diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java
index eccc4aa14..f5797bb53 100755
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java
@@ -123,26 +123,29 @@ public class GoatHillsFinancial extends LessonAdapter
 public GoatHillsFinancial()
 {
 String myClassName = parseClassName(this.getClass().getName());
- registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION));
- registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION));
- registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION));
- registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION));
- registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION));
-
- // These actions are special in that they chain to other actions.
- registerAction(new Login(this, myClassName, LOGIN_ACTION,
- getAction(LISTSTAFF_ACTION)));
- registerAction(new Logout(this, myClassName, LOGOUT_ACTION,
- getAction(LOGIN_ACTION)));
- registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION,
- getAction(VIEWPROFILE_ACTION)));
- registerAction(new UpdateProfile(this, myClassName,
- UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
- registerAction(new DeleteProfile(this, myClassName,
- DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
+ registerActions(myClassName);
 }
+ protected void registerActions(String className) {
+ registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
+ registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
+ registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
+ registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
+ registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
+ // These actions are special in that they chain to other actions.
+ registerAction(new Login(this, className, LOGIN_ACTION,
+ getAction(LISTSTAFF_ACTION)));
+ registerAction(new Logout(this, className, LOGOUT_ACTION,
+ getAction(LOGIN_ACTION)));
+ registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
+ getAction(VIEWPROFILE_ACTION)));
+ registerAction(new UpdateProfile(this, className,
+ UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
+ registerAction(new DeleteProfile(this, className,
+ DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
+ }
+
 protected final String parseClassName(String fqcn)
 {
 String className = fqcn;
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/FindProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/FindProfile.java
deleted file mode 100644
index 3166573dd..000000000
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/FindProfile.java
+++ /dev/null
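Review bot: `registerActions` is protected and is invoked from the `GoatHillsFinancial()` constructor, so any subclass override (this same commit adds one in RoleBasedAccessControl) runs before the subclass's own constructor body and field initialisers, and an override that reads a subclass instance field would see it still unset. Nothing in the hunk says so; I would put a Javadoc above the new method, e.g. `/** Registers this lesson's actions. Called from the constructor, so an override must not rely on subclass instance state. */`. The same comment should say that the chained registrations resolve LISTSTAFF, LOGIN and VIEWPROFILE through `getAction()`, so those three must be registered before Login/Logout/FindProfile/UpdateProfile/DeleteProfile — a subclass that reorders the calls would chain to a not-yet-registered action (presumably a null from `getAction`, which is not checked here). The `parseClassName` method at the end of the hunk continues outside it.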
@@ -1,193 +0,0 @@
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import java.sql.PreparedStatement;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.DefaultLessonAction;
-import org.owasp.webgoat.lessons.LessonAction;
-import org.owasp.webgoat.session.Employee;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- */
-public class FindProfile extends DefaultLessonAction
-{
-
- private LessonAction chainedAction;
-
-
- public FindProfile(AbstractLesson lesson, String lessonName,
- String actionName, LessonAction chainedAction)
- {
- super(lesson, lessonName, actionName);
- this.chainedAction = chainedAction;
- }
-
-
- public void handleRequest(WebSession s) throws ParameterNotFoundException,
- UnauthenticatedException, UnauthorizedException,
- ValidationException
- {
- if (isAuthenticated(s))
- {
- int userId = getIntSessionAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.USER_ID);
-
- String pattern = s.getParser().getRawParameter(
- RoleBasedAccessControl.SEARCHNAME);
-
- findEmployeeProfile(s, userId, pattern);
-
- // Execute the chained Action if the employee was found.
- if (foundEmployee(s))
- {
- try
- {
- chainedAction.handleRequest(s);
- }
- catch (UnauthenticatedException ue1)
- {
- System.out.println("Internal server error");
- ue1.printStackTrace();
- }
- catch (UnauthorizedException ue2)
- {
- System.out.println("Internal server error");
- ue2.printStackTrace();
- }
- }
- }
- else
- throw new UnauthenticatedException();
- }
-
-
- public String getNextPage(WebSession s)
- {
- String page = RoleBasedAccessControl.SEARCHSTAFF_ACTION;
-
- if (foundEmployee(s))
- page = RoleBasedAccessControl.VIEWPROFILE_ACTION;
-
- return page;
- }
-
-
- private boolean foundEmployee(WebSession s)
- {
- boolean found = false;
- try
- {
- int id = getIntRequestAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.EMPLOYEE_ID);
- found = true;
- }
- catch (ParameterNotFoundException e)
- {}
-
- return found;
- }
-
-
- public Employee findEmployeeProfile(WebSession s, int userId, String pattern)
- throws UnauthorizedException
- {
- Employee profile = null;
- // Clear any residual employee id's in the session now.
- removeSessionAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.EMPLOYEE_ID);
-
- // Query the database for the profile data of the given employee
- try
- {
- String query = "SELECT * FROM employee WHERE first_name like ? OR last_name = ?";
-
- try
- {
- PreparedStatement answer_statement = WebSession
- .getConnection(s).prepareStatement(query,
- ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- answer_statement.setString(1, "%" + pattern + "%");
- answer_statement.setString(2, "%" + pattern + "%");
- ResultSet answer_results = answer_statement.executeQuery();
-
- // Just use the first hit.
- if (answer_results.next())
- {
- int id = answer_results.getInt("userid");
- // Note: Do NOT get the password field.
- profile = new Employee(id, answer_results
- .getString("first_name"), answer_results
- .getString("last_name"), answer_results
- .getString("ssn"), answer_results
- .getString("title"), answer_results
- .getString("phone"), answer_results
- .getString("address1"), answer_results
- .getString("address2"), answer_results
- .getInt("manager"), answer_results
- .getString("start_date"), answer_results
- .getInt("salary"), answer_results.getString("ccn"),
- answer_results.getInt("ccn_limit"), answer_results
- .getString("disciplined_date"),
- answer_results.getString("disciplined_notes"),
- answer_results.getString("personal_description"));
-
- /* System.out.println("Retrieved employee from db: " +
- profile.getFirstName() + " " + profile.getLastName() +
- " (" + profile.getId() + ")");
- */
- setRequestAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.EMPLOYEE_ID, Integer
- .toString(id));
- }
- }
- catch (SQLException sqle)
- {
- s.setMessage("Error finding employee profile");
- sqle.printStackTrace();
- }
- }
- catch (Exception e)
- {
- s.setMessage("Error finding employee profile");
- e.printStackTrace();
- }
-
- return profile;
- }
-
-}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ListStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ListStaff.java
deleted file mode 100644
index 5c5575bcd..000000000
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ListStaff.java
+++ /dev/null
@@ -1,175 +0,0 @@
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.List;
-import java.util.Vector;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.DefaultLessonAction;
-import org.owasp.webgoat.session.EmployeeStub;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- */
-public class ListStaff extends DefaultLessonAction
-{
-
- public ListStaff(AbstractLesson lesson, String lessonName, String actionName)
- {
- super(lesson, lessonName, actionName);
- }
-
-
- public void handleRequest(WebSession s) throws ParameterNotFoundException,
- UnauthenticatedException, UnauthorizedException
- {
- getLesson().setCurrentAction(s, getActionName());
-
- if (isAuthenticated(s))
- {
- int userId = getIntSessionAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.USER_ID);
-
- List employees = getAllEmployees(s, userId);
- setSessionAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.STAFF_ATTRIBUTE_KEY, employees);
- }
- else
- throw new UnauthenticatedException();
- }
-
-
- public String getNextPage(WebSession s)
- {
- return RoleBasedAccessControl.LISTSTAFF_ACTION;
- }
-
-
- public List getAllEmployees(WebSession s, int userId)
- throws UnauthorizedException
- {
- // Query the database for all employees "owned" by the given employee
-
- List employees = new Vector();
-
- try
- {
- String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in "
- + "(SELECT employee_id FROM ownership WHERE employer_id = "
- + userId + ")";
-
- try
- {
- Statement answer_statement = WebSession.getConnection(s)
- .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet answer_results = answer_statement.executeQuery(query);
- answer_results.beforeFirst();
- while (answer_results.next())
- {
- int employeeId = answer_results.getInt("userid");
- String firstName = answer_results.getString("first_name");
- String lastName = answer_results.getString("last_name");
- String role = answer_results.getString("role");
- //System.out.println("Retrieving employee stub for role " + role);
- EmployeeStub stub = new EmployeeStub(employeeId, firstName,
- lastName, role);
- employees.add(stub);
- }
- }
- catch (SQLException sqle)
- {
- s.setMessage("Error getting employees");
- sqle.printStackTrace();
- }
- }
- catch (Exception e)
- {
- s.setMessage("Error getting employees");
- e.printStackTrace();
- }
-
- return employees;
- }
-
-
- public List getAllEmployees_BACKUP(WebSession s, int userId)
- throws UnauthorizedException
- {
- // Query the database for all employees "owned" by the given employee
-
- List employees = new Vector();
-
- try
- {
- String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in "
- + "(SELECT employee_id FROM ownership WHERE employer_id = "
- + userId + ")";
-
- try
- {
- Statement answer_statement = WebSession.getConnection(s)
- .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet answer_results = answer_statement.executeQuery(query);
- answer_results.beforeFirst();
- while (answer_results.next())
- {
- int employeeId = answer_results.getInt("userid");
- String firstName = answer_results.getString("first_name");
- String lastName = answer_results.getString("last_name");
- String role = answer_results.getString("role");
- //System.out.println("Retrieving employee stub for role " + role);
- EmployeeStub stub = new EmployeeStub(employeeId, firstName,
- lastName, role);
- employees.add(stub);
- }
- }
- catch (SQLException sqle)
- {
- s.setMessage("Error getting employees");
- sqle.printStackTrace();
- }
- }
- catch (Exception e)
- {
- s.setMessage("Error getting employees");
- e.printStackTrace();
- }
-
- return employees;
- }
-
-}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Login.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Login.java
deleted file mode 100644
index a6da42a16..000000000
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Login.java
+++ /dev/null
@@ -1,222 +0,0 @@
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.List;
-import java.util.Vector;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.DefaultLessonAction;
-import org.owasp.webgoat.lessons.LessonAction;
-import org.owasp.webgoat.session.EmployeeStub;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- */
-public class Login extends DefaultLessonAction
-{
-
- private LessonAction chainedAction;
-
-
- public Login(AbstractLesson lesson, String lessonName, String actionName,
- LessonAction chainedAction)
- {
- super(lesson, lessonName, actionName);
- this.chainedAction = chainedAction;
- }
-
-
- public void handleRequest(WebSession s) throws ParameterNotFoundException,
- ValidationException
- {
- //System.out.println("Login.handleRequest()");
- getLesson().setCurrentAction(s, getActionName());
-
- List employees = getAllEmployees(s);
- setSessionAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.STAFF_ATTRIBUTE_KEY, employees);
-
- int employeeId = -1;
- try
- {
- employeeId = s.getParser().getIntParameter(
- RoleBasedAccessControl.EMPLOYEE_ID);
- String password = s.getParser().getStringParameter(
- RoleBasedAccessControl.PASSWORD);
-
- // Attempt authentication
- if (login(s, employeeId, password))
- {
- // Execute the chained Action if authentication succeeded.
- try
- {
- chainedAction.handleRequest(s);
- }
- catch (UnauthenticatedException ue1)
- {
- System.out.println("Internal server error");
- ue1.printStackTrace();
- }
- catch (UnauthorizedException ue2)
- {
- System.out.println("Internal server error");
- ue2.printStackTrace();
- }
- }
- else
- s.setMessage("Login failed");
- }
- catch (ParameterNotFoundException pnfe)
- {
- // No credentials offered, so we log them out
- setSessionAttribute(s, getLessonName() + ".isAuthenticated",
- Boolean.FALSE);
- }
- }
-
-
- /**
- * After this.handleRequest() is called, when the View asks for the current JSP to load,
- * it will get one initialized by this call.
- */
- public String getNextPage(WebSession s)
- {
- String nextPage = RoleBasedAccessControl.LOGIN_ACTION;
-
- if (isAuthenticated(s))
- nextPage = chainedAction.getNextPage(s);
-
- return nextPage;
-
- }
-
-
- public boolean requiresAuthentication()
- {
- return false;
- }
-
-
- public boolean login(WebSession s, int userId, String password)
- {
- //System.out.println("Logging in to lesson");
- boolean authenticated = false;
-
- try
- {
- String query = "SELECT * FROM employee WHERE userid = " + userId
- + " and password = '" + password + "'";
-
- try
- {
- Statement answer_statement = WebSession.getConnection(s)
- .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet answer_results = answer_statement.executeQuery(query);
- if (answer_results.first())
- {
- setSessionAttribute(s,
- getLessonName() + ".isAuthenticated", Boolean.TRUE);
- setSessionAttribute(s, getLessonName() + "."
- + RoleBasedAccessControl.USER_ID, Integer
- .toString(userId));
- authenticated = true;
- }
-
- }
- catch (SQLException sqle)
- {
- s.setMessage("Error logging in");
- sqle.printStackTrace();
- }
- }
- catch (Exception e)
- {
- s.setMessage("Error logging in");
- e.printStackTrace();
- }
-
- //System.out.println("Lesson login result: " + authenticated);
- return authenticated;
- }
-
-
- public List getAllEmployees(WebSession s)
- {
- List employees = new Vector();
-
- // Query the database for all roles the given employee belongs to
- // Query the database for all employees "owned" by these roles
-
- try
- {
- String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles "
- + "where employee.userid=roles.userid";
-
- try
- {
- Statement answer_statement = WebSession.getConnection(s)
- .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
- ResultSet.CONCUR_READ_ONLY);
- ResultSet answer_results = answer_statement.executeQuery(query);
- answer_results.beforeFirst();
- while (answer_results.next())
- {
- int employeeId = answer_results.getInt("userid");
- String firstName = answer_results.getString("first_name");
- String lastName = answer_results.getString("last_name");
- String role = answer_results.getString("role");
- EmployeeStub stub = new EmployeeStub(employeeId, firstName,
- lastName, role);
- employees.add(stub);
- }
- }
- catch (SQLException sqle)
- {
- s.setMessage("Error getting employees");
- sqle.printStackTrace();
- }
- }
- catch (Exception e)
- {
- s.setMessage("Error getting employees");
- e.printStackTrace();
- }
-
- return employees;
- }
-
-}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Logout.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Logout.java
deleted file mode 100644
index 309c0b8c5..000000000
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Logout.java
+++ /dev/null
@@ -1,87 +0,0 @@
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.DefaultLessonAction;
-import org.owasp.webgoat.lessons.LessonAction;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- */
-public class Logout extends DefaultLessonAction
-{
-
- private LessonAction chainedAction;
-
-
- public Logout(AbstractLesson lesson, String lessonName, String actionName,
- LessonAction chainedAction)
- {
- super(lesson, lessonName, actionName);
- this.chainedAction = chainedAction;
- }
-
-
- public void handleRequest(WebSession s) throws ParameterNotFoundException,
- ValidationException
- {
- //System.out.println("Logging out");
-
- setSessionAttribute(s, getLessonName() + ".isAuthenticated",
- Boolean.FALSE);
-
- // FIXME: Maybe we should forward to Login.
- try
- {
- chainedAction.handleRequest(s);
- }
- catch (UnauthenticatedException ue1)
- {
- System.out.println("Internal server error");
- ue1.printStackTrace();
- }
- catch (UnauthorizedException ue2)
- {
- System.out.println("Internal server error");
- ue2.printStackTrace();
- }
-
- }
-
-
- public String getNextPage(WebSession s)
- {
- return chainedAction.getNextPage(s);
- }
-
-}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index 2a53e2093..a420cc97d 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -7,7 +7,12 @@ import org.apache.ecs.ElementContainer;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.DefaultLessonAction;
 import org.owasp.webgoat.lessons.LessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -47,6 +52,26 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 {
 private final static Integer DEFAULT_RANKING = new Integer(125);
+ protected void registerActions(String className) {
+ registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
+ registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
+ registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
+ registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
+ registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
+
+ // These actions are special in that they chain to other actions.
+ registerAction(new Login(this, className, LOGIN_ACTION,
+ getAction(LISTSTAFF_ACTION)));
+ registerAction(new Logout(this, className, LOGOUT_ACTION,
+ getAction(LOGIN_ACTION)));
+ registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
+ getAction(VIEWPROFILE_ACTION)));
+ registerAction(new UpdateProfile(this, className,
+ UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
+ registerAction(new DeleteProfile(this, className,
+ DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
+ }
+
 /**
 * Gets the category attribute of the CommandInjection object
 *
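Review bot: The `registerActions` override in the second hunk is a line-for-line copy of the parent's body, so a reader cannot see that its only purpose is to bind the package-local `ViewProfile`, `EditProfile`, `UpdateProfile` and `DeleteProfile` (not imported, so resolved from `org.owasp.webgoat.lessons.RoleBasedAccessControl`, assuming those classes still exist there) while `ListStaff`, `SearchStaff`, `Login`, `Logout` and `FindProfile` now come from the GoatHillsFinancial imports added in the first hunk. In an access-control lesson those four are presumably the actions whose authorization behaviour the lesson varies, and the selection rests silently on name resolution: a later `GoatHillsFinancial.*` import or removal of one local class would switch implementations with no compile error. Add `@Override` to the method and a comment such as `// Same wiring as GoatHillsFinancial; ViewProfile, EditProfile, UpdateProfile and DeleteProfile are this lesson's local variants, the rest are the shared ones.` so the intent survives refactoring. The lesson class continues outside the hunk.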
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/SearchStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/SearchStaff.java
deleted file mode 100644
index a6853d29c..000000000
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/SearchStaff.java
+++ /dev/null
@@ -1,51 +0,0 @@
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.DefaultLessonAction;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- */
-public class SearchStaff extends DefaultLessonAction
-{
-
- public SearchStaff(AbstractLesson lesson, String lessonName,
- String actionName)
- {
- super(lesson, lessonName, actionName);
- }
-
-
- public String getNextPage(WebSession s)
- {
- return RoleBasedAccessControl.SEARCHSTAFF_ACTION;
- }
-
-}