add form based login

java/org/owasp/webgoat/controller/Login.java

@@ -0,0 +1,39 @@
+/*
+ * To change this license header, choose License Headers in Project Properties.
+ * To change this template file, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.owasp.webgoat.controller;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class Login {
+
+    @RequestMapping(value = "login.do", method = RequestMethod.GET)
+    public ModelAndView login(
+            @RequestParam(value = "error", required = false) String error,
+            @RequestParam(value = "logout", required = false) String logout) {
+
+        ModelAndView model = new ModelAndView();
+        if (error != null) {
+            model.addObject("error", "Invalid username and password!");
+        }
+
+        if (logout != null) {
+            model.addObject("msg", "You've been logged out successfully.");
+        }
+        model.setViewName("login");
+
+        return model;
+
+    }
+}

webapp/WEB-INF/mvc-dispatcher-servlet.xml

@@ -11,7 +11,7 @@
 			http://www.springframework.org/schema/mvc 
 			http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
 
-	<context:component-scan base-package="org.owasp.webgoat.lessons" />
+    	<context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons" />
 	
 	<!--
 	put custom validators here.  E.g.:
@@ -25,7 +25,7 @@
 	<mvc:annotation-driven /> 
 	
 	<!-- Import Tiles-related configuration -->
-	<import resource="tiles-context.xml" />
+	<!--import resource="tiles-context.xml" /-->
 	
 		
 	<!-- Declare a view resolver -->

webapp/WEB-INF/pages/login.jsp

@@ -0,0 +1,66 @@
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<html>
+    <head>
+        <title>Login Page</title>
+        <!-- Latest compiled and minified CSS -->
+        <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css">
+        <style type="text/css">
+            body {
+                padding-top: 40px;
+                padding-bottom: 40px;
+                background-color: #f5f5f5;
+            }
+
+            .form-signin {
+                max-width: 300px;
+                padding: 19px 29px 29px;
+                margin: 0 auto 20px;
+                background-color: #fff;
+                border: 1px solid #e5e5e5;
+                -webkit-border-radius: 5px;
+                -moz-border-radius: 5px;
+                border-radius: 5px;
+                -webkit-box-shadow: 0 1px 2px rgba(0,0,0,.05);
+                -moz-box-shadow: 0 1px 2px rgba(0,0,0,.05);
+                box-shadow: 0 1px 2px rgba(0,0,0,.05);
+            }
+            .form-signin .form-signin-heading,
+            .form-signin .checkbox {
+                margin-bottom: 10px;
+            }
+            .form-signin input[type="text"],
+            .form-signin input[type="password"] {
+                font-size: 16px;
+                height: auto;
+                margin-bottom: 15px;
+                padding: 7px 9px;
+            }
+
+        </style>
+    </head>
+    <body onload='document.loginForm.username.focus();'>
+
+        <div class="container">
+            <c:if test="${not empty error}">
+                <div class="error">${error}</div>
+            </c:if>
+            <c:if test="${not empty msg}">
+                <div class="msg">${msg}</div>
+            </c:if>
+            <form class="form-signin" name='loginForm'
+                  action="<c:url value='j_spring_security_check' />" method='POST'>
+                <h2 class="form-signin-heading">Please sign in</h2>
+                <input type="text" class="input-block-level" placeholder="Email address" name='username'>
+                <input type="password" class="input-block-level" placeholder="Password"  name='password'>
+
+                <input type="hidden" name="${_csrf.parameterName}"
+                       value="${_csrf.token}" />
+                <button class="btn btn-large btn-primary" type="submit">Sign in</button>
+            </form>
+
+        </div> <!-- /container -->
+
+
+
+    </body>
+</html>

webapp/WEB-INF/spring-security.xml

@@ -10,11 +10,21 @@
             NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
             That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
     -->  
-    <http>     
-        <intercept-url pattern="/servlet/AdminServlet/**" access="ROLE_WEBGOAT_ADMIN" />
-        <intercept-url pattern="/JavaSource/**" access="ROLE_SERVER_ADMIN" />          	
-        <intercept-url pattern="/**" access="ROLE_WEBGOAT_USER" />
-        <http-basic />
+    <http auto-config="true"  use-expressions="true">  
+        <intercept-url pattern="/login.do" access="permitAll" />
+        <intercept-url pattern="/logout.do" access="permitAll" />   
+        <intercept-url pattern="/servlet/AdminServlet/**" access="hasRole('ROLE_WEBGOAT_ADMIN')" />
+        <intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" />          	
+        <intercept-url pattern="/**" access="hasRole('ROLE_WEBGOAT_USER')" />
+        <form-login 
+            login-page="/login.do" 
+            default-target-url="/attack" 
+            authentication-failure-url="/login.do?error" 
+            username-parameter="username"
+            password-parameter="password" />
+        <logout logout-success-url="/logout.do" />
+        <!-- enable csrf protection -->
+        <csrf/>
     </http>
 
     <!-- Authentication Manager -->