feat: upgrade to Spring Boot version 3 (#1477)
@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
|
||||
|
||||
import static org.springframework.http.MediaType.ALL_VALUE;
|
||||
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import lombok.AllArgsConstructor;
|
||||
import lombok.Getter;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -22,8 +22,8 @@
|
||||
|
||||
package org.owasp.webgoat.webwolf;
|
||||
|
||||
import jakarta.annotation.PostConstruct;
|
||||
import java.io.File;
|
||||
import javax.annotation.PostConstruct;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
|
||||
|
@ -29,54 +29,49 @@ import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.authentication.AuthenticationManager;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
|
||||
/** Security configuration for WebGoat. */
|
||||
/** Security configuration for WebWolf. */
|
||||
@Configuration
|
||||
@AllArgsConstructor
|
||||
@EnableWebSecurity
|
||||
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
public class WebSecurityConfig {
|
||||
|
||||
private final UserService userDetailsService;
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
|
||||
http.authorizeRequests()
|
||||
.antMatchers(HttpMethod.POST, "/fileupload")
|
||||
.authenticated()
|
||||
.antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
|
||||
.authenticated()
|
||||
.and()
|
||||
.authorizeRequests()
|
||||
.anyRequest()
|
||||
.permitAll();
|
||||
|
||||
security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
|
||||
security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
|
||||
security.and().logout().permitAll();
|
||||
@Bean
|
||||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
http.authorizeHttpRequests(
|
||||
auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
|
||||
http.authorizeHttpRequests(
|
||||
auth ->
|
||||
auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
|
||||
http.authorizeHttpRequests().anyRequest().permitAll();
|
||||
http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
|
||||
http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
|
||||
http.logout().permitAll();
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Autowired
|
||||
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
|
||||
auth.userDetailsService(userDetailsService);
|
||||
}
|
||||
|
||||
@Bean
|
||||
@Override
|
||||
public UserDetailsService userDetailsServiceBean() throws Exception {
|
||||
public UserDetailsService userDetailsServiceBean() {
|
||||
return userDetailsService;
|
||||
}
|
||||
|
||||
@Override
|
||||
@Bean
|
||||
protected AuthenticationManager authenticationManager() throws Exception {
|
||||
return super.authenticationManager();
|
||||
public AuthenticationManager authenticationManager(
|
||||
AuthenticationConfiguration authenticationConfiguration) throws Exception {
|
||||
return authenticationConfiguration.getAuthenticationManager();
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
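Review bot: In the new `filterChain`, the authorization rules are spread over three separate `authorizeHttpRequests` calls, two in lambda style and one using the no-argument form. Rule order is significant because `anyRequest().permitAll()` must stay last, so a single lambda would make the ordering explicit; the no-argument `authorizeHttpRequests()`, `csrf()`, `formLogin()` and `logout()` forms are also deprecated in later Spring Security 6 releases. The policy is allow-by-default, with only the listed exact paths requiring authentication, and CSRF protection is switched off. If both are intentional for WebWolf, a short comment saying so would keep a later maintainer from copying the pattern or adding an endpoint that is silently public. The trailing `@Bean` belongs to a method outside this hunk.

```java
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
  // Allow-by-default: only the endpoints listed here require a logged-in user.
  http.authorizeHttpRequests(
      auth ->
          auth.requestMatchers(HttpMethod.POST, "/fileupload")
              .authenticated()
              .requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
              .authenticated()
              .anyRequest()
              .permitAll());
  // … unchanged: csrf, formLogin and logout configuration …
  return http.build();
}
```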
@ -23,7 +23,7 @@
|
||||
package org.owasp.webgoat.webwolf;
|
||||
|
||||
import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
|
||||
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
|
||||
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.ComponentScan;
|
||||
@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
|
||||
public class WebWolf {
|
||||
|
||||
@Bean
|
||||
public HttpTraceRepository traceRepository() {
|
||||
public HttpExchangeRepository traceRepository() {
|
||||
return new WebWolfTraceRepository();
|
||||
}
|
||||
}
|
||||
|
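Review bot: The bean method keeps the name `traceRepository` although it now returns an `HttpExchangeRepository`; renaming it (for example to `httpExchangeRepository`) would match the new type. More importantly, Spring Boot 3 moved the recording settings from `management.trace.http.*` to `management.httpexchanges.recording.*`. No properties file is visible on this page, so check that any `include` setting controlling which request parts (headers, cookies) are recorded was migrated, otherwise the framework defaults apply silently.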
@ -23,10 +23,14 @@
|
||||
package org.owasp.webgoat.webwolf.mailbox;
|
||||
|
||||
import com.fasterxml.jackson.annotation.JsonIgnore;
|
||||
import jakarta.persistence.Column;
|
||||
import jakarta.persistence.Entity;
|
||||
import jakarta.persistence.GeneratedValue;
|
||||
import jakarta.persistence.GenerationType;
|
||||
import jakarta.persistence.Id;
|
||||
import java.io.Serializable;
|
||||
import java.time.LocalDateTime;
|
||||
import java.time.format.DateTimeFormatter;
|
||||
import javax.persistence.*;
|
||||
import lombok.AllArgsConstructor;
|
||||
import lombok.Builder;
|
||||
import lombok.Data;
|
||||
|
@ -24,7 +24,6 @@ package org.owasp.webgoat.webwolf.mailbox;
|
||||
|
||||
import java.util.List;
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.userdetails.UserDetails;
|
||||
@ -38,7 +37,6 @@ import org.springframework.web.servlet.ModelAndView;
|
||||
|
||||
@RestController
|
||||
@RequiredArgsConstructor
|
||||
@Slf4j
|
||||
public class MailboxController {
|
||||
|
||||
private final MailboxRepository mailboxRepository;
|
||||
|
@ -22,8 +22,8 @@
|
||||
|
||||
package org.owasp.webgoat.webwolf.requests;
|
||||
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import java.util.concurrent.Callable;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.http.ResponseEntity;
|
||||
import org.springframework.stereotype.Controller;
|
||||
|
@ -32,8 +32,7 @@ import lombok.Getter;
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTrace;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
|
||||
import org.springframework.boot.actuate.web.exchanges.HttpExchange;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.userdetails.UserDetails;
|
||||
import org.springframework.stereotype.Controller;
|
||||
@ -78,8 +77,8 @@ public class Requests {
|
||||
return model;
|
||||
}
|
||||
|
||||
private boolean allowedTrace(HttpTrace t, UserDetails user) {
|
||||
Request req = t.getRequest();
|
||||
private boolean allowedTrace(HttpExchange t, UserDetails user) {
|
||||
HttpExchange.Request req = t.getRequest();
|
||||
boolean allowed = true;
|
||||
/* do not show certain traces to other users in a classroom setup */
|
||||
if (req.getUri().getPath().contains("/files")
|
||||
@ -95,11 +94,11 @@ public class Requests {
|
||||
return allowed;
|
||||
}
|
||||
|
||||
private String path(HttpTrace t) {
|
||||
private String path(HttpExchange t) {
|
||||
return (String) t.getRequest().getUri().getPath();
|
||||
}
|
||||
|
||||
private String toJsonString(HttpTrace t) {
|
||||
private String toJsonString(HttpExchange t) {
|
||||
try {
|
||||
return objectMapper.writeValueAsString(t);
|
||||
} catch (JsonProcessingException e) {
|
||||
|
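Review bot: `allowedTrace` decides which captured requests a user may see by substring-matching the request path (`req.getUri().getPath().contains("/files")`), and the migration carries that rule over undocumented. The condition continues outside the hunk, so the full check is not visible here. A short Javadoc on `allowedTrace` stating which paths are user-scoped and how the owning user is derived from the path would make the classroom isolation reviewable. Separately, the cast in `path` is redundant because `URI.getPath()` already returns `String`: `return t.getRequest().getUri().getPath();`.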
@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTrace;
|
||||
import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
|
||||
import org.springframework.boot.actuate.web.exchanges.HttpExchange;
|
||||
import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
|
||||
|
||||
/**
|
||||
* Keep track of all the incoming requests, we are only keeping track of request originating from
|
||||
@ -37,9 +37,9 @@ import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
|
||||
* @since 8/13/17.
|
||||
*/
|
||||
@Slf4j
|
||||
public class WebWolfTraceRepository implements HttpTraceRepository {
|
||||
public class WebWolfTraceRepository implements HttpExchangeRepository {
|
||||
|
||||
private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
|
||||
private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000);
|
||||
private final List<String> exclusionList =
|
||||
List.of(
|
||||
"/tmpdir",
|
||||
@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
|
||||
"/mail");
|
||||
|
||||
@Override
|
||||
public List<HttpTrace> findAll() {
|
||||
public List<HttpExchange> findAll() {
|
||||
return List.of();
|
||||
}
|
||||
|
||||
public List<HttpTrace> findAllTraces() {
|
||||
public List<HttpExchange> findAllTraces() {
|
||||
return new ArrayList<>(traces);
|
||||
}
|
||||
|
||||
@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpTraceRepository {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void add(HttpTrace httpTrace) {
|
||||
public void add(HttpExchange httpTrace) {
|
||||
var path = httpTrace.getRequest().getUri().getPath();
|
||||
if (!isInExclusionList(path)) {
|
||||
traces.add(httpTrace);
|
||||
|
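Review bot: `traces` is a Guava `EvictingQueue`, which is documented as not thread-safe, yet `add` is called for every recorded request and `findAllTraces` copies the queue, with no synchronization visible in these hunks. Under concurrent requests the copy can fail or the queue can end up inconsistent. One option is `private final Queue<HttpExchange> traces = Queues.synchronizedQueue(EvictingQueue.create(10000));` with `java.util.Queue` and Guava's `Queues` imported. The class body and the body of `add` extend beyond the hunks, so locking may exist outside the view; the parameter name `httpTrace` could also become `httpExchange` to match the new type.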
@ -22,11 +22,11 @@
|
||||
|
||||
package org.owasp.webgoat.webwolf.user;
|
||||
|
||||
import jakarta.persistence.Entity;
|
||||
import jakarta.persistence.Id;
|
||||
import jakarta.persistence.Transient;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import javax.persistence.Entity;
|
||||
import javax.persistence.Id;
|
||||
import javax.persistence.Transient;
|
||||
import lombok.Getter;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.userdetails.User;
|
||||
|