple and should only take a 
+few minutes to implement.
+
+public String getCategory()
+{
+	// The default category is "General" Only override this
+	// method if you wish to create a new category or if you
+	// wish this lesson to reside within a category other the
+	// "General"
+		
+	return( "NewCategory" );  // or use an existing category
+}
+
+protected List getHints()
+{
+	// Hints will be returned to the user in the order they 
+	// appear below.  The user must click on the "next hint"
+	// button before the hint will be displayed.
+		
+	List hints = new ArrayList();
+	hints.add("A general hint to put users on the right track");
+	hints.add("A hint that gives away a little piece of the problem");
+	hints.add("A hint that basically gives the answer");
+	return hints;
+}
+
+protected String getInstructions()
+{
+	// Instructions will rendered as html and will appear below
+	// the area and above the actual lesson area.
+	// Instructions should provide the user with the general setup
+	// and goal of the lesson.
+		
+	return("The text that goes at the top of the page");
+}
+
+protected Element getMenuItem()
+{
+	// This is the text of the link that will appear on
+	// the left hand menus under the appropriate category.
+	// Their is a limited amount of horizontal space in
+	// this area before wrapping will occur.
+		
+	return( "MyLesson" );
+}
+
+protected Integer getRanking()
+{
+	// The ranking denotes the order in which the menu item
+	// will appear in menu list for each category.  The lowest
+	// number will appear as the first lesson.
+		
+	return new Integer(10);
+}
+
+public String getTitle()
+{
+	// The title of the lesson.  This will appear above the
+	// control area at the top of the page.  This field will
+	// be rendered as html.
+		
+	return ("My Lesson's Short Title");
+}
+
+
+Step 4: Build and test
+
+Once you've implemented your new lesson, you can test the lesson by
+starting the Tomcat server (within Eclipse). See the
+"HOW TO create the WebGoat workspace.txt" document in the WebGoat root.
+
+
+
+	
+Step 5: Give back to the community
+
+If you've come up with a lesson that you think helps to teach people about 
+web application security, please contribute it by sending it to the people 
+who maintain the WebGoat application.
+
+Thanks!
+
+The WebGoat Team.