dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add form based login

Browse Source
This commit is contained in:
lawson89
2014-06-02 16:00:58 -04:00
parent 617d16d8a7
commit dc0bc99b60
4 changed files with 122 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
webapp/WEB-INF/mvc-dispatcher-servlet.xml
View File

@ -11,7 +11,7 @@
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
<context:component-scan base-package="org.owasp.webgoat.lessons" />
<context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons" />
<!--
put custom validators here. E.g.:
@ -25,7 +25,7 @@
<mvc:annotation-driven />
<!-- Import Tiles-related configuration -->
<import resource="tiles-context.xml" />
<!--import resource="tiles-context.xml" /-->
<!-- Declare a view resolver -->

66
webapp/WEB-INF/pages/login.jsp Normal file
View File

@ -0,0 +1,66 @@
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<title>Login Page</title>
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
<style type="text/css">
body {
padding-top: 40px;
padding-bottom: 40px;
background-color: #f5f5f5;
}
.form-signin {
max-width: 300px;
padding: 19px 29px 29px;
margin: 0 auto 20px;
background-color: #fff;
border: 1px solid #e5e5e5;
-webkit-border-radius: 5px;
-moz-border-radius: 5px;
border-radius: 5px;
-webkit-box-shadow: 0 1px 2px rgba(0,0,0,.05);
-moz-box-shadow: 0 1px 2px rgba(0,0,0,.05);
box-shadow: 0 1px 2px rgba(0,0,0,.05);
}
.form-signin .form-signin-heading,
.form-signin .checkbox {
margin-bottom: 10px;
}
.form-signin input[type="text"],
.form-signin input[type="password"] {
font-size: 16px;
height: auto;
margin-bottom: 15px;
padding: 7px 9px;
}
</style>
</head>
<body onload='document.loginForm.username.focus();'>
<div class="container">
<c:if test="${not empty error}">
<div class="error">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="msg">${msg}</div>
</c:if>
<form class="form-signin" name='loginForm'
action="<c:url value='j_spring_security_check' />" method='POST'>
<h2 class="form-signin-heading">Please sign in</h2>
<input type="text" class="input-block-level" placeholder="Email address" name='username'>
<input type="password" class="input-block-level" placeholder="Password" name='password'>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
<button class="btn btn-large btn-primary" type="submit">Sign in</button>
</form>
</div> <!-- /container -->
</body>
</html>

20
webapp/WEB-INF/spring-security.xml
View File

@ -10,11 +10,21 @@
NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
That method is used extensively in legacy webgoat code. Integrating Spring security into the application resolves this issue.
-->
<http>
<intercept-url pattern="/servlet/AdminServlet/**" access="ROLE_WEBGOAT_ADMIN" />
<intercept-url pattern="/JavaSource/**" access="ROLE_SERVER_ADMIN" />
<intercept-url pattern="/**" access="ROLE_WEBGOAT_USER" />
<http-basic />
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/logout.do" access="permitAll" />
<intercept-url pattern="/servlet/AdminServlet/**" access="hasRole('ROLE_WEBGOAT_ADMIN')" />
<intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" />
<intercept-url pattern="/**" access="hasRole('ROLE_WEBGOAT_USER')" />
<form-login
login-page="/login.do"
default-target-url="/attack"
authentication-failure-url="/login.do?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/logout.do" />
<!-- enable csrf protection -->
<csrf/>
</http>
<!-- Authentication Manager -->