diff --git a/webapp/lesson_plans/English/TomcatSetup.html b/webapp/lesson_plans/English/TomcatSetup.html index 2f33d253c..79999b46d 100644 --- a/webapp/lesson_plans/English/TomcatSetup.html +++ b/webapp/lesson_plans/English/TomcatSetup.html @@ -78,17 +78,22 @@ only discussed the whitebox approach. You have to add following lines to the Hos

In this case only localhost, ip1 and ip2 are permitted to connect.

-

WebGoat Default Users and Roles for Tomcat

+

Configuring new WebGoat users

-WebGoat requires the following users and roles to be configured in order for the application to run. +WebGoat uses spring-security.xml to configure users.

-  >role rolename="webgoat_basic"/<
-  >role rolename="webgoat_admin"/<
-  >role rolename="webgoat_user"/<
-  >user username="webgoat" password="webgoat" roles="webgoat_admin"/<
-  >user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/<
-  >user username="guest" password="guest" roles="webgoat_user"/<
+    <!-- Authentication Manager -->
+    <authentication-manager alias="authenticationManager">
+        <authentication-provider>
+            <user-service>
+                <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
+                <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
+                <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
+                <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>  
   

Adding Users

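Review bot: the replacement text drops information the removed lines carried and pastes internal developer commentary into user-facing documentation. The removed line listed three roles (webgoat_basic, webgoat_admin, webgoat_user) and three users; the new block lists ROLE_WEBGOAT_USER, ROLE_WEBGOAT_ADMIN and a new `server` account with ROLE_SERVER_ADMIN, but the sentence "+WebGoat uses spring-security.xml to configure users." neither names the file's location (the second hunk gives it as /WEB-INF/spring-security.xml; say so here too) nor explains what ROLE_SERVER_ADMIN is for or that `server`/`server` is a default credential the reader should change. The copied comment "<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP -->" belongs in the source tree, not in a lesson plan; replace it with a plain statement that usernames and passwords are stored in clear text in this file, which is the warning the next hunk already makes. Minor: the lines "+                <!-- TODO: ..." and "+    </authentication-manager>  " carry trailing whitespace.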
@@ -96,18 +101,17 @@ WebGoat requires the following users and roles to be configured in order for the Usually using WebGoat you just use the user guest with the password guest. But maybe in laboratory you have made a setup with one server and a lot of clients. In this case you might want to have a user for every client - and you have to alter tomcat-users.xml -in tomcat/conf as the users are stored there. We recommend not to use real passwords + and you have to alter /WEB-INF/spring-security.xml as the users are stored there. We recommend not to use real passwords as the passwords are stored in plain text in this file!

Add User

Adding a user is straight forward. You can use the guest entry as an example. The added -users should have the same role as the guest user. Add lines like this to the file: +users should have the same role as the guest user. The new user/password will not show on the login page. +Add lines like this to the file:

-	<user name="student1" password="password1" roles="webgoat_user"/>
-	<user name="student2" password="password2" roles="webgoat_user"/>
+                <user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" />
 	...
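Review bot: the path in "+ and you have to alter /WEB-INF/spring-security.xml as the users are stored there." reads as an absolute filesystem path; state it relative to the deployed WebGoat web application (the WEB-INF directory inside the exploded WAR) so readers do not look for it at the root of the filesystem, and mention that the change takes effect only after the application is redeployed or Tomcat restarted, since the file is part of the deployed webapp rather than a server-wide Tomcat config like the old tomcat-users.xml. The example line "+                <user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" />" correctly switches from the old `roles` attribute to `authorities` and keeps the guest role, but the surrounding prose still says "the same role as the guest user"; consider "the same authority (ROLE_WEBGOAT_USER)" so the wording matches the attribute name the reader will actually edit. Style: "straight forward" in the context line should be "straightforward" if this paragraph is touched again.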