From 7af27f7d1bf948acaa8fed782d4d25b4cb4291c0 Mon Sep 17 00:00:00 2001 From: "rogan.dawes" Date: Wed, 18 Jul 2007 13:34:53 +0000 Subject: [PATCH] Make per-user in-memory databases actually work Previously we would just get a connection to the same database, regardless of the user specified in the connect string. Trying to create HSQLDB users did not seem to work. Non-ADMIN users don't have CREATE TABLE privileges, it seems, and I couldn't find docs that describe how to GRANT CREATE TABLE privileges. Go figure. git-svn-id: http://webgoat.googlecode.com/svn/trunk@192 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../webgoat/session/DatabaseUtilities.java | 27 ++++++++++++-------
 .../main/project/WebContent/WEB-INF/web.xml | 6 ++++-
 webgoat/main/project/WebContent/webgoat.jsp | 7 ++---
 3 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java
index e9c072be3..c712d50cc 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java
@@ -6,6 +6,7 @@ import java.sql.DriverManager;
 import java.sql.ResultSet;
 import java.sql.ResultSetMetaData;
 import java.sql.SQLException;
+import java.sql.Statement;
 import java.util.HashMap;
 import java.util.Map;
@@ -92,21 +93,26 @@ public class DatabaseUtilities } } - public static Connection makeConnection(String user, WebgoatContext context) + private static Connection makeConnection(String user, WebgoatContext context) throws ClassNotFoundException, SQLException { - Class.forName(context.getDatabaseDriver()); + Class.forName(context.getDatabaseDriver()); - String password = context.getDatabasePassword(); - String conn = context.getDatabaseConnectionString(); - if (password == null || password.equals("")) { - return (DriverManager.getConnection(conn)); - } else { - String userPrefix = context.getDatabaseUser(); - return DriverManager.getConnection(conn, userPrefix + "_" + user, password); - } + if (context.getDatabaseConnectionString().contains("hsqldb")) + return getHsqldbConnection(user, context); + + String userPrefix = context.getDatabaseUser(); + String password = context.getDatabasePassword(); + String url = context.getDatabaseConnectionString(); + return DriverManager.getConnection(url, userPrefix + "_" + user, password); } + private static Connection getHsqldbConnection(String user, WebgoatContext context) + throws ClassNotFoundException, SQLException + { + String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user); + return DriverManager.getConnection(url, "sa", ""); + } /** * Description of the Method * @@ -162,4 +168,5 @@ public class DatabaseUtilities "Query Successful; however no data was returned from this query.")); } } + } diff --git a/ webgoat/main/project/WebContent/WEB-INF/web.xml b/ webgoat/main/project/WebContent/WEB-INF/web.xml index 5bf4fe126..f5e0b5151 100755 --- a/ webgoat/main/project/WebContent/WEB-INF/web.xml +++ b/ webgoat/main/project/WebContent/WEB-INF/web.xml @@ -151,8 +151,12 @@ DatabaseConnectionString + - jdbc:hsqldb:. + jdbc:hsqldb:${USER} diff --git a/ webgoat/main/project/WebContent/webgoat.jsp b/ webgoat/main/project/WebContent/webgoat.jsp index bf2d5bfaa..45aef327b 100644 
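Review bot: In the new `getHsqldbConnection`, `user` is passed to `replaceAll` as a regex replacement string and then becomes part of the JDBC URL with no validation. A name containing `$` or `\` makes `replaceAll` throw or substitute unexpectedly, and characters that carry meaning in an HSQLDB URL (for example `;` or `:`) could change which database is opened or with which properties; presumably `user` is the logged-in account name, which this hunk does not show. Check the name against a conservative allowlist and substitute literally, e.g. `if (!user.matches("[A-Za-z0-9_]+")) throw new SQLException("invalid database user name");` followed by `String url = context.getDatabaseConnectionString().replace("${USER}", user);`. Every per-user database is opened as `sa` with an empty password, so the separation between users rests only on the database name; a comment on the method saying so would help the next maintainer. Separately, the non-HSQLDB path in `makeConnection` no longer falls back to `DriverManager.getConnection(conn)` when the configured password is null or empty, and the method is now private, so callers outside this hunk should be checked.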
--- a/ webgoat/main/project/WebContent/webgoat.jsp +++ b/ webgoat/main/project/WebContent/webgoat.jsp @@ -31,10 +31,11 @@ -
Bruce Mayhew
-
Laurence Casey
-
David Anderson
+
Bruce Mayhew
+
Laurence Casey
+
David Anderson
Eric Sheridan
+
Rogan Dawes
Aspect Security