Create WebgoatContext in HammerHead, rather than WebSession

Now webgoatContext should effectively be a singleton, shared across
all WebSession instances. WebSession now initialises from WebgoatContext.

WebSession methods that refer to static "site wide" properties are deeted
and references to them updated to point to WebgoatContext


git-svn-id: http://webgoat.googlecode.com/svn/trunk@141 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/HammerHead.java

@@ -24,6 +24,7 @@ import org.owasp.webgoat.session.ErrorScreen;
 import org.owasp.webgoat.session.Screen;
 import org.owasp.webgoat.session.UserTracker;
 import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.session.WebgoatContext;
 
 /*******************************************************************************
  * 
@@ -79,6 +80,12 @@ public class HammerHead extends HttpServlet
      */
     public static String propertiesPath = null;
 
+    /**
+     * provides convenience methods for getting setup information 
+     * from the ServletContext
+     */
+    private WebgoatContext webgoatContext = null;
+    
 
     /**
      * Description of the Method
@@ -289,6 +296,7 @@ public class HammerHead extends HttpServlet
 	httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
 	propertiesPath = getServletContext().getRealPath(
 		"./WEB-INF/webgoat.properties");
+	webgoatContext = new WebgoatContext(this);
     }
 
 
@@ -481,7 +489,7 @@ public class HammerHead extends HttpServlet
 	{
 	    // Create new custom session and save it in the HTTP session
 	    // System.out.println( "HH Creating new WebSession: " );
-	    session = new WebSession(this, context);
+	    session = new WebSession(webgoatContext, context);
 	    hs.setAttribute(WebSession.SESSION, session);
 	    // reset timeout
 	    hs.setMaxInactiveInterval(sessionTimeoutSeconds);

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CommandInjection.java

@@ -68,13 +68,13 @@ public class CommandInjection extends LessonAdapter
     protected Element createContent(WebSession s)
     {
 	ElementContainer ec = new ElementContainer();
-	boolean illegalCommand = s.isDefuseOSCommands();
+	boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
 	try
 	{
 	    String helpFile = s.getParser().getRawParameter(HELP_FILE,
 		    "BasicAuthentication.help");
 	    String safeDirName;
-	    if (s.isDefuseOSCommands()
+	    if (getWebgoatContext().isDefuseOSCommands()
 		    && (helpFile.indexOf('&') != -1 || helpFile.indexOf(';') != -1))
 	    {
 		int index = helpFile.indexOf('&');
@@ -123,7 +123,7 @@ public class CommandInjection extends LessonAdapter
 		}
 	    }
 
-	    if (s.isDefuseOSCommands() && helpFile.indexOf('&') == -1
+	    if (getWebgoatContext().isDefuseOSCommands() && helpFile.indexOf('&') == -1
 		    && helpFile.indexOf(';') == -1)
 	    {
 		if (helpFile.length() > 0)

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/LessonAdapter.java

@@ -81,7 +81,7 @@ public abstract class LessonAdapter extends AbstractLesson
 				+ "In fact, most lessons can be created by following the easy to use instructions in the "
 				+ "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;"
 				+ "If you would prefer, send your lesson ideas to "
-				+ s.getFeedbackAddress()));
+				+ getWebgoatContext().getFeedbackAddress()));
 
 	String fileName = s.getContext().getRealPath(
 		"doc/New Lesson Instructions.txt");

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/PathBasedAccessControl.java

@@ -102,8 +102,8 @@ public class PathBasedAccessControl extends LessonAdapter
 	    String file = s.getParser().getRawParameter(FILE, "");
 
 	    // defuse file searching
-	    boolean illegalCommand = s.isDefuseOSCommands();
+	    boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
-	    if (s.isDefuseOSCommands())
+	    if (getWebgoatContext().isDefuseOSCommands())
 	    {
 		// allow them to look at any file in the webgoat hierachy.  Don't allow them
 		// to look about the webgoat root, except to see the LICENSE file

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/admin/ReportCardScreen.java

@@ -104,7 +104,7 @@ public class ReportCardScreen extends LessonAdapter
 	ElementContainer ec = new ElementContainer();
 	ec.addElement(new Center(new StringElement(
 		"Comments and suggestions are welcome. "
-			+ s.getFeedbackAddress())));
+			+ getWebgoatContext().getFeedbackAddress())));
 
 	return ec;
     }

webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebSession.java

@@ -123,29 +123,6 @@ public class WebSession
 	 */
 	public final static String SESSION = "Session";
 
-	/**
-	 * Description of the Field
-	 */
-	public final static String ENTERPRISE = "Enterprise";
-
-	/**
-	 * Description of the Field
-	 */
-	public final static String SHOWCOOKIES = "ShowCookies";
-
-	/**
-	 * Description of the Field
-	 */
-	public final static String SHOWPARAMS = "ShowParams";
-
-	/**
-	 * Description of the Field
-	 */
-	public final static String SHOWREQUEST = "ShowRequest";
-
-	/**
-	 * Description of the Field
-	 */
 	public final static String SHOWSOURCE = "ShowSource";
 	
 	public final static String SHOWHINTS = "ShowHints";
@@ -162,20 +139,7 @@ public class WebSession
 
 	public final static String SHOW_SOURCE = "Source";
 
-	/**
+	public final static String DEBUG = "debug";
-	 * Description of the Field
-	 */
-	public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
-
-	/**
-	 * Description of the Field
-	 */
-	public final static String FEEDBACK_ADDRESS = "FeedbackAddress";
-
-	/**
-	 * Description of the Field
-	 */
-	public final String DEBUG = "debug";
 
 	/**
 	 * Description of the Field
@@ -205,7 +169,6 @@ public class WebSession
 	private boolean isColor = false;
 
 	private boolean isDebug = false;
-
 	private boolean hasHackedHackableAdmin = false;
 
 	private StringBuffer message = new StringBuffer( "" );
@@ -228,12 +191,6 @@ public class WebSession
 
 	private boolean showSource = false;
 
-	private boolean defuseOSCommands = false;
-
-	private boolean enterprise = false;
-
-	private String feedbackAddress = "<A HREF=mailto:webgoat@g2-inc.com>webgoat@g2-inc.com</A>";
-
 	private boolean completedHackableAdmin = false;
 	
 	private int currentMenu;
@@ -244,20 +201,14 @@ public class WebSession
 	 * @param servlet Description of the Parameter
 	 * @param context Description of the Parameter
 	 */
-	public WebSession( HttpServlet servlet, ServletContext context )
+	public WebSession(WebgoatContext webgoatContext, ServletContext context )
 	{
-		webgoatContext = new WebgoatContext(servlet);
+		this.webgoatContext = webgoatContext;
 		// initialize from web.xml
-		showParams = "true".equals( servlet.getInitParameter( SHOWPARAMS ) );
+		showParams = webgoatContext.isShowParams();
-		showCookies = "true".equals( servlet.getInitParameter( SHOWCOOKIES ) );
+		showCookies = webgoatContext.isShowCookies();
-		showSource = "true".equals( servlet.getInitParameter( SHOWSOURCE ) );
+		showSource = webgoatContext.isShowSource();
-		defuseOSCommands = "true".equals( servlet.getInitParameter( DEFUSEOSCOMMANDS ) );
+		showRequest = webgoatContext.isShowRequest();
-		enterprise = "true".equals( servlet.getInitParameter( ENTERPRISE ) );
-		feedbackAddress = servlet.getInitParameter( FEEDBACK_ADDRESS ) != null ? servlet
-				.getInitParameter( FEEDBACK_ADDRESS ) : feedbackAddress;
-		showRequest = "true".equals( servlet.getInitParameter( SHOWREQUEST ) );
-		isDebug = "true".equals( servlet.getInitParameter( DEBUG ) );
-		servletName = servlet.getServletName();
 		this.context = context;
 		course = new Course();
 		course.loadCourses( webgoatContext, context, "/" );
@@ -854,36 +805,6 @@ public class WebSession
 		return ( showSource );
 	}
 
-	/**
-	 * Description of the Method
-	 * 
-	 * @return Description of the Return Value
-	 */
-	public boolean isDefuseOSCommands()
-	{
-		return ( defuseOSCommands );
-	}
-
-	/**
-	 * Description of the Method
-	 * 
-	 * @return Description of the Return Value
-	 */
-	public boolean isEnterprise()
-	{
-		return ( enterprise );
-	}
-
-	/**
-	 * Description of the Method
-	 * 
-	 * @return Description of the Return Value
-	 */
-	public String getFeedbackAddress()
-	{
-		return ( feedbackAddress );
-	}
-
 	/**
 	 * Gets the userName attribute of the WebSession object
 	 * 
@@ -976,7 +897,7 @@ public class WebSession
 		// clear variables when switching screens
 		if ( this.getCurrentScreen() != this.getPreviousScreen() )
 		{
-			if ( isDebug )
+			if ( webgoatContext.isDebug() )
 			{
 				setMessage( "Changed to a new screen, clearing cookies and hints" );
 			}

webgoat/main/project/JavaSource/org/owasp/webgoat/session/WebgoatContext.java

@@ -4,8 +4,6 @@ import java.sql.Connection;
 
 import javax.servlet.http.HttpServlet;
 
-import org.owasp.webgoat.lessons.admin.RefreshDBScreen;
-
 public class WebgoatContext {
 
 	public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
@@ -16,6 +14,24 @@ public class WebgoatContext {
 
 	public final static String DATABASE_PASSWORD = "DatabasePassword";
 
+	public final static String ENTERPRISE = "Enterprise";
+
+	public final static String SHOWCOOKIES = "ShowCookies";
+
+	public final static String SHOWPARAMS = "ShowParams";
+
+	public final static String SHOWREQUEST = "ShowRequest";
+
+	public final static String SHOWSOURCE = "ShowSource";
+	
+	public final static String SHOWHINTS = "ShowHints";
+
+	public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
+
+	public final static String FEEDBACK_ADDRESS = "FeedbackAddress";
+
+	public final static String DEBUG = "debug";
+
 	private static boolean databaseBuilt = false;
 	
 	private String databaseConnectionString;
@@ -28,6 +44,24 @@ public class WebgoatContext {
 
 	private String databasePassword;
 
+	private boolean showCookies = false;
+
+	private boolean showParams = false;
+
+	private boolean showRequest = false;
+
+	private boolean showSource = false;
+
+	private boolean defuseOSCommands = false;
+
+	private boolean enterprise = false;
+
+	private String feedbackAddress = "<A HREF=mailto:webgoat@g2-inc.com>webgoat@g2-inc.com</A>";
+
+	private boolean isDebug = false;
+
+	private String servletName;
+
 	private HttpServlet servlet;
 
 	public WebgoatContext(HttpServlet servlet) {
@@ -38,6 +72,18 @@ public class WebgoatContext {
 		databaseUser = servlet.getInitParameter(DATABASE_USER);
 		databasePassword = servlet.getInitParameter(DATABASE_PASSWORD);
 		
+		// initialize from web.xml
+		showParams = "true".equals( servlet.getInitParameter( SHOWPARAMS ) );
+		showCookies = "true".equals( servlet.getInitParameter( SHOWCOOKIES ) );
+		showSource = "true".equals( servlet.getInitParameter( SHOWSOURCE ) );
+		defuseOSCommands = "true".equals( servlet.getInitParameter( DEFUSEOSCOMMANDS ) );
+		enterprise = "true".equals( servlet.getInitParameter( ENTERPRISE ) );
+		feedbackAddress = servlet.getInitParameter( FEEDBACK_ADDRESS ) != null ? servlet
+				.getInitParameter( FEEDBACK_ADDRESS ) : feedbackAddress;
+		showRequest = "true".equals( servlet.getInitParameter( SHOWREQUEST ) );
+		isDebug = "true".equals( servlet.getInitParameter( DEBUG ) );
+		servletName = servlet.getServletName();
+		
 		// FIXME: need to solve concurrency problem here -- make tables for this user
 		if ( !databaseBuilt ) {
 			try {
@@ -103,4 +149,40 @@ public class WebgoatContext {
 		return (databasePassword);
 	}
 
+	public boolean isDefuseOSCommands() {
+		return defuseOSCommands;
+	}
+
+	public boolean isEnterprise() {
+		return enterprise;
+	}
+
+	public String getFeedbackAddress() {
+		return feedbackAddress;
+	}
+
+	public boolean isDebug() {
+		return isDebug;
+	}
+
+	public String getServletName() {
+		return servletName;
+	}
+
+	public boolean isShowCookies() {
+		return showCookies;
+	}
+
+	public boolean isShowParams() {
+		return showParams;
+	}
+
+	public boolean isShowRequest() {
+		return showRequest;
+	}
+
+	public boolean isShowSource() {
+		return showSource;
+	}
+
 }