First attempt to remove JSP and move to Thymeleaf and update to Spring Boot. The Thymeleaf templates can be loaded as snippets which makes it more easy to move away from ECS and create normal HTML pages for a lesson.

pom.xml

@@ -17,6 +17,12 @@
         <url>https://webgoat.github.io/</url>
     </organization>
 
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.3.3.RELEASE</version>
+    </parent>
+
     <licenses>
         <license>
             <name>GNU General Public License, version 2</name>
@@ -148,7 +154,6 @@
         <maven-surefire-plugin.version>2.19</maven-surefire-plugin.version>
         <maven-war-plugin.version>2.6</maven-war-plugin.version>
         <nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
-        <org.springframework.version>3.2.4.RELEASE</org.springframework.version>
         <sauce_junit.version>2.1.20</sauce_junit.version>
         <selenium-java.version>2.48.2</selenium-java.version>
         <slf4j-api.version>1.7.12</slf4j-api.version>

webgoat-container/pom.xml

@@ -12,6 +12,10 @@
         <version>7.1-SNAPSHOT</version>
     </parent>
 
+    <properties>
+        <start-class>org.owasp.webgoat.WebGoat</start-class>
+    </properties>
+
     <profiles>
         <profile>
             <id>run-integration-tests</id>
@@ -206,10 +210,49 @@
                     </excludes>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
         </plugins>
     </build>
 
     <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.tomcat.embed</groupId>
+            <artifactId>tomcat-embed-jasper</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <!--<dependency>-->
+            <!--<groupId>org.springframework.boot</groupId>-->
+            <!--<artifactId>spring-boot-devtools</artifactId>-->
+            <!--<optional>true</optional>-->
+        <!--</dependency>-->
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>jstl</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.xeustechnologies</groupId>
+            <artifactId>jcl-core</artifactId>
+            <version>2.7</version>
+        </dependency>
         <dependency>
             <groupId>javax.activation</groupId>
             <artifactId>activation</artifactId>
@@ -266,16 +309,16 @@
                 </exclusion>
             </exclusions>
         </dependency>
-        <dependency>
-            <groupId>commons-logging</groupId>
-            <artifactId>commons-logging</artifactId>
-            <version>${commons-logging.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>jcl-over-slf4j</artifactId>
-            <version>${jcl-over-slf4j.version}</version>
-        </dependency>
+        <!--<dependency>-->
+            <!--<groupId>commons-logging</groupId>-->
+            <!--<artifactId>commons-logging</artifactId>-->
+            <!--<version>${commons-logging.version}</version>-->
+        <!--</dependency>-->
+        <!--<dependency>-->
+            <!--<groupId>org.slf4j</groupId>-->
+            <!--<artifactId>jcl-over-slf4j</artifactId>-->
+            <!--<version>${jcl-over-slf4j.version}</version>-->
+        <!--</dependency>-->
         <dependency>
             <groupId>commons-discovery</groupId>
             <artifactId>commons-discovery</artifactId>
@@ -316,71 +359,33 @@
             <artifactId>jtds</artifactId>
             <version>${jtds.version}</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.tomcat</groupId>
-            <artifactId>tomcat-catalina</artifactId>
-            <version>${tomcat-catalina.version}</version>
-            <scope>provided</scope>
-        </dependency>
+        <!--<dependency>-->
+            <!--<groupId>org.apache.tomcat</groupId>-->
+            <!--<artifactId>tomcat-catalina</artifactId>-->
+            <!--<version>${tomcat-catalina.version}</version>-->
+            <!--<scope>provided</scope>-->
+        <!--</dependency>-->
 
 
         <!-- ************* spring MVC and related dependencies ************** -->
 
         <!-- servlet API -->
-        <dependency>
-            <groupId>javax</groupId>
-            <artifactId>javaee-api</artifactId>
-            <version>${javaee-api.version}</version>
-            <scope>provided</scope>
-        </dependency>
+        <!--<dependency>-->
+            <!--<groupId>javax</groupId>-->
+            <!--<artifactId>javaee-api</artifactId>-->
+            <!--<version>${javaee-api.version}</version>-->
+            <!--<scope>provided</scope>-->
+        <!--</dependency>-->
 
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-core</artifactId>
-            <version>${org.springframework.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-aop</artifactId>
-            <version>${org.springframework.version}</version>
-        </dependency>
 
         <!-- Jackson -->
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
-            <version>${jackson-core.version}</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson-databind.version}</version>
-        </dependency>
-
-        <!-- Spring MVC framework -->
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-webmvc</artifactId>
-            <version>${org.springframework.version}</version>
-            <type>jar</type>
-        </dependency>
-
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-core</artifactId>
-            <version>${spring.security.version}</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-config</artifactId>
-            <version>${spring.security.version}</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-web</artifactId>
-            <version>${spring.security.version}</version>
         </dependency>
 
         <!-- Apache Commons Upload -->
@@ -409,43 +414,43 @@
             <version>${standard.version}</version>
         </dependency>
 
-        <dependency>
-            <groupId>log4j</groupId>
-            <artifactId>log4j</artifactId>
-            <version>${log4j.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>javax.jms</groupId>
-                    <artifactId>jms</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.sun.jdmk</groupId>
-                    <artifactId>jmxtools</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.sun.jmx</groupId>
-                    <artifactId>jmxri</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
+        <!--<dependency>-->
+            <!--<groupId>log4j</groupId>-->
+            <!--<artifactId>log4j</artifactId>-->
+            <!--<version>${log4j.version}</version>-->
+            <!--<exclusions>-->
+                <!--<exclusion>-->
+                    <!--<groupId>javax.jms</groupId>-->
+                    <!--<artifactId>jms</artifactId>-->
+                <!--</exclusion>-->
+                <!--<exclusion>-->
+                    <!--<groupId>com.sun.jdmk</groupId>-->
+                    <!--<artifactId>jmxtools</artifactId>-->
+                <!--</exclusion>-->
+                <!--<exclusion>-->
+                    <!--<groupId>com.sun.jmx</groupId>-->
+                    <!--<artifactId>jmxri</artifactId>-->
+                <!--</exclusion>-->
+            <!--</exclusions>-->
+        <!--</dependency>-->
         <dependency>
             <groupId>org.apache.tiles</groupId>
             <artifactId>tiles-core</artifactId>
             <version>${tiles.version}</version>
             <type>jar</type>
         </dependency>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-api</artifactId>
-            <version>${slf4j-api.version}</version>
-            <type>jar</type>
-        </dependency>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-log4j12</artifactId>
-            <version>${slf4j-log4j12.version}</version>
-            <type>jar</type>
-        </dependency>
+        <!--<dependency>-->
+            <!--<groupId>org.slf4j</groupId>-->
+            <!--<artifactId>slf4j-api</artifactId>-->
+            <!--<version>${slf4j-api.version}</version>-->
+            <!--<type>jar</type>-->
+        <!--</dependency>-->
+        <!--<dependency>-->
+            <!--<groupId>org.slf4j</groupId>-->
+            <!--<artifactId>slf4j-log4j12</artifactId>-->
+            <!--<version>${slf4j-log4j12.version}</version>-->
+            <!--<type>jar</type>-->
+        <!--</dependency>-->
         <!-- ************* END spring MVC and related dependencies ************** -->
         <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->
         <dependency>

webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java

@@ -204,7 +204,7 @@ public class HammerHead extends HttpServlet {
 
     private String getViewPage(WebSession webSession) {
         // now always display the lesson content
-        String page = "/lesson_content.jsp";
+        String page = "lesson_content";
         //page = "/main.jsp";
         return page;
     }

webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java

@@ -0,0 +1,33 @@
+package org.owasp.webgoat;
+
+import org.owasp.webgoat.session.LabelDebugger;
+import org.springframework.boot.context.embedded.ServletRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+
+/**
+ *
+ */
+@Configuration
+public class MvcConfiguration extends WebMvcConfigurerAdapter {
+
+
+    @Override
+    public void addViewControllers(ViewControllerRegistry registry) {
+        registry.addViewController("/login").setViewName("login");
+        registry.addViewController("/lesson_content").setViewName("lesson_content");
+    }
+
+    @Bean
+    public ServletRegistrationBean servletRegistrationBean() {
+        return new ServletRegistrationBean(new HammerHead(), "/attack/*");
+    }
+
+    @Bean
+    //@Scope(value= WebApplicationContext.SCOPE_SESSION)
+    public LabelDebugger labelDebugger() {
+        return new LabelDebugger();
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java

@@ -0,0 +1,53 @@
+package org.owasp.webgoat;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.context.web.SpringBootServletInitializer;
+
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+
+@SpringBootApplication
+public class WebGoat extends SpringBootServletInitializer {
+
+    @Override
+    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
+        return application.sources(WebGoat.class);
+    }
+
+    @Override
+    public void onStartup(ServletContext servletContext) throws ServletException {
+        super.onStartup(servletContext);
+
+    }
+
+    public static void main(String[] args) throws Exception {
+        SpringApplication.run(WebGoat.class, args);
+    }
+
+//    @Bean
+//    @Autowired
+//    public TomcatEmbeddedServletContainerFactory servletContainer(final JarScanner jarScanner) {
+//        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
+//        factory.setPort(80);
+//        factory.setSessionTimeout(10, TimeUnit.MINUTES);
+//        factory.addContextCustomizers(new TomcatContextCustomizer() {
+//            @Override
+//            public void customize(Context context) {
+//
+//                context.setJarScanner(jarScanner);
+//            }
+//        });
+//        return factory;
+//    }
+//
+//    @Bean
+//    public JarScanner getJarScanner() {
+//        StandardJarScanner jarScanner = new StandardJarScanner();
+//        jarScanner.setScanClassPath(true);
+//        return jarScanner;
+//    }
+
+
+}

webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java

@@ -0,0 +1,49 @@
+package org.owasp.webgoat;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
+import org.springframework.security.core.userdetails.UserDetailsService;
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
+                .authorizeRequests()
+                .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**").permitAll()
+                .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
+                .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
+                .anyRequest().hasAnyRole("WEBGOAT_USER", "WEBGOAT_ADMIN", "SERVER_ADMIN");
+        security.and()
+                .formLogin()
+                .loginPage("/login")
+                .defaultSuccessUrl("/welcome.mvc")
+                .usernameParameter("username")
+                .passwordParameter("password")
+                .permitAll();
+        security.and()
+                .logout()
+                .permitAll();
+    }
+
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+        auth.inMemoryAuthentication()
+                .withUser("guest").password("guest").roles("WEBGOAT_USER").and() //
+                .withUser("webgoat").password("webgoat").roles("WEBGOAT_ADMIN").and() //
+                .withUser("server").password("server").roles("SERVER_ADMIN");
+    }
+
+    @Bean
+    @Override
+    public UserDetailsService userDetailsServiceBean() throws Exception {
+        return super.userDetailsServiceBean();
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/controller/About.java

@@ -1,59 +0,0 @@
-/*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
- */
-package org.owasp.webgoat.controller;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.servlet.ModelAndView;
-
-/**
- * <p>About class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class About {
-    
-    final Logger logger = LoggerFactory.getLogger(About.class);
-    private static final String WELCOMED = "welcomed";
-    
-    /**
-     * <p>welcome.</p>
-     *
-     * @param request a {@link javax.servlet.http.HttpServletRequest} object.
-     * @param error a {@link java.lang.String} object.
-     * @param logout a {@link java.lang.String} object.
-     * @return a {@link org.springframework.web.servlet.ModelAndView} object.
-     */
-    @RequestMapping(value = "about.mvc", method = RequestMethod.GET)
-    public ModelAndView welcome(HttpServletRequest request,
-            @RequestParam(value = "error", required = false) String error,
-            @RequestParam(value = "logout", required = false) String logout) {
-
-        // set the welcome attribute
-        // this is so the attack servlet does not also 
-        // send them to the welcome page
-        HttpSession session = request.getSession();
-        if (session.getAttribute(WELCOMED) == null) {
-            session.setAttribute(WELCOMED, "true");
-        }
-        
-        //go ahead and send them to webgoat (skip the welcome page)
-        ModelAndView model = new ModelAndView();
-        //model.setViewName("welcome");
-        //model.setViewName("main_new");
-        model.setViewName("about");
-        return model;
-    }
-    
-}

webgoat-container/src/main/java/org/owasp/webgoat/controller/Login.java

@@ -5,44 +5,38 @@
  */
 package org.owasp.webgoat.controller;
 
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.servlet.ModelAndView;
-
 /**
  * <p>Login class.</p>
  *
  * @author rlawson
  * @version $Id: $Id
  */
-@Controller
+//@Controller
 public class Login {
 
-    /**
-     * <p>login.</p>
-     *
-     * @param error a {@link java.lang.String} object.
-     * @param logout a {@link java.lang.String} object.
-     * @return a {@link org.springframework.web.servlet.ModelAndView} object.
-     */
-    @RequestMapping(value = "login.mvc", method = RequestMethod.GET)
-    public ModelAndView login(
-            @RequestParam(value = "error", required = false) String error,
-            @RequestParam(value = "logout", required = false) String logout) {
-
-        ModelAndView model = new ModelAndView();
-        if (error != null) {
-            model.addObject("error", "Invalid username and password!");
-        }
-
-        if (logout != null) {
-            model.addObject("msg", "You've been logged out successfully.");
-        }
-        model.setViewName("login");
-
-        return model;
-
-    }
+//    /**
+//     * <p>login.</p>
+//     *
+//     * @param error a {@link java.lang.String} object.
+//     * @param logout a {@link java.lang.String} object.
+//     * @return a {@link org.springframework.web.servlet.ModelAndView} object.
+//     */
+//    @RequestMapping(path = "login.mvc", method = RequestMethod.GET)
+//    public ModelAndView login(
+//            @RequestParam(value = "error", required = false) String error,
+//            @RequestParam(value = "logout", required = false) String logout) {
+//
+//        ModelAndView model = new ModelAndView();
+//        if (error != null) {
+//            model.addObject("error", "Invalid username and password!");
+//        }
+//
+//        if (logout != null) {
+//            model.addObject("msg", "You've been logged out successfully.");
+//        }
+//        model.setViewName("login");
+//
+//        return model;
+//
+//    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/controller/Logout.java

@@ -31,7 +31,7 @@ public class Logout {
      * @param logout a {@link java.lang.String} object.
      * @return a {@link org.springframework.web.servlet.ModelAndView} object.
      */
-    @RequestMapping(value = "logout.mvc", method = RequestMethod.GET)
+    @RequestMapping(path = "logout.mvc", method = RequestMethod.GET)
     public ModelAndView logout(
             @RequestParam(value = "error", required = false) String error,
             @RequestParam(value = "logout", required = false) String logout) {

webgoat-container/src/main/java/org/owasp/webgoat/controller/Start.java

@@ -5,10 +5,6 @@
  */
 package org.owasp.webgoat.controller;
 
-import java.util.Collection;
-import javax.servlet.ServletContext;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.application.Application;
 import org.owasp.webgoat.session.WebSession;
@@ -20,9 +16,13 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;
 
+import javax.servlet.ServletContext;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import java.util.Collection;
+
 /**
  * <p>Start class.</p>
  *
@@ -43,14 +43,10 @@ public class Start {
      * <p>start.</p>
      *
      * @param request a {@link javax.servlet.http.HttpServletRequest} object.
-     * @param error a {@link java.lang.String} object.
-     * @param logout a {@link java.lang.String} object.
      * @return a {@link org.springframework.web.servlet.ModelAndView} object.
      */
-    @RequestMapping(value = "start.mvc", method = {RequestMethod.GET, RequestMethod.POST})
-    public ModelAndView start(HttpServletRequest request,
-            @RequestParam(value = "error", required = false) String error,
-            @RequestParam(value = "logout", required = false) String logout) {
+    @RequestMapping(path = "start.mvc", method = {RequestMethod.GET, RequestMethod.POST})
+    public ModelAndView start(HttpServletRequest request) {
 
         ModelAndView model = new ModelAndView();
         // make sure session is set up correctly

webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java

@@ -5,16 +5,14 @@
  */
 package org.owasp.webgoat.controller;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.servlet.ModelAndView;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
 /**
  * <p>Welcome class.</p>
  *
@@ -24,21 +22,16 @@ import org.springframework.web.servlet.ModelAndView;
 @Controller
 public class Welcome {
 
-    final Logger logger = LoggerFactory.getLogger(Welcome.class);
     private static final String WELCOMED = "welcomed";
     
     /**
      * <p>welcome.</p>
      *
      * @param request a {@link javax.servlet.http.HttpServletRequest} object.
-     * @param error a {@link java.lang.String} object.
-     * @param logout a {@link java.lang.String} object.
      * @return a {@link org.springframework.web.servlet.ModelAndView} object.
      */
-    @RequestMapping(value = "welcome.mvc", method = RequestMethod.GET)
-    public ModelAndView welcome(HttpServletRequest request,
-            @RequestParam(value = "error", required = false) String error,
-            @RequestParam(value = "logout", required = false) String logout) {
+    @RequestMapping(path = "welcome.mvc", method = RequestMethod.GET)
+    public ModelAndView welcome(HttpServletRequest request) {
 
         // set the welcome attribute
         // this is so the attack servlet does not also 

webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -259,7 +259,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 
             while ((line = reader.readLine()) != null) {
                 if ((line.indexOf(methodName) != -1)
-                        && ((line.indexOf("public") != -1) || (line.indexOf("protected") != -1) || (line
+                        && ((line.indexOf("static") != -1) || (line.indexOf("protected") != -1) || (line
                         .indexOf("private") != -1))) {
                     echo = true;
                     startCount = true;

webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java

@@ -2,7 +2,6 @@ package org.owasp.webgoat.plugins;
 
 import com.google.common.base.Optional;
 import com.google.common.collect.Lists;
-import org.apache.catalina.loader.WebappClassLoader;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.springframework.util.StringUtils;
 
@@ -28,6 +27,7 @@ public class Plugin {
 
     private static final String NAME_LESSON_SOLUTION_DIRECTORY = "lessonSolutions";
     private static final String NAME_LESSON_PLANS_DIRECTORY = "lessonPlans";
+    private final PluginClassLoader classLoader;
 
     private Class<AbstractLesson> lesson;
     private Map<String, File> solutionLanguageFiles = new HashMap<>();
@@ -35,6 +35,10 @@ public class Plugin {
     private List<File> pluginFiles = Lists.newArrayList();
     private File lessonSourceFile;
 
+    public Plugin(PluginClassLoader classLoader) {
+        this.classLoader = classLoader;
+    }
+
     /**
      * <p>findLesson.</p>
      *
@@ -49,10 +53,10 @@ public class Plugin {
     private void findLesson(String name) {
         String realClassName = StringUtils.trimLeadingCharacter(name, '/').replaceAll("/", ".").replaceAll(".class", "");
         //TODO should be passed in (refactor)
-        WebappClassLoader cl = (WebappClassLoader) Thread.currentThread().getContextClassLoader();
+        //TomcatEmbeddedWebappClassLoader cl = (TomcatEmbeddedWebappClassLoader) Thread.currentThread().getContextClassLoader();
 
         try {
-            Class clazz = cl.loadClass(realClassName, true);
+            Class clazz = classLoader.loadClass(realClassName);
 
             if (AbstractLesson.class.isAssignableFrom(clazz)) {
                 this.lesson = clazz;

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginClassLoader.java

@@ -0,0 +1,16 @@
+package org.owasp.webgoat.plugins;
+
+import java.net.URL;
+import java.net.URLClassLoader;
+
+public class PluginClassLoader extends URLClassLoader {
+
+    public PluginClassLoader(ClassLoader parent) {
+        super(new URL[] {}, parent);
+    }
+
+    @Override
+    public void addURL(URL url) {
+        super.addURL(url);
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginExtractor.java

@@ -34,9 +34,9 @@ public class PluginExtractor {
      * @return a {@link org.owasp.webgoat.plugins.Plugin} object.
      * @throws java.io.IOException if any.
      */
-    public Plugin extractJarFile(final File archive, final File targetDirectory) throws IOException {
+    public Plugin extractJarFile(final File archive, final File targetDirectory, PluginClassLoader cl) throws IOException {
         ZipFile zipFile = new ZipFile(archive);
-        Plugin plugin = new Plugin();
+        Plugin plugin = new Plugin(cl);
         try {
             Enumeration<? extends ZipEntry> entries = zipFile.entries();
             while (entries.hasMoreElements()) {

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java

@@ -1,7 +1,6 @@
 package org.owasp.webgoat.plugins;
 
 import com.google.common.collect.Lists;
-import org.apache.catalina.loader.WebappClassLoader;
 import org.apache.commons.io.FileUtils;
 import org.owasp.webgoat.util.LabelProvider;
 import org.slf4j.Logger;
@@ -48,24 +47,25 @@ public class PluginsLoader {
         this.pluginTarget = Objects.requireNonNull(pluginTarget, "plugin target cannot be null");
     }
 
-    /**
-     * Copy jars to the lib directory
-     */
-    public void copyJars() {
-        try {
-            if (!alreadyLoaded) {
-                WebappClassLoader cl = (WebappClassLoader) Thread.currentThread().getContextClassLoader();
-                cl.setAntiJARLocking(true);
-                List<URL> jars = listJars();
-                for (URL jar : jars) {
-                    cl.addRepository(jar.toString());
-                }
-                alreadyLoaded = true;
-            }
-        } catch (Exception e) {
-            logger.error("Copying plugins failed", e);
-        }
-    }
+//    /**
+//     * Copy jars to the lib directory
+//     */
+//    public void copyJars() {
+//        try {
+//            if (!alreadyLoaded) {
+//                WebappClassLoader cl = (WebappClassLoader) Thread.currentThread().getContextClassLoader();
+//               // cl.setAntiJARLocking(true);
+//                List<URL> jars = listJars();
+//                for (URL jar : jars) {
+//                  //  cl.setResources();
+//                   // cl.addRepository(jar.toString());
+//                }
+//                alreadyLoaded = true;
+//            }
+//        } catch (Exception e) {
+//            logger.error("Copying plugins failed", e);
+//        }
+//    }
 
     /**
      * <p>loadPlugins.</p>
@@ -73,7 +73,7 @@ public class PluginsLoader {
      * @return a {@link java.util.List} object.
      */
     public List<Plugin> loadPlugins() {
-        copyJars();
+       // copyJars();
         List<Plugin> plugins = Lists.newArrayList();
 
         try {
@@ -134,13 +134,17 @@ public class PluginsLoader {
 
     private List<Callable<Plugin>> extractJars(List<URL> jars) {
         List<Callable<Plugin>> extractorCallables = Lists.newArrayList();
+        ClassLoader parentClassLoader = PluginClassLoader.class.getClassLoader();
+        final PluginClassLoader classLoader = new PluginClassLoader(parentClassLoader);
+
         for (final URL jar : jars) {
+            classLoader.addURL(jar);
             extractorCallables.add(new Callable<Plugin>() {
 
                 @Override
                 public Plugin call() throws Exception {
                     PluginExtractor extractor = new PluginExtractor();
-                    return extractor.extractJarFile(ResourceUtils.getFile(jar), pluginTarget.toFile());
+                    return extractor.extractJarFile(ResourceUtils.getFile(jar), pluginTarget.toFile(), classLoader);
                 }
             });
         }

webgoat-container/src/main/java/org/owasp/webgoat/service/ApplicationService.java

@@ -29,12 +29,13 @@
  */
 package org.owasp.webgoat.service;
 
-import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.application.Application;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpSession;
+
 /**
  * <p>ApplicationService class.</p>
  *
@@ -50,7 +51,7 @@ public class ApplicationService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link org.owasp.webgoat.application.Application} object.
      */
-    @RequestMapping(value = "/application.mvc", produces = "application/json")
+    @RequestMapping(path = "/application.mvc", produces = "application/json")
     public @ResponseBody
     Application showApplication(HttpSession session) {
         Application app = Application.getInstance();

webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java

@@ -29,10 +29,6 @@
  */
 package org.owasp.webgoat.service;
 
-import java.util.Collections;
-import java.util.List;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.lessons.model.RequestParameter;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
@@ -40,6 +36,11 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.ModelAndView;
 
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpSession;
+import java.util.Collections;
+import java.util.List;
+
 /**
  * <p>CookieService class.</p>
  *
@@ -55,7 +56,7 @@ public class CookieService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.util.List} object.
      */
-    @RequestMapping(value = "/cookie.mvc", produces = "application/json")
+    @RequestMapping(path = "/cookie.mvc", produces = "application/json")
     public @ResponseBody
     List<Cookie> showCookies(HttpSession session) {
         WebSession ws = getWebSession(session);

webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java

@@ -32,7 +32,7 @@ public class HintService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.util.List} object.
      */
-    @RequestMapping(value = "/hint.mvc", produces = "application/json")
+    @RequestMapping(path = "/hint.mvc", produces = "application/json")
     public @ResponseBody
     List<Hint> showHint(HttpSession session) {
         List<Hint> listHints = new ArrayList<Hint>();

webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java

@@ -68,7 +68,7 @@ public class LabelDebugService extends BaseService {
      *
      * @return a {@link org.springframework.http.ResponseEntity} object.
      */
-    @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
+    @RequestMapping(path = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
     public @ResponseBody
     ResponseEntity<Map<String, Object>> checkDebuggingStatus() {
         logger.debug("Checking label debugging, it is " + labelDebugger.isEnabled()); // FIXME parameterize

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java

@@ -32,7 +32,7 @@ public class LessonInfoService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link org.owasp.webgoat.lessons.model.LessonInfoModel} object.
      */
-    @RequestMapping(value = "/lessoninfo.mvc", produces = "application/json")
+    @RequestMapping(path = "/lessoninfo.mvc", produces = "application/json")
     public @ResponseBody
     LessonInfoModel getLessonInfo(HttpSession session) {
         WebSession webSession = getWebSession(session);

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java

@@ -29,9 +29,6 @@
  */
 package org.owasp.webgoat.service;
 
-import java.util.ArrayList;
-import java.util.List;
-import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.RandomLessonAdapter;
@@ -45,6 +42,10 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpSession;
+import java.util.ArrayList;
+import java.util.List;
+
 /**
  * <p>LessonMenuService class.</p>
  *
@@ -62,7 +63,7 @@ public class LessonMenuService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.util.List} object.
      */
-    @RequestMapping(value = "/lessonmenu.mvc", produces = "application/json")
+    @RequestMapping(path = "/lessonmenu.mvc", produces = "application/json")
     public @ResponseBody
     List<LessonMenuItem> showLeftNav(HttpSession session) {
         List<LessonMenuItem> menu = new ArrayList<LessonMenuItem>();

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java

@@ -53,7 +53,7 @@ public class LessonPlanService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.lang.String} object.
      */
-    @RequestMapping(value = "/lessonplan.mvc", produces = "application/html")
+    @RequestMapping(path = "/lessonplan.mvc", produces = "application/html")
     public @ResponseBody
     String showPlan(HttpSession session) {
         WebSession ws = getWebSession(session);

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java

@@ -24,7 +24,7 @@ public class LessonTitleService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.lang.String} object.
      */
-    @RequestMapping(value = "/lessontitle.mvc", produces = "application/html")
+    @RequestMapping(path = "/lessontitle.mvc", produces = "application/html")
     public @ResponseBody
     String showPlan(HttpSession session) {
         WebSession ws = getWebSession(session);

webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java

@@ -58,7 +58,7 @@ public class ParameterService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.util.List} object.
      */
-    @RequestMapping(value = "/parameter.mvc", produces = "application/json")
+    @RequestMapping(path = "/parameter.mvc", produces = "application/json")
     public @ResponseBody
     List<RequestParameter> showParameters(HttpSession session) {
         WebSession ws = getWebSession(session);

webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java

@@ -63,7 +63,7 @@ public class PluginReloadService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link org.springframework.http.ResponseEntity} object.
      */
-    @RequestMapping(value = "/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
+    @RequestMapping(path = "/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
     public @ResponseBody
     ResponseEntity<Map<String, Object>> reloadPlugins(HttpSession session) {
         WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);

webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java

@@ -47,7 +47,7 @@ public class RestartLessonService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.lang.String} object.
      */
-    @RequestMapping(value = "/restartlesson.mvc", produces = "text/text")
+    @RequestMapping(path = "/restartlesson.mvc", produces = "text/text")
     public @ResponseBody
     String restartLesson(HttpSession session) {
         WebSession ws = getWebSession(session);

webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java

@@ -32,7 +32,7 @@ public class SessionService extends BaseService {
      * @param request a {@link javax.servlet.http.HttpServletRequest} object.
      * @return a {@link java.lang.String} object.
      */
-    @RequestMapping(value = "/session.mvc", produces = "application/json")
+    @RequestMapping(path = "/session.mvc", produces = "application/json")
     public @ResponseBody
     String showSession(HttpServletRequest request, HttpSession session) {
         StringBuilder sb = new StringBuilder();

webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java

@@ -53,7 +53,7 @@ public class SolutionService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.lang.String} object.
      */
-    @RequestMapping(value = "/solution.mvc", produces = "text/html")
+    @RequestMapping(path = "/solution.mvc", produces = "text/html")
     public @ResponseBody
     String showSolution(HttpSession session) {
         WebSession ws = getWebSession(session);

webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java

@@ -57,7 +57,7 @@ public class SourceService extends BaseService {
      * @param session a {@link javax.servlet.http.HttpSession} object.
      * @return a {@link java.lang.String} object.
      */
-    @RequestMapping(value = "/source.mvc", produces = "application/text")
+    @RequestMapping(path = "/source.mvc", produces = "application/text")
     public @ResponseBody
     String showSource(HttpSession session) {
         WebSession ws = getWebSession(session);

webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java

@@ -3,10 +3,13 @@ package org.owasp.webgoat.session;
 import org.owasp.webgoat.HammerHead;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.plugins.LegacyLoader;
 import org.owasp.webgoat.plugins.Plugin;
 import org.owasp.webgoat.plugins.PluginsLoader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
 
 import javax.servlet.ServletContext;
 import java.io.File;
@@ -18,16 +21,6 @@ import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import javax.servlet.ServletContext;
-
-import org.owasp.webgoat.HammerHead;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.plugins.LegacyLoader;
-import org.owasp.webgoat.plugins.Plugin;
-import org.owasp.webgoat.plugins.PluginsLoader;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 /**
  *************************************************************************************************
@@ -63,7 +56,7 @@ public class Course {
 
     final Logger logger = LoggerFactory.getLogger(Course.class);
 
-    private final List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
+    private List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
 
     private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
 
@@ -262,7 +255,7 @@ public class Course {
      * Gets the lessons attribute of the Course object
      *
      * @param category Description of the Parameter
-     * @param role     Description of the Parameter
+     * @param roles     Description of the Parameter
      * @return The lessons value
      */
     private List<AbstractLesson> getLessons(Category category, List roles) {
@@ -322,15 +315,30 @@ public class Course {
         return null;
     }
 
+    public void setLessons(List<AbstractLesson> lessons) {
+        this.lessons = lessons;
+    }
+
     /**
      * <p>loadLessonFromPlugin.</p>
      *
      * @param context a {@link javax.servlet.ServletContext} object.
      */
     public void loadLessonFromPlugin(ServletContext context) {
+        Resource resource = new ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt");
+        String pluginPath = null;
+        String targetPath = null;
+        try {
+            pluginPath = resource.getFile().getParent();
+            targetPath = pluginPath;
+
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+
         logger.debug("Loading plugins into cache");
-        String pluginPath = context.getRealPath("plugin_lessons");
-        String targetPath = context.getRealPath("plugin_extracted");
+        //String pluginPath = context.getRealPath("plugin_lessons");
+        //String targetPath = context.getRealPath("plugin_extracted");
 
         if (pluginPath == null) {
             logger.error("Plugins directory {} not found", pluginPath);

webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatProperties.java

@@ -2,9 +2,9 @@ package org.owasp.webgoat.session;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
 
-import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.util.Properties;
 
@@ -57,12 +57,14 @@ public class WebgoatProperties extends Properties {
         if (propertiesFileName == null) {
             throw new IOException("Path to webgoat.properties is null, initialization must have failed");
         }
-        File propertiesFile = new File(propertiesFileName);
-        if (propertiesFile.exists() == false) {
-            throw new IOException("Unable to locate webgoat.properties at: " + propertiesFileName);
-        }
-        FileInputStream in = new FileInputStream(propertiesFile);
-        load(in);
+
+//        File propertiesFile = new File(propertiesFileName);
+//        if (propertiesFile.exists() == false) {
+//            throw new IOException("Unable to locate webgoat.properties at: " + propertiesFileName);
+//        }
+        Resource resource = new ClassPathResource("/webgoat.properties");
+        //FileInputStream in = new FileInputStream(propertiesFile);
+        load(resource.getInputStream());
     }
 
     /**

webgoat-container/src/main/java/org/owasp/webgoat/util/LabelProvider.java

@@ -7,7 +7,6 @@ import org.springframework.core.io.ResourceLoader;
 import org.springframework.core.io.UrlResource;
 import org.springframework.stereotype.Component;
 
-import javax.inject.Singleton;
 import java.net.MalformedURLException;
 import java.nio.file.Path;
 import java.util.Arrays;
@@ -47,7 +46,6 @@ import java.util.Locale;
  * @author dm
  */
 @Component
-@Singleton
 public class LabelProvider {
     /** Constant <code>DEFAULT_LANGUAGE="Locale.ENGLISH.getLanguage()"</code> */
     public final static String DEFAULT_LANGUAGE = Locale.ENGLISH.getLanguage();

webgoat-container/src/main/resources/application.properties

@@ -0,0 +1,11 @@
+#spring.mvc.view.prefix=/WEB-INF/jsp/
+#spring.mvc.view.suffix=.jsp
+#server.servlet-path=/*
+#server.jsp-servlet.class-name=org.apache.jasper.servlet.JspServlet
+#server.jsp-servlet.registered=true
+
+server.error.include-stacktrace=always
+logging.level.org.springframework=DEBUG
+logging.level.org.hibernate=ERROR
+spring.thymeleaf.cache=false
+security.enable-csrf=false