Initial commit of new spring-MVC/spring security/tiles-based functionality

git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@484 4033779f-a91e-0410-96ef-6bf7bf53c507
2012-09-11 00:26:09 +00:00
parent 65f73a5206
commit fb938e0933
17 changed files with 884 additions and 19 deletions
--- a/src/main/webapp/WEB-INF/spring-security.xml
+++ b/src/main/webapp/WEB-INF/spring-security.xml
@@ -0,0 +1,28 @@
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans
+	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+	http://www.springframework.org/schema/security
+	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+	<!--
+		PCS 8/27/2012
+		NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
+		That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
+	-->  
+    <http auto-config='true'>    	
+        <intercept-url pattern="/**" access="ROLE_USER" />
+        <http-basic/>
+    </http>
+
+    <!-- Authentication Manager -->
+    <authentication-manager alias="authenticationManager">
+        <authentication-provider>
+        	<user-service>
+        		<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
+            	<user name="guest" password="guest" authorities="ROLE_USER" />
+        	</user-service>
+    	</authentication-provider>
+    </authentication-manager>  
+    
+</beans:beans>