From a71b6af562c6aeb70a0f7ad910d387cd03160a12 Mon Sep 17 00:00:00 2001
From: "rogan.dawes"
Date: Tue, 10 Jul 2007 11:57:24 +0000
Subject: [PATCH] Fix thinko. Each LAB nees to use its own local LessonActions when defined Each lesson simply overrides registerActions(classname) to do the necessary. Also delete Actions which already exist in the base class package

git-svn-id: http://webgoat.googlecode.com/svn/trunk@154 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../GoatHillsFinancial.java | 37 +--
 .../RoleBasedAccessControl/FindProfile.java | 193 ---------------
 .../RoleBasedAccessControl/ListStaff.java | 175 --------------
 .../lessons/RoleBasedAccessControl/Login.java | 222 ------------------
 .../RoleBasedAccessControl/Logout.java | 87 -------
 .../RoleBasedAccessControl.java | 25 ++
 .../RoleBasedAccessControl/SearchStaff.java | 51 ----
 7 files changed, 45 insertions(+), 745 deletions(-)
 delete mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/FindProfile.java
 delete mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ListStaff.java
 delete mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Login.java
 delete mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Logout.java
 delete mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/SearchStaff.java

diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java
index eccc4aa14..f5797bb53 100755
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/GoatHillsFinancial/GoatHillsFinancial.java
@@ -123,26 +123,29 @@ public class GoatHillsFinancial extends LessonAdapter
     public GoatHillsFinancial()
     {
         String myClassName = parseClassName(this.getClass().getName());
-        registerAction(new ListStaff(this, myClassName, LISTSTAFF_ACTION));
-        registerAction(new SearchStaff(this, myClassName, SEARCHSTAFF_ACTION));
-        registerAction(new ViewProfile(this, myClassName, VIEWPROFILE_ACTION));
-        registerAction(new EditProfile(this, myClassName, EDITPROFILE_ACTION));
-        registerAction(new EditProfile(this, myClassName, CREATEPROFILE_ACTION));
-
-        // These actions are special in that they chain to other actions.
-        registerAction(new Login(this, myClassName, LOGIN_ACTION,
-                getAction(LISTSTAFF_ACTION)));
-        registerAction(new Logout(this, myClassName, LOGOUT_ACTION,
-                getAction(LOGIN_ACTION)));
-        registerAction(new FindProfile(this, myClassName, FINDPROFILE_ACTION,
-                getAction(VIEWPROFILE_ACTION)));
-        registerAction(new UpdateProfile(this, myClassName,
-                UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
-        registerAction(new DeleteProfile(this, myClassName,
-                DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
+        registerActions(myClassName);
     }
 
 
+    protected void registerActions(String className) {
+        registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
+        registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
+        registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
+        registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
+        registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
+        // These actions are special in that they chain to other actions.
+        registerAction(new Login(this, className, LOGIN_ACTION,
+                getAction(LISTSTAFF_ACTION)));
+        registerAction(new Logout(this, className, LOGOUT_ACTION,
+                getAction(LOGIN_ACTION)));
+        registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
+                getAction(VIEWPROFILE_ACTION)));
+        registerAction(new UpdateProfile(this, className,
+                UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
+        registerAction(new DeleteProfile(this, className,
+                DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
+    }
+
     protected final String parseClassName(String fqcn)
     {
         String className = fqcn;
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/FindProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/FindProfile.java
deleted file mode 100644
index 3166573dd..000000000
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/FindProfile.java
+++ /dev/null
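Review bot: `registerActions(myClassName)` is an overridable `protected` method called from the `GoatHillsFinancial()` constructor, so a subclass override runs before that subclass's own constructor body and field initializers have executed, and any subclass instance field it reads is still `null`. The commit relies on exactly this (the RoleBasedAccessControl hunk overrides it), but the new method carries no Javadoc stating the contract; above `protected void registerActions(String className) {` I would add a comment saying that it is invoked from the constructor, that overrides must not touch subclass instance state, and that the chained registrations (`Login`, `Logout`, `FindProfile`, `UpdateProfile`, `DeleteProfile`) look up `LISTSTAFF_ACTION`, `LOGIN_ACTION` and `VIEWPROFILE_ACTION` through `getAction(...)`, so those must be registered first. If `getAction` returns `null` for a name an override forgot to register (its behaviour is not visible in this hunk), the chained action is built with a `null` target and only fails at request time; a null check that raises `IllegalStateException` at registration would surface that at startup instead. The double registration of `EditProfile` under `EDITPROFILE_ACTION` and `CREATEPROFILE_ACTION` is carried over from the old constructor; if it is intentional, a one-line comment on the second call would keep a later reader from "fixing" it.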
@@ -1,193 +0,0 @@ -package org.owasp.webgoat.lessons.RoleBasedAccessControl; - -import java.sql.PreparedStatement; -import java.sql.ResultSet; -import java.sql.SQLException; - -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; -import org.owasp.webgoat.session.Employee; -import org.owasp.webgoat.session.ParameterNotFoundException; -import org.owasp.webgoat.session.UnauthenticatedException; -import org.owasp.webgoat.session.UnauthorizedException; -import org.owasp.webgoat.session.ValidationException; -import org.owasp.webgoat.session.WebSession; - -/******************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 2007 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. 
- * - * For details, please see http://code.google.com/p/webgoat/ - */ -public class FindProfile extends DefaultLessonAction -{ - - private LessonAction chainedAction; - - - public FindProfile(AbstractLesson lesson, String lessonName, - String actionName, LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException, - ValidationException - { - if (isAuthenticated(s)) - { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.USER_ID); - - String pattern = s.getParser().getRawParameter( - RoleBasedAccessControl.SEARCHNAME); - - findEmployeeProfile(s, userId, pattern); - - // Execute the chained Action if the employee was found. - if (foundEmployee(s)) - { - try - { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } - } - } - else - throw new UnauthenticatedException(); - } - - - public String getNextPage(WebSession s) - { - String page = RoleBasedAccessControl.SEARCHSTAFF_ACTION; - - if (foundEmployee(s)) - page = RoleBasedAccessControl.VIEWPROFILE_ACTION; - - return page; - } - - - private boolean foundEmployee(WebSession s) - { - boolean found = false; - try - { - int id = getIntRequestAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.EMPLOYEE_ID); - found = true; - } - catch (ParameterNotFoundException e) - {} - - return found; - } - - - public Employee findEmployeeProfile(WebSession s, int userId, String pattern) - throws UnauthorizedException - { - Employee profile = null; - // Clear any residual employee id's in the session now. - removeSessionAttribute(s, getLessonName() + "." 
- + RoleBasedAccessControl.EMPLOYEE_ID); - - // Query the database for the profile data of the given employee - try - { - String query = "SELECT * FROM employee WHERE first_name like ? OR last_name = ?"; - - try - { - PreparedStatement answer_statement = WebSession - .getConnection(s).prepareStatement(query, - ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - answer_statement.setString(1, "%" + pattern + "%"); - answer_statement.setString(2, "%" + pattern + "%"); - ResultSet answer_results = answer_statement.executeQuery(); - - // Just use the first hit. - if (answer_results.next()) - { - int id = answer_results.getInt("userid"); - // Note: Do NOT get the password field. - profile = new Employee(id, answer_results - .getString("first_name"), answer_results - .getString("last_name"), answer_results - .getString("ssn"), answer_results - .getString("title"), answer_results - .getString("phone"), answer_results - .getString("address1"), answer_results - .getString("address2"), answer_results - .getInt("manager"), answer_results - .getString("start_date"), answer_results - .getInt("salary"), answer_results.getString("ccn"), - answer_results.getInt("ccn_limit"), answer_results - .getString("disciplined_date"), - answer_results.getString("disciplined_notes"), - answer_results.getString("personal_description")); - - /* System.out.println("Retrieved employee from db: " + - profile.getFirstName() + " " + profile.getLastName() + - " (" + profile.getId() + ")"); - */ - setRequestAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.EMPLOYEE_ID, Integer - .toString(id)); - } - } - catch (SQLException sqle) - { - s.setMessage("Error finding employee profile"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error finding employee profile"); - e.printStackTrace(); - } - - return profile; - } - -} 
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ListStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ListStaff.java
deleted file mode 100644
index 5c5575bcd..000000000
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/ListStaff.java
+++ /dev/null
@@ -1,175 +0,0 @@ -package org.owasp.webgoat.lessons.RoleBasedAccessControl; - -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.List; -import java.util.Vector; - -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.session.EmployeeStub; -import org.owasp.webgoat.session.ParameterNotFoundException; -import org.owasp.webgoat.session.UnauthenticatedException; -import org.owasp.webgoat.session.UnauthorizedException; -import org.owasp.webgoat.session.WebSession; - -/******************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 2007 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. 
- * - * For details, please see http://code.google.com/p/webgoat/ - */ -public class ListStaff extends DefaultLessonAction -{ - - public ListStaff(AbstractLesson lesson, String lessonName, String actionName) - { - super(lesson, lessonName, actionName); - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - UnauthenticatedException, UnauthorizedException - { - getLesson().setCurrentAction(s, getActionName()); - - if (isAuthenticated(s)) - { - int userId = getIntSessionAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.USER_ID); - - List employees = getAllEmployees(s, userId); - setSessionAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.STAFF_ATTRIBUTE_KEY, employees); - } - else - throw new UnauthenticatedException(); - } - - - public String getNextPage(WebSession s) - { - return RoleBasedAccessControl.LISTSTAFF_ACTION; - } - - - public List getAllEmployees(WebSession s, int userId) - throws UnauthorizedException - { - // Query the database for all employees "owned" by the given employee - - List employees = new Vector(); - - try - { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " - + "(SELECT employee_id FROM ownership WHERE employer_id = " - + userId + ")"; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) - { - int employeeId = answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - //System.out.println("Retrieving employee stub for role " + role); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - 
employees.add(stub); - } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employees"); - e.printStackTrace(); - } - - return employees; - } - - - public List getAllEmployees_BACKUP(WebSession s, int userId) - throws UnauthorizedException - { - // Query the database for all employees "owned" by the given employee - - List employees = new Vector(); - - try - { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles WHERE employee.userid=roles.userid and employee.userid in " - + "(SELECT employee_id FROM ownership WHERE employer_id = " - + userId + ")"; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) - { - int employeeId = answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - //System.out.println("Retrieving employee stub for role " + role); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - employees.add(stub); - } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employees"); - e.printStackTrace(); - } - - return employees; - } - -} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Login.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Login.java deleted file mode 100644 index a6da42a16..000000000 
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Login.java
+++ /dev/null
@@ -1,222 +0,0 @@ -package org.owasp.webgoat.lessons.RoleBasedAccessControl; - -import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; -import java.util.List; -import java.util.Vector; - -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.DefaultLessonAction; -import org.owasp.webgoat.lessons.LessonAction; -import org.owasp.webgoat.session.EmployeeStub; -import org.owasp.webgoat.session.ParameterNotFoundException; -import org.owasp.webgoat.session.UnauthenticatedException; -import org.owasp.webgoat.session.UnauthorizedException; -import org.owasp.webgoat.session.ValidationException; -import org.owasp.webgoat.session.WebSession; - -/******************************************************************************* - * - * - * This file is part of WebGoat, an Open Web Application Security Project - * utility. For details, please see http://www.owasp.org/ - * - * Copyright (c) 2002 - 2007 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free Software - * Foundation; either version 2 of the License, or (at your option) any later - * version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS - * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more - * details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 59 Temple - * Place - Suite 330, Boston, MA 02111-1307, USA. - * - * Getting Source ============== - * - * Source for this application is maintained at code.google.com, a repository - * for free software projects. 
- * - * For details, please see http://code.google.com/p/webgoat/ - */ -public class Login extends DefaultLessonAction -{ - - private LessonAction chainedAction; - - - public Login(AbstractLesson lesson, String lessonName, String actionName, - LessonAction chainedAction) - { - super(lesson, lessonName, actionName); - this.chainedAction = chainedAction; - } - - - public void handleRequest(WebSession s) throws ParameterNotFoundException, - ValidationException - { - //System.out.println("Login.handleRequest()"); - getLesson().setCurrentAction(s, getActionName()); - - List employees = getAllEmployees(s); - setSessionAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.STAFF_ATTRIBUTE_KEY, employees); - - int employeeId = -1; - try - { - employeeId = s.getParser().getIntParameter( - RoleBasedAccessControl.EMPLOYEE_ID); - String password = s.getParser().getStringParameter( - RoleBasedAccessControl.PASSWORD); - - // Attempt authentication - if (login(s, employeeId, password)) - { - // Execute the chained Action if authentication succeeded. - try - { - chainedAction.handleRequest(s); - } - catch (UnauthenticatedException ue1) - { - System.out.println("Internal server error"); - ue1.printStackTrace(); - } - catch (UnauthorizedException ue2) - { - System.out.println("Internal server error"); - ue2.printStackTrace(); - } - } - else - s.setMessage("Login failed"); - } - catch (ParameterNotFoundException pnfe) - { - // No credentials offered, so we log them out - setSessionAttribute(s, getLessonName() + ".isAuthenticated", - Boolean.FALSE); - } - } - - - /** - * After this.handleRequest() is called, when the View asks for the current JSP to load, - * it will get one initialized by this call. 
- */ - public String getNextPage(WebSession s) - { - String nextPage = RoleBasedAccessControl.LOGIN_ACTION; - - if (isAuthenticated(s)) - nextPage = chainedAction.getNextPage(s); - - return nextPage; - - } - - - public boolean requiresAuthentication() - { - return false; - } - - - public boolean login(WebSession s, int userId, String password) - { - //System.out.println("Logging in to lesson"); - boolean authenticated = false; - - try - { - String query = "SELECT * FROM employee WHERE userid = " + userId - + " and password = '" + password + "'"; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - if (answer_results.first()) - { - setSessionAttribute(s, - getLessonName() + ".isAuthenticated", Boolean.TRUE); - setSessionAttribute(s, getLessonName() + "." - + RoleBasedAccessControl.USER_ID, Integer - .toString(userId)); - authenticated = true; - } - - } - catch (SQLException sqle) - { - s.setMessage("Error logging in"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error logging in"); - e.printStackTrace(); - } - - //System.out.println("Lesson login result: " + authenticated); - return authenticated; - } - - - public List getAllEmployees(WebSession s) - { - List employees = new Vector(); - - // Query the database for all roles the given employee belongs to - // Query the database for all employees "owned" by these roles - - try - { - String query = "SELECT employee.userid,first_name,last_name,role FROM employee,roles " - + "where employee.userid=roles.userid"; - - try - { - Statement answer_statement = WebSession.getConnection(s) - .createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, - ResultSet.CONCUR_READ_ONLY); - ResultSet answer_results = answer_statement.executeQuery(query); - answer_results.beforeFirst(); - while (answer_results.next()) - { - int employeeId = 
answer_results.getInt("userid"); - String firstName = answer_results.getString("first_name"); - String lastName = answer_results.getString("last_name"); - String role = answer_results.getString("role"); - EmployeeStub stub = new EmployeeStub(employeeId, firstName, - lastName, role); - employees.add(stub); - } - } - catch (SQLException sqle) - { - s.setMessage("Error getting employees"); - sqle.printStackTrace(); - } - } - catch (Exception e) - { - s.setMessage("Error getting employees"); - e.printStackTrace(); - } - - return employees; - } - -} diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Logout.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Logout.java deleted file mode 100644 index 309c0b8c5..000000000 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/Logout.java +++ /dev/null 
@@ -1,87 +0,0 @@
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.DefaultLessonAction;
-import org.owasp.webgoat.lessons.LessonAction;
-import org.owasp.webgoat.session.ParameterNotFoundException;
-import org.owasp.webgoat.session.UnauthenticatedException;
-import org.owasp.webgoat.session.UnauthorizedException;
-import org.owasp.webgoat.session.ValidationException;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- */
-public class Logout extends DefaultLessonAction
-{
-
-    private LessonAction chainedAction;
-
-    public Logout(AbstractLesson lesson, String lessonName, String actionName,
-            LessonAction chainedAction)
-    {
-        super(lesson, lessonName, actionName);
-        this.chainedAction = chainedAction;
-    }
-
-    public void handleRequest(WebSession s) throws ParameterNotFoundException,
-            ValidationException
-    {
-        //System.out.println("Logging out");
-
-        setSessionAttribute(s, getLessonName() + ".isAuthenticated",
-                Boolean.FALSE);
-
-        // FIXME: Maybe we should forward to Login.
-        try
-        {
-            chainedAction.handleRequest(s);
-        }
-        catch (UnauthenticatedException ue1)
-        {
-            System.out.println("Internal server error");
-            ue1.printStackTrace();
-        }
-        catch (UnauthorizedException ue2)
-        {
-            System.out.println("Internal server error");
-            ue2.printStackTrace();
-        }
-
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return chainedAction.getNextPage(s);
-    }
-
-}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
index 2a53e2093..a420cc97d 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@@ -7,7 +7,12 @@ import org.apache.ecs.ElementContainer;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.DefaultLessonAction;
 import org.owasp.webgoat.lessons.LessonAction;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
 import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
+import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
@@ -47,6 +52,26 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
 {
     private final static Integer DEFAULT_RANKING = new Integer(125);
 
+    protected void registerActions(String className) {
+        registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
+        registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
+        registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
+        registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
+        registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
+
+        // These actions are special in that they chain to other actions.
+        registerAction(new Login(this, className, LOGIN_ACTION,
+                getAction(LISTSTAFF_ACTION)));
+        registerAction(new Logout(this, className, LOGOUT_ACTION,
+                getAction(LOGIN_ACTION)));
+        registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
+                getAction(VIEWPROFILE_ACTION)));
+        registerAction(new UpdateProfile(this, className,
+                UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
+        registerAction(new DeleteProfile(this, className,
+                DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
+    }
+
     /**
      * Gets the category attribute of the CommandInjection object
      *
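Review bot: The `registerActions` override in the second hunk is a line-for-line copy of the base method in `GoatHillsFinancial`, and what actually differs is invisible: with the five imports added in the first hunk, `ListStaff`, `SearchStaff`, `Login`, `Logout` and `FindProfile` resolve to the shared `GoatHillsFinancial` classes, while `ViewProfile`, `EditProfile`, `UpdateProfile` and `DeleteProfile` resolve to this lesson's same-package classes. Since which implementation is wired here is presumably what gives this access-control lesson its own checks, a future import change would alter behaviour silently, so the intent should be written down above the method, e.g. `// Same wiring as GoatHillsFinancial.registerActions, but ViewProfile, EditProfile, UpdateProfile and DeleteProfile are this lesson's own (same-package) variants; the other actions are the shared base ones.` Because the base constructor calls this method, the override must not read `RoleBasedAccessControl` instance fields (`DEFAULT_RANKING` is static, so it is fine today); a note to that effect would prevent a silent `null` later. If the project is compiled as Java 5 or later, an `@Override` annotation would let the compiler flag any drift between the two signatures.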
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/SearchStaff.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/SearchStaff.java
deleted file mode 100644
index a6853d29c..000000000
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/SearchStaff.java
+++ /dev/null
@@ -1,51 +0,0 @@
-package org.owasp.webgoat.lessons.RoleBasedAccessControl;
-
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.DefaultLessonAction;
-import org.owasp.webgoat.session.WebSession;
-
-/*******************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2007 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at code.google.com, a repository
- * for free software projects.
- *
- * For details, please see http://code.google.com/p/webgoat/
- */
-public class SearchStaff extends DefaultLessonAction
-{
-
-    public SearchStaff(AbstractLesson lesson, String lessonName,
-            String actionName)
-    {
-        super(lesson, lessonName, actionName);
-    }
-
-    public String getNextPage(WebSession s)
-    {
-        return RoleBasedAccessControl.SEARCHSTAFF_ACTION;
-    }
-
-}