exclude web assets from spring security

format reportBug.jsp
2014-06-11 21:56:43 -04:00 · 2014-06-11 21:56:43 -04:00 · 80dae15f70
commit 80dae15f70
parent a0d4a02f0a
4 changed files with 215 additions and 210 deletions
--- a/java/org/owasp/webgoat/HammerHead.java
+++ b/java/org/owasp/webgoat/HammerHead.java
@ -180,6 +180,7 @@ public class HammerHead extends HttpServlet {
            request.getSession().setAttribute("course", mySession.getCourse());
            String viewPage = getViewPage(mySession);
            logger.debug("Forwarding to view: " + viewPage);
+            logger.debug("Screen: " + screen);
            request.getRequestDispatcher(viewPage).forward(request, response);              
        } catch (Throwable t) {
            logger.error("Error handling request", t);
--- a/webapp/WEB-INF/spring-security.xml
+++ b/webapp/WEB-INF/spring-security.xml
@ -11,6 +11,10 @@
            NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
            That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
    -->  
+    <http pattern="/css/**" security="none"/>
+    <http pattern="/images/**" security="none"/>
+    <http pattern="/javascript/**" security="none"/>
+    <http pattern="/favicon.ico" security="none"/>    
    <http auto-config="true"  use-expressions="true">  
        <intercept-url pattern="/login.do" access="permitAll" />
        <intercept-url pattern="/logout.do" access="permitAll" />