Initial commit of new spring-MVC/spring security/tiles-based functionality

git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@484 4033779f-a91e-0410-96ef-6bf7bf53c507
2012-09-11 00:26:09 +00:00 · 2012-09-11 00:26:09 +00:00 · fb938e0933
commit fb938e0933
parent 65f73a5206
17 changed files with 884 additions and 19 deletions
--- a/build.xml
+++ b/build.xml
@ -60,8 +60,8 @@
  	<property name="dist.home"     		   value="${app.home}/dist"/>
  	<property name="dist.owasp"     		   value="${app.home}/owasp_distributions"/>
  	<property name="install.home"     	   value="WebGoat-${app.version}"/>
-  	<property name="maven.war"     	   value="${basedir}/target/WebGoat-5.4-SNAPSHOT.war"/> <!-- UPDATE THIS! -->
-	<property name="maven.target"     	   value="${basedir}/target/WebGoat-5.4-SNAPSHOT"/> <!-- UPDATE THIS! -->
+  	<property name="maven.war"     	   value="${basedir}/target/WebGoat-6.0-SNAPSHOT.war"/> <!-- UPDATE THIS! -->
+	<property name="maven.target"     	   value="${basedir}/target/WebGoat-6.0-SNAPSHOT"/> <!-- UPDATE THIS! -->
 	<property name="maven.home"     	   value="C:/Program Files (x86)/apache/apache-maven-3.0.3"/> <!-- UPDATE THIS! -->
 	 <property name="java32.home"     	   value="C:/Program Files (x86)/Java/jre7"/> <!-- UPDATE THIS! -->
 	 <property name="java32.ubuntu.home"     	   value="C:/RTC/WebGoat/ubuntu_openjava_6_32"/> <!-- UPDATE THIS! -->
--- a/pom.xml
+++ b/pom.xml
@ -4,7 +4,7 @@
 	<groupId>WebGoat</groupId>
 	<artifactId>WebGoat</artifactId>
 	<packaging>war</packaging>
-	<version>5.4-SNAPSHOT</version>
+	<version>6.0-SNAPSHOT</version>
 	
 	<repositories>
 		<repository>
@ -13,7 +13,13 @@
 			<url>http://download.java.net/maven/2</url>
 		</repository>
 	</repositories>
-	
+    	
+  	<!-- Shared version number properties -->
+	<properties>
+    	<org.springframework.version>3.0.5.RELEASE</org.springframework.version>
+    	<spring.security.version>3.1.2.RELEASE</spring.security.version>
+    	<tiles.version>2.2.2</tiles.version>
+	</properties>	

 	<build>
 		<resources>
@ -149,14 +155,7 @@
 			<groupId>net.sourceforge.jtds</groupId>
 			<artifactId>jtds</artifactId>
 			<version>1.2.2</version>
-		</dependency>
-		
-		<dependency>
-			<groupId>javax.servlet</groupId>
-			<artifactId>servlet-api</artifactId>
-			<version>2.3</version>
-			<scope>provided</scope>
-		</dependency>
+		</dependency>	
 		<dependency>
 			<groupId>org.apache.tomcat</groupId>
 			<artifactId>tomcat-catalina</artifactId>
@ -164,5 +163,139 @@
 			<scope>provided</scope>
 		</dependency>

+
+		<!-- ************* spring MVC and related dependencies ************** -->
+
+		<!-- servlet API -->
+		<dependency>
+			<groupId>javax</groupId>
+			<artifactId>javaee-api</artifactId>
+			<version>6.0</version>
+			<scope>provided</scope>
+		</dependency>
+		
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-core</artifactId>
+			<version>${org.springframework.version}</version>
+		</dependency>
+
+	    <!-- Spring MVC framework --> 
+	    <dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-webmvc</artifactId>
+			<version>${org.springframework.version}</version>
+			<type>jar</type>			
+	    </dependency>
+	    
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-core</artifactId>
+			<version>${spring.security.version}</version>
+		</dependency>
+		
+		<dependency>
+        	<groupId>org.springframework.security</groupId>
+        	<artifactId>spring-security-config</artifactId>
+        	<version>${spring.security.version}</version>
+    	</dependency>
+    	
+		<dependency>
+        	<groupId>org.springframework.security</groupId>
+        	<artifactId>spring-security-web</artifactId>
+        	<version>${spring.security.version}</version>
+    	</dependency>    	
+
+		<!-- Apache Commons Upload --> 
+		<dependency>
+			<groupId>commons-fileupload</groupId>
+			<artifactId>commons-fileupload</artifactId>
+			<version>1.2.2</version>
+		</dependency>
+
+		<!-- Apache Commons Upload --> 
+		<dependency>
+			<groupId>commons-io</groupId>
+			<artifactId>commons-io</artifactId>
+			<version>1.3.2</version>
+		</dependency>
+
+		<!-- JSTL --> 
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>jstl</artifactId>
+			<version>1.2</version>
+		</dependency>
+
+		<dependency>
+			<groupId>taglibs</groupId>
+			<artifactId>standard</artifactId>
+			<version>1.1.2</version>
+		</dependency>
+		
+		<dependency>
+			<groupId>log4j</groupId>
+			<artifactId>log4j</artifactId>
+			<version>1.2.15</version>
+			<exclusions>
+			    <exclusion>
+					<groupId>javax.jms</groupId>
+					<artifactId>jms</artifactId>
+		    	</exclusion>
+		    	<exclusion>
+					<groupId>com.sun.jdmk</groupId>
+					<artifactId>jmxtools</artifactId>
+		    	</exclusion>
+		    	<exclusion>
+					<groupId>com.sun.jmx</groupId>
+					<artifactId>jmxri</artifactId>
+		    	</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>4.8.1</version>
+			<type>jar</type>
+		</dependency>
+	    <dependency>
+			<groupId>org.apache.tiles</groupId>
+			<artifactId>tiles-core</artifactId>
+			<version>${tiles.version}</version>
+			<type>jar</type>			
+	    </dependency>
+	    <dependency>
+			<groupId>org.apache.tiles</groupId>
+			<artifactId>tiles-template</artifactId>
+			<version>${tiles.version}</version>
+			<type>jar</type>			
+	    </dependency>
+	    <dependency>
+			<groupId>org.apache.tiles</groupId>
+			<artifactId>tiles-servlet</artifactId>
+			<version>${tiles.version}</version>
+			<type>jar</type>
+	    </dependency>
+	    <dependency>
+			<groupId>org.apache.tiles</groupId>
+			<artifactId>tiles-jsp</artifactId>
+			<version>${tiles.version}</version>
+			<type>jar</type>
+	    </dependency>    
+	    <dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-api</artifactId>
+			<version>1.5.8</version>
+			<type>jar</type>
+	    </dependency>        
+	    <dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-log4j12</artifactId>
+			<version>1.5.8</version>
+			<type>jar</type>
+	    </dependency>		
+		
+		<!-- ************* END spring MVC and related dependencies ************** -->
+		
 	</dependencies>
 </project>
--- a/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
@ -561,6 +561,20 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 		// Solutions are html files
 		return src;
 	}
+	
+	
+	/**
+	 * <p>Returns the default "path" portion of a lesson's URL.</p>
+	 * 
+	 * <p>Legacy webgoat lesson links are of the form "attack?Screen=Xmenu=Ystage=Z".
+	 * This method returns the path portion of the url, i.e., "attack" in the string above.</p>
+	 * 
+	 * <p>Newer, Spring-Controller-based classes will override this method
+	 * to return "*.do"-styled paths.</p>
+	 */
+	protected String getPath() {
+		return "attack";
+	}

 	/**
 	 * Get the link that can be used to request this screen.
@ -571,7 +585,8 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
 	{
 		StringBuffer link = new StringBuffer();

-		link.append("attack?");
+		// mvc update:
+		link.append(getPath()).append("?");
 		link.append(WebSession.SCREEN);
 		link.append("=");
 		link.append(getScreenId());
--- a/src/main/java/org/owasp/webgoat/lessons/HttpBasicsController.java
+++ b/src/main/java/org/owasp/webgoat/lessons/HttpBasicsController.java
@ -0,0 +1,107 @@
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.log4j.Logger;
+import org.owasp.webgoat.lessons.model.HttpBasicsModel;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.ModelMap;
+import org.springframework.web.bind.annotation.ModelAttribute;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ * <p>
+ * Handles the "HTTP Basics" lesson.  Contains all 
+ * mapping methods for that lesson as well as all helper methods
+ * used by those mappers.
+ * </p>
+ * 
+ */
+@Controller
+public class HttpBasicsController extends LessonAdapter {
+
+	protected static Logger logger = Logger.getLogger("controller");
+	
+	// [url] path used by this lesson 
+	private final String PAGE_PATH = "httpBasics.do";
+
+	// The (apache) tile used by this lesson, as specified in tiles-definitions.xml 
+	private String TILE_NAME = "http-basics";
+	
+	// ID attribute associated with the JSP's form.
+	private String FORM_NAME = "command";
+	
+	
+	/**
+	 * @see {@link org.owasp.webgoat.lessons.AbstractLesson#getPath()}
+	 * @see {@link org.owasp.webgoat.lessons.AbstractLesson#getLink()}
+	 */
+	protected String getPath() {
+		return PAGE_PATH;
+	}
+	   
+	/**
+	 * Handles GET requests for this lesson.
+	 * @return
+	 */
+    @RequestMapping(value = PAGE_PATH, method = RequestMethod.GET)
+    public ModelAndView displayPage() {
+    	return new ModelAndView(TILE_NAME, FORM_NAME, new HttpBasicsModel());
+    }
+    
+    /**
+     * Handles POST requests for this lesson.  Takes the user's name and displays 
+     * a reversed copy of it.
+     * 
+     * @param httpBasicsModel
+     * @param model
+     * @return
+     */
+    @RequestMapping(value = PAGE_PATH, method = RequestMethod.POST)
+    public ModelAndView processSubmit(
+    		@ModelAttribute("")HttpBasicsModel httpBasicsModel, ModelMap model) {
+    	
+    	StringBuffer personName = new StringBuffer(httpBasicsModel.getPersonName());
+    	httpBasicsModel.setPersonName(personName.reverse().toString());
+    	
+    	return new ModelAndView(TILE_NAME, FORM_NAME, httpBasicsModel);
+    }    
+    
+    
+	public Category getCategory()
+	{
+		return Category.GENERAL;
+	}
+
+	/**
+	 * Gets the hints attribute of the HelloScreen object
+	 * 
+	 * @return The hints value
+	 */
+	public List<String> getHints(WebSession s)
+	{
+		List<String> hints = new ArrayList<String>();
+		hints.add("Type in your name and press 'go'");
+		hints.add("Turn on Show Parameters or other features");
+		hints.add("Try to intercept the request with WebScarab");
+		hints.add("Press the Show Lesson Plan button to view a lesson summary");
+		hints.add("Press the Show Solution button to view a lesson solution");
+
+		return hints;
+	}
+
+	protected String getInstructions()
+	{
+		return null;
+	}
+
+	public String getTitle()
+	{
+		// TODO: GET RID OF THE "(Spring MVC)" BELOW LATER!!!!"
+		return "HTTP Basics (Spring MVC)";
+	}    
+}
--- a/src/main/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java
+++ b/src/main/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java
@ -0,0 +1,21 @@
+package org.owasp.webgoat.lessons.model;
+
+/**
+ * Model component for the Http Basics lesson.  Using a model
+ * for that simple lesson is architectural overkill.  We do it anyway
+ * for illustrative purposes - to demonstrate the pattern that we will 
+ * use for more complex lessons.
+ * 
+ */
+public class HttpBasicsModel {
+
+	private String personName;
+
+	public String getPersonName() {
+		return personName;
+	}
+
+	public void setPersonName(String personName) {
+		this.personName = personName;
+	}
+}
--- a/src/main/webapp/WEB-INF/mvc-dispatcher-servlet.xml
+++ b/src/main/webapp/WEB-INF/mvc-dispatcher-servlet.xml
@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:p="http://www.springframework.org/schema/p" 
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:mvc="http://www.springframework.org/schema/mvc"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans 
+	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+	   		http://www.springframework.org/schema/context
+	   		http://www.springframework.org/schema/context/spring-context-3.0.xsd
+			http://www.springframework.org/schema/mvc 
+			http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
+
+	<context:component-scan base-package="org.owasp.webgoat.lessons" />
+	
+	<!--
+	put custom validators here.  E.g.:
+	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
+	-->
+	
+	<!-- Activates various annotations to be detected in bean classes -->
+	<context:annotation-config />
+	
+	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
+	<mvc:annotation-driven /> 
+	
+	<!-- Import Tiles-related configuration -->
+	<import resource="tiles-context.xml" />
+	
+		
+	<!-- Declare a view resolver -->
+	<!-- Take note of the order. Since we're using TilesViewResolver as well 
+		 We need to define which ViewResolver is called first. 
+		 We chose this InternalResourceViewResolver to be at the bottom order -->
+	<bean 
+		id="viewResolver" 
+		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
+    	p:prefix="/WEB-INF/pages/" 
+    	p:suffix=".jsp" 
+    	p:order="1"/>
+    	
+	
+ 	<!-- Register the Customer.properties 
+	<bean id="messageSource"
+		class="org.springframework.context.support.ResourceBundleMessageSource">
+		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
+	</bean>
+	-->
+
+</beans>
--- a/src/main/webapp/WEB-INF/pages/layouts/genericLesson.jsp
+++ b/src/main/webapp/WEB-INF/pages/layouts/genericLesson.jsp
@ -0,0 +1,70 @@
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib uri="http://tiles.apache.org/tags-tiles" prefix="tiles"%>
+<%@ page 
+	language="java" 
+	contentType="text/html; charset=UTF-8"
+    pageEncoding="UTF-8"
+    import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*" 
+	errorPage=""
+	isELIgnored="false" %>
+	   
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+	<head>
+		<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
+		<title><tiles:insertAttribute name="title-content" /></title>
+		<link rel="stylesheet" href="css/webgoat.css" type="text/css" />
+		<link rel="stylesheet" href="css/lesson.css" type="text/css" />
+		<link rel="stylesheet" href="css/menu.css" type="text/css" />
+		<link rel="stylesheet" href="css/layers.css" type="text/css" />
+		<script language="JavaScript1.2" src="javascript/javascript.js" type="text/javascript"></script>
+		<script language="JavaScript1.2" src="javascript/menu_system.js" type="text/javascript"></script>
+		<script language="JavaScript1.2" src="javascript/lessonNav.js" type="text/javascript"></script>
+		<script language="JavaScript1.2" src="javascript/makeWindow.js" type="text/javascript"></script>
+		<script language="JavaScript1.2" src="javascript/toggle.js" type="text/javascript"></script>
+	</head>
+	
+	<body>
+		<%
+		Course course = ((Course)session.getAttribute("course"));
+		WebSession webSession = ((WebSession)session.getAttribute("websession"));
+		
+		// pcs 8/29/2012 - HACK  
+		// 
+		// Legacy lessons result in a call to WebSession.update().  Among other things, that call
+		// sets the previous and current screens.  The latter determines the title that is displayed 
+		// in the webgoat banner.  
+		//
+		// The new Spring-MVC jsps, among which is this genericLesson.jsp, are loaded via our dispatcher servlet
+		// and does not pass through the code path that results in that update() call.  
+		// 
+		// As a result, we must call update() explicitly here.  If we refactor away that legacy code as part
+		// of webgoat 6 development, we will need to get rid of the call below.
+		//
+		webSession.update(request, response, "genericLesson");
+		AbstractLesson currentLesson = webSession.getCurrentLesson();
+		%>
+		
+		<div id="header-style"><tiles:insertAttribute name="header-content" /></div>
+		<div><tiles:insertAttribute name="menu-content" /></div>
+		<div id="lessonTitle" align="right"><%= currentLesson.getTitle() %></div>
+		<div id="primary-style"">
+			<div id="lessonArea">			
+				<tiles:insertAttribute name="hints-params-cookies" />
+				<div id="twoCol">
+			 	 	<div id="menuSpacer"></div>
+			 	 	<div id="lessonAreaTop">	 	 	
+					    <div id="training_wrap">
+							<div id="training" class="info"><a href="http://yehg.net/lab/pr0js/training/webgoat.php" target="_blank"><%=WebGoatI18N.get("SolutionVideos")%></a></div>
+							<div id="reset" class="info"><a href="<%=webSession.getRestartLink()%>"><%=WebGoatI18N.get("RestartLesson")%></a></div>
+						</div>
+					</div>
+				</div>	
+				<div id="lessonContent">
+					<tiles:insertAttribute name="primary-content" />
+				</div>
+			</div>
+		</div>	
+		<div id="footer-style"><tiles:insertAttribute name="footer-content" /></div>
+	</body>
+</html>
--- a/src/main/webapp/WEB-INF/pages/lessons/httpBasics.jsp
+++ b/src/main/webapp/WEB-INF/pages/lessons/httpBasics.jsp
@ -0,0 +1,77 @@
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib uri="http://tiles.apache.org/tags-tiles" prefix="tiles"%>
+<%@taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
+<%@ page 
+	language="java" 
+	contentType="text/html; charset=UTF-8"
+    pageEncoding="UTF-8"
+    import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson" 
+	errorPage=""
+	isELIgnored="false" %>
+	 
+ <div id="lessonPlans" style="visibility:hidden; height:1px; position:absolute; left:260px; top:130px; width:425px; z-index:105;">
+ 	<div align="Center"> 
+		<p><b>Lesson Plan Title:</b> Http Basics </p>
+		</div>
+		<p><b>Concept / Topic To Teach:</b> </p>
+	This lesson presents the basics for understanding the transfer of data between the browser and the web application.<br>
+	
+	<div align="Left"> 
+		<p>
+			<b>How HTTP works:</b>
+		</p>
+		All HTTP transactions follow the same general format. Each client request and server response has three parts:  the request or response line, a header section, and the entity body. The client initiates a transaction as follows: <br>
+		<br>
+		The client contacts the server and sends a document request <br>
+	</div>
+	<br>
+
+	<ul>GET /index.html?param=value HTTP/1.0</ul>
+	Next, the client sends optional header information to inform the server of its configuration and the document formats it will accept.<br>
+	<br>
+	<ul>User-Agent: Mozilla/4.06 Accept: image/gif,image/jpeg, */*</ul>
+	After sending the request and headers, the client may send additional data. This data is mostly used by CGI programs using the POST method.<br>
+	<p><b>General Goal(s):</b> </p>
+	<%-- Start Instructions --%>	
+	Enter your name in the input field below and press "go" to submit. The server will accept the request, reverse the input, and display it back to the user, illustrating the basics of handling an HTTP request.
+	<br/><br/>
+	The user should become familiar with the features of WebGoat by manipulating the above 
+	buttons to view hints, show the HTTP request parameters, the HTTP request cookies, and the Java source code. You may also try using WebScarab for the first time.
+	<%-- Stop Instructions --%>
+
+	<br/>
+	<br/>
+	<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)">Close this Window</a>
+</div>
+ 
+ 
+<%
+	Course course = ((Course)session.getAttribute("course"));
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+%>	 
+ 
+ <%--
+	This form posts to httpBasics.do.  However, we must append the "menu" request parameter in order
+	for the current submenu to display properly, hence the getLink() call to build the form's 
+	action attribute below. 
+  --%>
+ <form:form method="POST" action="<%= webSession.getCurrentLesson().getLink() %>">
+ 	<p>
+ 		Enter your name in the input field below and press "go" to submit. 
+ 		The server will accept the request, reverse the input, and display it back to the user, 
+ 		illustrating the basics of handling an HTTP request.
+ 	</p> 
+		
+	<p>
+		The user should become familiar with the features of WebGoat by manipulating 
+		the above buttons to view hints, show the HTTP request parameters, 
+		the HTTP request cookies, and the Java source code. 
+		You may also try using WebScarab for the first time.
+	</p>
+
+	<p>
+		Enter your name: 
+		<form:input path="personName" />
+		<input name="SUBMIT" type="SUBMIT" value="Go!"/>
+	</p>
+</form:form>
--- a/src/main/webapp/WEB-INF/pages/sections/footer.jsp
+++ b/src/main/webapp/WEB-INF/pages/sections/footer.jsp
@ -0,0 +1,7 @@
+<div id="bottom">
+	<div align="center">
+		<a href="http://www.owasp.org">OWASP Foundation</a> | 
+		<a href="http://www.owasp.org/index.php/OWASP_WebGoat_Project">Project WebGoat</a> | 
+		<a href="reportBug.jsp">Report Bug</a>
+	</div>
+</div>
--- a/src/main/webapp/WEB-INF/pages/sections/header.jsp
+++ b/src/main/webapp/WEB-INF/pages/sections/header.jsp
@ -0,0 +1,2 @@
+<div id="top"/>
+<div id="topLeft">
--- a/src/main/webapp/WEB-INF/pages/sections/hintsParamsAndCookies.jsp
+++ b/src/main/webapp/WEB-INF/pages/sections/hintsParamsAndCookies.jsp
@ -0,0 +1,45 @@
+<%@ page 
+	language="java" 
+	contentType="text/html; charset=UTF-8"
+    pageEncoding="UTF-8"
+    import="java.util.Iterator, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*" 
+	errorPage=""
+	isELIgnored="false" %>
+
+<%
+Course course = ((Course)session.getAttribute("course"));
+WebSession webSession = ((WebSession)session.getAttribute("websession"));
+AbstractLesson currentLesson = webSession.getCurrentLesson();
+
+if (webSession.getHint() != null)
+{
+%>
+	<div id="hint" class="info"> <%= webSession.getHint() %> </div><br>
+<%	
+}
+
+if (webSession.getParams() != null)
+{
+	Iterator i = webSession.getParams().iterator();
+	while (i.hasNext())
+	{
+		Parameter p = (Parameter) i.next();
+%>		
+		<div id="parameter" class="info"> <%= p.getName()%> = <%= p.getValue() %></div><br>
+<%		
+	}
+}
+
+
+if (webSession.getCookies() != null)
+{
+	Iterator i = webSession.getCookies().iterator();
+	while (i.hasNext())
+	{
+		Cookie c = (Cookie) i.next();
+%>		
+		<div id="cookie" class="info"> <%= c.getName() %> <img src="images/icons/rightArrow.jpg" alt="\"><%= c.getValue() %></div><br>
+<%
+	}
+}
+%>
--- a/src/main/webapp/WEB-INF/pages/sections/menu.jsp
+++ b/src/main/webapp/WEB-INF/pages/sections/menu.jsp
@ -0,0 +1,202 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.Category, org.owasp.webgoat.lessons.AbstractLesson, org.owasp.webgoat.util.*, java.util.*" 
+	errorPage=""  %>
+<%
+Course course = ((Course)session.getAttribute("course"));
+WebSession webSession = ((WebSession)session.getAttribute("websession"));
+AbstractLesson currentLesson = webSession.getCurrentLesson();
+%>
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<%@page import="org.owasp.webgoat.lessons.RandomLessonAdapter"%>
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+
+<%
+final String menuPrefix = WebSession.MENU;
+final String submenuPrefix = "submenu";
+final String mbutPrefix = "mbut";
+String printHint = "";
+String printParameters = "";
+String printCookies = "";
+String lessonComplete = "<img src=\"images/buttons/lessonComplete.jpg\">";
+
+List categories = course.getCategories();
+
+StringBuffer buildList = new StringBuffer();
+
+	Iterator iter1 = categories.iterator();
+    while(iter1.hasNext())
+    {
+        Category category = (Category)iter1.next();
+        
+        buildList.append("'");
+        buildList.append(menuPrefix);
+        buildList.append(category.getRanking());
+        buildList.append("','");
+        buildList.append(submenuPrefix);
+        buildList.append(category.getRanking());
+        buildList.append("','");
+        buildList.append(mbutPrefix);
+        buildList.append(category.getRanking());
+        buildList.append("'");
+        
+        if (iter1.hasNext())
+        		buildList.append(",");
+    }%>
+<body class="page" onload="setMenuMagic1(10,40,10,'menubottom',<%=buildList%>);trigMM1url('<%= menuPrefix %>',1);MM_preloadImages('images/buttons/hintLeftOver.jpg','images/buttons/hintOver.jpg','images/buttons/hintRightOver.jpg','images/buttons/paramsOver.jpg','images/buttons/htmlOver.jpg','images/buttons/cookiesOver.jpg','images/buttons/javaOver.jpg','images/buttons/plansOver.jpg','images/buttons/logout.jpg','images/buttons/helpOver.jpg'); initIframe();">
+
+	<div id="wrap">
+	<%
+	int topCord = 140;
+	int zIndex = 105;
+	
+		Iterator iter2 = categories.iterator();
+		while(iter2.hasNext())
+		{
+		    Category category = (Category)iter2.next();
+		%>
+		<div id="<%=menuPrefix + category.getRanking()%>" style="position:absolute; left:30px; top:<%=topCord%>px; width:160px; z-index:<%=zIndex%>"><a href="javascript:;" onclick="trigMenuMagic1('<%=menuPrefix + category.getRanking()%>',1);return false" onfocus="if(this.blur)this.blur()"><img src="images/menu_images/1x1.gif" width="1" height=1"20" name="mbut<%=category.getRanking()%>" border="0" alt=""/><%=category.getName()%></a></div>
+		<%
+		topCord=topCord + 30;
+		zIndex=zIndex + 1;
+		}
+		
+			int topSubMenu = 72;
+		
+			Iterator iter3 = categories.iterator();
+			while(iter3.hasNext())
+			{		    
+			    	Category category = (Category)iter3.next();
+				List lessons = webSession.getLessons(category);
+			    Iterator iter4 = lessons.iterator();
+			%>    
+		<div id="submenu<%=category.getRanking()%>" class="pviimenudiv" style="position:absolute; left:200px; top:<%=topSubMenu%>px; width:150px; visibility: hidden; z-index:<%=zIndex%>">
+	  		<table width="150" border="0" cellspacing="6" cellpadding="0"><%
+
+	  		topSubMenu=topSubMenu+30;
+			zIndex=zIndex + 1;
+			
+		  	while(iter4.hasNext())
+			{		  	    
+		    		AbstractLesson lesson = (AbstractLesson)iter4.next();
+		    
+			%><tr>
+	      		<td><%=(lesson.isCompleted(webSession) ? lessonComplete : "")%><a href="<%=lesson.getLink()%>"><%=lesson.getTitle()%></a></td>
+	    		</tr>
+	    		<% if (lesson instanceof RandomLessonAdapter) {
+					RandomLessonAdapter rla = (RandomLessonAdapter) lesson;
+					String[] stages = rla.getStages();
+					if (stages != null)
+					for (int i=0; i<stages.length; i++) {
+	    		%>
+			    		<tr><td class="pviimenudivstage"><%=(rla.isStageComplete(webSession, stages[i]) ? lessonComplete : "")%><a href="<%=lesson.getLink() + "&stage=" + (i+1) %>">Stage <%=i+1%>: <%=stages[i] %></a>
+						</td></tr>
+				<% 
+					}
+				}
+				%>
+			<%
+			}
+			%>
+	  		</table>
+		</div><%
+			}%>
+		<div id="top"></div>
+		<div id="topLeft">
+		<div align="left">
+		<% if (currentLesson.getAvailableLanguages().size() != 0 ) 
+		{
+		%>
+		<form method="get" action="attack" style="display: inline;">
+		Choose another language: <select name="language" size="1"
+			onChange="changeLanguage();">
+			<%
+					  			for(String lang: currentLesson.getAvailableLanguages()){
+					  				%>
+			<option value="<%=lang%>"
+				<% if(webSession.getCurrrentLanguage().equals(lang)) out.println("selected" );%>><%=lang%>
+			</option>
+			<%
+					  					
+					  			}
+			%>
+		</select></form>
+		<%
+		} else {
+		%>
+			Internationalization is not available for this lesson
+		<%
+		}
+		%>
+		</div></div>
+		<div align="right" id="topRight">
+		<a href="attack?action=Logout" onmouseout="MM_swapImgRestore()"
+			onmouseover="MM_swapImage('logout','','images/buttons/logoutOver.jpg',1)"><img
+			src="images/buttons/logout.jpg" alt="LogOut" name="logout" width="45"
+			height="22" border="0" id="logout" /></a> <a href="#getFAQ()"
+			onmouseout="MM_swapImgRestore()"
+			onmouseover="MM_swapImage('help','','images/buttons/helpOver.jpg',1)"><img
+			src="images/buttons/help.jpg" alt="Help" name="help" width="22"
+			height="22" border="0" id="help" /></a>
+		</div>
+			<div id="hMenuBar">
+				<% 
+				if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWHINTS))
+				{
+				%>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=PreviousHint" target="_top" onclick="MM_nbGroup('down','group1','hintLeft','',1)" 
+				onmouseover="MM_nbGroup('over','hintLeft','images/buttons/hintLeftOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/hintLeft.jpg" alt="Previous Hint" name="hintLeft" width="20" height="20" border="0" id="hintLeft"/>
+				</a>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=NextHint" target="_top" onclick="MM_nbGroup('down','group1','hint','',1)" 
+				onmouseover="MM_nbGroup('over','hint','images/buttons/hintOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/hint.jpg" alt="Hints" name="hint" width="35" height="20" border="0" id="hint"/>
+				</a>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=NextHint" target="_top" onclick="MM_nbGroup('down','group1','hintRight','',1)" 
+				onmouseover="MM_nbGroup('over','hintRight','images/buttons/hintRightOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/hintRight.jpg" alt="Next Hint" name="hintRight" width="20" height="20" border="0" id="hintRight"/>
+				</a>
+				<%}%>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Params" target="_top" onclick="MM_nbGroup('down','group1','params','',1)" 
+				onmouseover="MM_nbGroup('over','params','images/buttons/paramsOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/params.jpg" alt="Show Params" name="<%= webSession.getCurrentLesson().getLink() %>&show=Params" width="87" height="20" border="0" id="params"/>
+				</a>
+				<a href="<%= webSession.getCurrentLesson().getLink() %>&show=Cookies" target="_top" onclick="MM_nbGroup('down','group1','cookies','',1)" 
+				onmouseover="MM_nbGroup('over','cookies','images/buttons/cookiesOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/cookies.jpg" alt="Show Cookies" name="cookies" width="99" height="20" border="0" id="cookies"/>
+				</a>
+				<a href="javascript:toggle('lessonPlans')" target="_top" onclick="MM_nbGroup('down','group1','plans','',1)" 
+				onmouseover="MM_nbGroup('over','plans','images/buttons/plansOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/plans.jpg" alt="Lesson Plans" width="89" height="20" border="0" id="plans"/>
+				</a>
+				<% 
+				if (webSession.isAuthorizedInLesson(webSession.getRole(), WebSession.SHOWSOURCE))
+				{
+				%>
+				<a href="source" onclick="makeWindow(this.href+ '?source=true', 'Java Source');return false;" target="javaWin"
+				onmouseover="MM_nbGroup('over','java','images/buttons/javaOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/java.jpg" alt="Show Java" name="java" width="75" height="20" border="0" id="java"/>
+				</a>
+				<a href="source" onclick="makeWindow(this.href + '?solution=true', 'Java Solution');return false;" target="javaWin"
+				onmouseover="MM_nbGroup('over','solutions','images/buttons/solutionsOver.jpg','',1)" 
+				onmouseout="MM_nbGroup('out')">
+				<img src="images/buttons/solutions.jpg" alt="Show Solution" name="solutions" width="73" height="20" border="0" id="solutions"/>
+				</a>
+				<%}%>
+								
+			</div>
+			<div id="twoCol">
+	 	 	<div id="menuSpacer"></div>
+
+	  	</div>
+	</div>
+</body>
+</html>
--- a/src/main/webapp/WEB-INF/spring-security.xml
+++ b/src/main/webapp/WEB-INF/spring-security.xml
@ -0,0 +1,28 @@
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans
+	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+	http://www.springframework.org/schema/security
+	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+	<!--
+		PCS 8/27/2012
+		NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
+		That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
+	-->  
+    <http auto-config='true'>    	
+        <intercept-url pattern="/**" access="ROLE_USER" />
+        <http-basic/>
+    </http>
+
+    <!-- Authentication Manager -->
+    <authentication-manager alias="authenticationManager">
+        <authentication-provider>
+        	<user-service>
+        		<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
+            	<user name="guest" password="guest" authorities="ROLE_USER" />
+        	</user-service>
+    	</authentication-provider>
+    </authentication-manager>  
+    
+</beans:beans>
--- a/src/main/webapp/WEB-INF/tiles-context.xml
+++ b/src/main/webapp/WEB-INF/tiles-context.xml
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+	xmlns:p="http://www.springframework.org/schema/p" 
+	xsi:schemaLocation="
+		http://www.springframework.org/schema/beans 
+		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
+
+	<!--
+	Note: 
+		Spring 3.0 requires Tiles 2.1.2 or above, with explicit support for Tiles 2.2. 
+		Tiles 2.1's EL support will be activated by default when running on JSP 2.1 or above 
+		and when the Tiles EL module is present in the classpath. 
+	
+	See: 
+		JIRA report for TilesViewResolver 2: https://jira.springsource.org/browse/SPR-5689
+		Apache Tiles 2: http://tiles.apache.org/
+	-->
+	
+	<!-- Convenience subclass of UrlBasedViewResolver that supports TilesView (i.e. Tiles definitions) and custom subclasses of it. -->
+	<!-- Don't forget to set the order if you declared other ViewResolvers -->
+	<!-- See http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/servlet/view/tiles2/TilesViewResolver.html  -->
+	<bean id="tilesviewResolver" class="org.springframework.web.servlet.view.tiles2.TilesViewResolver" 
+			p:order="0"/>
+	
+	<!-- Helper class to configure Tiles 2.x for the Spring Framework -->
+	<!-- See http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/servlet/view/tiles2/TilesConfigurer.html -->
+	<!-- The actual tiles templates are in the tiles-definitions.xml -->
+	<bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
+		<property name="definitions">
+			<list>
+				<value>/WEB-INF/tiles-definitions.xml</value>
+			</list>
+		</property>
+	</bean> 
+	
+</beans>
--- a/src/main/webapp/WEB-INF/tiles-definitions.xml
+++ b/src/main/webapp/WEB-INF/tiles-definitions.xml
@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE tiles-definitions PUBLIC 
+	"-//Apache Software Foundation//DTD Tiles Configuration 2.1//EN" 
+	"http://tiles.apache.org/dtds/tiles-config_2_1.dtd">       
+<tiles-definitions>
+
+    <!-- template for generic lessons -->
+	<definition name="generic-lesson" template="/WEB-INF/pages/layouts/genericLesson.jsp">
+		<put-attribute name="header-content" value="/WEB-INF/pages/sections/header.jsp" />
+		<put-attribute name="title-content" cascade="true" value="" />
+		<put-attribute name="menu-content" value="/WEB-INF/pages/sections/menu.jsp" />
+		<put-attribute name="hints-params-cookies" value="/WEB-INF/pages/sections/hintsParamsAndCookies.jsp" />
+		<put-attribute name="primary-content" value="" />
+		<put-attribute name="footer-content" value="/WEB-INF/pages/sections/footer.jsp" />
+	</definition>
+	
+	<!-- vulnerability-specific lesson pages -->
+	<definition name="http-basics" extends="generic-lesson">
+		<put-attribute name="title-content" cascade="true" value="HTTP Basics"/>
+		<put-attribute name="primary-content" value="/WEB-INF/pages/lessons/httpBasics.jsp" />
+	</definition>	
+	
+</tiles-definitions>
--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="ISO-8859-1"?>
-<!DOCTYPE web-app 
-    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" 
-    "http://java.sun.com/dtd/web-app_2_3.dtd">
-
-<web-app>
+<web-app 
+    xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+    version="2.5">

    <!-- General description of your web application -->
    <display-name>WebGoat</display-name>
@ -42,6 +42,16 @@
        and comments about this application should be addressed.
      </description>
    </context-param>
+    
+    <!-- spring MVC -->
+  	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>
+			/WEB-INF/mvc-dispatcher-servlet.xml,
+			/WEB-INF/spring-security.xml
+		</param-value>
+  	</context-param>
+  

    <!-- Servlet definitions for the servlets that make up
         your web application, including initialization
@ -201,6 +211,42 @@
 	 <servlet-name>conf</servlet-name>
 	 <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
    </servlet>
+    
+    
+    <!-- spring MVC -->
+  <servlet>
+  	<servlet-name>mvc-dispatcher</servlet-name>
+    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <servlet-mapping>
+ 	<servlet-name>mvc-dispatcher</servlet-name>
+    <url-pattern>*.do</url-pattern>
+  </servlet-mapping>
+  
+  <listener>
+    <listener-class>
+      org.springframework.web.context.ContextLoaderListener
+    </listener-class>
+  </listener>
+  <!-- end spring MVC --> 
+
+  <!-- spring security -->
+  <filter>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+  </filter>
+
+  <filter-mapping>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+  <!-- end spring security -->
+   
+
+    
+    
    <!-- Define mappings that are used by the servlet container to
         translate a particular request URI (context-relative) to a
         particular servlet.  The examples below correspond to the
@ -267,6 +313,8 @@
      <servlet-name>conf</servlet-name>
      <url-pattern>/conf</url-pattern>
    </servlet-mapping>
+    
+    

    <!-- Define the default session timeout for your application,
         in minutes.  From a servlet or JSP page, you can modify
@ -320,7 +368,7 @@
 	       <role-name>server_admin</role-name>
 	    </auth-constraint>
 	</security-constraint>
-	
+   
 	
 	<!-- Login configuration uses BASIC authentication -->
 	<login-config>
--- a/src/main/webapp/images/header/header.jpg
+++ b/src/main/webapp/images/header/header.jpg