Password reset link test condition more strict and move all WebWolf links to /WebWolf (#1645)

* better check on host and port for password reset and make context roots more flexible * spotless applied * removed hardcoded /WebGoat from js * removed hardcoded /WebGoat from js * fix spotless * fix scoreboard * upgrade WebWolf bootstrap version and icons and templates - part 1 * fixed more bootstrap 5 style issues and context path issues * organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed) * spotless applied * added mock bean * requires updates to properties - commented for now * requires updates to properties - commented for now * oauth secrets through env values * user creation after oauth login * integration test against non default context paths * adjusted StartupMessage * add global model element username * conditionally show login oauth links * fixed WebWolf login --------- Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>
2023-11-14 10:01:59 +01:00
parent 5a4974f3c2
commit d1e44bbc98
114 changed files with 2763 additions and 546 deletions
--- a/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java
@ -22,6 +22,7 @@
 package org.owasp.webgoat.webwolf;

 import lombok.AllArgsConstructor;
+import org.owasp.webgoat.container.AjaxAuthenticationEntryPoint;
 import org.owasp.webgoat.webwolf.user.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@ -46,16 +47,39 @@ public class WebSecurityConfig {

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-    http.authorizeHttpRequests(
-        auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
-    http.authorizeHttpRequests(
-        auth ->
-            auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
-    http.authorizeHttpRequests().anyRequest().permitAll();
-    http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
-    http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
-    http.logout().permitAll();
-    return http.build();
+    return http.authorizeHttpRequests(
+            auth -> {
+              auth.requestMatchers("/css/**", "/webjars/**", "/favicon.ico", "/js/**", "/images/**")
+                  .permitAll();
+              auth.requestMatchers(
+                      HttpMethod.GET,
+                      "/fileupload/**",
+                      "/files/**",
+                      "/landing/**",
+                      "/PasswordReset/**")
+                  .permitAll();
+              auth.requestMatchers(HttpMethod.POST, "/files", "/mail", "/requests").permitAll();
+              auth.anyRequest().authenticated();
+            })
+        .csrf(csrf -> csrf.disable())
+        .formLogin(
+            login ->
+                login
+                    .loginPage("/login")
+                    .failureUrl("/login?error=true")
+                    .defaultSuccessUrl("/home", true)
+                    .usernameParameter("username")
+                    .passwordParameter("password")
+                    .permitAll())
+        .oauth2Login(
+            oidc -> {
+              oidc.defaultSuccessUrl("/home");
+            })
+        .logout(logout -> logout.deleteCookies("WEBWOLFSESSION").invalidateHttpSession(true))
+        .exceptionHandling(
+            handling ->
+                handling.authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")))
+        .build();
  }

  @Autowired