diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java b/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java index a0f6c937d..b5385f9fd 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java @@ -5,15 +5,29 @@ */ package org.owasp.webgoat.application; +import com.google.common.collect.Maps; +import org.owasp.webgoat.HammerHead; +import org.owasp.webgoat.lessons.LessonServletMapping; +import org.owasp.webgoat.plugins.PluginsLoader; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.config.BeanDefinition; +import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider; +import org.springframework.core.type.filter.AnnotationTypeFilter; + import javax.servlet.ServletContext; import javax.servlet.ServletContextEvent; import javax.servlet.ServletContextListener; +import javax.servlet.ServletRegistration; import java.io.IOException; import java.io.InputStream; +import java.nio.file.Paths; import java.sql.Driver; import java.sql.DriverManager; import java.sql.SQLException; import java.util.Enumeration; +import java.util.Map; +import java.util.Set; import java.util.jar.Attributes; import java.util.jar.Manifest; 
@@ -25,15 +39,50 @@ import java.util.jar.Manifest; */ public class WebGoatServletListener implements ServletContextListener { - /** {@inheritDoc} */ + private static final Logger logger = LoggerFactory.getLogger(HammerHead.class); + + /** + * {@inheritDoc} + */ @Override public void contextInitialized(ServletContextEvent sce) { ServletContext context = sce.getServletContext(); context.log("WebGoat is starting"); setApplicationVariables(context); + context.log("Adding extra mappings for lessions"); + + loadPlugins(sce); + loadServlets(sce); } - /** {@inheritDoc} */ + private void loadServlets(ServletContextEvent sce) { + final ServletContext servletContext = sce.getServletContext(); + Map controllers = Maps.newHashMap(); + ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider( + false); + provider.addIncludeFilter(new AnnotationTypeFilter(LessonServletMapping.class)); + Set candidateComponents = provider.findCandidateComponents("org.owasp.webgoat"); + try { + for (BeanDefinition beanDefinition : candidateComponents) { + Class controllerClass = Class.forName(beanDefinition.getBeanClassName()); + LessonServletMapping pathAnnotation = (LessonServletMapping) controllerClass.getAnnotation(LessonServletMapping.class); + final ServletRegistration.Dynamic dynamic = servletContext.addServlet(controllerClass.getSimpleName(), controllerClass); + dynamic.addMapping(pathAnnotation.path()); + } + } catch (Exception e) { + logger.error("Error", e); + } + } + + private void loadPlugins(ServletContextEvent sce) { + String pluginPath = sce.getServletContext().getRealPath("plugin_lessons"); + String targetPath = sce.getServletContext().getRealPath("plugin_extracted"); + new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).loadPlugins(); + } + + /** + * {@inheritDoc} + */ @Override public void contextDestroyed(ServletContextEvent sce) { ServletContext context = sce.getServletContext(); 
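Review bot: In loadServlets the single try/catch wrapped around the whole for loop means one lesson that fails to register — a ClassNotFoundException, or the NullPointerException that follows when `servletContext.addServlet` returns null because a servlet with that simple name already exists — stops registration of every remaining lesson while the context still starts with those lessons silently absent, and the return value of `dynamic.addMapping` (the set of patterns already mapped to another servlet) is discarded, so a shadowed mapping is never reported. Move the try inside the loop, key the registration on `controllerClass.getName()` rather than `getSimpleName()` so two lessons with the same simple name in different packages cannot collide, and log mapping conflicts, as sketched below (needs a `javax.servlet.Servlet` import for `asSubclass`; the unused raw `Map controllers` can go and `Set`/`Class` should be parameterized). The logger is created with `HammerHead.class` but lives in WebGoatServletListener, so its output is misattributed; use `LoggerFactory.getLogger(WebGoatServletListener.class)`. In loadPlugins, `getRealPath` may return null when the webapp is not deployed exploded, which `Paths.get` then turns into a NullPointerException during context initialisation, so guard it with a clear error; `plugin_extracted` also resolves inside the document root, so extracted plugin files are presumably reachable as static resources unless something prevents the default servlet from serving that directory — confirm that is intended.
```java
private void loadServlets(ServletContextEvent sce) {
    final ServletContext servletContext = sce.getServletContext();
    // … unchanged: scanner setup and findCandidateComponents …
    for (BeanDefinition beanDefinition : candidateComponents) {
        String className = beanDefinition.getBeanClassName();
        try {
            Class<?> controllerClass = Class.forName(className);
            LessonServletMapping pathAnnotation = controllerClass.getAnnotation(LessonServletMapping.class);
            ServletRegistration.Dynamic dynamic =
                    servletContext.addServlet(controllerClass.getName(), controllerClass.asSubclass(Servlet.class));
            if (dynamic == null) {
                // addServlet returns null when a registration with this name already exists
                logger.error("Lesson servlet {} is already registered, skipping", className);
                continue;
            }
            Set<String> conflicts = dynamic.addMapping(pathAnnotation.path());
            if (!conflicts.isEmpty()) {
                logger.error("Mapping {} for {} conflicts with existing mappings {}",
                        pathAnnotation.path(), className, conflicts);
            }
        } catch (ClassNotFoundException | ClassCastException e) {
            // keep going: one broken lesson must not hide all the others
            logger.error("Could not register lesson servlet {}", className, e);
        }
    }
}
```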
diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java new file mode 100644 index 000000000..0e2034904 --- /dev/null +++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java @@ -0,0 +1,40 @@ +package org.owasp.webgoat.lessons; + +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; + +/*************************************************************************************************** + * This file is part of WebGoat, an Open Web Application Security Project utility. For details, + * please see http://www.owasp.org/ + *

+ * Copyright (c) 2002 - 20014 Bruce Mayhew + *

+ * This program is free software; you can redistribute it and/or modify it under the terms of the + * GNU General Public License as published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + *

+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without + * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + *

+ * You should have received a copy of the GNU General Public License along with this program; if + * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + * 02111-1307, USA. + *

+ * Getting Source ============== + *

+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software + * projects. + *

+ * For details, please see http://webgoat.github.io + * + * @author Nanne Baars + * @created December 12, 2015 + */ +@Retention(RetentionPolicy.RUNTIME) +public @interface LessonServletMapping { + + String path(); +} + + diff --git a/webgoat-container/src/main/webapp/WEB-INF/pages/welcome.jsp b/webgoat-container/src/main/webapp/WEB-INF/pages/welcome.jsp deleted file mode 100644 index 9afe2118a..000000000 --- a/webgoat-container/src/main/webapp/WEB-INF/pages/welcome.jsp +++ /dev/null @@ -1,138 +0,0 @@ -<%@ page contentType="text/html; charset=ISO-8859-1" language="java" - errorPage=""%> -<%@page import="org.owasp.webgoat.session.WebSession"%> -<% - //WebSession webSession = ((WebSession) session.getAttribute("websession")); -%> - - - - - - WebGoat V5.4 - - - - - -
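Review bot: The annotation declares no `@Target`, so it is legal to place it on a method or field where the classpath scan in WebGoatServletListener would never find it; add `@Target(ElementType.TYPE)` beside the `@Retention` line (with the `java.lang.annotation.Target` and `ElementType` imports) and consider `@Documented` so the mapping shows up in generated API docs. `path()` has no Javadoc although its value is passed straight to `ServletRegistration.Dynamic.addMapping`; document it as `/** URL pattern registered for the annotated servlet; must be a valid servlet mapping pattern. */`. The header also reads `Copyright (c) 2002 - 20014`, which looks like a typo for 2014.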

-
-
-

Thank you for using WebGoat! This program is a demonstration of common web application flaws. - The exercises are intended to provide hands on experience with - application penetration testing techniques.

-

The WebGoat project is led - by Bruce Mayhew. Please send all comments to Bruce at [TODO, session was blowing up here for some reason].

- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
OWASP Foundation
-
-
Aspect Security
-
-
- WebGoat Authors
-
-
- Bruce Mayhew
-
-
- Jeff Williams
-
-

- WebGoat Design Team
-
-

- V5.4 Lesson Contributers
-
-
David Anderson
-
Laurence Casey (Graphics)
-
Rogan Dawes
-
Bruce Mayhew
-
-
Sherif Koussa
-
Yiannis Pavlosoglou
-
- -
-
Special Thanks - for V5.4
-
-
Documentation - Contributers
-
-
Brian Ciomei (Multitude of bug fixes)
-
To all who have sent comments
- -
- - - -
-
-
-
-
-
 
-
-
-
-
 
-
 
-
 
-
WARNING
- While running this program, your machine is extremely vulnerable to - attack if you are not running on localhost. If you are NOT running on localhost (default configuration), You should disconnect from the network while using this program. -
-
- This program is for educational purposes only. Use of these techniques - without permission could lead to job termination, financial liability, - and/or criminal penalties.
-
- - diff --git a/webgoat-container/src/main/webapp/WEB-INF/web.xml b/webgoat-container/src/main/webapp/WEB-INF/web.xml index f45d4a5ab..6431ce4f7 100644 --- a/webgoat-container/src/main/webapp/WEB-INF/web.xml +++ b/webgoat-container/src/main/webapp/WEB-INF/web.xml @@ -185,10 +185,6 @@ Catcher org.owasp.webgoat.Catcher - - conf - /lessons/ConfManagement/config.jsp - mvc-dispatcher @@ -272,10 +268,6 @@ Catcher /catcher - - conf - /conf - \ No newline at end of file