chore: release version 2023.4

.github/dependabot.yml

@@ -1,15 +1,7 @@
 version: 2
 updates:
+  # Maintain dependencies for GitHub Actions
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-            interval: "weekly"
+      interval: "daily"
-    -   package-ecosystem: "maven"
-        directory: "/"
-        schedule:
-            interval: "weekly"
-    -   package-ecosystem: "docker"
-        directory: "/"
-        schedule:
-            interval: "weekly"
-

.github/workflows/build.yml

@@ -27,7 +27,7 @@ jobs:
                     java-version: 17
                     architecture: x64
             -   name: Cache Maven packages
-                uses: actions/cache@v3.3.1
+                uses: actions/cache@v3.2.5
                 with:
                     path: ~/.m2
                     key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -36,13 +36,13 @@ jobs:
                 run: mvn --no-transfer-progress verify
             -   name: "Set up QEMU"
                 if: runner.os == 'Linux'
-                uses: docker/setup-qemu-action@v2.2.0
+                uses: docker/setup-qemu-action@v2.1.0
             -   name: "Set up Docker Buildx"
                 if: runner.os == 'Linux'
                 uses: docker/setup-buildx-action@v2
             -   name: "Verify Docker WebGoat build"
                 if: runner.os == 'Linux'
-                uses: docker/build-push-action@v4.1.1
+                uses: docker/build-push-action@v4.0.0
                 with:
                     context: ./
                     file: ./Dockerfile
@@ -50,7 +50,7 @@ jobs:
                     build-args: |
                         webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
             -   name: "Verify Docker WebGoat desktop build"
-                uses: docker/build-push-action@v4.1.1
+                uses: docker/build-push-action@v4.0.0
                 if: runner.os == 'Linux'
                 with:
                     context: ./

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v3.3.1
+        uses: actions/cache@v3.2.5
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -44,7 +44,7 @@ jobs:
           files: |
             target/webgoat-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
           body: |
-           ## Version ${{ github.ref_name }} 
+            ## Version ${{ steps.tag.outputs.tag }}
 
             ### New functionality
 
@@ -54,7 +54,7 @@ jobs:
 
             - [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
               
-            Full change log: https://github.com/WebGoat/WebGoat/compare/${{ github.ref_name }}...${{ github.ref_name }}  
+            Full change log: https://github.com/WebGoat/WebGoat/compare/${{ steps.tag.outputs.tag }}...${{ steps.tag.outputs.tag }}  
 
 
             ## Contributors
@@ -72,7 +72,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Set up QEMU"
-        uses: docker/setup-qemu-action@v2.2.0
+        uses: docker/setup-qemu-action@v2.1.0
         with:
           platforms: all
 
@@ -80,13 +80,13 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: "Login to dockerhub"
-        uses: docker/login-action@v2.2.0
+        uses: docker/login-action@v2.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: "Build and push WebGoat"
-        uses: docker/build-push-action@v4.1.1
+        uses: docker/build-push-action@v4.0.0
         with:
           context: ./
           file: ./Dockerfile
@@ -99,12 +99,12 @@ jobs:
             webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
 
       - name: "Build and push WebGoat desktop"
-        uses: docker/build-push-action@v4.1.1
+        uses: docker/build-push-action@v4.0.0
         with:
           context: ./
           file: ./Dockerfile_desktop
           push: true
-          platforms: linux/amd64, linux/arm64
+          platforms: linux/amd64, linux/arm64, linux/arm/v7
           tags: |
             webgoat/webgoat-desktop:${{ env.WEBGOAT_TAG_VERSION }}
             webgoat/webgoat-desktop:latest
@@ -123,7 +123,6 @@ jobs:
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
-          distribution: 'temurin'
           java-version: 17
           architecture: x64
 

.github/workflows/test.yml

@@ -37,7 +37,7 @@ jobs:
                     architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             -   name: Cache Maven packages
-                uses: actions/cache@v3.3.1
+                uses: actions/cache@v3.2.5
                 with:
                     path: ~/.m2
                     key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
@@ -48,8 +48,6 @@ jobs:
                         robotframework
                         robotframework-SeleniumLibrary
                         webdriver-manager
-                        selenium==4.9.1
-                    # TODO https://github.com/robotframework/SeleniumLibrary/issues/1835
             -   name: Run with Maven
                 run: mvn --no-transfer-progress spring-boot:run &
             -   name: Wait to start
@@ -61,7 +59,7 @@ jobs:
             # send report to forks only due to limits on permission tokens
             -   name: Send report to commit
                 if: github.repository != 'WebGoat/WebGoat' && github.event_name == 'push'
-                uses: joonvena/robotframework-reporter-action@v2.2
+                uses: joonvena/robotframework-reporter-action@v2.1
                 with:
                     gh_access_token: ${{ secrets.GITHUB_TOKEN }}
                     report_path: 'robotreport'

CONTRIBUTING.md

@@ -3,7 +3,6 @@
 [![GitHub contributors](https://img.shields.io/github/contributors/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/graphs/contributors)
 ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/WebGoat/WebGoat/help%20wanted.svg)
 ![GitHub issues by-label "good first issue"](https://img.shields.io/github/issues/WebGoat/WebGoat/good%20first%20issue.svg)
-[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 
 This document describes how you can contribute to WebGoat. Please read it carefully.
 
@@ -42,19 +41,6 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 
 ### Write a good commit message
 
-* We use [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and use the following types:
-
-  - fix:
-  - feat:
-  - build:
-  - chore:
-  - ci:
-  - docs:
-  - refactor:
-  - test:
-
-  Using this style of commits makes it possible to create our release notes automatically.
-
 * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d)
 
 * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message.

Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/eclipse-temurin:19-jre-focal
+FROM docker.io/eclipse-temurin:17-jre-focal
 LABEL NAME = "WebGoat: A deliberately insecure Web Application"
 MAINTAINER "WebGoat team"
 
@@ -27,8 +27,6 @@ ENTRYPOINT [ "java", \
    "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
    "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "--add-opens", "java.base/java.util=ALL-UNNAMED", \
-   "--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
-   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "-Drunning.in.docker=true", \
    "-Dwebgoat.host=0.0.0.0", \
    "-Dwebwolf.host=0.0.0.0", \

Dockerfile_desktop

@@ -10,17 +10,12 @@ COPY config/desktop/start_zap.sh /config/start_zap.sh
 COPY config/desktop/WebGoat.txt /config/Desktop/
 
 RUN \
- case $(uname -m) in \
-  x86_64) ARCH=x64;; \
-  aarch64) ARCH=aarch64;; \
-  *) ARCH=unknown;; \
- esac && \
  curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \
  tar zfxv ZAP_2.12.0_Linux.tar.gz && \
  rm -rf ZAP_2.12.0_Linux.tar.gz && \
- curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
+ curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
- tar zfxv OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
+ tar zfxv OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
- rm -rf OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
+ rm -rf OpenJDK17U-jre_aarch64_linux_hotspot_17.0.6_10.tar.gz && \
  chmod +x /config/start_webgoat.sh && \
  chmod +x /config/start_zap.sh && \
  apt-get update &&  \

FAQ.md

@@ -1,8 +0,0 @@
-# FAQ for development
-
-## Introduction
-
-### Integration tests fail
-
-Try to run the command in the console `java -jar ...` and remove `-Dlogging.pattern.console=` from the command line.
-

README.md

@@ -6,7 +6,6 @@
 [![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 [![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Discussions](https://img.shields.io/github/discussions/WebGoat/WebGoat)](https://github.com/WebGoat/WebGoat/discussions)
-[![Conventional Commits](https://img.shields.io/badge/Conventional%20Commits-1.0.0-%23FE5196?logo=conventionalcommits&logoColor=white)](https://conventionalcommits.org)
 
 # Introduction
 

pom.xml

@@ -1,16 +1,16 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>3.1.0</version>
+    <version>2.7.1</version>
   </parent>
-
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>2023.5-SNAPSHOT</version>
+  <version>2023.4</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>
@@ -27,7 +27,6 @@
       <url>https://www.gnu.org/licenses/gpl-2.0.txt</url>
     </license>
   </licenses>
-
   <developers>
     <developer>
       <id>mayhew64</id>
@@ -95,6 +94,7 @@
       <archive>http://lists.owasp.org/pipermail/owasp-webgoat/</archive>
     </mailingList>
   </mailingLists>
+
   <scm>
     <connection>scm:git:git@github.com:WebGoat/WebGoat.git</connection>
     <developerConnection>scm:git:git@github.com:WebGoat/WebGoat.git</developerConnection>
@@ -108,46 +108,44 @@
   </issueManagement>
 
   <properties>
+
     <!-- Shared properties with plugins and version numbers across submodules-->
-    <asciidoctorj.version>2.5.10</asciidoctorj.version>
+    <asciidoctorj.version>2.5.3</asciidoctorj.version>
-    <!-- Upgrading needs UI work in WebWolf -->
     <bootstrap.version>3.3.7</bootstrap.version>
-    <cglib.version>3.3.0</cglib.version>
+    <cglib.version>2.2</cglib.version>
     <!-- do not update necessary for lesson -->
-    <checkstyle.version>3.3.0</checkstyle.version>
+    <checkstyle.version>3.1.2</checkstyle.version>
     <commons-collections.version>3.2.1</commons-collections.version>
-    <commons-io.version>2.11.0</commons-io.version>
+    <commons-io.version>2.6</commons-io.version>
     <commons-lang3.version>3.12.0</commons-lang3.version>
-    <commons-text.version>1.10.0</commons-text.version>
+    <commons-text.version>1.9</commons-text.version>
-    <guava.version>32.1.1-jre</guava.version>
+    <guava.version>30.1-jre</guava.version>
-    <jacoco.version>0.8.10</jacoco.version>
     <java.version>17</java.version>
-    <jaxb.version>2.3.1</jaxb.version>
     <jjwt.version>0.9.1</jjwt.version>
-    <jose4j.version>0.9.3</jose4j.version>
+    <jose4j.version>0.7.6</jose4j.version>
-    <jquery.version>3.6.4</jquery.version>
+    <jquery.version>3.5.1</jquery.version>
-    <jsoup.version>1.16.1</jsoup.version>
+    <jsoup.version>1.14.3</jsoup.version>
     <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
     <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
     <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
     <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
     <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-    <maven-surefire-plugin.version>3.1.2</maven-surefire-plugin.version>
+    <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
     <maven.compiler.source>17</maven.compiler.source>
     <maven.compiler.target>17</maven.compiler.target>
     <pmd.version>3.15.0</pmd.version>
     <!-- Use UTF-8 Encoding -->
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
+    <thymeleaf.version>3.0.15.RELEASE</thymeleaf.version>
-    <webdriver.version>5.3.2</webdriver.version>
+    <webdriver.version>4.3.1</webdriver.version>
     <webgoat.port>8080</webgoat.port>
     <webwolf.port>9090</webwolf.port>
     <wiremock.version>2.27.2</wiremock.version>
     <xml-resolver.version>1.2</xml-resolver.version>
     <xstream.version>1.4.5</xstream.version>
     <!-- do not update necessary for lesson -->
-    <zxcvbn.version>1.8.0</zxcvbn.version>
+    <zxcvbn.version>1.5.2</zxcvbn.version>
   </properties>
 
   <dependencyManagement>
@@ -156,7 +154,7 @@
       <dependency>
         <groupId>org.ow2.asm</groupId>
         <artifactId>asm</artifactId>
-        <version>9.5</version>
+        <version>9.1</version>
       </dependency>
 
       <dependency>
@@ -243,15 +241,16 @@
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-compress</artifactId>
-        <version>1.23.0</version>
+        <version>1.21</version>
       </dependency>
       <dependency>
         <groupId>org.jruby</groupId>
         <artifactId>jruby</artifactId>
-        <version>9.4.2.0</version>
+        <version>9.3.6.0</version>
       </dependency>
     </dependencies>
   </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -270,7 +269,6 @@
     <dependency>
       <groupId>javax.xml.bind</groupId>
       <artifactId>jaxb-api</artifactId>
-      <version>${jaxb.version}</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -312,11 +310,7 @@
     </dependency>
     <dependency>
       <groupId>org.thymeleaf.extras</groupId>
-      <artifactId>thymeleaf-extras-springsecurity6</artifactId>
+      <artifactId>thymeleaf-extras-springsecurity5</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>jakarta.servlet</groupId>
-      <artifactId>jakarta.servlet-api</artifactId>
     </dependency>
     <dependency>
       <groupId>org.hsqldb</groupId>
@@ -375,13 +369,8 @@
       <artifactId>jquery</artifactId>
     </dependency>
     <dependency>
-      <groupId>jakarta.xml.bind</groupId>
+      <groupId>org.glassfish.jaxb</groupId>
-      <artifactId>jakarta.xml.bind-api</artifactId>
+      <artifactId>jaxb-runtime</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.sun.xml.bind</groupId>
-      <artifactId>jaxb-impl</artifactId>
-      <scope>runtime</scope>
     </dependency>
 
     <dependency>
@@ -397,7 +386,6 @@
     <dependency>
       <groupId>com.github.tomakehurst</groupId>
       <artifactId>wiremock</artifactId>
-      <version>3.0.0-beta-2</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -405,11 +393,6 @@
       <artifactId>rest-assured</artifactId>
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>org.springframework.boot</groupId>
-      <artifactId>spring-boot-properties-migrator</artifactId>
-      <scope>runtime</scope>
-    </dependency>
   </dependencies>
 
   <repositories>
@@ -507,8 +490,7 @@
           <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
                         --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
                         --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
-          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
+                        --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED</argLine>
-          --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED</argLine>
           <excludes>
             <exclude>**/*IntegrationTest.java</exclude>
             <exclude>src/it/java</exclude>
@@ -532,7 +514,7 @@
       <plugin>
         <groupId>com.diffplug.spotless</groupId>
         <artifactId>spotless-maven-plugin</artifactId>
-        <version>2.38.0</version>
+        <version>2.29.0</version>
         <configuration>
           <formats>
             <format>
@@ -593,7 +575,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.3.0</version>
+        <version>3.0.0</version>
         <executions>
           <execution>
             <id>restrict-log4j-versions</id>
@@ -696,10 +678,6 @@
                     <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>--add-opens</argument>
                     <argument>java.base/java.util=ALL-UNNAMED</argument>
-                    <argument>--add-opens</argument>
-                    <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
-                    <argument>--add-opens</argument>
-                    <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
                   </arguments>
                   <waitForInterrupt>false</waitForInterrupt>
@@ -749,82 +727,6 @@
         </plugins>
       </build>
     </profile>
-    <profile>
-      <!-- run with: mvn test -Pcoverage -->
-      <id>coverage</id>
-      <activation>
-        <activeByDefault>false</activeByDefault>
-      </activation>
-      <build>
-        <plugins>
-          <plugin>
-            <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-surefire-plugin</artifactId>
-            <version>${maven-surefire-plugin.version}</version>
-            <configuration>
-              <argLine>--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
-          --add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED
-          --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
-          --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
-          ${surefire.jacoco.args}</argLine>
-              <excludes>
-                <exclude>**/*IntegrationTest.java</exclude>
-                <exclude>src/it/java</exclude>
-                <exclude>org/owasp/webgoat/*Test</exclude>
-              </excludes>
-            </configuration>
-          </plugin>
-          <plugin>
-            <groupId>org.jacoco</groupId>
-            <artifactId>jacoco-maven-plugin</artifactId>
-            <version>${jacoco.version}</version>
-            <executions>
-              <execution>
-                <id>before-unit-test</id>
-                <goals>
-                  <goal>prepare-agent</goal>
-                </goals>
-                <configuration>
-                  <destFile>${project.build.directory}/jacoco/jacoco-ut.exec</destFile>
-                  <propertyName>surefire.jacoco.args</propertyName>
-                </configuration>
-              </execution>
-              <execution>
-                <id>check</id>
-                <goals>
-                  <goal>check</goal>
-                </goals>
-                <configuration>
-                  <rules>
-                    <rule>
-                      <element>BUNDLE</element>
-                      <limits>
-                        <limit>
-                          <counter>CLASS</counter>
-                          <value>COVEREDCOUNT</value>
-                          <minimum>0.6</minimum>
-                        </limit>
-                      </limits>
-                    </rule>
-                  </rules>
-                  <dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
-                </configuration>
-              </execution>
-              <execution>
-                <id>after-unit-test</id>
-                <goals>
-                  <goal>report</goal>
-                </goals>
-                <phase>test</phase>
-                <configuration>
-                  <dataFile>${project.build.directory}/jacoco/jacoco-ut.exec</dataFile>
-                  <outputDirectory>${project.reporting.outputDirectory}/jacoco-unit-test-coverage-report</outputDirectory>
-                </configuration>
-              </execution>
-            </executions>
-          </plugin>
-        </plugins>
-      </build>
-    </profile>
   </profiles>
+
 </project>

src/it/java/org/owasp/webgoat/ChallengeIntegrationTest.java

@@ -7,14 +7,12 @@ import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.springframework.http.HttpStatus;
 
 public class ChallengeIntegrationTest extends IntegrationTest {
 
   @Test
-  void testChallenge1() {
+  public void testChallenge1() {
     startLesson("Challenge1");
 
     byte[] resultBytes =
@@ -69,7 +67,7 @@ public class ChallengeIntegrationTest extends IntegrationTest {
   }
 
   @Test
-  void testChallenge5() {
+  public void testChallenge5() {
     startLesson("Challenge5");
 
     Map<String, Object> params = new HashMap<>();
@@ -109,62 +107,4 @@ public class ChallengeIntegrationTest extends IntegrationTest {
             .get("find { it.username == \"" + this.getUser() + "\" }.flagsCaptured");
     assertTrue(capturefFlags.contains("Without password"));
   }
-
-  @Test
-  void testChallenge7() {
-    startLesson("Challenge7");
-    cleanMailbox();
-
-    // One should first be able to download git.zip from WebGoat
-    RestAssured.given()
-        .when()
-        .relaxedHTTPSValidation()
-        .cookie("JSESSIONID", getWebGoatCookie())
-        .get(url("/WebGoat/challenge/7/.git"))
-        .then()
-        .statusCode(200)
-        .extract()
-        .asString();
-
-    // Should send an email to WebWolf inbox this should give a hint to the link being static
-    RestAssured.given()
-        .when()
-        .relaxedHTTPSValidation()
-        .cookie("JSESSIONID", getWebGoatCookie())
-        .formParams("email", getUser() + "@webgoat.org")
-        .post(url("/WebGoat/challenge/7"))
-        .then()
-        .statusCode(200)
-        .extract()
-        .asString();
-
-    // Check whether email has been received
-    var responseBody =
-        RestAssured.given()
-            .when()
-            .relaxedHTTPSValidation()
-            .cookie("WEBWOLFSESSION", getWebWolfCookie())
-            .get(webWolfUrl("/mail"))
-            .then()
-            .extract()
-            .response()
-            .getBody()
-            .asString();
-    Assertions.assertThat(responseBody).contains("Hi, you requested a password reset link");
-
-    // Call reset link with admin link
-    String result =
-        RestAssured.given()
-            .when()
-            .relaxedHTTPSValidation()
-            .cookie("JSESSIONID", getWebGoatCookie())
-            .get(url("/challenge/7/reset-password/{link}"), "375afe1104f4a487a73823c50a9292a2")
-            .then()
-            .statusCode(HttpStatus.ACCEPTED.value())
-            .extract()
-            .asString();
-
-    String flag = result.substring(result.indexOf("flag") + 6, result.indexOf("flag") + 42);
-    checkAssignment(url("/WebGoat/challenge/flag"), Map.of("flag", flag), true);
-  }
 }

src/it/java/org/owasp/webgoat/IntegrationTest.java

@@ -11,7 +11,6 @@ import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
-import org.springframework.http.HttpStatus;
 
 public abstract class IntegrationTest {
 
@@ -253,14 +252,4 @@ public abstract class IntegrationTest {
         .getBody()
         .asString();
   }
-
-  public void cleanMailbox() {
-    RestAssured.given()
-        .when()
-        .relaxedHTTPSValidation()
-        .cookie("WEBWOLFSESSION", getWebWolfCookie())
-        .delete(webWolfUrl("/mail"))
-        .then()
-        .statusCode(HttpStatus.ACCEPTED.value());
-  }
 }

src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java

@@ -5,6 +5,7 @@ import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 import io.restassured.RestAssured;
 import java.util.Arrays;
 import java.util.Map;
+import lombok.SneakyThrows;
 import org.apache.commons.lang3.StringUtils;
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.AfterEach;
@@ -15,6 +16,7 @@ import org.junit.jupiter.api.TestFactory;
 public class PasswordResetLessonIntegrationTest extends IntegrationTest {
 
   @BeforeEach
+  @SneakyThrows
   public void init() {
     startLesson("/PasswordReset");
   }

src/it/java/org/owasp/webgoat/ProgressRaceConditionIntegrationTest.java

@@ -29,9 +29,9 @@ public class ProgressRaceConditionIntegrationTest extends IntegrationTest {
               .relaxedHTTPSValidation()
               .cookie("JSESSIONID", getWebGoatCookie())
               .formParams(Map.of("flag", "test"))
-              .post(url("/challenge/flag"));
+              .post(url("/challenge/flag/"));
         };
-    ExecutorService executorService = Executors.newFixedThreadPool(NUMBER_OF_PARALLEL_THREADS);
+    ExecutorService executorService = Executors.newWorkStealingPool(NUMBER_OF_PARALLEL_THREADS);
     List<? extends Callable<Response>> flagCalls =
         IntStream.range(0, NUMBER_OF_CALLS).mapToObj(i -> call).collect(Collectors.toList());
     var responses = executorService.invokeAll(flagCalls);

src/main/java/org/owasp/webgoat/container/AjaxAuthenticationEntryPoint.java

@@ -27,10 +27,10 @@
  */
 package org.owasp.webgoat.container;
 
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 

src/main/java/org/owasp/webgoat/container/AsciiDoctorTemplateResolver.java

@@ -33,7 +33,6 @@ package org.owasp.webgoat.container;
 import static org.asciidoctor.Asciidoctor.Factory.create;
 
 import io.undertow.util.Headers;
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -42,6 +41,7 @@ import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
@@ -60,7 +60,7 @@ import org.thymeleaf.templateresource.StringTemplateResource;
  * Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
  *
  * <p><code>
- * <div th:replace="~{doc:AccessControlMatrix_plan.adoc}"></div>
+ * <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
  * </code>
  */
 @Slf4j

src/main/java/org/owasp/webgoat/container/DatabaseConfiguration.java

@@ -50,13 +50,12 @@ public class DatabaseConfiguration {
   }
 
   @Bean
-  public Function<String, Flyway> flywayLessons() {
+  public Function<String, Flyway> flywayLessons(LessonDataSource lessonDataSource) {
     return schema ->
         Flyway.configure()
             .configuration(Map.of("driver", properties.getDriverClassName()))
             .schemas(schema)
-            .cleanDisabled(false)
+            .dataSource(lessonDataSource)
-            .dataSource(dataSource())
             .locations("lessons")
             .load();
   }

src/main/java/org/owasp/webgoat/container/MvcConfiguration.java

@@ -56,10 +56,10 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
 import org.thymeleaf.IEngineConfiguration;
-import org.thymeleaf.extras.springsecurity6.dialect.SpringSecurityDialect;
+import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
-import org.thymeleaf.spring6.SpringTemplateEngine;
+import org.thymeleaf.spring5.SpringTemplateEngine;
-import org.thymeleaf.spring6.templateresolver.SpringResourceTemplateResolver;
+import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
-import org.thymeleaf.spring6.view.ThymeleafViewResolver;
+import org.thymeleaf.spring5.view.ThymeleafViewResolver;
 import org.thymeleaf.templatemode.TemplateMode;
 import org.thymeleaf.templateresolver.FileTemplateResolver;
 import org.thymeleaf.templateresolver.ITemplateResolver;

src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java

@@ -37,26 +37,26 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
-import org.springframework.security.web.SecurityFilterChain;
 
 /** Security configuration for WebGoat. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
-public class WebSecurityConfig {
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
   private final UserService userDetailsService;
 
-  @Bean
+  @Override
-  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+  protected void configure(HttpSecurity http) throws Exception {
-    http.authorizeHttpRequests(
+    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
-        auth ->
+        http.authorizeRequests()
-            auth.requestMatchers(
+            .antMatchers(
                 "/css/**",
                 "/images/**",
                 "/js/**",
@@ -67,19 +67,20 @@ public class WebSecurityConfig {
                 "/actuator/**")
             .permitAll()
             .anyRequest()
-                .authenticated());
+            .authenticated();
-    http.formLogin()
+    security
+        .and()
+        .formLogin()
         .loginPage("/login")
         .defaultSuccessUrl("/welcome.mvc", true)
         .usernameParameter("username")
         .passwordParameter("password")
         .permitAll();
-    http.logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
+    security.and().logout().deleteCookies("JSESSIONID").invalidateHttpSession(true);
-    http.csrf().disable();
+    security.and().csrf().disable();
 
     http.headers().cacheControl().disable();
     http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
-    return http.build();
   }
 
   @Autowired
@@ -88,14 +89,15 @@ public class WebSecurityConfig {
   }
 
   @Bean
-  public UserDetailsService userDetailsServiceBean() {
+  @Override
+  public UserDetailsService userDetailsServiceBean() throws Exception {
     return userDetailsService;
   }
 
+  @Override
   @Bean
-  public AuthenticationManager authenticationManager(
+  protected AuthenticationManager authenticationManager() throws Exception {
-      AuthenticationConfiguration authenticationConfiguration) throws Exception {
+    return super.authenticationManager();
-    return authenticationConfiguration.getAuthenticationManager();
   }
 
   @SuppressWarnings("deprecation")

src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java

@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.asciidoc;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
 import org.asciidoctor.ast.ContentNode;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.springframework.web.context.request.RequestContextHolder;

src/main/java/org/owasp/webgoat/container/assignments/LessonTrackerInterceptor.java

@@ -75,8 +75,7 @@ public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
     } else {
       userTracker.assignmentFailed(webSession.getCurrentLesson());
     }
-    userTrackerRepository.save(userTracker);
+    userTrackerRepository.saveAndFlush(userTracker);
-
     return attackResult;
   }
 }

src/main/java/org/owasp/webgoat/container/controller/StartLesson.java

@@ -31,7 +31,7 @@
  */
 package org.owasp.webgoat.container.controller;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.session.Course;
 import org.owasp.webgoat.container.session.WebSession;
 import org.springframework.stereotype.Controller;

src/main/java/org/owasp/webgoat/container/controller/Welcome.java

@@ -29,8 +29,8 @@
  */
 package org.owasp.webgoat.container.controller;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpSession;
+import javax.servlet.http.HttpSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.ModelAndView;
@@ -49,7 +49,7 @@ public class Welcome {
   /**
    * welcome.
    *
-   * @param request a {@link jakarta.servlet.http.HttpServletRequest} object.
+   * @param request a {@link javax.servlet.http.HttpServletRequest} object.
    * @return a {@link org.springframework.web.servlet.ModelAndView} object.
    */
   @GetMapping(path = {"welcome.mvc"})

src/main/java/org/owasp/webgoat/container/lessons/Assignment.java

@@ -1,14 +1,9 @@
 package org.owasp.webgoat.container.lessons;
 
-import jakarta.persistence.Entity;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.Transient;
 import java.util.ArrayList;
 import java.util.List;
-import lombok.EqualsAndHashCode;
+import javax.persistence.*;
-import lombok.Getter;
+import lombok.*;
 
 /**
  * ************************************************************************************************
@@ -46,7 +41,7 @@ import lombok.Getter;
 public class Assignment {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  @GeneratedValue(strategy = GenerationType.AUTO)
   private Long id;
 
   private String name;

src/main/java/org/owasp/webgoat/container/lessons/LessonConnectionInvocationHandler.java

@@ -4,13 +4,15 @@ import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.sql.Connection;
+import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 /**
  * Handler which sets the correct schema for the currently bounded user. This way users are not
- * seeing each other data, and we can reset data for just one particular user.
+ * seeing each other data and we can reset data for just one particular user.
  */
+@Slf4j
 public class LessonConnectionInvocationHandler implements InvocationHandler {
 
   private final Connection targetConnection;

src/main/java/org/owasp/webgoat/container/users/LessonTracker.java

@@ -1,20 +1,8 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.persistence.CascadeType;
+import java.util.*;
-import jakarta.persistence.Entity;
-import jakarta.persistence.FetchType;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.OneToMany;
-import jakarta.persistence.Version;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
 import java.util.stream.Collectors;
-import lombok.EqualsAndHashCode;
+import javax.persistence.*;
 import lombok.Getter;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -51,11 +39,10 @@ import org.owasp.webgoat.container.lessons.Lesson;
  * @since October 29, 2003
  */
 @Entity
-@EqualsAndHashCode
 public class LessonTracker {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  @GeneratedValue(strategy = GenerationType.AUTO)
   private Long id;
 
   @Getter private String lessonName;

src/main/java/org/owasp/webgoat/container/users/RegistrationController.java

@@ -1,10 +1,11 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.servlet.ServletException;
+import javax.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
-import jakarta.validation.Valid;
+import javax.validation.Valid;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.stereotype.Controller;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -22,6 +23,7 @@ public class RegistrationController {
 
   private UserValidator userValidator;
   private UserService userService;
+  private AuthenticationManager authenticationManager;
 
   @GetMapping("/registration")
   public String showForm(UserForm userForm) {

src/main/java/org/owasp/webgoat/container/users/UserForm.java

@@ -1,8 +1,8 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.validation.constraints.NotNull;
+import javax.validation.constraints.NotNull;
-import jakarta.validation.constraints.Pattern;
+import javax.validation.constraints.Pattern;
-import jakarta.validation.constraints.Size;
+import javax.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
 

src/main/java/org/owasp/webgoat/container/users/UserTracker.java

@@ -1,19 +1,11 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.persistence.CascadeType;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.FetchType;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.OneToMany;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
-import lombok.EqualsAndHashCode;
+import javax.persistence.*;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.lessons.Assignment;
 import org.owasp.webgoat.container.lessons.Lesson;
@@ -51,11 +43,10 @@ import org.owasp.webgoat.container.lessons.Lesson;
  */
 @Slf4j
 @Entity
-@EqualsAndHashCode
 public class UserTracker {
 
   @Id
-  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  @GeneratedValue(strategy = GenerationType.AUTO)
   private Long id;
 
   @Column(name = "username")

src/main/java/org/owasp/webgoat/container/users/WebGoatUser.java

@@ -1,10 +1,10 @@
 package org.owasp.webgoat.container.users;
 
-import jakarta.persistence.Entity;
-import jakarta.persistence.Id;
-import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;

src/main/java/org/owasp/webgoat/lessons/authbypass/AccountVerificationHelper.java

@@ -42,7 +42,6 @@ public class AccountVerificationHelper {
   static {
     secQuestionStore.put(verifyUserId, userSecQuestions);
   }
-
   // end 'data store set up'
 
   // this is to aid feedback in the attack process and is not intended to be part of the
@@ -69,7 +68,6 @@ public class AccountVerificationHelper {
 
     return likely;
   }
-
   // end of cheating check ... the method below is the one of real interest. Can you find the flaw?
 
   public boolean verifyAccount(Integer userId, HashMap<String, String> submittedQuestions) {

src/main/java/org/owasp/webgoat/lessons/authbypass/VerifyAccount.java

@@ -22,13 +22,13 @@
 
 package org.owasp.webgoat.lessons.authbypass;
 
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/challenges/Flag.java

@@ -1,13 +1,89 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
 package org.owasp.webgoat.lessons.challenges;
 
-public record Flag(int number, String answer) {
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+import java.util.stream.IntStream;
+import javax.annotation.PostConstruct;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.owasp.webgoat.container.session.WebSession;
+import org.owasp.webgoat.container.users.UserTracker;
+import org.owasp.webgoat.container.users.UserTrackerRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
-  public boolean isCorrect(String flag) {
+/**
-    return answer.equals(flag);
+ * @author nbaars
+ * @since 3/23/17.
+ */
+@RestController
+public class Flag extends AssignmentEndpoint {
+
+  public static final Map<Integer, String> FLAGS = new HashMap<>();
+  @Autowired private UserTrackerRepository userTrackerRepository;
+  @Autowired private WebSession webSession;
+
+  @AllArgsConstructor
+  private class FlagPosted {
+    @Getter private boolean lessonCompleted;
   }
 
-  @Override
+  @PostConstruct
-  public String toString() {
+  public void initFlags() {
-    return answer;
+    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, UUID.randomUUID().toString()));
+  }
+
+  @RequestMapping(
+      path = "/challenge/flag",
+      method = RequestMethod.POST,
+      produces = MediaType.APPLICATION_JSON_VALUE)
+  @ResponseBody
+  public AttackResult postFlag(@RequestParam String flag) {
+    UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+    String currentChallenge = webSession.getCurrentLesson().getName();
+    int challengeNumber =
+        Integer.valueOf(
+            currentChallenge.substring(currentChallenge.length() - 1, currentChallenge.length()));
+    String expectedFlag = FLAGS.get(challengeNumber);
+    final AttackResult attackResult;
+    if (expectedFlag.equals(flag)) {
+      userTracker.assignmentSolved(webSession.getCurrentLesson(), "Assignment" + challengeNumber);
+      attackResult = success(this).feedback("challenge.flag.correct").build();
+    } else {
+      userTracker.assignmentFailed(webSession.getCurrentLesson());
+      attackResult = failed(this).feedback("challenge.flag.incorrect").build();
+    }
+    userTrackerRepository.save(userTracker);
+    return attackResult;
   }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/FlagController.java

@@ -1,52 +0,0 @@
-/*
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 2019 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
- */
-
-package org.owasp.webgoat.lessons.challenges;
-
-import lombok.AllArgsConstructor;
-import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.container.session.WebSession;
-import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.bind.annotation.RestController;
-
-@RestController
-@AllArgsConstructor
-public class FlagController extends AssignmentEndpoint {
-
-  private final WebSession webSession;
-  private final Flags flags;
-
-  @PostMapping(path = "/challenge/flag", produces = MediaType.APPLICATION_JSON_VALUE)
-  @ResponseBody
-  public AttackResult postFlag(@RequestParam String flag) {
-    Flag expectedFlag = flags.getFlag(webSession.getCurrentLesson());
-    if (expectedFlag.isCorrect(flag)) {
-      return success(this).feedback("challenge.flag.correct").build();
-    } else {
-      return failed(this).feedback("challenge.flag.incorrect").build();
-    }
-  }
-}

src/main/java/org/owasp/webgoat/lessons/challenges/Flags.java

@@ -1,27 +0,0 @@
-package org.owasp.webgoat.lessons.challenges;
-
-import java.util.HashMap;
-import java.util.Map;
-import java.util.UUID;
-import java.util.stream.IntStream;
-import org.owasp.webgoat.container.lessons.Lesson;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class Flags {
-  private final Map<Integer, Flag> FLAGS = new HashMap<>();
-
-  public Flags() {
-    IntStream.range(1, 10).forEach(i -> FLAGS.put(i, new Flag(i, UUID.randomUUID().toString())));
-  }
-
-  public Flag getFlag(Lesson forLesson) {
-    String lessonName = forLesson.getName();
-    int challengeNumber = Integer.valueOf(lessonName.substring(lessonName.length() - 1));
-    return FLAGS.get(challengeNumber);
-  }
-
-  public Flag getFlag(int flagNumber) {
-    return FLAGS.get(flagNumber);
-  }
-}

src/main/java/org/owasp/webgoat/lessons/challenges/SolutionConstants.java

@@ -32,4 +32,6 @@ public interface SolutionConstants {
 
   // TODO should be random generated when starting the server
   String PASSWORD = "!!webgoat_admin_1234!!";
+  String PASSWORD_TOM = "thisisasecretfortomonly";
+  String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/Assignment1.java

@@ -2,10 +2,11 @@ package org.owasp.webgoat.lessons.challenges.challenge1;
 
 import static org.owasp.webgoat.lessons.challenges.SolutionConstants.PASSWORD;
 
-import lombok.RequiredArgsConstructor;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.lessons.challenges.Flag;
+import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -42,14 +43,12 @@ import org.springframework.web.bind.annotation.RestController;
  * @since August 11, 2016
  */
 @RestController
-@RequiredArgsConstructor
 public class Assignment1 extends AssignmentEndpoint {
 
-  private final Flags flags;
-
   @PostMapping("/challenge/1")
   @ResponseBody
-  public AttackResult completed(@RequestParam String username, @RequestParam String password) {
+  public AttackResult completed(
+      @RequestParam String username, @RequestParam String password, HttpServletRequest request) {
     boolean ipAddressKnown = true;
     boolean passwordCorrect =
         "admin".equals(username)
@@ -57,10 +56,14 @@ public class Assignment1 extends AssignmentEndpoint {
                 .replace("1234", String.format("%04d", ImageServlet.PINCODE))
                 .equals(password);
     if (passwordCorrect && ipAddressKnown) {
-      return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(1)).build();
+      return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
     } else if (passwordCorrect) {
       return failed(this).feedback("ip.address.unknown").build();
     }
     return failed(this).build();
   }
+
+  public static boolean containsHeader(HttpServletRequest request) {
+    return StringUtils.hasText(request.getHeader("X-Forwarded-For"));
+  }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java

@@ -4,7 +4,8 @@ import static org.springframework.web.bind.annotation.RequestMethod.GET;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 
 import java.io.IOException;
-import java.util.Random;
+import java.security.SecureRandom;
+import javax.servlet.http.HttpServlet;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -12,9 +13,10 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 @RestController
-public class ImageServlet {
+public class ImageServlet extends HttpServlet {
 
-  public static final int PINCODE = new Random().nextInt(10000);
+  private static final long serialVersionUID = 9132775506936676850L;
+  public static final int PINCODE = new SecureRandom().nextInt(10000);
 
   @RequestMapping(
       method = {GET, POST},

src/main/java/org/owasp/webgoat/lessons/challenges/challenge5/Assignment5.java

@@ -24,12 +24,11 @@ package org.owasp.webgoat.lessons.challenges.challenge5;
 
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
-import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.lessons.challenges.Flag;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -38,11 +37,13 @@ import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @Slf4j
-@RequiredArgsConstructor
 public class Assignment5 extends AssignmentEndpoint {
 
   private final LessonDataSource dataSource;
-  private final Flags flags;
+
+  public Assignment5(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
 
   @PostMapping("/challenge/5")
   @ResponseBody
@@ -65,7 +66,7 @@ public class Assignment5 extends AssignmentEndpoint {
       ResultSet resultSet = statement.executeQuery();
 
       if (resultSet.next()) {
-        return success(this).feedback("challenge.solved").feedbackArgs(flags.getFlag(5)).build();
+        return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(5)).build();
       } else {
         return failed(this).feedback("challenge.close").build();
       }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/Assignment7.java

@@ -1,14 +1,16 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.time.LocalDateTime;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.challenges.Email;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.lessons.challenges.Flag;
+import org.owasp.webgoat.lessons.challenges.SolutionConstants;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpStatus;
@@ -31,8 +33,6 @@ import org.springframework.web.client.RestTemplate;
 @Slf4j
 public class Assignment7 extends AssignmentEndpoint {
 
-  public static final String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
-
   private static final String TEMPLATE =
       "Hi, you requested a password reset link, please use this <a target='_blank'"
           + " href='%s:8080/WebGoat/challenge/7/reset-password/%s'>link</a> to reset your"
@@ -44,26 +44,22 @@ public class Assignment7 extends AssignmentEndpoint {
           + "Kind regards, \n"
           + "Team WebGoat";
 
-  private final Flags flags;
+  @Autowired private RestTemplate restTemplate;
-  private final RestTemplate restTemplate;
-  private final String webWolfMailURL;
 
-  public Assignment7(
+  @Value("${webwolf.mail.url}")
-      Flags flags, RestTemplate restTemplate, @Value("${webwolf.mail.url}") String webWolfMailURL) {
+  private String webWolfMailURL;
-    this.flags = flags;
-    this.restTemplate = restTemplate;
-    this.webWolfMailURL = webWolfMailURL;
-  }
 
   @GetMapping("/challenge/7/reset-password/{link}")
   public ResponseEntity<String> resetPassword(@PathVariable(value = "link") String link) {
-    if (link.equals(ADMIN_PASSWORD_LINK)) {
+    if (link.equals(SolutionConstants.ADMIN_PASSWORD_LINK)) {
       return ResponseEntity.accepted()
           .body(
               "<h1>Success!!</h1>"
                   + "<img src='/WebGoat/images/hi-five-cat.jpg'>"
                   + "<br/><br/>Here is your flag: "
-                  + flags.getFlag(7));
+                  + "<b>"
+                  + Flag.FLAGS.get(7)
+                  + "</b>");
     }
     return ResponseEntity.status(HttpStatus.I_AM_A_TEAPOT)
         .body("That is not the reset link for admin");
@@ -98,6 +94,6 @@ public class Assignment7 extends AssignmentEndpoint {
   @GetMapping(value = "/challenge/7/.git", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
   @ResponseBody
   public ClassPathResource git() {
-    return new ClassPathResource("lessons/challenges/challenge7/git.zip");
+    return new ClassPathResource("challenge7/git.zip");
   }
 }

src/main/java/org/owasp/webgoat/lessons/challenges/challenge8/Assignment8.java

@@ -1,14 +1,13 @@
 package org.owasp.webgoat.lessons.challenges.challenge8;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.stream.Collectors;
-import lombok.RequiredArgsConstructor;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
-import org.owasp.webgoat.lessons.challenges.Flags;
+import org.owasp.webgoat.lessons.challenges.Flag;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -16,9 +15,12 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
 @RestController
 @Slf4j
-@RequiredArgsConstructor
 public class Assignment8 extends AssignmentEndpoint {
 
   private static final Map<Integer, Integer> votes = new HashMap<>();
@@ -31,8 +33,6 @@ public class Assignment8 extends AssignmentEndpoint {
     votes.put(5, 300);
   }
 
-  private final Flags flags;
-
   @GetMapping(value = "/challenge/8/vote/{stars}", produces = MediaType.APPLICATION_JSON_VALUE)
   @ResponseBody
   public ResponseEntity<?> vote(
@@ -47,7 +47,7 @@ public class Assignment8 extends AssignmentEndpoint {
     Integer allVotesForStar = votes.getOrDefault(nrOfStars, 0);
     votes.put(nrOfStars, allVotesForStar + 1);
     return ResponseEntity.ok()
-        .header("X-FlagController", "Thanks for voting, your flag is: " + flags.getFlag(8))
+        .header("X-Flag", "Thanks for voting, your flag is: " + Flag.FLAGS.get(8))
         .build();
   }
 

src/main/java/org/owasp/webgoat/lessons/clientsidefiltering/Salaries.java

@@ -22,7 +22,6 @@
 
 package org.owasp.webgoat.lessons.clientsidefiltering;
 
-import jakarta.annotation.PostConstruct;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -32,6 +31,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import javax.annotation.PostConstruct;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;

src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.Base64;
 import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.MediaType;

src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/cryptography/SigningAssignment.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
 import java.security.interfaces.RSAPublicKey;
+import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFFeedback.java

@@ -24,11 +24,11 @@ package org.owasp.webgoat.lessons.csrf;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.Map;
 import java.util.UUID;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.i18n.PluginMessages;
 import org.owasp.webgoat.container.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFLogin.java

@@ -22,7 +22,7 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/csrf/ForgedReviews.java

@@ -25,7 +25,6 @@ package org.owasp.webgoat.lessons.csrf;
 import static org.springframework.http.MediaType.ALL_VALUE;
 
 import com.google.common.collect.Lists;
-import jakarta.servlet.http.HttpServletRequest;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
@@ -33,6 +32,7 @@ import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.hijacksession;
 
-import jakarta.servlet.http.Cookie;
+import javax.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/httpproxies/HttpBasicsInterceptRequest.java

@@ -22,7 +22,7 @@
 
 package org.owasp.webgoat.lessons.httpproxies;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.http.HttpMethod;

src/main/java/org/owasp/webgoat/lessons/idor/IDORDiffAttributes.java

@@ -15,8 +15,7 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDOREditOtherProfiile.java

@@ -15,8 +15,7 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -46,7 +45,7 @@ import org.springframework.web.bind.annotation.RestController;
   "idor.hints.otherProfile8",
   "idor.hints.otherProfile9"
 })
-public class IDOREditOtherProfile extends AssignmentEndpoint {
+public class IDOREditOtherProfiile extends AssignmentEndpoint {
 
   @Autowired private UserSessionData userSessionData;
 
@@ -70,7 +69,7 @@ public class IDOREditOtherProfile extends AssignmentEndpoint {
       // we will persist in the session object for now in case we want to refer back or use it later
       userSessionData.setValue("idor-updated-other-profile", currentUserProfile);
       if (currentUserProfile.getRole() <= 1
-          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
+          && currentUserProfile.getColor().toLowerCase().equals("red")) {
         return success(this)
             .feedback("idor.edit.profile.success1")
             .output(currentUserProfile.profileToMap().toString())
@@ -78,16 +77,16 @@ public class IDOREditOtherProfile extends AssignmentEndpoint {
       }
 
       if (currentUserProfile.getRole() > 1
-          && currentUserProfile.getColor().equalsIgnoreCase("red")) {
+          && currentUserProfile.getColor().toLowerCase().equals("red")) {
-        return failed(this)
+        return success(this)
             .feedback("idor.edit.profile.failure1")
             .output(currentUserProfile.profileToMap().toString())
             .build();
       }
 
       if (currentUserProfile.getRole() <= 1
-          && !currentUserProfile.getColor().equalsIgnoreCase("red")) {
+          && !currentUserProfile.getColor().toLowerCase().equals("red")) {
-        return failed(this)
+        return success(this)
             .feedback("idor.edit.profile.failure2")
             .output(currentUserProfile.profileToMap().toString())
             .build();
@@ -98,8 +97,7 @@ public class IDOREditOtherProfile extends AssignmentEndpoint {
           .feedback("idor.edit.profile.failure3")
           .output(currentUserProfile.profileToMap().toString())
           .build();
-    } else if (userSubmittedProfile.getUserId() != null
+    } else if (userSubmittedProfile.getUserId().equals(authUserId)) {
-        && userSubmittedProfile.getUserId().equals(authUserId)) {
       return failed(this).feedback("idor.edit.profile.failure4").build();
     }
 

src/main/java/org/owasp/webgoat/lessons/idor/IDORLogin.java

@@ -15,8 +15,7 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOtherProfile.java

@@ -15,15 +15,16 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
 package org.owasp.webgoat.lessons.idor;
 
-import jakarta.servlet.http.HttpServletResponse;
+import java.util.HashMap;
+import java.util.Map;
+import javax.servlet.http.HttpServletResponse;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
@@ -55,6 +56,7 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
       produces = {"application/json"})
   @ResponseBody
   public AttackResult completed(@PathVariable("userId") String userId, HttpServletResponse resp) {
+    Map<String, Object> details = new HashMap<>();
 
     if (userSessionData.getValue("idor-authenticated-as").equals("tom")) {
       // going to use session auth to view this one
@@ -64,8 +66,7 @@ public class IDORViewOtherProfile extends AssignmentEndpoint {
         UserProfile requestedProfile = new UserProfile(userId);
         // secure code would ensure there was a horizontal access control check prior to dishing up
         // the requested profile
-        if (requestedProfile.getUserId() != null
+        if (requestedProfile.getUserId().equals("2342388")) {
-            && requestedProfile.getUserId().equals("2342388")) {
           return success(this)
               .feedback("idor.view.profile.success")
               .output(requestedProfile.profileToMap().toString())

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfile.java

@@ -15,8 +15,7 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/idor/IDORViewOwnProfileAltUrl.java

@@ -15,8 +15,7 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
@@ -69,7 +68,7 @@ public class IDORViewOwnProfileAltUrl extends AssignmentEndpoint {
         return failed(this).feedback("idor.view.own.profile.failure2").build();
       }
     } catch (Exception ex) {
-      return failed(this).output("an error occurred with your request").build();
+      return failed(this).feedback("an error occurred with your request").build();
     }
   }
 }

src/main/java/org/owasp/webgoat/lessons/idor/UserProfile.java

@@ -15,8 +15,7 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java

@@ -31,14 +31,14 @@ import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.TextCodec;
-import jakarta.annotation.PostConstruct;
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletResponse;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
+import javax.annotation.PostConstruct;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/logging/LogBleedingTask.java

@@ -22,10 +22,10 @@
 
 package org.owasp.webgoat.lessons.logging;
 
-import jakarta.annotation.PostConstruct;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.UUID;
+import javax.annotation.PostConstruct;
 import org.apache.logging.log4j.util.Strings;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/passwordreset/ResetLinkAssignmentForgotPassword.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.passwordreset;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.UUID;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;

src/main/java/org/owasp/webgoat/lessons/passwordreset/resetlink/PasswordChangeForm.java

@@ -1,7 +1,7 @@
 package org.owasp.webgoat.lessons.passwordreset.resetlink;
 
-import jakarta.validation.constraints.NotNull;
+import javax.validation.constraints.NotNull;
-import jakarta.validation.constraints.Size;
+import javax.validation.constraints.Size;
 import lombok.Getter;
 import lombok.Setter;
 

src/main/java/org/owasp/webgoat/lessons/pathtraversal/ProfileUploadRetrieval.java

@@ -1,7 +1,5 @@
 package org.owasp.webgoat.lessons.pathtraversal;
 
-import jakarta.annotation.PostConstruct;
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -10,6 +8,8 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.util.Base64;
+import javax.annotation.PostConstruct;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookie.java

@@ -15,8 +15,7 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */

src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java

@@ -15,20 +15,18 @@
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
  *
- * Getting Source
+ * Getting Source ==============
- * ==============
  *
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
 
 package org.owasp.webgoat.lessons.spoofcookie;
 
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletResponse;
 import java.util.Map;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.lessons.spoofcookie.encoders.EncDec;
 import org.springframework.web.bind.UnsatisfiedServletRequestParameterException;
@@ -46,7 +44,6 @@ import org.springframework.web.bind.annotation.RestController;
  *
  */
 
-@AssignmentHints({"spoofcookie.hint1", "spoofcookie.hint2", "spoofcookie.hint3"})
 @RestController
 public class SpoofCookieAssignment extends AssignmentEndpoint {
 

src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import jakarta.annotation.PostConstruct;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
+import javax.annotation.PostConstruct;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.sql.*;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.LessonDataSource;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;

src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java

@@ -44,12 +44,12 @@ public class SSRFTask1 extends AssignmentEndpoint {
     try {
       StringBuilder html = new StringBuilder();
 
-      if (url.matches("images/tom\\.png")) {
+      if (url.matches("images/tom.png")) {
         html.append(
             "<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\""
                 + " height=\"25%\">");
         return failed(this).feedback("ssrf.tom").output(html.toString()).build();
-      } else if (url.matches("images/jerry\\.png")) {
+      } else if (url.matches("images/jerry.png")) {
         html.append(
             "<img class=\"image\" alt=\"Jerry\" src=\"images/jerry.png\" width=\"25%\""
                 + " height=\"25%\">");

src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java

@@ -46,7 +46,7 @@ public class SSRFTask2 extends AssignmentEndpoint {
   }
 
   protected AttackResult furBall(String url) {
-    if (url.matches("http://ifconfig\\.pro")) {
+    if (url.matches("http://ifconfig.pro")) {
       String html;
       try (InputStream in = new URL(url).openStream()) {
         html =

src/main/java/org/owasp/webgoat/lessons/webwolfintroduction/LandingAssignment.java

@@ -22,9 +22,9 @@
 
 package org.owasp.webgoat.lessons.webwolfintroduction;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.net.URI;
 import java.net.URISyntaxException;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;

src/main/java/org/owasp/webgoat/lessons/xss/DOMCrossSiteScripting.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.lessons.xss;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.security.SecureRandom;
+import javax.servlet.http.HttpServletRequest;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.UserSessionData;

src/main/java/org/owasp/webgoat/lessons/xxe/Comment.java

@@ -22,8 +22,7 @@
 
 package org.owasp.webgoat.lessons.xxe;
 
-import jakarta.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlRootElement;
-import jakarta.xml.bind.annotation.XmlType;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
@@ -38,8 +37,7 @@ import lombok.ToString;
 @Setter
 @AllArgsConstructor
 @NoArgsConstructor
-@XmlRootElement(name = "comment")
+@XmlRootElement
-@XmlType
 @ToString
 public class Comment {
   private String user;

src/main/java/org/owasp/webgoat/lessons/xxe/CommentsCache.java

@@ -26,8 +26,6 @@ import static java.util.Optional.empty;
 import static java.util.Optional.of;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import jakarta.xml.bind.JAXBContext;
-import jakarta.xml.bind.JAXBException;
 import java.io.IOException;
 import java.io.StringReader;
 import java.time.LocalDateTime;
@@ -38,6 +36,8 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.Optional;
 import javax.xml.XMLConstants;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import org.owasp.webgoat.container.session.WebSession;
@@ -93,7 +93,7 @@ public class CommentsCache {
    * progress etc). In real life the XmlMapper bean defined above will be used automatically and the
    * Comment class can be directly used in the controller method (instead of a String)
    */
-  protected Comment parseXml(String xml) throws XMLStreamException, JAXBException {
+  protected Comment parseXml(String xml) throws JAXBException, XMLStreamException {
     var jc = JAXBContext.newInstance(Comment.class);
     var xif = XMLInputFactory.newInstance();
 

src/main/java/org/owasp/webgoat/lessons/xxe/ContentTypeAssignment.java

@@ -24,7 +24,7 @@ package org.owasp.webgoat.lessons.xxe;
 
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -60,7 +60,8 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
   public AttackResult createNewUser(
       HttpServletRequest request,
       @RequestBody String commentStr,
-      @RequestHeader("Content-Type") String contentType) {
+      @RequestHeader("Content-Type") String contentType)
+      throws Exception {
     AttackResult attackResult = failed(this).build();
 
     if (APPLICATION_JSON_VALUE.equals(contentType)) {

src/main/java/org/owasp/webgoat/lessons/xxe/SimpleXXE.java

@@ -25,7 +25,7 @@ package org.owasp.webgoat.lessons.xxe;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 
-import jakarta.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;

src/main/java/org/owasp/webgoat/webwolf/FileServer.java

@@ -24,10 +24,10 @@ package org.owasp.webgoat.webwolf;
 
 import static org.springframework.http.MediaType.ALL_VALUE;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
+import javax.servlet.http.HttpServletRequest;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;

src/main/java/org/owasp/webgoat/webwolf/MvcConfiguration.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.webwolf;
 
-import jakarta.annotation.PostConstruct;
 import java.io.File;
+import javax.annotation.PostConstruct;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;

src/main/java/org/owasp/webgoat/webwolf/WebSecurityConfig.java

@@ -29,49 +29,54 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
-import org.springframework.security.web.SecurityFilterChain;
 
-/** Security configuration for WebWolf. */
+/** Security configuration for WebGoat. */
 @Configuration
 @AllArgsConstructor
 @EnableWebSecurity
-public class WebSecurityConfig {
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
   private final UserService userDetailsService;
 
-  @Bean
+  @Override
-  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+  protected void configure(HttpSecurity http) throws Exception {
-    http.authorizeHttpRequests(
+    ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
-        auth -> auth.requestMatchers(HttpMethod.POST, "/fileupload").authenticated());
+        http.authorizeRequests()
-    http.authorizeHttpRequests(
+            .antMatchers(HttpMethod.POST, "/fileupload")
-        auth ->
+            .authenticated()
-            auth.requestMatchers(HttpMethod.GET, "/files", "/mail", "/requests").authenticated());
+            .antMatchers(HttpMethod.GET, "/files", "/mail", "/requests")
-    http.authorizeHttpRequests().anyRequest().permitAll();
+            .authenticated()
-    http.csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
+            .and()
-    http.formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
+            .authorizeRequests()
-    http.logout().permitAll();
+            .anyRequest()
-    return http.build();
+            .permitAll();
+
+    security.and().csrf().disable().formLogin().loginPage("/login").failureUrl("/login?error=true");
+    security.and().formLogin().loginPage("/login").defaultSuccessUrl("/home", true).permitAll();
+    security.and().logout().permitAll();
   }
 
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
-    auth.userDetailsService(userDetailsService);
+    auth.userDetailsService(userDetailsService); // .passwordEncoder(bCryptPasswordEncoder());
   }
 
   @Bean
-  public UserDetailsService userDetailsServiceBean() {
+  @Override
+  public UserDetailsService userDetailsServiceBean() throws Exception {
     return userDetailsService;
   }
 
+  @Override
   @Bean
-  public AuthenticationManager authenticationManager(
+  protected AuthenticationManager authenticationManager() throws Exception {
-      AuthenticationConfiguration authenticationConfiguration) throws Exception {
+    return super.authenticationManager();
-    return authenticationConfiguration.getAuthenticationManager();
   }
 
   @Bean

src/main/java/org/owasp/webgoat/webwolf/WebWolf.java

@@ -23,7 +23,7 @@
 package org.owasp.webgoat.webwolf;
 
 import org.owasp.webgoat.webwolf.requests.WebWolfTraceRepository;
-import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
+import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
@@ -37,7 +37,7 @@ import org.springframework.context.annotation.PropertySource;
 public class WebWolf {
 
   @Bean
-  public HttpExchangeRepository traceRepository() {
+  public HttpTraceRepository traceRepository() {
     return new WebWolfTraceRepository();
   }
 }

src/main/java/org/owasp/webgoat/webwolf/mailbox/Email.java

@@ -23,14 +23,10 @@
 package org.owasp.webgoat.webwolf.mailbox;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
-import jakarta.persistence.Column;
-import jakarta.persistence.Entity;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
 import java.io.Serializable;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
+import javax.persistence.*;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;

src/main/java/org/owasp/webgoat/webwolf/mailbox/MailboxController.java

@@ -23,25 +23,26 @@
 package org.owasp.webgoat.webwolf.mailbox;
 
 import java.util.List;
-import lombok.RequiredArgsConstructor;
+import lombok.AllArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.ModelAndView;
 
 @RestController
-@RequiredArgsConstructor
+@AllArgsConstructor
+@Slf4j
 public class MailboxController {
 
   private final MailboxRepository mailboxRepository;
 
-  @GetMapping("/mail")
+  @GetMapping(value = "/mail")
   public ModelAndView mail() {
     UserDetails user =
         (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
@@ -55,15 +56,9 @@ public class MailboxController {
     return modelAndView;
   }
 
-  @PostMapping("/mail")
+  @PostMapping(value = "/mail")
-  @ResponseStatus(HttpStatus.CREATED)
+  public ResponseEntity<?> sendEmail(@RequestBody Email email) {
-  public void sendEmail(@RequestBody Email email) {
     mailboxRepository.save(email);
-  }
+    return ResponseEntity.status(HttpStatus.CREATED).build();
-
-  @DeleteMapping("/mail")
-  @ResponseStatus(HttpStatus.ACCEPTED)
-  public void deleteAllMail() {
-    mailboxRepository.deleteAll();
   }
 }

src/main/java/org/owasp/webgoat/webwolf/requests/LandingPage.java

@@ -22,8 +22,8 @@
 
 package org.owasp.webgoat.webwolf.requests;
 
-import jakarta.servlet.http.HttpServletRequest;
 import java.util.concurrent.Callable;
+import javax.servlet.http.HttpServletRequest;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;

src/main/java/org/owasp/webgoat/webwolf/requests/Requests.java

@@ -32,7 +32,8 @@ import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.boot.actuate.web.exchanges.HttpExchange;
+import org.springframework.boot.actuate.trace.http.HttpTrace;
+import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
@@ -77,8 +78,8 @@ public class Requests {
     return model;
   }
 
-  private boolean allowedTrace(HttpExchange t, UserDetails user) {
+  private boolean allowedTrace(HttpTrace t, UserDetails user) {
-    HttpExchange.Request req = t.getRequest();
+    Request req = t.getRequest();
     boolean allowed = true;
     /* do not show certain traces to other users in a classroom setup */
     if (req.getUri().getPath().contains("/files")
@@ -94,11 +95,11 @@ public class Requests {
     return allowed;
   }
 
-  private String path(HttpExchange t) {
+  private String path(HttpTrace t) {
     return (String) t.getRequest().getUri().getPath();
   }
 
-  private String toJsonString(HttpExchange t) {
+  private String toJsonString(HttpTrace t) {
     try {
       return objectMapper.writeValueAsString(t);
     } catch (JsonProcessingException e) {

src/main/java/org/owasp/webgoat/webwolf/requests/WebWolfTraceRepository.java

@@ -26,8 +26,8 @@ import com.google.common.collect.EvictingQueue;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.boot.actuate.web.exchanges.HttpExchange;
+import org.springframework.boot.actuate.trace.http.HttpTrace;
-import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
+import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
 
 /**
  * Keep track of all the incoming requests, we are only keeping track of request originating from
@@ -37,9 +37,9 @@ import org.springframework.boot.actuate.web.exchanges.HttpExchangeRepository;
  * @since 8/13/17.
  */
 @Slf4j
-public class WebWolfTraceRepository implements HttpExchangeRepository {
+public class WebWolfTraceRepository implements HttpTraceRepository {
 
-  private final EvictingQueue<HttpExchange> traces = EvictingQueue.create(10000);
+  private final EvictingQueue<HttpTrace> traces = EvictingQueue.create(10000);
   private final List<String> exclusionList =
       List.of(
           "/tmpdir",
@@ -54,11 +54,11 @@ public class WebWolfTraceRepository implements HttpExchangeRepository {
           "/mail");
 
   @Override
-  public List<HttpExchange> findAll() {
+  public List<HttpTrace> findAll() {
     return List.of();
   }
 
-  public List<HttpExchange> findAllTraces() {
+  public List<HttpTrace> findAllTraces() {
     return new ArrayList<>(traces);
   }
 
@@ -67,7 +67,7 @@ public class WebWolfTraceRepository implements HttpExchangeRepository {
   }
 
   @Override
-  public void add(HttpExchange httpTrace) {
+  public void add(HttpTrace httpTrace) {
     var path = httpTrace.getRequest().getUri().getPath();
     if (!isInExclusionList(path)) {
       traces.add(httpTrace);

src/main/java/org/owasp/webgoat/webwolf/user/WebGoatUser.java

@@ -22,11 +22,11 @@
 
 package org.owasp.webgoat.webwolf.user;
 
-import jakarta.persistence.Entity;
-import jakarta.persistence.Id;
-import jakarta.persistence.Transient;
 import java.util.Collection;
 import java.util.Collections;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.Transient;
 import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.User;

src/main/resources/application-webgoat.properties

@@ -13,12 +13,11 @@ server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
 server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
 server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
 
-spring.banner.location=classpath:banner.txt
 spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
-spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
-spring.jpa.open-in-view=false
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
+spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
+spring.banner.location=classpath:banner.txt
 
 logging.level.org.thymeleaf=INFO
 logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
@@ -29,7 +28,6 @@ logging.level.org.springframework=INFO
 logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webgoat=DEBUG
-logging.level.org.hidbernate.SQL=DEBUG
 
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
@@ -53,11 +51,11 @@ spring.jackson.serialization.write-dates-as-timestamps=false
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
 
-#exclude based on the enum of the Category
 exclude.categories=${EXCLUDE_CATEGORIES:none,none}
+#exclude based on the enum of the Category
 
-#exclude based on the class name of a lesson e.g.: LessonTemplate
 exclude.lessons=${EXCLUDE_LESSONS:none,none}
+#exclude based on the class name of a lesson e.g.: LessonTemplate
 
 management.health.db.enabled=true
 management.endpoint.health.show-details=always

src/main/resources/application-webwolf.properties

@@ -18,7 +18,6 @@ spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 spring.jpa.properties.hibernate.default_schema=CONTAINER
-spring.jpa.open-in-view=false
 spring.messages.basename=i18n/messages
 spring.jmx.enabled=false
 
@@ -27,7 +26,7 @@ logging.level.org.springframework.boot.devtools=WARN
 logging.level.org.owasp=DEBUG
 logging.level.org.owasp.webwolf=TRACE
 
-management.httpexchanges.recording.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
+management.trace.http.include=REQUEST_HEADERS,RESPONSE_HEADERS,COOKIE_HEADERS,TIME_TAKEN
 management.endpoint.httptrace.enabled=true
 
 spring.thymeleaf.cache=false

src/main/resources/db/container/V3__id.sql

@@ -1,4 +0,0 @@
-ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
-ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
-ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
-

src/main/resources/lessons/authbypass/html/AuthBypass.html

@@ -4,14 +4,14 @@
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/bypass-intro.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/bypass-intro.adoc"></div>
     </div>
 
     <div class="lesson-page-wrapper">
         <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which go in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/2fa-bypass.adoc}"></div>
+        <div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/2fa-bypass.adoc"></div>
         <div class="attack-container">
             <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
             <!-- using attack-form class on your form, will allow your request to be ajaxified and stay within the display framework for webgoat -->
@@ -72,9 +72,9 @@
         <!-- reuse the above lesson-page-wrapper block for each 'page' of content in your lesson -->
         <!-- include content here, or can be placed in another location. Content will be presented via asciidocs files,
         which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-video.adoc}"></div>-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-video.adoc"></div>-->
         <!-- can use multiple adoc's in a page-wrapper if you want ... or not-->
-        <!--<div class="adoc-content" th:replace="~{doc:lessons/authbypass/documentation/lesson-template-attack.adoc}"></div>-->
+        <!--<div class="adoc-content" th:replace="doc:lessons/authbypass/documentation/lesson-template-attack.adoc"></div>-->
 
         <!-- WebGoat will automatically style and scaffold some functionality by using the div.attack-container as below -->
 

src/main/resources/lessons/bypassrestrictions/html/BypassRestrictions.html

@@ -6,12 +6,12 @@
     <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
     <!-- include content here. Content will be presented via asciidocs files,
     which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_Intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
     <!-- stripped down without extra comments -->
-    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FieldRestrictions.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/bypass-restrictions.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -59,7 +59,7 @@
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/bypassrestrictions/documentation/BypassRestrictions_FrontendValidation.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
 

src/main/resources/lessons/challenges/html/Challenge.html

@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
 </div>
 
 </html>

src/main/resources/lessons/challenges/html/Challenge1.html

@@ -3,7 +3,7 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_introduction.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_introduction.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
     <div class="attack-container">

src/main/resources/lessons/challenges/html/Challenge5.html

@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_5.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_5.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>

src/main/resources/lessons/challenges/html/Challenge6.html

@@ -4,7 +4,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_6.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_6.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge6.css}"/>
     <script th:src="@{/lesson_js/challenge6.js}" language="JavaScript"></script>
     <div class="attack-container">

src/main/resources/lessons/challenges/html/Challenge7.html

@@ -12,7 +12,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_7.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_7.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">

src/main/resources/lessons/challenges/html/Challenge8.html

@@ -3,7 +3,7 @@
 
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/challenges/documentation/Challenge_8.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/challenges/documentation/Challenge_8.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/challenge8.css}"/>
     <script th:src="@{/lesson_js/challenge8.js}" language="JavaScript"></script>
 

src/main/resources/lessons/chromedevtools/html/ChromeDevTools.html

@@ -4,22 +4,22 @@
 
 <!-- 1 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_intro.adoc"></div>
 </div>
 
 <!-- 2 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_elements.adoc"></div>
 </div>
 
 <!-- 3 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_console.adoc"></div>
 </div>
 
 <!-- 4 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"
@@ -35,12 +35,12 @@
 
 <!-- 5 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_sources.adoc"></div>
 </div>
 
 <!-- 6 -->
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/chromedevtools/documentation/ChromeDevTools_Assignment_Network.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <form class="attack-form" accept-charset="UNKNOWN"

src/main/resources/lessons/cia/html/CIA.html

@@ -3,19 +3,19 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_intro.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_intro.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_confidentiality.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_confidentiality.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_integrity.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_integrity.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_availability.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_availability.adoc"></div>
 </div>
 
 <div class="lesson-page-wrapper">
@@ -23,7 +23,7 @@
     <link rel="stylesheet" type="text/css" th:href="@{/css/quiz.css}"/>
     <script th:src="@{/js/quiz.js}" language="JavaScript"></script>
     <link rel="import" type="application/json" th:href="@{/lesson_js/questions.json}"/>
-    <div class="adoc-content" th:replace="~{doc:lessons/cia/documentation/CIA_quiz.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/cia/documentation/CIA_quiz.adoc"></div>
     <div class="attack-container">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
         <div class="container-fluid">

src/main/resources/lessons/clientsidefiltering/html/ClientSideFiltering.html

@@ -2,10 +2,10 @@
 <html xmlns:th="http://www.thymeleaf.org">
 
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_plan.adoc"></div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_assignment.adoc"></div>
 
     <br/>
 
@@ -74,7 +74,7 @@
     </div>
 </div>
 <div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="~{doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc}"></div>
+    <div class="adoc-content" th:replace="doc:lessons/clientsidefiltering/documentation/ClientSideFiltering_final.adoc"></div>
     <link rel="stylesheet" type="text/css" th:href="@{/lesson_css/clientSideFilteringFree.css}"/>
     <script th:src="@{/lesson_js/clientSideFilteringFree.js}" language="JavaScript"></script>
     <div class="attack-container">

src/main/resources/lessons/cryptography/html/Cryptography.html

@@ -18,11 +18,11 @@ $(document).ready(initialise);
 <body>
 	<!-- 1. overview -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/Crypto_plan.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/Crypto_plan.adoc"></div>
 	</div>
 	<!-- 2. encoding -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan.adoc"></div>
 		<!-- 2. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -41,7 +41,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 3. encoding xor -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encoding_plan2.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encoding_plan2.adoc"></div>
 		<!-- 3. assignment xor -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -58,7 +58,7 @@ $(document).ready(initialise);
 
 	<!-- 4. hashing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/hashing_plan.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/hashing_plan.adoc"></div>
 		<!-- 4. weak hashing exercise -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -76,12 +76,12 @@ $(document).ready(initialise);
 	
 	<!-- 5. encryption -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/encryption.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/encryption.adoc"></div>
 	</div>
 
 	<!-- 6. signing -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/signing.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/signing.adoc"></div>
 		<!-- 6. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -101,12 +101,12 @@ $(document).ready(initialise);
 	
 	<!-- 7. keystores -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/keystores.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/keystores.adoc"></div>
 	</div>
 	
 	<!-- 8. security defaults -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/defaults.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/defaults.adoc"></div>
 		<!-- 8. assignment -->
 		<div class="attack-container">
 			<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
@@ -123,7 +123,7 @@ $(document).ready(initialise);
 	</div>
 	<!-- 9. postquantum -->
 	<div class="lesson-page-wrapper">
-		<div class="adoc-content" th:replace="~{doc:lessons/cryptography/documentation/postquantum.adoc}"></div>
+		<div class="adoc-content" th:replace="doc:lessons/cryptography/documentation/postquantum.adoc"></div>
 	</div>
 </body>
 </html>