From 6b4a488c8cbc290a3c0b381013b0a300f2eb637e Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 1 May 2018 22:00:07 +0200 Subject: [PATCH] Users shared now between WebGoat and WebWolf by starting HSQLDB as standalone database --- pom.xml | 2 +- .../src/main/resources/application.properties | 5 +- webgoat-server/Dockerfile | 5 +- .../owasp/webgoat/HSQLDBDatabaseConfig.java | 51 +++++++++++++++++++ .../java/org/owasp/webgoat/StartWebGoat.java | 3 -- .../webwolf/mailbox/MailboxController.java | 3 +- .../src/main/resources/application.properties | 3 +- .../src/main/resources/templates/login.html | 2 +- 8 files changed, 63 insertions(+), 11 deletions(-) create mode 100644 webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java diff --git a/pom.xml b/pom.xml index 170e98a18..4b75535ed 100644 --- a/pom.xml +++ b/pom.xml @@ -135,7 +135,7 @@ 2.2.4 18.0 1.4.190 - 2.3.2 + 2.3.4 1.3.1 2.6.3 2.6.3 diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties index 440619b2d..35b177ddd 100644 --- a/webgoat-container/src/main/resources/application.properties +++ b/webgoat-container/src/main/resources/application.properties @@ -5,8 +5,10 @@ server.contextPath=/WebGoat server.port=8080 server.address=127.0.0.1 -spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat +spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat spring.jpa.hibernate.ddl-auto=update +spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect +spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver logging.level.org.springframework=WARN @@ -20,6 +22,7 @@ security.enable-csrf=false spring.resources.cache-period=0 spring.thymeleaf.cache=false +webgoat.start.hsqldb=true webgoat.clean=false webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/ webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/ 
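Review bot: The new `spring.datasource.url` hard-codes port 9001, while `HSQLDBDatabaseConfig` in this same patch takes the listener port from `hsqldb.port` (default 9001). Overriding that property would move the server and leave the datasource pointing at the old port. Deriving the URL from the same property keeps the two in step: `spring.datasource.url=jdbc:hsqldb:hsql://localhost:${hsqldb.port:9001}/webgoat`. The same hard-coded URL is added in the `webwolf/src/main/resources/application.properties` hunk.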
diff --git a/webgoat-server/Dockerfile b/webgoat-server/Dockerfile index e022e1a4a..860bb1b3f 100644 --- a/webgoat-server/Dockerfile +++ b/webgoat-server/Dockerfile @@ -4,12 +4,11 @@ ARG webgoat_version=8.0-SNAPSHOT RUN \ apt-get update && apt-get install && \ - useradd --home-dir /home/webgoat --create-home -U webgoat && \ - cd /home/webgoat/; mkdir -p .webgoat + useradd --home-dir /home/webgoat --create-home -U webgoat USER webgoat +RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version} COPY target/webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/home/webgoat/webgoat.jar", "--server.address=0.0.0.0"] - EXPOSE 8080 \ No newline at end of file diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java new file mode 100644 index 000000000..fe42f1c97 --- /dev/null +++ b/webgoat-server/src/main/java/org/owasp/webgoat/HSQLDBDatabaseConfig.java 
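Review bot: In the added `RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}`, the `;` means `mkdir` still runs if `cd` fails, in whatever directory the build step starts in. An absolute path removes that dependency: `RUN mkdir -p /home/webgoat/.webgoat-${webgoat_version}`. The directory name also has to agree with `webgoat.server.directory` (`${user.home}/.webgoat-${webgoat.build.version}/`), which takes its version from a different variable, so a one-line comment tying the two together would help.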
@@ -0,0 +1,51 @@
+package org.owasp.webgoat;
+
+import org.hsqldb.server.Server;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.jdbc.DataSourceBuilder;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
+import org.springframework.context.annotation.Primary;
+
+import javax.sql.DataSource;
+
+
+/**
+ * Rationale for this class: when the HSQLDB is started with jdbc:file:// it is only accessible from within the same
+ * JVM. This can only be done if you start a standalone HSQLDB. We need both WebWolf and WebGoat to use the same database
+ */
+@Configuration
+@ConditionalOnProperty(prefix = "webgoat.start", name = "hsqldb", havingValue = "true")
+public class HSQLDBDatabaseConfig {
+
+ @Value("${hsqldb.port:9001}")
+ private int hsqldbPort;
+
+ @Bean(initMethod = "start", destroyMethod = "stop")
+ public Server hsqlStandalone(@Value("${webgoat.server.directory}") String directory,
+ @Value("${hsqldb.silent:true}") boolean silent,
+ @Value("${hsqldb.trace:false}") boolean trace) {
+
+ Server server = new Server();
+ server.setDatabaseName(0, "webgoat");
+ server.setDatabasePath(0, directory + "/data/webgoat");
+ server.setDaemon(true);
+ server.setTrace(trace);
+ server.setSilent(silent);
+ server.setPort(hsqldbPort);
+ return server;
+ }
+
+ @Primary
+ @Bean
+ @DependsOn("hsqlStandalone")
+ public DataSource dataSource(@Value("${spring.datasource.driver-class-name}") String driverClass,
+ @Value("${spring.datasource.url}") String url) {
+ return DataSourceBuilder.create()
+ .driverClassName(driverClass)
+ .url(url)
+ .build();
+ }
+}
diff --git a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java
index a615d5b74..34bde941a 100644
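Review bot: `hsqlStandalone` sets the port, path and logging flags but never a bind address, so the listener falls back to HSQLDB's default, which to my knowledge is every local interface, even though both web applications are configured with `server.address=127.0.0.1`. The JDBC URLs in this patch only ever connect to `localhost`, so pinning the listener there costs nothing: `server.setAddress("127.0.0.1");` (or a property with that default). `dataSource` is built from the driver class and URL only, so unless credentials are configured elsewhere the connection presumably uses HSQLDB's default `SA` account with an empty password, which leaves the bind address as the only barrier in front of the now-shared user table. A short comment on the bean stating that the database becomes a network service, and which processes are expected to reach it, would help the next reader.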
--- a/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java +++ b/webgoat-server/src/main/java/org/owasp/webgoat/StartWebGoat.java @@ -37,7 +37,4 @@ public class StartWebGoat { public static void main(String[] args) { SpringApplication.run(WebGoat.class, args); } - - - } diff --git a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java index b4f149db2..169b5f189 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java +++ b/webwolf/src/main/java/org/owasp/webwolf/mailbox/MailboxController.java @@ -8,6 +8,7 @@ import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; @@ -30,7 +31,7 @@ public class MailboxController { @GetMapping(value = "/WebWolf/mail") public ModelAndView mail() { - User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); + UserDetails user = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); ModelAndView modelAndView = new ModelAndView(); List emails = mailboxRepository.findByRecipientOrderByTimeDesc(user.getUsername()); if (emails != null && !emails.isEmpty()) { diff --git a/webwolf/src/main/resources/application.properties b/webwolf/src/main/resources/application.properties index abc2a98e9..6ee162172 100644 --- a/webwolf/src/main/resources/application.properties +++ b/webwolf/src/main/resources/application.properties 
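Review bot: The principal lookup in `mail()` still depends on the concrete principal class, which is why this commit had to change the cast from `User` to `UserDetails`; a principal of any other type (an anonymous token typically carries a `String`) would throw `ClassCastException` here. Only the username is used, so the authentication's own name avoids the cast: `String username = SecurityContextHolder.getContext().getAuthentication().getName();` and pass `username` to `findByRecipientOrderByTimeDesc`. Whether this route can be reached without an authentication (in which case `getAuthentication()` is null) is not visible in the hunk and is worth confirming. `mail()` continues past the end of the hunk.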
@@ -6,7 +6,8 @@ server.port=8081 server.address=127.0.0.1 server.session.cookie.name = WEBWOLFSESSION -spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webwolf +spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat +spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect spring.jpa.hibernate.ddl-auto=update spring.messages.basename=i18n/messages diff --git a/webwolf/src/main/resources/templates/login.html b/webwolf/src/main/resources/templates/login.html index 755831691..f651a437f 100644 --- a/webwolf/src/main/resources/templates/login.html +++ b/webwolf/src/main/resources/templates/login.html @@ -45,7 +45,7 @@
-
+