Images from solutions are loading again

webgoat-container/pom.xml

@@ -110,8 +110,8 @@
                 <artifactId>maven-compiler-plugin</artifactId>
                 <version>${maven-compiler-plugin.version}</version>
                 <configuration>
-                    <source>1.7</source>
+                    <source>1.8</source>
-                    <target>1.7</target>
+                    <target>1.8</target>
                     <encoding>ISO-8859-1</encoding>
                 </configuration>
             </plugin>

webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java

@@ -5,9 +5,15 @@ import org.owasp.webgoat.session.WebgoatContext;
 import org.springframework.boot.context.embedded.ServletRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
+import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
 
+import java.io.File;
+import java.io.IOException;
+
 /**
  *
  */
@@ -25,6 +31,18 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         return new ServletRegistrationBean(hammerHead, "/attack/*");
     }
 
+    @Override
+    public void addResourceHandlers(ResourceHandlerRegistry registry) {
+        Resource resource = new ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt");
+        try {
+            File pluginsDir = resource.getFile().getParentFile();
+            registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginsDir.toString() + "/");
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+
+    }
+
     @Bean
     public HammerHead hammerHead(WebgoatContext context) {
         return new HammerHead(context);

webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java

@@ -17,7 +17,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     protected void configure(HttpSecurity http) throws Exception {
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
                 .authorizeRequests()
-                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**").permitAll()
+                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "plugin_lessons/**").permitAll()
                 .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
                 .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
                 .anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN");

webgoat-container/src/main/java/org/owasp/webgoat/controller/Login.java

@@ -1,42 +0,0 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-package org.owasp.webgoat.controller;
-
-/**
- * <p>Login class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-//@Controller
-public class Login {
-
-//    /**
-//     * <p>login.</p>
-//     *
-//     * @param error a {@link java.lang.String} object.
-//     * @param logout a {@link java.lang.String} object.
-//     * @return a {@link org.springframework.web.servlet.ModelAndView} object.
-//     */
-//    @RequestMapping(path = "login.mvc", method = RequestMethod.GET)
-//    public ModelAndView login(
-//            @RequestParam(value = "error", required = false) String error,
-//            @RequestParam(value = "logout", required = false) String logout) {
-//
-//        ModelAndView model = new ModelAndView();
-//        if (error != null) {
-//            model.addObject("error", "Invalid username and password!");
-//        }
-//
-//        if (logout != null) {
-//            model.addObject("msg", "You've been logged out successfully.");
-//        }
-//        model.setViewName("login");
-//
-//        return model;
-//
-//    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/controller/Logout.java

@@ -1,54 +0,0 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-package org.owasp.webgoat.controller;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.servlet.ModelAndView;
-
-/**
- * <p>Logout class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class Logout {
-
-    final Logger logger = LoggerFactory.getLogger(Logout.class);
-
-    /**
-     * <p>logout.</p>
-     *
-     * @param error a {@link java.lang.String} object.
-     * @param logout a {@link java.lang.String} object.
-     * @return a {@link org.springframework.web.servlet.ModelAndView} object.
-     */
-    @RequestMapping(path = "logout.mvc", method = RequestMethod.GET)
-    public ModelAndView logout(
-            @RequestParam(value = "error", required = false) String error,
-            @RequestParam(value = "logout", required = false) String logout) {
-        
-        logger.info("Logging user out");
-
-        ModelAndView model = new ModelAndView();
-        if (error != null) {
-            model.addObject("error", "Invalid username and password!");
-        }
-
-        if (logout != null) {
-            model.addObject("msg", "You've been logged out successfully.");
-        }
-        model.setViewName("logout");
-
-        return model;
-
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -10,10 +10,10 @@ import org.apache.ecs.html.Html;
 import org.apache.ecs.html.IMG;
 import org.apache.ecs.html.PRE;
 import org.apache.ecs.html.Title;
-import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.Screen;
 import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.session.WebgoatProperties;
 import org.owasp.webgoat.util.BeanProvider;
 import org.owasp.webgoat.util.LabelManager;
@@ -36,34 +36,34 @@ import java.util.List;
 import java.util.Map;
 
 /**
- *************************************************************************************************
+ * ************************************************************************************************
- *
+ * <p>
- *
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- *
+ * <p>
  * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  *
  * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @since October 28, 2003
  * @version $Id: $Id
+ * @since October 28, 2003
  */
 public abstract class AbstractLesson extends Screen implements Comparable<Object> {
 
@@ -74,7 +74,9 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
      */
     public final static String ADMIN_ROLE = "admin";
 
-    /** Constant <code>CHALLENGE_ROLE="challenge"</code> */
+    /**
+     * Constant <code>CHALLENGE_ROLE="challenge"</code>
+     */
     public final static String CHALLENGE_ROLE = "challenge";
 
     /**
@@ -185,7 +187,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * {@inheritDoc}
-     *
+     * <p>
      * Description of the Method
      */
     public int compareTo(Object obj) {
@@ -194,7 +196,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * {@inheritDoc}
-     *
+     * <p>
      * Description of the Method
      */
     public boolean equals(Object obj) {
@@ -368,6 +370,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     // @TODO we need to restrict access at the service layer
     // rather than passing session object around
+
     /**
      * <p>getHintsPublic.</p>
      *
@@ -384,8 +387,8 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
      * stuck on somthing silly.
      *
      * @param s          The users WebSession
-     * @return The hint1 value
      * @param hintNumber a int.
+     * @return The hint1 value
      */
     public String getHint(WebSession s, int hintNumber) {
         return "Hint: " + getHints(s).get(hintNumber);
@@ -394,8 +397,8 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
     /**
      * Gets the instructions attribute of the AbstractLesson object
      *
-     * @return The instructions value
      * @param s a {@link org.owasp.webgoat.session.WebSession} object.
+     * @return The instructions value
      */
     public abstract String getInstructions(WebSession s);
 
@@ -567,11 +570,13 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
      * @return a {@link java.lang.String} object.
      */
     public String getRawSource(WebSession s) {
-        String src;
+        String src = "";
 
         try {
             logger.debug("Loading source file: " + getSourceFileName());
+            if (getSourceFileName() != null) {
                 src = readFromFile(new BufferedReader(new FileReader(getSourceFileName())), false);
+            }
 
         } catch (FileNotFoundException e) {
             s.setMessage("Could not find source file");
@@ -613,12 +618,12 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * <p>Returns the default "path" portion of a lesson's URL.</p>
-     *
+     * <p>
-     *
+     * <p>
      * Legacy webgoat lesson links are of the form
      * "attack?Screen=Xmenu=Ystage=Z". This method returns the path portion of
      * the url, i.e., "attack" in the string above.
-     *
+     * <p>
      * Newer, Spring-Controller-based classes will override this method to
      * return "*.do"-styled paths.
      *
@@ -630,7 +635,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * Get the link that can be used to request this screen.
-     *
+     * <p>
      * Rendering the link in the browser may result in Javascript sending
      * additional requests to perform necessary actions or to obtain data
      * relevant to the lesson or the element of the lesson selected by the
@@ -651,7 +656,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
     /**
      * Get the link to the target servlet.
-     *
+     * <p>
      * Unlike getLink() this method does not require rendering the output of
      * the request to the link in order to execute the servlet's method with
      * conventional HTTP query parameters.
@@ -999,6 +1004,4 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
     }
 
 
-
-
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java

@@ -1,59 +0,0 @@
-/***************************************************************************************************
- * 
- * 
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * 
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * 
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * 
- * Getting Source ==============
- * 
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * 
- */
-package org.owasp.webgoat.lessons.model;
-
-/**
- * Model component for the Http Basics lesson.  Using a model
- * for that simple lesson is architectural overkill.  We do it anyway
- * for illustrative purposes - to demonstrate the pattern that we will
- * use for more complex lessons.
- *
- * @version $Id: $Id
- * @author dm
- */
-public class HttpBasicsModel {
-
-    private String personName;
-
-    /**
-     * <p>Getter for the field <code>personName</code>.</p>
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    public String getPersonName() {
-        return personName;
-    }
-
-    /**
-     * <p>Setter for the field <code>personName</code>.</p>
-     *
-     * @param personName a {@link java.lang.String} object.
-     */
-    public void setPersonName(String personName) {
-        this.personName = personName;
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/SourceListing.java

@@ -1,37 +0,0 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-
-package org.owasp.webgoat.lessons.model;
-
-/**
- * <p>SourceListing class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-public class SourceListing {
-    
-    private String source;
-
-    /**
-     * <p>Getter for the field <code>source</code>.</p>
-     *
-     * @return the source
-     */
-    public String getSource() {
-        return source;
-    }
-
-    /**
-     * <p>Setter for the field <code>source</code>.</p>
-     *
-     * @param source the source to set
-     */
-    public void setSource(String source) {
-        this.source = source;
-    }
-    
-}

webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java

@@ -1,61 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at
- * https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import org.owasp.webgoat.application.Application;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpSession;
-
-/**
- * <p>ApplicationService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class ApplicationService extends BaseService {
-
-    /**
-     * Returns global application info
-     *
-     * @param session a {@link javax.servlet.http.HttpSession} object.
-     * @return a {@link org.owasp.webgoat.application.Application} object.
-     */
-    @RequestMapping(path = "/application.mvc", produces = "application/json")
-    public @ResponseBody
-    Application showApplication(HttpSession session) {
-        Application app = Application.getInstance();
-        return app;
-    }
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java

@@ -70,17 +70,19 @@ public class WebgoatContext {
      * @return The databaseConnectionString value
      */
     public String getDatabaseConnectionString() {
-        if (realConnectionString == null) {
+        return this.databaseConnectionString;
-            try {
+//
-                String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
+//        if (realConnectionString == null) {
-                System.out.println("PATH: " + path);
+//            try {
-                realConnectionString = databaseConnectionString.replaceAll("PATH", path);
+//                String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
-                System.out.println("Database Connection String: " + realConnectionString);
+//                System.out.println("PATH: " + path);
-            } catch (Exception e) {
+//                realConnectionString = databaseConnectionString.replaceAll("PATH", path);
-                logger.error("Couldn't open database: check web.xml database parameters", e);
+//                System.out.println("Database Connection String: " + realConnectionString);
-            }
+//            } catch (Exception e) {
-        }
+//                logger.error("Couldn't open database: check web.xml database parameters", e);
-        return realConnectionString;
+//            }
+//        }
+//        return realConnectionString;
     }
 
     /**

webgoat-container/src/main/resources/plugin_lessons/ReadMe.txt

@@ -0,0 +1 @@
+Lesson plugins stored under this directory.

webgoat-container/src/main/resources/templates/lesson_content.html

@@ -2,7 +2,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div id="lessonInstructions" th:utext="${instructions}"></div>
-<div id="message" class="info" th:text="${message}"></div>
+<div id="message" class="info" th:utext="${message}"></div>
 <br/>
 <div th:utext="${lesson.content}"></div>
 </html>