Refactoring (#1201)

* Some initial refactoring

* Make it one application

* Got it working

* Fix problem on Windows

* Move WebWolf

* Move first lesson

* Moved all lessons

* Fix pom.xml

* Fix tests

* Add option to initialize a lesson

This way we can create content for each user inside a lesson. The initialize method will be called when a new user is created or when a lesson reset happens

* Clean up pom.xml files

* Remove fetching labels based on language.

We only support English at the moment, all the lesson explanations are written in English which makes it very difficult to translate. If we only had labels it would make sense to support multiple languages

* Fix SonarLint issues

* And move it all to the main project

* Fix for documentation paths

* Fix pom warnings

* Remove PMD as it does not work

* Update release notes about refactoring

Update release notes about refactoring

Update release notes about refactoring

* Fix lesson template

* Update release notes

* Keep it in the same repo in Dockerhub

* Update documentation to show how the connection is obtained.

Resolves: #1180

* Rename all integration tests

* Remove command from Dockerfile

* Simplify GitHub actions

Currently, we use a separate actions for pull-requests and branch build.
This is now consolidated in one action.
The PR action triggers always, it now only trigger when the PR is
opened and not in draft.
Running all platforms on a branch build is a bit too much, it is better
 to only run all platforms when someone opens a PR.

* Remove duplicate entry from release notes

* Add explicit registry for base image

* Lesson scanner not working when fat jar

When running the fat jar we have to take into account we
are reading from the jar file and not the filesystem. In
this case you cannot use `getFile` for example.

* added info in README and fixed release docker

* changed base image and added ignore file

Co-authored-by: Zubcevic.com <rene@zubcevic.com>

src/main/java/org/owasp/webgoat/container/service/EnvironmentService.java

@@ -0,0 +1,19 @@
+package org.owasp.webgoat.container.service;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.ApplicationContext;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController("/environment")
+@RequiredArgsConstructor
+public class EnvironmentService {
+
+    private final ApplicationContext context;
+
+    @GetMapping("/server-directory")
+    public String homeDirectory() {
+        return context.getEnvironment().getProperty("webgoat.server.directory");
+    }
+
+}

src/main/java/org/owasp/webgoat/container/service/HintService.java

@@ -0,0 +1,61 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Hint;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.WebSession;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Collection;
+import java.util.List;
+
+/**
+ * <p>HintService class.</p>
+ *
+ * @author rlawson
+ * @version $Id: $Id
+ */
+@RestController
+public class HintService {
+
+    public static final String URL_HINTS_MVC = "/service/hint.mvc";
+    private final WebSession webSession;
+
+    public HintService(WebSession webSession) {
+        this.webSession = webSession;
+    }
+
+    /**
+     * Returns hints for current lesson
+     *
+     * @return a {@link java.util.List} object.
+     */
+    @GetMapping(path = URL_HINTS_MVC, produces = "application/json")
+    @ResponseBody
+    public List<Hint> getHints() {
+        Lesson l = webSession.getCurrentLesson();
+        return createAssignmentHints(l);
+    }
+
+    private List<Hint> createAssignmentHints(Lesson l) {
+        if (l != null) {
+            return l.getAssignments().stream()
+                    .map(this::createHint)
+                    .flatMap(Collection::stream)
+                    .toList();
+        }
+        return List.of();
+    }
+
+    private List<Hint> createHint(Assignment a) {
+        return a.getHints().stream().map(h -> new Hint(h, a.getPath())).toList();
+    }
+}

src/main/java/org/owasp/webgoat/container/service/LabelDebugService.java

@@ -0,0 +1,97 @@
+/**
+ * *************************************************************************************************
+ * <p>
+ * <p>
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at
+ * https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.session.LabelDebugger;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.util.Map;
+
+/**
+ * <p>LabelDebugService class.</p>
+ *
+ * @author nbaars
+ * @version $Id: $Id
+ */
+@Controller
+@Slf4j
+@AllArgsConstructor
+public class LabelDebugService {
+
+    private static final String URL_DEBUG_LABELS_MVC = "/service/debug/labels.mvc";
+    private static final String KEY_ENABLED = "enabled";
+    private static final String KEY_SUCCESS = "success";
+
+    private LabelDebugger labelDebugger;
+
+    /**
+     * Checks if debugging of labels is enabled or disabled
+     *
+     * @return a {@link org.springframework.http.ResponseEntity} object.
+     */
+    @RequestMapping(path = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
+    public @ResponseBody
+    ResponseEntity<Map<String, Object>> checkDebuggingStatus() {
+        log.debug("Checking label debugging, it is {}", labelDebugger.isEnabled());
+        Map<String, Object> result = createResponse(labelDebugger.isEnabled());
+        return new ResponseEntity<>(result, HttpStatus.OK);
+    }
+
+    /**
+     * Sets the enabled flag on the label debugger to the given parameter
+     *
+     * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
+     * @return a {@link org.springframework.http.ResponseEntity} object.
+     */
+    @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
+    public @ResponseBody
+    ResponseEntity<Map<String, Object>> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) {
+        log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
+        Map<String, Object> result = createResponse(enabled);
+        labelDebugger.setEnabled(enabled);
+        return new ResponseEntity<>(result, HttpStatus.OK);
+    }
+
+    /**
+     * @param enabled {@link org.owasp.webgoat.container.session.LabelDebugger} object
+     * @return a {@link java.util.Map} object.
+     */
+    private Map<String, Object> createResponse(Boolean enabled) {
+        return Map.of(KEY_SUCCESS, Boolean.TRUE, KEY_ENABLED, enabled);
+    }
+}

src/main/java/org/owasp/webgoat/container/service/LabelService.java

@@ -0,0 +1,71 @@
+/**
+ * *************************************************************************************************
+ * <p>
+ * <p>
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
+ * for free software projects.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.i18n.Messages;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.Properties;
+
+
+/**
+ * <p>LabelService class.</p>
+ *
+ * @author zupzup
+ */
+@RestController
+@Slf4j
+@RequiredArgsConstructor
+public class LabelService {
+
+    public static final String URL_LABELS_MVC = "/service/labels.mvc";
+    private final Messages messages;
+    private final PluginMessages pluginMessages;
+
+    /**
+     * @return a map of all the labels
+     */
+    @GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
+    @ResponseBody
+    public ResponseEntity<Properties> fetchLabels() {
+        var allProperties = new Properties();
+        allProperties.putAll(messages.getMessages());
+        allProperties.putAll(pluginMessages.getMessages());
+        return new ResponseEntity<>(allProperties, HttpStatus.OK);
+    }
+}

src/main/java/org/owasp/webgoat/container/service/LessonInfoService.java

@@ -0,0 +1,36 @@
+package org.owasp.webgoat.container.service;
+
+import lombok.AllArgsConstructor;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.LessonInfoModel;
+import org.owasp.webgoat.container.session.WebSession;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+
+/**
+ * <p>LessonInfoService class.</p>
+ *
+ * @author dm
+ * @version $Id: $Id
+ */
+@RestController
+@AllArgsConstructor
+public class LessonInfoService {
+
+    private final WebSession webSession;
+
+    /**
+     * <p>getLessonInfo.</p>
+     *
+     * @return a {@link LessonInfoModel} object.
+     */
+    @RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
+    public @ResponseBody
+    LessonInfoModel getLessonInfo() {
+        Lesson lesson = webSession.getCurrentLesson();
+        return new LessonInfoModel(lesson.getTitle(), false, false, false);
+    }
+
+}

src/main/java/org/owasp/webgoat/container/service/LessonMenuService.java

@@ -0,0 +1,131 @@
+/**
+ * *************************************************************************************************
+ * <p>
+ * <p>
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at
+ * https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import lombok.AllArgsConstructor;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.lessons.Category;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.lessons.LessonMenuItem;
+import org.owasp.webgoat.container.lessons.LessonMenuItemType;
+import org.owasp.webgoat.container.session.Course;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.LessonTracker;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.util.ArrayList;
+import java.util.Comparator;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * <p>LessonMenuService class.</p>
+ *
+ * @author rlawson
+ * @version $Id: $Id
+ */
+@Controller
+@AllArgsConstructor
+public class LessonMenuService {
+
+    public static final String URL_LESSONMENU_MVC = "/service/lessonmenu.mvc";
+    private final Course course;
+    private final WebSession webSession;
+    private UserTrackerRepository userTrackerRepository;
+
+    @Value("#{'${exclude.categories}'.split(',')}")
+    private List<String> excludeCategories;
+
+    @Value("#{'${exclude.lessons}'.split(',')}")
+    private List<String> excludeLessons;
+
+    /**
+     * Returns the lesson menu which is used to build the left nav
+     *
+     * @return a {@link java.util.List} object.
+     */
+    @RequestMapping(path = URL_LESSONMENU_MVC, produces = "application/json")
+    public
+    @ResponseBody
+    List<LessonMenuItem> showLeftNav() {
+        List<LessonMenuItem> menu = new ArrayList<>();
+        List<Category> categories = course.getCategories();
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+
+        for (Category category : categories) {
+            if (excludeCategories.contains(category.name())) {
+                continue;
+            }
+            LessonMenuItem categoryItem = new LessonMenuItem();
+            categoryItem.setName(category.getName());
+            categoryItem.setType(LessonMenuItemType.CATEGORY);
+            // check for any lessons for this category
+            List<Lesson> lessons = course.getLessons(category);
+            lessons = lessons.stream().sorted(Comparator.comparing(Lesson::getTitle)).toList();
+            for (Lesson lesson : lessons) {
+                if (excludeLessons.contains(lesson.getName())) {
+                    continue;
+                }
+                LessonMenuItem lessonItem = new LessonMenuItem();
+                lessonItem.setName(lesson.getTitle());
+                lessonItem.setLink(lesson.getLink());
+                lessonItem.setType(LessonMenuItemType.LESSON);
+                LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
+                boolean lessonSolved = lessonCompleted(lessonTracker.getLessonOverview(), lesson);
+                lessonItem.setComplete(lessonSolved);
+                categoryItem.addChild(lessonItem);
+            }
+            categoryItem.getChildren().sort((o1, o2) -> o1.getRanking() - o2.getRanking());
+            menu.add(categoryItem);
+        }
+        return menu;
+
+    }
+
+    private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
+        boolean result = true;
+        for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
+            Assignment storedAssignment = entry.getKey();
+            for (Assignment lessonAssignment : currentLesson.getAssignments()) {
+                if (lessonAssignment.getName().equals(storedAssignment.getName())) {
+                    result = result && entry.getValue();
+                    break;
+                }
+            }
+
+        }
+        return result;
+    }
+}

src/main/java/org/owasp/webgoat/container/service/LessonProgressService.java

@@ -0,0 +1,59 @@
+package org.owasp.webgoat.container.service;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+import org.owasp.webgoat.container.lessons.Assignment;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.util.List;
+
+
+/**
+ * <p>LessonProgressService class.</p>
+ *
+ * @author webgoat
+ */
+@Controller
+@RequiredArgsConstructor
+public class LessonProgressService {
+
+    private final UserTrackerRepository userTrackerRepository;
+    private final WebSession webSession;
+
+    /**
+     * Endpoint for fetching the complete lesson overview which informs the user about whether all the assignments are solved.
+     * Used as the last page of the lesson to generate a lesson overview.
+     *
+     * @return list of assignments
+     */
+    @RequestMapping(value = "/service/lessonoverview.mvc", produces = "application/json")
+    @ResponseBody
+    public List<LessonOverview> lessonOverview() {
+        var userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+        var currentLesson = webSession.getCurrentLesson();
+
+        if (currentLesson != null) {
+            var lessonTracker = userTracker.getLessonTracker(currentLesson);
+            return lessonTracker.getLessonOverview().entrySet().stream()
+                    .map(entry -> new LessonOverview(entry.getKey(), entry.getValue()))
+                    .toList();
+        }
+        return List.of();
+    }
+
+    @AllArgsConstructor
+    @Getter
+    //Jackson does not really like returning a map of <Assignment, Boolean> directly, see http://stackoverflow.com/questions/11628698/can-we-make-object-as-key-in-map-when-using-json
+    //so creating intermediate object is the easiest solution
+    private static class LessonOverview {
+
+        private Assignment assignment;
+        private Boolean solved;
+
+    }
+}

src/main/java/org/owasp/webgoat/container/service/LessonTitleService.java

@@ -0,0 +1,38 @@
+package org.owasp.webgoat.container.service;
+
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+
+/**
+ * <p>LessonTitleService class.</p>
+ *
+ * @author dm
+ * @version $Id: $Id
+ */
+@Controller
+public class LessonTitleService {
+
+    private final WebSession webSession;
+
+    public LessonTitleService(final WebSession webSession) {
+        this.webSession = webSession;
+    }
+
+    /**
+     * Returns the title for the current attack
+     *
+     * @return a {@link java.lang.String} object.
+     */
+    @RequestMapping(path = "/service/lessontitle.mvc", produces = "application/html")
+    public
+    @ResponseBody
+    String showPlan() {
+        Lesson lesson = webSession.getCurrentLesson();
+        return lesson != null ? lesson.getTitle() : "";
+    }
+
+}

src/main/java/org/owasp/webgoat/container/service/ReportCardService.java

@@ -0,0 +1,107 @@
+/**
+ * *************************************************************************************************
+ * <p>
+ * <p>
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at
+ * https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.Setter;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.Course;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.LessonTracker;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>ReportCardService</p>
+ *
+ * @author nbaars
+ * @version $Id: $Id
+ */
+@Controller
+@AllArgsConstructor
+public class ReportCardService {
+
+    private final WebSession webSession;
+    private final UserTrackerRepository userTrackerRepository;
+    private final Course course;
+    private final PluginMessages pluginMessages;
+
+    /**
+     * Endpoint which generates the report card for the current use to show the stats on the solved lessons
+     */
+    @GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
+    @ResponseBody
+    public ReportCard reportCard() {
+        final ReportCard reportCard = new ReportCard();
+        reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());
+        reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());
+
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+        reportCard.setNumberOfAssignmentsSolved(userTracker.numberOfAssignmentsSolved());
+        reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved());
+        for (Lesson lesson : course.getLessons()) {
+            LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
+            final LessonStatistics lessonStatistics = new LessonStatistics();
+            lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
+            lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts());
+            lessonStatistics.setSolved(lessonTracker.isLessonSolved());
+            reportCard.lessonStatistics.add(lessonStatistics);
+        }
+        return reportCard;
+    }
+
+    @Getter
+    @Setter
+    private final class ReportCard {
+
+        private int totalNumberOfLessons;
+        private int totalNumberOfAssignments;
+        private int solvedLessons;
+        private int numberOfAssignmentsSolved;
+        private int numberOfLessonsSolved;
+        private List<LessonStatistics> lessonStatistics =  new ArrayList<>();
+    }
+
+    @Setter
+    @Getter
+    private final class LessonStatistics {
+        private String name;
+        private boolean solved;
+        private int numberOfAttempts;
+    }
+}

src/main/java/org/owasp/webgoat/container/service/RestartLessonService.java

@@ -0,0 +1,69 @@
+/***************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.flywaydb.core.Flyway;
+import org.owasp.webgoat.container.lessons.Initializeable;
+import org.owasp.webgoat.container.lessons.Lesson;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+import java.util.List;
+import java.util.function.Function;
+
+@Controller
+@AllArgsConstructor
+@Slf4j
+public class RestartLessonService {
+
+    private final WebSession webSession;
+    private final UserTrackerRepository userTrackerRepository;
+    private final Function<String, Flyway> flywayLessons;
+    private final List<Initializeable> lessonsToInitialize;
+
+    @RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
+    @ResponseStatus(value = HttpStatus.OK)
+    public void restartLesson() {
+        Lesson al = webSession.getCurrentLesson();
+        log.debug("Restarting lesson: " + al);
+
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+        userTracker.reset(al);
+        userTrackerRepository.save(userTracker);
+
+        var flyway = flywayLessons.apply(webSession.getUserName());
+        flyway.clean();
+        flyway.migrate();
+
+        lessonsToInitialize.forEach(i -> i.initialize(webSession.getUser()));
+    }
+}

src/main/java/org/owasp/webgoat/container/service/SessionService.java

@@ -0,0 +1,33 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.owasp.webgoat.container.service;
+
+import lombok.RequiredArgsConstructor;
+import org.owasp.webgoat.container.i18n.Messages;
+import org.owasp.webgoat.container.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+@RequiredArgsConstructor
+public class SessionService {
+
+    private final WebSession webSession;
+    private final RestartLessonService restartLessonService;
+    private final Messages messages;
+
+    @RequestMapping(path = "/service/enable-security.mvc", produces = "application/json")
+    @ResponseBody
+    public String applySecurity() {
+        webSession.toggleSecurity();
+        restartLessonService.restartLesson();
+
+        var msg = webSession.isSecurityEnabled() ? "security.enabled" : "security.disabled";
+        return messages.getMessage(msg);
+    }
+}