Make per-user in-memory databases actually work

Previously we would just get a connection to the same database, regardless
of the user specified in the connect string. Trying to create
HSQLDB users did not seem to work. Non-ADMIN users don't have
CREATE TABLE privileges, it seems, and I couldn't find docs that
describe how to GRANT CREATE TABLE privileges. Go figure.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@192 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java

@@ -6,6 +6,7 @@ import java.sql.DriverManager;
 import java.sql.ResultSet;
 import java.sql.ResultSetMetaData;
 import java.sql.SQLException;
+import java.sql.Statement;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -92,21 +93,26 @@ public class DatabaseUtilities
 		}
 	}
 	
-    public static Connection makeConnection(String user, WebgoatContext context)
+    private static Connection makeConnection(String user, WebgoatContext context)
     	throws ClassNotFoundException, SQLException
     {
-	Class.forName(context.getDatabaseDriver());
+		Class.forName(context.getDatabaseDriver());
 
-	String password = context.getDatabasePassword();
+		if (context.getDatabaseConnectionString().contains("hsqldb"))
-	String conn = context.getDatabaseConnectionString();
+    		return getHsqldbConnection(user, context);
-	if (password == null || password.equals("")) {
+		
-		return (DriverManager.getConnection(conn));
+		String userPrefix = context.getDatabaseUser();
-	} else {
+		String password = context.getDatabasePassword();
-		String userPrefix = context.getDatabaseUser();
+		String url = context.getDatabaseConnectionString();
-		return DriverManager.getConnection(conn, userPrefix + "_" + user, password);
+		return DriverManager.getConnection(url, userPrefix + "_" + user, password);
-	}
     }
 
+    private static Connection getHsqldbConnection(String user, WebgoatContext context)
+	throws ClassNotFoundException, SQLException
+	{
+		String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
+		return DriverManager.getConnection(url, "sa", "");
+	}
     /**
      * Description of the Method
      *
@@ -162,4 +168,5 @@ public class DatabaseUtilities
 		    "Query Successful; however no data was returned from this query."));
 	}
     }
+    
 }

webgoat/main/project/WebContent/WEB-INF/web.xml

@@ -151,8 +151,12 @@
 
       <init-param>
             <param-name>DatabaseConnectionString</param-name>
+            <!-- 
+            The string "${USER}" in the connection string will be replaced by the active username
+            when making a connection.
+             -->
             <param-value>
-				jdbc:hsqldb:.
+				jdbc:hsqldb:${USER}
 		    </param-value>
       </init-param>
 

webgoat/main/project/WebContent/webgoat.jsp

@@ -31,10 +31,11 @@
                 </tr>
                 <tr>
                   <td  valign="top">
-	                 <div align="center" class="style2">Bruce Mayhew</div>                    
+	                 <div align="center" class="style2">Bruce Mayhew</div>
-	                 <div align="center" class="style2">Laurence Casey</div>                    
+	                 <div align="center" class="style2">Laurence Casey</div>
-	                 <div align="center" class="style2">David Anderson</div>                    
+	                 <div align="center" class="style2">David Anderson</div>
 	                 <div align="center" class="style2">Eric Sheridan</div>
+	                 <div align="center" class="style2">Rogan Dawes</div>
 	              </td>
                   <td  valign="top">
                   	<div align="center" class="style2">Aspect Security</div>