Miscellaneous bug fixes
divide by zero, inaccurate discount and totals, reflection of user input git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
@ -0,0 +1,179 @@
|
||||
package org.owasp.webgoat.lessons.RoleBasedAccessControl;
|
||||
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*/
|
||||
public class DeleteProfile extends DefaultLessonAction
|
||||
{
|
||||
|
||||
private LessonAction chainedAction;
|
||||
|
||||
|
||||
public DeleteProfile(GoatHillsFinancial lesson, String lessonName,
|
||||
String actionName, LessonAction chainedAction)
|
||||
{
|
||||
super(lesson, lessonName, actionName);
|
||||
this.chainedAction = chainedAction;
|
||||
}
|
||||
|
||||
|
||||
public void handleRequest(WebSession s) throws ParameterNotFoundException,
|
||||
UnauthenticatedException, UnauthorizedException,
|
||||
ValidationException
|
||||
{
|
||||
getLesson().setCurrentAction(s, getActionName());
|
||||
|
||||
int userId = getIntSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID);
|
||||
int employeeId = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.EMPLOYEE_ID);
|
||||
|
||||
if (isAuthenticated(s))
|
||||
{
|
||||
deleteEmployeeProfile(s, userId, employeeId);
|
||||
|
||||
try
|
||||
{
|
||||
chainedAction.handleRequest(s);
|
||||
}
|
||||
catch (UnauthenticatedException ue1)
|
||||
{
|
||||
System.out.println("Internal server error");
|
||||
ue1.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
System.out.println("Internal server error");
|
||||
ue2.printStackTrace();
|
||||
}
|
||||
}
|
||||
else
|
||||
throw new UnauthenticatedException();
|
||||
|
||||
updateLessonStatus(s);
|
||||
}
|
||||
|
||||
|
||||
public String getNextPage(WebSession s)
|
||||
{
|
||||
return RoleBasedAccessControl.LISTSTAFF_ACTION;
|
||||
}
|
||||
|
||||
|
||||
public void deleteEmployeeProfile(WebSession s, int userId, int employeeId)
|
||||
throws UnauthorizedException
|
||||
{
|
||||
try
|
||||
{
|
||||
// Note: The password field is ONLY set by ChangePassword
|
||||
String query = "DELETE FROM employee WHERE userid = " + employeeId;
|
||||
//System.out.println("Query: " + query);
|
||||
try
|
||||
{
|
||||
Statement statement = WebSession.getConnection(s)
|
||||
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
statement.executeUpdate(query);
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error deleting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error deleting employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public void deleteEmployeeProfile_BACKUP(WebSession s, int userId,
|
||||
int employeeId) throws UnauthorizedException
|
||||
{
|
||||
try
|
||||
{
|
||||
// Note: The password field is ONLY set by ChangePassword
|
||||
String query = "DELETE FROM employee WHERE userid = " + employeeId;
|
||||
//System.out.println("Query: " + query);
|
||||
try
|
||||
{
|
||||
Statement statement = WebSession.getConnection(s)
|
||||
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
statement.executeUpdate(query);
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error deleting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error deleting employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
private void updateLessonStatus(WebSession s)
|
||||
{
|
||||
// If the logged in user is not authorized to be here, stage 1 is complete.
|
||||
if (RoleBasedAccessControl.STAGE1.equals(getStage(s)))
|
||||
try
|
||||
{
|
||||
int userId = getIntSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID);
|
||||
|
||||
if (!isAuthorized(s, userId,
|
||||
RoleBasedAccessControl.DELETEPROFILE_ACTION))
|
||||
{
|
||||
setStageComplete(s, RoleBasedAccessControl.STAGE1);
|
||||
}
|
||||
}
|
||||
catch (ParameterNotFoundException e)
|
||||
{}
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,198 @@
|
||||
package org.owasp.webgoat.lessons.RoleBasedAccessControl;
|
||||
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*/
|
||||
public class EditProfile extends DefaultLessonAction
|
||||
{
|
||||
|
||||
public EditProfile(GoatHillsFinancial lesson, String lessonName,
|
||||
String actionName)
|
||||
{
|
||||
super(lesson, lessonName, actionName);
|
||||
}
|
||||
|
||||
|
||||
public void handleRequest(WebSession s) throws ParameterNotFoundException,
|
||||
UnauthenticatedException, UnauthorizedException
|
||||
{
|
||||
getLesson().setCurrentAction(s, getActionName());
|
||||
|
||||
if (isAuthenticated(s))
|
||||
{
|
||||
int userId = getUserId(s);
|
||||
int employeeId = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.EMPLOYEE_ID);
|
||||
|
||||
Employee employee = getEmployeeProfile(s, userId, employeeId);
|
||||
setSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY, employee);
|
||||
}
|
||||
else
|
||||
throw new UnauthenticatedException();
|
||||
}
|
||||
|
||||
|
||||
public String getNextPage(WebSession s)
|
||||
{
|
||||
return RoleBasedAccessControl.EDITPROFILE_ACTION;
|
||||
}
|
||||
|
||||
|
||||
public Employee getEmployeeProfile(WebSession s, int userId,
|
||||
int subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
Employee profile = null;
|
||||
|
||||
// Query the database for the profile data of the given employee
|
||||
try
|
||||
{
|
||||
String query = "SELECT * FROM employee WHERE userid = ?";
|
||||
|
||||
try
|
||||
{
|
||||
PreparedStatement answer_statement = WebSession
|
||||
.getConnection(s).prepareStatement(query,
|
||||
ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
answer_statement.setInt(1, subjectUserId);
|
||||
ResultSet answer_results = answer_statement.executeQuery();
|
||||
if (answer_results.next())
|
||||
{
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(answer_results.getInt("userid"),
|
||||
answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"),
|
||||
answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results
|
||||
.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results
|
||||
.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results
|
||||
.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results
|
||||
.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results
|
||||
.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"),
|
||||
answer_results.getString("personal_description"));
|
||||
/* System.out.println("Retrieved employee from db: " +
|
||||
profile.getFirstName() + " " + profile.getLastName() +
|
||||
" (" + profile.getId() + ")");
|
||||
*/}
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
return profile;
|
||||
}
|
||||
|
||||
|
||||
public Employee getEmployeeProfile_BACKUP(WebSession s, int userId,
|
||||
int subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
// Query the database to determine if this employee has access to this function
|
||||
// Query the database for the profile data of the given employee if "owned" by the given user
|
||||
|
||||
Employee profile = null;
|
||||
|
||||
// Query the database for the profile data of the given employee
|
||||
try
|
||||
{
|
||||
String query = "SELECT * FROM employee WHERE userid = ?";
|
||||
|
||||
try
|
||||
{
|
||||
PreparedStatement answer_statement = WebSession
|
||||
.getConnection(s).prepareStatement(query,
|
||||
ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
answer_statement.setInt(1, subjectUserId);
|
||||
ResultSet answer_results = answer_statement.executeQuery();
|
||||
if (answer_results.next())
|
||||
{
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(answer_results.getInt("userid"),
|
||||
answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"),
|
||||
answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results
|
||||
.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results
|
||||
.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results
|
||||
.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results
|
||||
.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results
|
||||
.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"),
|
||||
answer_results.getString("personal_description"));
|
||||
/* System.out.println("Retrieved employee from db: " +
|
||||
profile.getFirstName() + " " + profile.getLastName() +
|
||||
" (" + profile.getId() + ")");
|
||||
*/}
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
return profile;
|
||||
}
|
||||
|
||||
}
|
@ -0,0 +1,444 @@
|
||||
package org.owasp.webgoat.lessons.RoleBasedAccessControl;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import org.apache.ecs.ElementContainer;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.FindProfile;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.ListStaff;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.Login;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.Logout;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.SearchStaff;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*/
|
||||
public class RoleBasedAccessControl extends GoatHillsFinancial
|
||||
{
|
||||
private final static Integer DEFAULT_RANKING = new Integer(125);
|
||||
|
||||
public final static String STAGE1 = "Bypass Business Layer Access Control";
|
||||
|
||||
public final static String STAGE2 = "Add Business Layer Access Control";
|
||||
|
||||
public final static String STAGE3 = "Bypass Data Layer Access Control";
|
||||
|
||||
public final static String STAGE4 = "Add Data Layer Access Control";
|
||||
|
||||
protected void registerActions(String className) {
|
||||
registerAction(new ListStaff(this, className, LISTSTAFF_ACTION));
|
||||
registerAction(new SearchStaff(this, className, SEARCHSTAFF_ACTION));
|
||||
registerAction(new ViewProfile(this, className, VIEWPROFILE_ACTION));
|
||||
registerAction(new EditProfile(this, className, EDITPROFILE_ACTION));
|
||||
registerAction(new EditProfile(this, className, CREATEPROFILE_ACTION));
|
||||
|
||||
// These actions are special in that they chain to other actions.
|
||||
registerAction(new Login(this, className, LOGIN_ACTION,
|
||||
getAction(LISTSTAFF_ACTION)));
|
||||
registerAction(new Logout(this, className, LOGOUT_ACTION,
|
||||
getAction(LOGIN_ACTION)));
|
||||
registerAction(new FindProfile(this, className, FINDPROFILE_ACTION,
|
||||
getAction(VIEWPROFILE_ACTION)));
|
||||
registerAction(new UpdateProfile(this, className,
|
||||
UPDATEPROFILE_ACTION, getAction(VIEWPROFILE_ACTION)));
|
||||
registerAction(new DeleteProfile(this, className,
|
||||
DELETEPROFILE_ACTION, getAction(LISTSTAFF_ACTION)));
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the category attribute of the CommandInjection object
|
||||
*
|
||||
* @return The category value
|
||||
*/
|
||||
public Category getDefaultCategory()
|
||||
{
|
||||
return Category.ACCESS_CONTROL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the hints attribute of the DirectoryScreen object
|
||||
*
|
||||
* @return The hints value
|
||||
*/
|
||||
protected List<String> getHints(WebSession s)
|
||||
{
|
||||
List<String> hints = new ArrayList<String>();
|
||||
hints
|
||||
.add("Many sites attempt to restrict access to resources by role.");
|
||||
hints
|
||||
.add("Developers frequently make mistakes implementing this scheme.");
|
||||
hints.add("Attempt combinations of users, roles, and resources.");
|
||||
|
||||
// Stage 1
|
||||
hints
|
||||
.add("How does the application know that the user selected the delete function?");
|
||||
|
||||
// Stage 2
|
||||
|
||||
// Stage 3
|
||||
hints
|
||||
.add("How does the application know that the user selected any particular employee to view?");
|
||||
|
||||
// Stage 4
|
||||
hints
|
||||
.add("Note that the contents of the staff listing change depending on who is logged in.");
|
||||
|
||||
return hints;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String[] getStages() {
|
||||
if (getWebgoatContext().isCodingExercises())
|
||||
return new String[] {STAGE1, STAGE2, STAGE3, STAGE4};
|
||||
return new String[] {STAGE1, STAGE3};
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the instructions attribute of the ParameterInjection object
|
||||
*
|
||||
* @return The instructions value
|
||||
*/
|
||||
public String getInstructions(WebSession s)
|
||||
{
|
||||
String instructions = "";
|
||||
|
||||
if (!getLessonTracker(s).getCompleted())
|
||||
{
|
||||
String stage = getStage(s);
|
||||
if (STAGE1.equals(stage))
|
||||
{
|
||||
instructions = "Stage 1: Bypass Presentational Layer Access Control.<br>"
|
||||
+ "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. "
|
||||
+ "Verify that Tom's profile can be deleted.";
|
||||
}
|
||||
else if (STAGE2.equals(stage))
|
||||
{
|
||||
instructions = "Stage 2: Add Business Layer Access Control.<br>"
|
||||
+ "Implement a fix to deny unauthorized access to the Delete function. "
|
||||
+ "Repeat stage 1. Verify that access to Delete is properly denied.";
|
||||
}
|
||||
else if (STAGE3.equals(stage))
|
||||
{
|
||||
instructions = "Stage 3: Breaking Data Layer Access Control.<br>"
|
||||
+ "As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access.";
|
||||
}
|
||||
else if (STAGE4.equals(stage))
|
||||
{
|
||||
instructions = "Stage 4: Add Data Layer Access Control.<br>"
|
||||
+ "Implement a fix to deny unauthorized access to this data. "
|
||||
+ "Repeat stage 3. Verify that access to other employee's profiles is properly denied.";
|
||||
}
|
||||
}
|
||||
|
||||
return instructions;
|
||||
}
|
||||
|
||||
public void handleRequest(WebSession s)
|
||||
{
|
||||
// Here is where dispatching to the various action handlers happens.
|
||||
// It would be a good place verify authorization to use an action.
|
||||
|
||||
//System.out.println("RoleBasedAccessControl.handleRequest()");
|
||||
if (s.getLessonSession(this) == null)
|
||||
s.openLessonSession(this);
|
||||
|
||||
String requestedActionName = null;
|
||||
try
|
||||
{
|
||||
requestedActionName = s.getParser().getStringParameter("action");
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
// Let them eat login page.
|
||||
requestedActionName = LOGIN_ACTION;
|
||||
}
|
||||
//System.out.println("Requested lesson action: " + requestedActionName);
|
||||
|
||||
try
|
||||
{
|
||||
LessonAction action = getAction(requestedActionName);
|
||||
if (action != null)
|
||||
{
|
||||
//System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + action.getActionName());
|
||||
if (!action.requiresAuthentication())
|
||||
{
|
||||
// Access to Login does not require authentication.
|
||||
action.handleRequest(s);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (action.isAuthenticated(s))
|
||||
{
|
||||
action.handleRequest(s);
|
||||
}
|
||||
else
|
||||
throw new UnauthenticatedException();
|
||||
}
|
||||
}
|
||||
else
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
System.out.println("Missing parameter");
|
||||
pnfe.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (ValidationException ve)
|
||||
{
|
||||
System.out.println("Validation failed");
|
||||
ve.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (UnauthenticatedException ue)
|
||||
{
|
||||
s.setMessage("Login failed");
|
||||
System.out.println("Authentication failure");
|
||||
ue.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
s.setMessage("You are not authorized to perform this function");
|
||||
|
||||
// Update lesson status if necessary.
|
||||
String stage = getStage(s);
|
||||
if (STAGE2.equals(stage))
|
||||
{
|
||||
try
|
||||
{
|
||||
if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) &&
|
||||
!isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION))
|
||||
{
|
||||
setStageComplete(s, STAGE2);
|
||||
}
|
||||
} catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
pnfe.printStackTrace();
|
||||
}
|
||||
}
|
||||
//System.out.println("isAuthorized() exit stage: " + getStage(s));
|
||||
// Update lesson status if necessary.
|
||||
if (STAGE4.equals(stage))
|
||||
{
|
||||
try
|
||||
{
|
||||
//System.out.println("Checking for stage 4 completion");
|
||||
DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
|
||||
int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID));
|
||||
int employeeId = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.EMPLOYEE_ID);
|
||||
|
||||
if (!action.isAuthorizedForEmployee(s, userId, employeeId))
|
||||
{
|
||||
setStageComplete(s, STAGE4);
|
||||
}
|
||||
} catch (Exception e)
|
||||
{
|
||||
// swallow this - shouldn't happen inthe normal course
|
||||
// e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
System.out.println("Authorization failure");
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
ue2.printStackTrace();
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
// All other errors send the user to the generic error page
|
||||
System.out.println("handleRequest() error");
|
||||
e.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
|
||||
// All this does for this lesson is ensure that a non-null content exists.
|
||||
setContent(new ElementContainer());
|
||||
}
|
||||
|
||||
|
||||
public void handleRequest_BACKUP(WebSession s)
|
||||
{
|
||||
// Here is where dispatching to the various action handlers happens.
|
||||
// It would be a good place verify authorization to use an action.
|
||||
|
||||
//System.out.println("RoleBasedAccessControl.handleRequest()");
|
||||
if (s.getLessonSession(this) == null)
|
||||
s.openLessonSession(this);
|
||||
|
||||
String requestedActionName = null;
|
||||
try
|
||||
{
|
||||
requestedActionName = s.getParser().getStringParameter("action");
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
// Let them eat login page.
|
||||
requestedActionName = LOGIN_ACTION;
|
||||
}
|
||||
//System.out.println("Requested lesson action: " + requestedActionName);
|
||||
|
||||
if (requestedActionName != null)
|
||||
{
|
||||
try
|
||||
{
|
||||
LessonAction action = getAction(requestedActionName);
|
||||
if (action != null)
|
||||
{
|
||||
//System.out.println("RoleBasedAccessControl.handleRequest() dispatching to: " + action.getActionName());
|
||||
if (!action.requiresAuthentication())
|
||||
{
|
||||
// Access to Login does not require authentication.
|
||||
action.handleRequest(s);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (action.isAuthenticated(s))
|
||||
{
|
||||
int userId = action.getUserId(s);
|
||||
if (action.isAuthorized(s, userId, action
|
||||
.getActionName()))
|
||||
{
|
||||
action.handleRequest(s);
|
||||
}
|
||||
else
|
||||
{
|
||||
throw new UnauthorizedException();
|
||||
}
|
||||
}
|
||||
else
|
||||
throw new UnauthenticatedException();
|
||||
}
|
||||
}
|
||||
else
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
System.out.println("Missing parameter");
|
||||
pnfe.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (ValidationException ve)
|
||||
{
|
||||
System.out.println("Validation failed");
|
||||
ve.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
catch (UnauthenticatedException ue)
|
||||
{
|
||||
s.setMessage("Login failed");
|
||||
System.out.println("Authentication failure");
|
||||
ue.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
String stage = getStage(s);
|
||||
// Update lesson status if necessary.
|
||||
if (STAGE2.equals(stage))
|
||||
{
|
||||
try
|
||||
{
|
||||
if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) &&
|
||||
!isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION))
|
||||
{
|
||||
setStageComplete(s, STAGE2);
|
||||
}
|
||||
} catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
pnfe.printStackTrace();
|
||||
}
|
||||
}
|
||||
//System.out.println("isAuthorized() exit stage: " + getStage(s));
|
||||
// Update lesson status if necessary.
|
||||
if (STAGE4.equals(stage))
|
||||
{
|
||||
try
|
||||
{
|
||||
//System.out.println("Checking for stage 4 completion");
|
||||
DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
|
||||
int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID));
|
||||
int employeeId = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.EMPLOYEE_ID);
|
||||
|
||||
if (!action.isAuthorizedForEmployee(s, userId, employeeId))
|
||||
{
|
||||
setStageComplete(s, STAGE4);
|
||||
}
|
||||
} catch (Exception e)
|
||||
{
|
||||
// swallow this - shouldn't happen inthe normal course
|
||||
// e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
s.setMessage("You are not authorized to perform this function");
|
||||
System.out.println("Authorization failure");
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
ue2.printStackTrace();
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
// All other errors send the user to the generic error page
|
||||
System.out.println("handleRequest() error");
|
||||
e.printStackTrace();
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
}
|
||||
}
|
||||
|
||||
// All this does for this lesson is ensure that a non-null content exists.
|
||||
setContent(new ElementContainer());
|
||||
}
|
||||
|
||||
protected Integer getDefaultRanking()
|
||||
{
|
||||
return DEFAULT_RANKING;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Gets the title attribute of the DirectoryScreen object
|
||||
*
|
||||
* @return The title value
|
||||
*/
|
||||
public String getTitle()
|
||||
{
|
||||
return "LAB: Role Based Access Control";
|
||||
}
|
||||
}
|
@ -0,0 +1,300 @@
|
||||
package org.owasp.webgoat.lessons.RoleBasedAccessControl;
|
||||
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.LessonAction;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.ValidationException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*/
|
||||
public class UpdateProfile extends DefaultLessonAction
|
||||
{
|
||||
|
||||
private LessonAction chainedAction;
|
||||
|
||||
|
||||
public UpdateProfile(GoatHillsFinancial lesson, String lessonName,
|
||||
String actionName, LessonAction chainedAction)
|
||||
{
|
||||
super(lesson, lessonName, actionName);
|
||||
this.chainedAction = chainedAction;
|
||||
}
|
||||
|
||||
|
||||
public void handleRequest(WebSession s) throws ParameterNotFoundException,
|
||||
UnauthenticatedException, UnauthorizedException,
|
||||
ValidationException
|
||||
{
|
||||
if (isAuthenticated(s))
|
||||
{
|
||||
int userId = getIntSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID);
|
||||
|
||||
int subjectId = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.EMPLOYEE_ID, 0);
|
||||
|
||||
String firstName = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.FIRST_NAME);
|
||||
String lastName = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.LAST_NAME);
|
||||
String ssn = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.SSN);
|
||||
String title = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.TITLE);
|
||||
String phone = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.PHONE_NUMBER);
|
||||
String address1 = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.ADDRESS1);
|
||||
String address2 = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.ADDRESS2);
|
||||
int manager = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.MANAGER);
|
||||
String startDate = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.START_DATE);
|
||||
int salary = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.SALARY);
|
||||
String ccn = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.CCN);
|
||||
int ccnLimit = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.CCN_LIMIT);
|
||||
String disciplinaryActionDate = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.DISCIPLINARY_DATE);
|
||||
String disciplinaryActionNotes = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.DISCIPLINARY_NOTES);
|
||||
String personalDescription = s.getParser().getStringParameter(
|
||||
RoleBasedAccessControl.DESCRIPTION);
|
||||
|
||||
Employee employee = new Employee(subjectId, firstName, lastName,
|
||||
ssn, title, phone, address1, address2, manager, startDate,
|
||||
salary, ccn, ccnLimit, disciplinaryActionDate,
|
||||
disciplinaryActionNotes, personalDescription);
|
||||
|
||||
if (subjectId > 0)
|
||||
{
|
||||
this.changeEmployeeProfile(s, userId, subjectId, employee);
|
||||
setRequestAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.EMPLOYEE_ID, Integer
|
||||
.toString(subjectId));
|
||||
}
|
||||
else
|
||||
this.createEmployeeProfile(s, userId, employee);
|
||||
|
||||
try
|
||||
{
|
||||
chainedAction.handleRequest(s);
|
||||
}
|
||||
catch (UnauthenticatedException ue1)
|
||||
{
|
||||
System.out.println("Internal server error");
|
||||
ue1.printStackTrace();
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
System.out.println("Internal server error");
|
||||
ue2.printStackTrace();
|
||||
}
|
||||
}
|
||||
else
|
||||
throw new UnauthenticatedException();
|
||||
}
|
||||
|
||||
|
||||
public String getNextPage(WebSession s)
|
||||
{
|
||||
return RoleBasedAccessControl.VIEWPROFILE_ACTION;
|
||||
}
|
||||
|
||||
|
||||
public void changeEmployeeProfile(WebSession s, int userId, int subjectId,
|
||||
Employee employee) throws UnauthorizedException
|
||||
{
|
||||
try
|
||||
{
|
||||
// Note: The password field is ONLY set by ChangePassword
|
||||
String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?,"
|
||||
+ " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?,"
|
||||
+ " personal_description = ? WHERE userid = ?;";
|
||||
try
|
||||
{
|
||||
PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
||||
|
||||
ps.setString(1, employee.getFirstName());
|
||||
ps.setString(2, employee.getLastName());
|
||||
ps.setString(3, employee.getSsn());
|
||||
ps.setString(4, employee.getTitle());
|
||||
ps.setString(5, employee.getPhoneNumber());
|
||||
ps.setString(6, employee.getAddress1());
|
||||
ps.setString(7, employee.getAddress2());
|
||||
ps.setInt(8, employee.getManager());
|
||||
ps.setString(9, employee.getStartDate());
|
||||
ps.setString(10, employee.getCcn());
|
||||
ps.setInt(11, employee.getCcnLimit());
|
||||
ps.setString(12, employee.getPersonalDescription());
|
||||
ps.setInt(13, subjectId);
|
||||
ps.execute();
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public void changeEmployeeProfile_BACKUP(WebSession s, int userId,
|
||||
int subjectId, Employee employee) throws UnauthorizedException
|
||||
{
|
||||
try
|
||||
{
|
||||
// Note: The password field is ONLY set by ChangePassword
|
||||
String query = "UPDATE employee SET first_name = ?, last_name = ?, ssn = ?, title = ?, phone = ?, address1 = ?, address2 = ?,"
|
||||
+ " manager = ?, start_date = ?, ccn = ?, ccn_limit = ?,"
|
||||
+ " personal_description = ? WHERE userid = ?;";
|
||||
try
|
||||
{
|
||||
PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
||||
|
||||
ps.setString(1, employee.getFirstName());
|
||||
ps.setString(2, employee.getLastName());
|
||||
ps.setString(3, employee.getSsn());
|
||||
ps.setString(4, employee.getTitle());
|
||||
ps.setString(5, employee.getPhoneNumber());
|
||||
ps.setString(6, employee.getAddress1());
|
||||
ps.setString(7, employee.getAddress2());
|
||||
ps.setInt(8, employee.getManager());
|
||||
ps.setString(9, employee.getStartDate());
|
||||
ps.setString(10, employee.getCcn());
|
||||
ps.setInt(11, employee.getCcnLimit());
|
||||
ps.setString(12, employee.getPersonalDescription());
|
||||
ps.setInt(13, subjectId);
|
||||
ps.executeUpdate(query);
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
protected int getNextUID(WebSession s)
|
||||
{
|
||||
int uid = -1;
|
||||
try
|
||||
{
|
||||
Statement statement = WebSession.getConnection(s).createStatement(
|
||||
ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
ResultSet results = statement
|
||||
.executeQuery("select max(userid) as uid from employee");
|
||||
results.first();
|
||||
uid = results.getInt("uid");
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
sqle.printStackTrace();
|
||||
s.setMessage("Error updating employee profile");
|
||||
}
|
||||
catch (ClassNotFoundException e)
|
||||
{
|
||||
// TODO Auto-generated catch block
|
||||
e.printStackTrace();
|
||||
}
|
||||
return uid + 1;
|
||||
}
|
||||
|
||||
public void createEmployeeProfile(WebSession s, int userId,
|
||||
Employee employee) throws UnauthorizedException
|
||||
{
|
||||
try
|
||||
{
|
||||
// FIXME: Cannot choose the id because we cannot guarantee uniqueness
|
||||
int nextId = getNextUID(s);
|
||||
String query = "INSERT INTO employee VALUES ( " + nextId + ", ?,?,?,?,?,?,?,?,?,?,?,?,?,?)";
|
||||
|
||||
//System.out.println("Query: " + query);
|
||||
|
||||
try
|
||||
{
|
||||
PreparedStatement ps = WebSession.getConnection(s).prepareStatement(query);
|
||||
|
||||
ps.setString(1, employee.getFirstName().toLowerCase());
|
||||
ps.setString(2, employee.getLastName());
|
||||
ps.setString(3, employee.getSsn());
|
||||
ps.setString(4, employee.getTitle());
|
||||
ps.setString(5, employee.getPhoneNumber());
|
||||
ps.setString(6, employee.getAddress1());
|
||||
ps.setString(7, employee.getAddress2());
|
||||
ps.setInt(8, employee.getManager());
|
||||
ps.setString(9, employee.getStartDate());
|
||||
ps.setString(10, employee.getCcn());
|
||||
ps.setInt(11, employee.getCcnLimit());
|
||||
ps.setString(12, employee.getDisciplinaryActionDate());
|
||||
ps.setString(13, employee.getDisciplinaryActionNotes());
|
||||
ps.setString(14, employee.getPersonalDescription());
|
||||
|
||||
ps.execute();
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error updating employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,230 @@
|
||||
package org.owasp.webgoat.lessons.RoleBasedAccessControl;
|
||||
|
||||
import java.sql.ResultSet;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.GoatHillsFinancial.GoatHillsFinancial;
|
||||
import org.owasp.webgoat.session.Employee;
|
||||
import org.owasp.webgoat.session.ParameterNotFoundException;
|
||||
import org.owasp.webgoat.session.UnauthenticatedException;
|
||||
import org.owasp.webgoat.session.UnauthorizedException;
|
||||
import org.owasp.webgoat.session.WebSession;
|
||||
|
||||
/*******************************************************************************
|
||||
*
|
||||
*
|
||||
* This file is part of WebGoat, an Open Web Application Security Project
|
||||
* utility. For details, please see http://www.owasp.org/
|
||||
*
|
||||
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it under
|
||||
* the terms of the GNU General Public License as published by the Free Software
|
||||
* Foundation; either version 2 of the License, or (at your option) any later
|
||||
* version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||
* details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License along with
|
||||
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
|
||||
* Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
*
|
||||
* Getting Source ==============
|
||||
*
|
||||
* Source for this application is maintained at code.google.com, a repository
|
||||
* for free software projects.
|
||||
*
|
||||
* For details, please see http://code.google.com/p/webgoat/
|
||||
*/
|
||||
public class ViewProfile extends DefaultLessonAction
|
||||
{
|
||||
|
||||
public ViewProfile(GoatHillsFinancial lesson, String lessonName,
|
||||
String actionName)
|
||||
{
|
||||
super(lesson, lessonName, actionName);
|
||||
}
|
||||
|
||||
|
||||
public void handleRequest(WebSession s) throws ParameterNotFoundException,
|
||||
UnauthenticatedException, UnauthorizedException
|
||||
{
|
||||
getLesson().setCurrentAction(s, getActionName());
|
||||
|
||||
if (isAuthenticated(s))
|
||||
{
|
||||
int userId = getIntSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID);
|
||||
int employeeId = -1;
|
||||
try
|
||||
{
|
||||
// User selected employee
|
||||
employeeId = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.EMPLOYEE_ID);
|
||||
}
|
||||
catch (ParameterNotFoundException e)
|
||||
{
|
||||
// May be an internally selected employee
|
||||
employeeId = getIntRequestAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.EMPLOYEE_ID);
|
||||
}
|
||||
|
||||
Employee employee = getEmployeeProfile(s, userId, employeeId);
|
||||
setSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY, employee);
|
||||
}
|
||||
else
|
||||
throw new UnauthenticatedException();
|
||||
|
||||
updateLessonStatus(s);
|
||||
}
|
||||
|
||||
|
||||
private void updateLessonStatus(WebSession s)
|
||||
{
|
||||
// If the logged in user is not authorized to see the given employee's data, stage is complete.
|
||||
try
|
||||
{
|
||||
int userId = getIntSessionAttribute(s, getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID);
|
||||
int employeeId = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.EMPLOYEE_ID);
|
||||
|
||||
if (RoleBasedAccessControl.STAGE3.equals(getStage(s))
|
||||
&& !isAuthorizedForEmployee(s, userId, employeeId))
|
||||
{
|
||||
setStageComplete(s, RoleBasedAccessControl.STAGE3);
|
||||
}
|
||||
}
|
||||
catch (ParameterNotFoundException e)
|
||||
{}
|
||||
}
|
||||
|
||||
|
||||
public String getNextPage(WebSession s)
|
||||
{
|
||||
return RoleBasedAccessControl.VIEWPROFILE_ACTION;
|
||||
}
|
||||
|
||||
|
||||
public Employee getEmployeeProfile(WebSession s, int userId,
|
||||
int subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
Employee profile = null;
|
||||
|
||||
// Query the database for the profile data of the given employee
|
||||
try
|
||||
{
|
||||
String query = "SELECT * FROM employee WHERE userid = "
|
||||
+ subjectUserId;
|
||||
|
||||
try
|
||||
{
|
||||
Statement answer_statement = WebSession.getConnection(s)
|
||||
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
ResultSet answer_results = answer_statement.executeQuery(query);
|
||||
if (answer_results.next())
|
||||
{
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(answer_results.getInt("userid"),
|
||||
answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"),
|
||||
answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results
|
||||
.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results
|
||||
.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results
|
||||
.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results
|
||||
.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results
|
||||
.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"),
|
||||
answer_results.getString("personal_description"));
|
||||
/* System.out.println("Retrieved employee from db: " +
|
||||
profile.getFirstName() + " " + profile.getLastName() +
|
||||
" (" + profile.getId() + ")");
|
||||
*/}
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
return profile;
|
||||
}
|
||||
|
||||
|
||||
public Employee getEmployeeProfile_BACKUP(WebSession s, int userId,
|
||||
int subjectUserId) throws UnauthorizedException
|
||||
{
|
||||
// Query the database to determine if the given employee is owned by the given user
|
||||
// Query the database for the profile data of the given employee
|
||||
|
||||
Employee profile = null;
|
||||
|
||||
// Query the database for the profile data of the given employee
|
||||
try
|
||||
{
|
||||
String query = "SELECT * FROM employee WHERE userid = "
|
||||
+ subjectUserId;
|
||||
|
||||
try
|
||||
{
|
||||
Statement answer_statement = WebSession.getConnection(s)
|
||||
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
|
||||
ResultSet.CONCUR_READ_ONLY);
|
||||
ResultSet answer_results = answer_statement.executeQuery(query);
|
||||
if (answer_results.next())
|
||||
{
|
||||
// Note: Do NOT get the password field.
|
||||
profile = new Employee(answer_results.getInt("userid"),
|
||||
answer_results.getString("first_name"),
|
||||
answer_results.getString("last_name"),
|
||||
answer_results.getString("ssn"), answer_results
|
||||
.getString("title"), answer_results
|
||||
.getString("phone"), answer_results
|
||||
.getString("address1"), answer_results
|
||||
.getString("address2"), answer_results
|
||||
.getInt("manager"), answer_results
|
||||
.getString("start_date"), answer_results
|
||||
.getInt("salary"), answer_results
|
||||
.getString("ccn"), answer_results
|
||||
.getInt("ccn_limit"), answer_results
|
||||
.getString("disciplined_date"),
|
||||
answer_results.getString("disciplined_notes"),
|
||||
answer_results.getString("personal_description"));
|
||||
/* System.out.println("Retrieved employee from db: " +
|
||||
profile.getFirstName() + " " + profile.getLastName() +
|
||||
" (" + profile.getId() + ")");
|
||||
*/}
|
||||
}
|
||||
catch (SQLException sqle)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
sqle.printStackTrace();
|
||||
}
|
||||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
s.setMessage("Error getting employee profile");
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
return profile;
|
||||
}
|
||||
}
|
Reference in New Issue
Block a user