Make per-user in-memory databases actually work

Previously we would just get a connection to the same database, regardless of the user specified in the connect string. Trying to create HSQLDB users did not seem to work. Non-ADMIN users don't have CREATE TABLE privileges, it seems, and I couldn't find docs that describe how to GRANT CREATE TABLE privileges. Go figure. git-svn-id: http://webgoat.googlecode.com/svn/trunk@192 4033779f-a91e-0410-96ef-6bf7bf53c507
2007-07-18 13:34:53 +00:00 · 2007-07-18 13:34:53 +00:00 · 7af27f7d1b
commit 7af27f7d1b
parent cf047786f3
3 changed files with 26 additions and 14 deletions
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/session/DatabaseUtilities.java
@ -6,6 +6,7 @@ import java.sql.DriverManager;
 import java.sql.ResultSet;
 import java.sql.ResultSetMetaData;
 import java.sql.SQLException;
+import java.sql.Statement;
 import java.util.HashMap;
 import java.util.Map;

@ -92,21 +93,26 @@ public class DatabaseUtilities
 		}
 	}
 	
-    public static Connection makeConnection(String user, WebgoatContext context)
+    private static Connection makeConnection(String user, WebgoatContext context)
    	throws ClassNotFoundException, SQLException
    {
 		Class.forName(context.getDatabaseDriver());

-	String password = context.getDatabasePassword();
-	String conn = context.getDatabaseConnectionString();
-	if (password == null || password.equals("")) {
-		return (DriverManager.getConnection(conn));
-	} else {
+		if (context.getDatabaseConnectionString().contains("hsqldb"))
+    		return getHsqldbConnection(user, context);
+		
 		String userPrefix = context.getDatabaseUser();
-		return DriverManager.getConnection(conn, userPrefix + "_" + user, password);
-	}
+		String password = context.getDatabasePassword();
+		String url = context.getDatabaseConnectionString();
+		return DriverManager.getConnection(url, userPrefix + "_" + user, password);
    }

+    private static Connection getHsqldbConnection(String user, WebgoatContext context)
+	throws ClassNotFoundException, SQLException
+	{
+		String url = context.getDatabaseConnectionString().replaceAll("\\$\\{USER\\}", user);
+		return DriverManager.getConnection(url, "sa", "");
+	}
    /**
     * Description of the Method
     *
@ -162,4 +168,5 @@ public class DatabaseUtilities
 		    "Query Successful; however no data was returned from this query."));
 	}
    }
+    
 }
--- a/webgoat/main/project/WebContent/WEB-INF/web.xml
+++ b/webgoat/main/project/WebContent/WEB-INF/web.xml
@ -151,8 +151,12 @@

      <init-param>
            <param-name>DatabaseConnectionString</param-name>
+            <!-- 
+            The string "${USER}" in the connection string will be replaced by the active username
+            when making a connection.
+             -->
            <param-value>
-				jdbc:hsqldb:.
+				jdbc:hsqldb:${USER}
 		    </param-value>
      </init-param>

--- a/webgoat/main/project/WebContent/webgoat.jsp
+++ b/webgoat/main/project/WebContent/webgoat.jsp
@ -35,6 +35,7 @@
 	                 <div align="center" class="style2">Laurence Casey</div>
 	                 <div align="center" class="style2">David Anderson</div>
 	                 <div align="center" class="style2">Eric Sheridan</div>
+	                 <div align="center" class="style2">Rogan Dawes</div>
 	              </td>
                  <td  valign="top">
                  	<div align="center" class="style2">Aspect Security</div>