diff --git a/src/it/java/org/owasp/webgoat/playwright/webgoat/RegistrationUITest.java b/src/it/java/org/owasp/webgoat/playwright/webgoat/RegistrationUITest.java
new file mode 100644
index 000000000..e8dfff715
--- /dev/null
+++ b/src/it/java/org/owasp/webgoat/playwright/webgoat/RegistrationUITest.java
@@ -0,0 +1,48 @@
+/*
+ * SPDX-FileCopyrightText: Copyright © 2025 WebGoat authors
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+package org.owasp.webgoat.playwright.webgoat;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import com.microsoft.playwright.Browser;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.owasp.webgoat.playwright.webgoat.helpers.Authentication;
+import org.owasp.webgoat.playwright.webgoat.pages.RegistrationPage;
+import org.owasp.webgoat.playwright.webgoat.pages.WebGoatLoginPage;
+
+public class RegistrationUITest extends PlaywrightTest {
+
+  @Test
+  @DisplayName("Should register a new user while logged in as other user")
+  void registerWhileLoggedIn(Browser browser) {
+    var page = Authentication.tweety(browser);
+    var loginPage = new WebGoatLoginPage(page);
+    loginPage.open();
+    loginPage.login(Authentication.getTweety().name(), Authentication.getTweety().password());
+
+    var newUsername = "newuser" + System.currentTimeMillis();
+    var password = "password123";
+    var registrationPage = new RegistrationPage(page);
+    registrationPage.open();
+    registrationPage.register(newUsername, password);
+
+    assertThat(page.content()).contains(newUsername);
+  }
+
+  @Test
+  @DisplayName("Should register a new user")
+  void registerNewUser(Browser browser) {
+    var page = browser.newContext().newPage();
+    var registrationPage = new RegistrationPage(page);
+    registrationPage.open();
+
+    var newUsername = "newuser" + System.currentTimeMillis();
+    var password = "password123";
+    registrationPage.register(newUsername, password);
+
+    assertThat(page.content()).contains(newUsername);
+  }
+}
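Review bot: Both tests end with only `assertThat(page.content()).contains(newUsername)`, which would probably also pass if registration failed and the form were re-rendered with the submitted username still in its input field. That is inferred, since RegistrationPage and the template are not visible in this diff. In registerWhileLoggedIn, nothing checks that the previous user's session was actually replaced, which is the behaviour the test exists for. Consider asserting on the post-registration URL or a logged-in-user element, and adding something like `assertThat(page.content()).doesNotContain(Authentication.getTweety().name());`, provided that name does not appear on the landing page for other reasons. A short comment on registerWhileLoggedIn saying it guards against the old session surviving registration would also make the intent clear.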
diff --git a/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
index 7b776a267..5097320c8 100644
--- a/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
+++ b/src/main/java/org/owasp/webgoat/container/users/RegistrationController.java
@@ -6,11 +6,14 @@ package org.owasp.webgoat.container.users;
 
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import java.util.UUID;
-import lombok.AllArgsConstructor;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -22,12 +25,12 @@ import org.springframework.web.bind.annotation.PostMapping;
  * @since 3/19/17.
  */
 @Controller
-@AllArgsConstructor
+@RequiredArgsConstructor
 @Slf4j
 public class RegistrationController {
 
-  private UserValidator userValidator;
-  private UserService userService;
+  private final UserValidator userValidator;
+  private final UserService userService;
 
   @GetMapping("/registration")
   public String showForm(UserForm userForm) {
@@ -38,13 +41,21 @@ public class RegistrationController {
   public String registration(
       @ModelAttribute("userForm") @Valid UserForm userForm,
       BindingResult bindingResult,
-      HttpServletRequest request)
+      HttpServletRequest request,
+      HttpServletResponse response)
       throws ServletException {
     userValidator.validate(userForm, bindingResult);
 
     if (bindingResult.hasErrors()) {
       return "registration";
     }
+
+    // Logout current user if any
+    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+    if (auth != null) {
+      new SecurityContextLogoutHandler().logout(request, response, auth);
+    }
+
     userService.addUser(userForm.getUsername(), userForm.getPassword());
     request.login(userForm.getUsername(), userForm.getPassword());