MultiLevelLogin 2 data stored now in session

git-svn-id: http://webgoat.googlecode.com/svn/trunk@303 4033779f-a91e-0410-96ef-6bf7bf53c507
2008-04-08 07:51:47 +00:00 · 2008-04-08 07:51:47 +00:00 · eabdc53709
commit eabdc53709
parent aec76a30e4
2 changed files with 135 additions and 46 deletions
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin1.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin1.java
@ -61,10 +61,11 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 	private final static String PASSWORD = "pass";
 	private final static String HIDDEN_TAN = "hidden_tan";
 	private final static String TAN = "tan";
-	
+
 	private final static String LOGGEDIN = "loggedin";
 	private final static String CORRECTTAN = "correctTan";
 	private final static String LOGGEDINUSER = "loggedInUser";
+
 	/**
 	 * Creates Staged WebContent
 	 * 
@ -74,9 +75,10 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 	{
 		return super.createStagedContent(s);
 	}
-	
+
 	/**
-	 * See if the user is logged in
+	 * See if the user has logged in correctly
+	 * 
 	 * @param s
 	 * @return true if loggedIn
 	 */
@ -85,15 +87,15 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		try
 		{
 			return s.get(LOGGEDIN).equals("true");
-		}
-		catch (Exception e)
+		} catch (Exception e)
 		{
 			return false;
 		}
 	}
-	
+
 	/**
-	 * See if the user has a used a valid tan
+	 * See if the user had used a valid tan
+	 * 
 	 * @param s
 	 * @return treu if correctTan
 	 */
@ -102,15 +104,15 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		try
 		{
 			return s.get(CORRECTTAN).equals("true");
-		}
-		catch (Exception e)
+		} catch (Exception e)
 		{
 			return false;
 		}
 	}
-	
+
 	/**
 	 * Get the logged in user
+	 * 
 	 * @param s
 	 * @return the logged in user
 	 */
@ -118,10 +120,9 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 	{
 		try
 		{
-			String user = (String)s.get(LOGGEDINUSER);
+			String user = (String) s.get(LOGGEDINUSER);
 			return user;
-		}
-		catch (Exception e)
+		} catch (Exception e)
 		{
 			return "";
 		}
@ -202,7 +203,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		// verify the password
 		if (correctLogin(user, password, s))
 		{
-			s.add(LOGGEDIN, "true");			
+			s.add(LOGGEDIN, "true");
 			s.add(LOGGEDINUSER, user);
 		}

@ -222,7 +223,7 @@ public class MultiLevelLogin1 extends SequentialLessonAdapter
 		}
 		if (loggedIn(s) && correctTan(s))
 		{
-			s.add(LOGGEDIN, "false");			
+			s.add(LOGGEDIN, "false");
 			s.add(CORRECTTAN, "false");

 			createSuccessfulLoginContent(s, ec);
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin2.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/MultiLevelLogin2.java
@ -57,18 +57,108 @@ import org.owasp.webgoat.session.WebSession;

 public class MultiLevelLogin2 extends LessonAdapter
 {
-	private boolean loggedIn = false;
-	private boolean correctTan = false;
-	private String currentTan = "";
-	private int currentTanNr = 0;
-
 	private final static String USER = "user";
 	private final static String PASSWORD = "pass";
 	private final static String TAN = "tan";
 	private final static String HIDDEN_USER = "hidden_user";

+	private final static String LOGGEDIN = "loggedin";
+	private final static String CORRECTTAN = "correctTan";
+	private final static String CURRENTTAN = "currentTan";
+	private final static String CURRENTTANPOS = "currentTanPos";
+
 	// needed to see if lesson was successfull
-	private String LoggedInUser = "";
+	private final static String LOGGEDINUSER = "loggedInUser";
+
+	//private String LoggedInUser = "";
+
+	/**
+	 * See if the user is logged in
+	 * 
+	 * @param s
+	 * @return true if loggedIn
+	 */
+	private boolean loggedIn(WebSession s)
+	{
+		try
+		{
+			return s.get(LOGGEDIN).equals("true");
+		} catch (Exception e)
+		{
+			return false;
+		}
+	}
+
+	/**
+	 * See if the user had used a valid tan
+	 * 
+	 * @param s
+	 * @return true if correctTan
+	 */
+	private boolean correctTan(WebSession s)
+	{
+		try
+		{
+			return s.get(CORRECTTAN).equals("true");
+		} catch (Exception e)
+		{
+			return false;
+		}
+	}
+
+	/**
+	 * Get the currentTan
+	 * 
+	 * @param s
+	 * @return the logged in user
+	 */
+	private String getCurrentTan(WebSession s)
+	{
+		try
+		{
+			String currentTan = (String) s.get(CURRENTTAN);
+			return currentTan;
+		} catch (Exception e)
+		{
+			return "";
+		}
+	}
+
+	/**
+	 * Get the currentTanPossition
+	 * 
+	 * @param s
+	 * @return the logged in user
+	 */
+	private Integer getCurrentTanPosition(WebSession s)
+	{
+		try
+		{
+			Integer tanPos = (Integer) s.get(CURRENTTANPOS);
+			return tanPos;
+		} catch (Exception e)
+		{
+			return 0;
+		}
+	}
+
+	/**
+	 * Get the logged in user
+	 * 
+	 * @param s
+	 * @return the logged in user
+	 */
+	private String getLoggedInUser(WebSession s)
+	{
+		try
+		{
+			String user = (String) s.get(LOGGEDINUSER);
+			return user;
+		} catch (Exception e)
+		{
+			return "";
+		}
+	}

 	/**
 	 * Creates WebContent
@ -133,57 +223,56 @@ public class MultiLevelLogin2 extends LessonAdapter
 		ElementContainer ec = new ElementContainer();

 		// verify that tan is correct and user is logged in
-		if (loggedIn && correctTan(tan))
+		if (loggedIn(s) && correctTan(tan, s))
 		{
-			correctTan = true;
+			s.add(CORRECTTAN, "true");
 		}
 		// user is loggedIn but enters wrong tan
-		else if (loggedIn && !correctTan(tan))
+		else if (loggedIn(s) && !correctTan(tan, s))
 		{
-			loggedIn = false;
+			s.add(LOGGEDIN, "false");
 		}

 		if (correctLogin(user, password, s))
 		{
-			loggedIn = true;
-			LoggedInUser = user;
-			currentTanNr = getTanPosition(user, s);
-			currentTan = getTan(user, currentTanNr, s);
+			s.add(LOGGEDIN, "true");
+			s.add(LOGGEDINUSER, user);
+			s.add(CURRENTTANPOS, getTanPosition(user, s));
+			// currentTanNr = getTanPosition(user, s);
+			// currentTan = getTan(user, currentTanNr, s);
+			s.add(CURRENTTAN, getTan(user, getCurrentTanPosition(s), s));

 		}

 		// if restart button is clicked owe have to reset log in
 		if (!s.getParser().getStringParameter("Restart", "").equals(""))
 		{
-			loggedIn = false;
-			correctTan = false;
-			currentTanNr = 0;
-			resetTans(s);
 		}
 		// Logout Button is pressed
 		if (s.getParser().getRawParameter("logout", "").equals("true"))
 		{
-			loggedIn = false;
-			correctTan = false;
+
+			s.add(LOGGEDIN, "false");
+			s.add(CORRECTTAN, "false");

 		}
-		if (loggedIn && correctTan)
+		if (loggedIn(s) && correctTan(s))
 		{
-			loggedIn = false;
-			correctTan = false;
+			s.add(LOGGEDIN, "false");
+			s.add(CORRECTTAN, "false");

 			createSuccessfulLoginContent(s, ec, hiddenUser);

 		}
-		else if (loggedIn)
+		else if (loggedIn(s))
 		{
-			if (currentTanNr > 5)
+			if (getCurrentTanPosition(s) > 5)
 			{
 				createNoTanLeftContent(ec);
 			}
 			else
 			{
-				createAskForTanContent(s, ec, currentTanNr, user);
+				createAskForTanContent(s, ec, getCurrentTanPosition(s), user);
 			}
 		}
 		else
@ -202,8 +291,6 @@ public class MultiLevelLogin2 extends LessonAdapter
 			createLogInContent(ec, errorMessage);
 		}

-		System.out.println("Logged In: " + loggedIn);
-
 		return ec;
 	}

@ -350,7 +437,7 @@ public class MultiLevelLogin2 extends LessonAdapter
 				tr4.addElement(new TD("<b>Credit Card Number:</b>"));
 				tr4.addElement(new TD(results.getString("cc_number")));

-				if (!user.equals(LoggedInUser))
+				if (!user.equals(getLoggedInUser(s)))
 				{
 					makeSuccess(s);
 				}
@ -551,9 +638,10 @@ public class MultiLevelLogin2 extends LessonAdapter
 	 * @param tan
 	 * @return true if the tan is correct
 	 */
-	private boolean correctTan(String tan)
+	private boolean correctTan(String tan, WebSession s)
 	{
-		if (!currentTan.equals("")) { return tan.equals(String.valueOf(currentTan)); }
+		// if (!getCurrentTan(s).equals("")) { return tan.equals(String.valueOf(currentTan)); }
+		if (!getCurrentTan(s).equals("")) { return tan.equals(getCurrentTan(s)); }
 		return false;
 	}