From dc0bc99b609456b5559e61e0410c4d9718f38b1f Mon Sep 17 00:00:00 2001
From: lawson89 <rick.lawson@infor.com>
Date: Mon, 2 Jun 2014 16:00:58 -0400
Subject: [PATCH] add form based login

---
 java/org/owasp/webgoat/controller/Login.java | 39 ++++++++++++
 webapp/WEB-INF/mvc-dispatcher-servlet.xml    |  4 +-
 webapp/WEB-INF/pages/login.jsp               | 66 ++++++++++++++++++++
 webapp/WEB-INF/spring-security.xml           | 20 ++++--
 4 files changed, 122 insertions(+), 7 deletions(-)
 create mode 100644 java/org/owasp/webgoat/controller/Login.java
 create mode 100644 webapp/WEB-INF/pages/login.jsp

diff --git a/java/org/owasp/webgoat/controller/Login.java b/java/org/owasp/webgoat/controller/Login.java
new file mode 100644
index 000000000..f770caacb
--- /dev/null
+++ b/java/org/owasp/webgoat/controller/Login.java
@@ -0,0 +1,39 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class Login {
+
+    @RequestMapping(value = "login.do", method = RequestMethod.GET)
+    public ModelAndView login(
+            @RequestParam(value = "error", required = false) String error,
+            @RequestParam(value = "logout", required = false) String logout) {
+
+        ModelAndView model = new ModelAndView();
+        if (error != null) {
+            model.addObject("error", "Invalid username and password!");
+        }
+
+        if (logout != null) {
+            model.addObject("msg", "You've been logged out successfully.");
+        }
+        model.setViewName("login");
+
+        return model;
+
+    }
+}
diff --git a/webapp/WEB-INF/mvc-dispatcher-servlet.xml b/webapp/WEB-INF/mvc-dispatcher-servlet.xml
index d9483ac24..73c052a95 100644
--- a/webapp/WEB-INF/mvc-dispatcher-servlet.xml
+++ b/webapp/WEB-INF/mvc-dispatcher-servlet.xml
@@ -11,7 +11,7 @@
 			http://www.springframework.org/schema/mvc 
 			http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
 
-	<context:component-scan base-package="org.owasp.webgoat.lessons" />
+    	<context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons" />
 	
 	<!--
 	put custom validators here.  E.g.:
@@ -25,7 +25,7 @@
 	<mvc:annotation-driven /> 
 	
 	<!-- Import Tiles-related configuration -->
-	<import resource="tiles-context.xml" />
+	<!--import resource="tiles-context.xml" /-->
 	
 		
 	<!-- Declare a view resolver -->
diff --git a/webapp/WEB-INF/pages/login.jsp b/webapp/WEB-INF/pages/login.jsp
new file mode 100644
index 000000000..18516f4c7
--- /dev/null
+++ b/webapp/WEB-INF/pages/login.jsp
@@ -0,0 +1,66 @@
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<html>
+    <head>
+        <title>Login Page</title>
+        <!-- Latest compiled and minified CSS -->
+        <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
+        <style type="text/css">
+            body {
+                padding-top: 40px;
+                padding-bottom: 40px;
+                background-color: #f5f5f5;
+            }
+
+            .form-signin {
+                max-width: 300px;
+                padding: 19px 29px 29px;
+                margin: 0 auto 20px;
+                background-color: #fff;
+                border: 1px solid #e5e5e5;
+                -webkit-border-radius: 5px;
+                -moz-border-radius: 5px;
+                border-radius: 5px;
+                -webkit-box-shadow: 0 1px 2px rgba(0,0,0,.05);
+                -moz-box-shadow: 0 1px 2px rgba(0,0,0,.05);
+                box-shadow: 0 1px 2px rgba(0,0,0,.05);
+            }
+            .form-signin .form-signin-heading,
+            .form-signin .checkbox {
+                margin-bottom: 10px;
+            }
+            .form-signin input[type="text"],
+            .form-signin input[type="password"] {
+                font-size: 16px;
+                height: auto;
+                margin-bottom: 15px;
+                padding: 7px 9px;
+            }
+
+        </style>
+    </head>
+    <body onload='document.loginForm.username.focus();'>
+
+        <div class="container">
+            <c:if test="${not empty error}">
+                <div class="error">${error}</div>
+            </c:if>
+            <c:if test="${not empty msg}">
+                <div class="msg">${msg}</div>
+            </c:if>
+            <form class="form-signin" name='loginForm'
+                  action="<c:url value='j_spring_security_check' />" method='POST'>
+                <h2 class="form-signin-heading">Please sign in</h2>
+                <input type="text" class="input-block-level" placeholder="Email address" name='username'>
+                <input type="password" class="input-block-level" placeholder="Password"  name='password'>
+
+                <input type="hidden" name="${_csrf.parameterName}"
+                       value="${_csrf.token}" />
+                <button class="btn btn-large btn-primary" type="submit">Sign in</button>
+            </form>
+
+        </div> <!-- /container -->
+
+
+
+    </body>
+</html>
\ No newline at end of file
diff --git a/webapp/WEB-INF/spring-security.xml b/webapp/WEB-INF/spring-security.xml
index 98003eafc..c194c1aee 100644
--- a/webapp/WEB-INF/spring-security.xml
+++ b/webapp/WEB-INF/spring-security.xml
@@ -10,11 +10,21 @@
             NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
             That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
     -->  
-    <http>     
-        <intercept-url pattern="/servlet/AdminServlet/**" access="ROLE_WEBGOAT_ADMIN" />
-        <intercept-url pattern="/JavaSource/**" access="ROLE_SERVER_ADMIN" />          	
-        <intercept-url pattern="/**" access="ROLE_WEBGOAT_USER" />
-        <http-basic />
+    <http auto-config="true"  use-expressions="true">  
+        <intercept-url pattern="/login.do" access="permitAll" />
+        <intercept-url pattern="/logout.do" access="permitAll" />   
+        <intercept-url pattern="/servlet/AdminServlet/**" access="hasRole('ROLE_WEBGOAT_ADMIN')" />
+        <intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" />          	
+        <intercept-url pattern="/**" access="hasRole('ROLE_WEBGOAT_USER')" />
+        <form-login 
+            login-page="/login.do" 
+            default-target-url="/attack" 
+            authentication-failure-url="/login.do?error" 
+            username-parameter="username"
+            password-parameter="password" />
+        <logout logout-success-url="/logout.do" />
+        <!-- enable csrf protection -->
+        <csrf/>
     </http>
 
     <!-- Authentication Manager -->