Forced browsing lesson does not show success #143

2016-01-06 18:47:59 +02:00
parent 23a1f9e38e
commit e1be080eea
5 changed files with 92 additions and 149 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
@ -5,15 +5,29 @@
 */
 package org.owasp.webgoat.application;

+import com.google.common.collect.Maps;
+import org.owasp.webgoat.HammerHead;
+import org.owasp.webgoat.lessons.LessonServletMapping;
+import org.owasp.webgoat.plugins.PluginsLoader;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
+import org.springframework.core.type.filter.AnnotationTypeFilter;
+
 import javax.servlet.ServletContext;
 import javax.servlet.ServletContextEvent;
 import javax.servlet.ServletContextListener;
+import javax.servlet.ServletRegistration;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Paths;
 import java.sql.Driver;
 import java.sql.DriverManager;
 import java.sql.SQLException;
 import java.util.Enumeration;
+import java.util.Map;
+import java.util.Set;
 import java.util.jar.Attributes;
 import java.util.jar.Manifest;

@ -25,15 +39,50 @@ import java.util.jar.Manifest;
 */
 public class WebGoatServletListener implements ServletContextListener {

-    /** {@inheritDoc} */
+    private static final Logger logger = LoggerFactory.getLogger(HammerHead.class);
+
+    /**
+     * {@inheritDoc}
+     */
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext context = sce.getServletContext();
        context.log("WebGoat is starting");
        setApplicationVariables(context);
+        context.log("Adding extra mappings for lessions");
+
+        loadPlugins(sce);
+        loadServlets(sce);
    }

-    /** {@inheritDoc} */
+    private void loadServlets(ServletContextEvent sce) {
+        final ServletContext servletContext = sce.getServletContext();
+        Map<String, Class> controllers = Maps.newHashMap();
+        ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider(
+                false);
+        provider.addIncludeFilter(new AnnotationTypeFilter(LessonServletMapping.class));
+        Set<BeanDefinition> candidateComponents = provider.findCandidateComponents("org.owasp.webgoat");
+        try {
+            for (BeanDefinition beanDefinition : candidateComponents) {
+                Class controllerClass = Class.forName(beanDefinition.getBeanClassName());
+                LessonServletMapping pathAnnotation = (LessonServletMapping) controllerClass.getAnnotation(LessonServletMapping.class);
+                final ServletRegistration.Dynamic dynamic = servletContext.addServlet(controllerClass.getSimpleName(), controllerClass);
+                dynamic.addMapping(pathAnnotation.path());
+            }
+        } catch (Exception e) {
+            logger.error("Error", e);
+        }
+    }
+
+    private void loadPlugins(ServletContextEvent sce) {
+        String pluginPath = sce.getServletContext().getRealPath("plugin_lessons");
+        String targetPath = sce.getServletContext().getRealPath("plugin_extracted");
+        new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).loadPlugins();
+    }
+
+    /**
+     * {@inheritDoc}
+     */
    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        ServletContext context = sce.getServletContext();
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonServletMapping.java
@ -0,0 +1,40 @@
+package org.owasp.webgoat.lessons;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+/***************************************************************************************************
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
+ * please see http://www.owasp.org/
+ * <p>
+ * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * <p>
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ * <p>
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ * <p>
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ * <p>
+ * Getting Source ==============
+ * <p>
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
+ * projects.
+ * <p>
+ * For details, please see http://webgoat.github.io
+ *
+ * @author Nanne Baars
+ * @created December 12, 2015
+ */
+@Retention(RetentionPolicy.RUNTIME)
+public @interface LessonServletMapping {
+
+    String path();
+}
+
+