WIP

The CI pipeline should take care of this.

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/build.yml

@@ -0,0 +1,41 @@
+name: "Build"
+on:
+  push:
+    branches: [ '*' ]
+    tags-ignore:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+        java: [11, 15]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK ${{ matrix.java }}
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ matrix.java }}
+          architecture: x64
+      - name: Cache Maven packages
+        uses: actions/cache@v2.1.4
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+      - name: Build with Maven
+        run: mvn clean install
+
+  notify-slack:
+    if: github.event_name == 'push' && (success() || failure())
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Slack workflow notification"
+        uses: Gamesight/slack-workflow-status@master
+        with:
+          repo_token: ${{secrets.GITHUB_TOKEN}}
+          slack_webhook_url: ${{secrets.SLACK_WEBHOOK_URL}}

.github/workflows/rebase.yml

@@ -0,0 +1,19 @@
+name: "Automatic Rebase"
+on:
+  issue_comment:
+    types: [created]
+jobs:
+  rebase:
+    name: Rebase
+    if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && github.event.comment.author_association == 'MEMBER'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the latest code
+        uses: actions/checkout@v2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
+      - name: Automatic Rebase
+        uses: cirrus-actions/rebase@1.4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,125 @@
+name: "Release Pipeline"
+on:
+  push:
+    tags:
+      - v*
+jobs:
+#  release:
+#    name: Release WebGoat
+#    runs-on: ubuntu-latest
+#    steps:
+#      - uses: actions/checkout@v2
+#
+#      - name: "Get tag name"
+#        id: tag
+#        uses: dawidd6/action-get-tag@v1
+#
+#      - name: Set up JDK 11
+#        uses: actions/setup-java@v1
+#        with:
+#          java-version: 11
+#          architecture: x64
+#
+#      - name: Cache Maven packages
+#        uses: actions/cache@v2.1.4
+#        with:
+#          path: ~/.m2
+#          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+#          restore-keys: ${{ runner.os }}-m2
+#
+#      - name: "Set labels for ${{ github.ref }}"
+#        run: |
+#          echo "WEBGOAT_TAG_VERSION=${{ steps.tag.outputs.tag }}" >> $GITHUB_ENV
+#          WEBGOAT_MAVEN_VERSION=${{ steps.tag.outputs.tag }}
+#          echo "WEBGOAT_MAVEN_VERSION=${WEBGOAT_MAVEN_VERSION:1}" >> $GITHUB_ENV
+#      - name: Build with Maven
+#        run: |
+#          mvn versions:set -DnewVersion=${{ env.WEBGOAT_MAVEN_VERSION }}
+#          mvn clean install -DskipTests
+#
+#      - name: "Create release"
+#        uses: softprops/action-gh-release@v1
+#        with:
+#          draft: false
+#          files: |
+#            webgoat-server/target/webgoat-server-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
+#            webwolf/target/webwolf-${{ env.WEBGOAT_MAVEN_VERSION }}.jar
+#          body: |
+#            ## Version ${{ steps.tag.outputs.tag }}
+#
+#            ### New functionality
+#
+#            - test
+#
+#            ### Bug fixes
+#
+#            - [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
+#
+#
+#            ## Contributors
+#
+#            Special thanks to the following contributors providing us with a pull request:
+#
+#            - Person 1
+#            - Person 2
+#
+#            And everyone who provided feedback through Github.
+#
+#
+#            Team WebGoat
+#        env:
+#          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+#
+#      - name: "Set up QEMU"
+#        uses: docker/setup-qemu-action@v1
+#
+#      - name: "Set up Docker Buildx"
+#        uses: docker/setup-buildx-action@v1
+#
+#      - name: "Login to dockerhub"
+#        uses: docker/login-action@v1
+#        with:
+#          username: ${{ secrets.DOCKERHUB_USERNAME }}
+#          password: ${{ secrets.DOCKERHUB_TOKEN }}
+#
+#      - name: "Build and push"
+#        uses: docker/build-push-action@v2
+#        with:
+#          context: ./docker
+#          file: docker/Dockerfile
+#          push: false #todo enable
+#          platforms: linux/amd64
+#          tags: |
+#            webgoat/goatandwolf:${{ env.WEBGOAT_TAG_VERSION }}
+#            webgoat/goatandwolf:latest
+#          build-args: |
+#            webgoat_version=${{ env.WEBGOAT_MAVEN_VERSION }}
+#
+#      - name: "Image digest"
+#        run: echo ${{ steps.docker_build.outputs.digest }}
+  new_version:
+    name: Update development version
+#    needs: [ release ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: develop
+
+      - name: Set up JDK 11
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11
+          architecture: x64
+
+      - name: Set version to next snapshot
+        run: |
+          mvn build-helper:parse-version versions:set -DnewVersion=\${parsedVersion.majorVersion}.\${parsedVersion.minorVersion}.\${parsedVersion.nextIncrementalVersion}-SNAPSHOT versions:commit
+
+      - name: Commit pom.xml
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          find . -name 'pom.xml' | xargs git add
+          git commit -m "Updating to the new development version"
+          git push

.github/workflows/welcome.yml

@@ -0,0 +1,13 @@
+name: Welcome
+
+on: [pull_request, issues]
+
+jobs:
+  greeting:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/first-interaction@v1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          issue-message: 'Thanks for submitting your first issue, we will have a look as quickly as possible.'
+          pr-message: 'Thanks so much for your contribution, really appreciated! We will have a look and merge it if everything checks out!'

.gitignore

@@ -15,6 +15,7 @@
 /.externalToolBuilders/
 .project
 */target/*
+*.pmd
 mongo-data/*
 .classpath
 .idea/
@@ -50,4 +51,7 @@ webgoat-lessons/vulnerable-components/dependency-reduced-pom.xml
 webgoat.lck
 webgoat.log
 webgoat.properties
-webgoat.script
+webgoat.script
+TestClass.class
+**/*.flattened-pom.xml
+/.gitconfig

.mvn/wrapper/MavenWrapperDownloader.java

@@ -0,0 +1,117 @@
+/*
+ * Copyright 2007-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import java.net.*;
+import java.io.*;
+import java.nio.channels.*;
+import java.util.Properties;
+
+public class MavenWrapperDownloader {
+
+    private static final String WRAPPER_VERSION = "0.5.5";
+    /**
+     * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided.
+     */
+    private static final String DEFAULT_DOWNLOAD_URL = "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/"
+        + WRAPPER_VERSION + "/maven-wrapper-" + WRAPPER_VERSION + ".jar";
+
+    /**
+     * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to
+     * use instead of the default one.
+     */
+    private static final String MAVEN_WRAPPER_PROPERTIES_PATH =
+            ".mvn/wrapper/maven-wrapper.properties";
+
+    /**
+     * Path where the maven-wrapper.jar will be saved to.
+     */
+    private static final String MAVEN_WRAPPER_JAR_PATH =
+            ".mvn/wrapper/maven-wrapper.jar";
+
+    /**
+     * Name of the property which should be used to override the default download url for the wrapper.
+     */
+    private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl";
+
+    public static void main(String args[]) {
+        System.out.println("- Downloader started");
+        File baseDirectory = new File(args[0]);
+        System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath());
+
+        // If the maven-wrapper.properties exists, read it and check if it contains a custom
+        // wrapperUrl parameter.
+        File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
+        String url = DEFAULT_DOWNLOAD_URL;
+        if(mavenWrapperPropertyFile.exists()) {
+            FileInputStream mavenWrapperPropertyFileInputStream = null;
+            try {
+                mavenWrapperPropertyFileInputStream = new FileInputStream(mavenWrapperPropertyFile);
+                Properties mavenWrapperProperties = new Properties();
+                mavenWrapperProperties.load(mavenWrapperPropertyFileInputStream);
+                url = mavenWrapperProperties.getProperty(PROPERTY_NAME_WRAPPER_URL, url);
+            } catch (IOException e) {
+                System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'");
+            } finally {
+                try {
+                    if(mavenWrapperPropertyFileInputStream != null) {
+                        mavenWrapperPropertyFileInputStream.close();
+                    }
+                } catch (IOException e) {
+                    // Ignore ...
+                }
+            }
+        }
+        System.out.println("- Downloading from: " + url);
+
+        File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH);
+        if(!outputFile.getParentFile().exists()) {
+            if(!outputFile.getParentFile().mkdirs()) {
+                System.out.println(
+                        "- ERROR creating output directory '" + outputFile.getParentFile().getAbsolutePath() + "'");
+            }
+        }
+        System.out.println("- Downloading to: " + outputFile.getAbsolutePath());
+        try {
+            downloadFileFromURL(url, outputFile);
+            System.out.println("Done");
+            System.exit(0);
+        } catch (Throwable e) {
+            System.out.println("- Error downloading");
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
+
+    private static void downloadFileFromURL(String urlString, File destination) throws Exception {
+        if (System.getenv("MVNW_USERNAME") != null && System.getenv("MVNW_PASSWORD") != null) {
+            String username = System.getenv("MVNW_USERNAME");
+            char[] password = System.getenv("MVNW_PASSWORD").toCharArray();
+            Authenticator.setDefault(new Authenticator() {
+                @Override
+                protected PasswordAuthentication getPasswordAuthentication() {
+                    return new PasswordAuthentication(username, password);
+                }
+            });
+        }
+        URL website = new URL(urlString);
+        ReadableByteChannel rbc;
+        rbc = Channels.newChannel(website.openStream());
+        FileOutputStream fos = new FileOutputStream(destination);
+        fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE);
+        fos.close();
+        rbc.close();
+    }
+
+}

.mvn/wrapper/maven-wrapper.properties

@@ -1 +1,2 @@
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.5.4/apache-maven-3.5.4-bin.zip
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.2.5/apache-maven-3.2.5-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar

.travis.yml

@@ -1,47 +0,0 @@
-services:
-  - docker
-language: java
-jdk:
-- openjdk11
-install: "/bin/true"
-script:
-- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
-- echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH"
-- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1}; fi
-- mvn clean install -q
-cache:
-  directories:
-  - "$HOME/.m2"
-before_deploy:
-  - export WEBGOAT_SERVER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-server/target
-  - export WEBWOLF_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webwolf/target
-  - export WEBGOAT_ARTIFACTS_FOLDER=$HOME/build/$TRAVIS_REPO_SLUG/Deployable_Artifacts/
-  - mkdir -p $WEBGOAT_ARTIFACTS_FOLDER
-  - cp -fa $WEBGOAT_SERVER_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
-  - cp -fa $WEBWOLF_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
-  - echo "Contents of artifacts folder:"
-  - ls $WEBGOAT_ARTIFACTS_FOLDER
-deploy:
-  - provider: script
-    skip_cleanup: true
-    script: bash scripts/deploy-webgoat.sh
-    on:
-      repo: WebGoat/WebGoat
-      tags: true
-  - provider: releases
-    skip_cleanup: true
-    overwrite: true
-    api_key:
-      #api-key from webgoat-github user
-      secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
-    file_glob: true
-    file: $WEBGOAT_ARTIFACTS_FOLDER/*
-    on:
-      repo: WebGoat/WebGoat
-      tags: true
-env:
-  global:
-  #Docker login
-  - secure: XgPc0UKRTUI70I4YWNQpThPPWeQIxkmzh1GNoR/SSDC2GPIBq3EfkkbSQewqil8stTy+S1/xSzc0JXG8NTn7UOxHVHA/2nhI6jX9E+DKtXQ89YwmaDNQjkbMjziAtDCIex+5TRykxNfkxj6VPYbDssrzI7iJXOIZVj/HoyO3O5E=
-  #Docker password
-  - secure: aly5TKBUK9sIiqtMbytNNPZHQhC0a7Yond5tEtuJ8fO+j/KZB4Uro3I6BhzYjGWFb5Kndd0j2TXHPFvtOl402J1CmFsY3v0BhilQd0g6zOssp5T0A73m8Jgq4ItV8wQJJy2bQsXqL1B+uFYieYPiMchj7JxWW0vBn7TV5b68l6U=

COPYRIGHT.txt

@@ -0,0 +1,19 @@
+This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+
+Copyright (c) 2002 - $today.year Bruce Mayhew
+
+This program is free software; you can redistribute it and/or modify it under the terms of the
+GNU General Public License as published by the Free Software Foundation; either version 2 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program; if
+not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307, USA.
+
+Getting Source ==============
+
+Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.

CREATE_RELEASE.MD

@@ -5,7 +5,11 @@
 
 For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging
  and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use 
- `v8.0.0` and 8.0.0 in the `pom.xml`
+ `v8.0.0` in the `pom.xml`
+ 
+### Release notes:
+Update the release notes with the correct version. Use `git shortlog -s -n --since "SEP 31 2019"` for the list of 
+committers.
 
 At the moment we use Gitflow, for a release you create a new release branch and take the following steps:
 
@@ -15,6 +19,10 @@ git flow release start <version>
 mvn versions:set <<version>  
 git commit -am "New release, updating pom.xml" 
 git flow release publish
+
+<<Make changes if necessary>>
+
+git flow release finish <version>
 git push origin develop
 git push origin master
 git push --tags

LICENSE.txt

@@ -0,0 +1,19 @@
+This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+
+Copyright (c) 2002 - 2019 Bruce Mayhew
+
+This program is free software; you can redistribute it and/or modify it under the terms of the
+GNU General Public License as published by the Free Software Foundation; either version 2 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program; if
+not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307, USA.
+
+Getting Source ==============
+
+Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.

README.MD

@@ -3,9 +3,9 @@
 [![Build Status](https://travis-ci.org/WebGoat/WebGoat.svg?branch=develop)](https://travis-ci.org/WebGoat/WebGoat)
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
-[![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
-[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects) 
-[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest) 
+[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
+[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
+[![Gitter](https://badges.gitter.im/OWASPWebGoat/community.svg)](https://gitter.im/OWASPWebGoat/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 
 # Introduction
 
@@ -27,42 +27,70 @@ you are caught engaging in unauthorized hacking, most companies will fire you.
 Claiming that you were doing security research will not work as that is the
 first thing that all hackers claim.*
 
-# Run Instructions:
+# Installation Instructions:
 
-## 1. Standalone 
-
-Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
-
-```Shell
-java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
-```
-
-By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
-can bind it to a different address (default localhost)
-
-If you use Java 9 or higher you need to run WebGoat as follows:
-
-```Shell
-java --add-modules java.xml.bind -jar webgoat-server-8.0.0.VERSION.jar
-```
-
-## 2. Run using Docker
+## 1. Run using Docker
 
 Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
 
-### Using docker-compose
+### Using docker run
 
-The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml) 
-from our Github repository. This will start both containers and it also takes care of setting up the
-connection between WebGoat and WebWolf.
+The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
 
 ```shell
-curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
+docker run -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
 ```
 
+WebGoat will be located at: http://127.0.0.1:8080/WebGoat
+WebWolf will be located at: http://127.0.0.1:9090/WebWolf
+
+**Important**: Choose the correct timezone, so that the docker container and your host are in the same timezone. As it important for the validity of JWT tokens used in certain exercises.
+
+### Using docker stack deploy
+
+Another way to deply WebGoat and WebWolf in a more advanced way is to use a compose-file in a docker stack deploy.
+You can define which containers should run in which combinations and define all of this in a yaml file.
+An example of such a file is: [goat-with-reverseproxy.yaml](goat-with-reverseproxy.yaml)
+
+This sets up an nginx webserver as reverse proxy to WebGoat and WebWolf. You can change the timezone by adjusting the value in the yaml file.
+
+```shell
+docker stack init
+docker stack deploy --compose-file goat-with-reverseproxy.yaml webgoatdemo
+```
+
+Add the following entries in your local hosts file:
+
+```shell
+127.0.0.1 www.webgoat.local www.webwolf.localhost
+```
+
+You can use the overall start page: http://www.webgoat.local or:
+
+WebGoat will be located at: http://www.webgoat.local/WebGoat
+
+WebWolf will be located at: http://www.webwolf.local/WebWolf
+
 **Important**: the current directory on your host will be mapped into the container for keeping state.
 
-Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running.
+## 2. Standalone
+
+Download the latest WebGoat and WebWolf release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
+
+```Shell
+java -jar webgoat-server-8.1.0.jar [--server.port=8080] [--server.address=localhost]
+java -jar webwolf-8.1.0.jar [--server.port=9090] [--server.address=localhost]
+```
+
+The latest version of WebGoat needs Java 11 or above. By default WebGoat and WebWolf start on port 8080,9000 and 9090 with the environment variable WEBGOAT_PORT, WEBWOLF_PORT and WEBGOAT_HSQLPORT you can set different values.
+```Shell
+export WEBGOAT_PORT=18080
+export WEBGOAT_HSQLPORT=19001
+export WEBWOLF_PORT=19090
+java -jar webgoat-server-8.1.0.jar
+java -jar webwolf-8.1.0.jar 
+```
+Use set in stead of export on Windows cmd. 
 
 
 ## 3. Run from the sources
@@ -102,58 +130,17 @@ To change IP address add the following variable to WebGoat/webgoat-container/src
 server.address=x.x.x.x
 ```
 
-# Vagrant
+## 4. Run with custom menu
 
-We supply a complete environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
-
-```shell
-   $ cd WebGoat/webgoat-images/vagrant-training
-   $ vagrant up
-```
-
-Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant.
-WebGoat and WebWolf will automatically start when you login to this image.
-
-
-# Building a new Docker image
-
-NOTE: Travis will create a new Docker image automatically when making a new release.
-
-WebGoat now has Docker support for x86 and ARM (raspberry pi).
-### Docker on x86
-On x86 you can build a container with the following commands:
+For specialist only. There is a way to set up WebGoat with a personalized menu. You can leave out some menu categories or individual lessons by setting environment variables.
 
+For instance running as a jar on a Linux/MacOS it will look like:
 ```Shell
-cd WebGoat/
-mvn install
-cd webgoat-server
-docker build -t webgoat/webgoat-8.0 .
-docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
-docker login
-docker push webgoat/webgoat-8.0
+export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
+export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
+java -jar webgoat-server/target/webgoat-server-v8.2.0-SNAPSHOT.jar
 ```
-
-### Docker on ARM (Raspberry Pi)
-On a Raspberry Pi (it has yet been tested with a Raspberry Pi 3 and the hypriot Docker image) you need to build JFFI for
-ARM first. This is needed by the docker-maven-plugin ([see here](https://github.com/spotify/docker-maven-plugin/issues/233)):
-
+Or in a docker run it would (once this version is pushed into docker hub) look like:
 ```Shell
-sudo apt-get install build-essential
-git clone https://github.com/jnr/jffi.git
-cd jffi
-ant jar
-cd build/jni
-sudo cp libjffi-1.2.so /usr/lib
-```
-
-When you have done this you can build the Docker container using the following commands:
-
-```Shell
-cd WebGoat/
-mvn install
-cd webgoat-server
-mvn docker:build -Drpi=true
-docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
-docker login
-docker push webgoat/webgoat-8.0
+docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam -e EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE" -e EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations" webgoat/goatandwolf
 ```

RELEASE_NOTES.md

@@ -0,0 +1,50 @@
+# WebGoat release notes 
+
+## Version 8.1.0
+
+### New functionality
+
+- Added new lessons for cryptography and path-traversal
+- Extra content added to the XXE lesson
+- Explanation of the assignments will be part of WebGoat, in this release we added detailed descriptions on how to solve the XXE lesson. In the upcoming releases new explanations will be added. If you want to contribute please create a pull request on Github.
+- Docker improvements + docker stack for complete container with nginx 
+- Included JWT token decoding and generation, since jwt.io does not support None anymore 
+
+### Bug fixes
+
+- [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
+- [#811 -  Flag submission fails](https://github.com/WebGoat/WebGoat/issues/811)
+- [#810 - Scoreboard for challenges shows csrf users](https://github.com/WebGoat/WebGoat/issues/810)
+- [#788 - strange copy in constructor](https://github.com/WebGoat/WebGoat/issues/788) 
+- [#760 - Execution of standalone jar fails (Flyway migration step](https://github.com/WebGoat/WebGoat/issues/760)
+- [#766 - Unclear objective of vulnerable components practical assignment](https://github.com/WebGoat/WebGoat/issues/766)
+- [#708 - Seems like the home directory of WebGoat always use @project.version@](https://github.com/WebGoat/WebGoat/issues/708)
+- [#719 - WebGoat: 'Contact Us' email link in header is not correctly set](https://github.com/WebGoat/WebGoat/issues/719)
+ - [#715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful](https://github.com/WebGoat/WebGoat/issues/715)
+ - [#725 - Vulnerable Components lesson 12 broken due to too new dependency](https://github.com/WebGoat/WebGoat/issues/725)
+ - [#716 -  On M26 @project.version@ is not "interpreted" #7](https://github.com/WebGoat/WebGoat/issues/716)
+ - [#721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page](https://github.com/WebGoat/WebGoat/issues/721)
+ - [#724 - Dead link in VulnerableComponents lesson 11](https://github.com/WebGoat/WebGoat/issues/724)
+ 
+ ## Contributors
+ 
+Special thanks to the following contributors providing us with a pull request:
+
+- Satoshi SAKAO
+- Philippe Lafoucrière
+- Cotonne
+- Tiago Mussi
+- thegoodcrumpets
+- Atharva Vaidya
+- torleif
+- August Detlefsen
+- Choe Hyeong Jin
+
+And everyone who provided feedback through Github.
+
+
+Team WebGoat
+
+
+
+

config/checkstyle/checkstyle.xml

@@ -0,0 +1,259 @@
+<?xml version="1.0"?>
+<!DOCTYPE module PUBLIC
+        "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
+        "http://checkstyle.sourceforge.net/dtds/configuration_1_3.dtd">
+
+<!--
+    Checkstyle configuration that checks the Google coding conventions from Google Java Style
+    that can be found at https://google.github.io/styleguide/javaguide.html.
+
+    Checkstyle is very configurable. Be sure to read the documentation at
+    http://checkstyle.sf.net (or in your downloaded distribution).
+
+    To completely disable a check, just comment it out or delete it from the file.
+
+    Authors: Max Vetrenko, Ruslan Diachenko, Roman Ivanov.
+ -->
+
+<module name="Checker">
+    <property name="charset" value="UTF-8"/>
+
+    <property name="severity" value="error"/>
+
+    <property name="fileExtensions" value="java, properties, xml"/>
+    <!-- Checks for whitespace                               -->
+    <!-- See http://checkstyle.sf.net/config_whitespace.html -->
+
+    <module name="SuppressionFilter">
+        <property name="file" value="${suppressionsLocation}" default="target/checkstyle-suppressions.xml"/>
+    </module>
+    <module name="TreeWalker">
+        <module name="com.puppycrawl.tools.checkstyle.checks.regexp.RegexpSinglelineJavaCheck">
+            <property name="maximum" value="0"/>
+            <property name="format" value="org\.junit\.Assert\.assert"/>
+            <property name="message"
+                      value="Please use AssertJ imports."/>
+            <property name="ignoreComments" value="true"/>
+        </module>
+        <module
+                name="com.puppycrawl.tools.checkstyle.checks.imports.IllegalImportCheck">
+            <property name="regexp" value="true"/>
+            <property name="illegalPkgs"
+                      value="^sun.*, ^org\.apache\.commons\.(?!compress|dbcp2|lang|lang3|logging|io|pool2).*, ^org\.flywaydb\.core\.internal.*, ^org\.testcontainers\.shaded.*"/>
+            <property name="illegalClasses"
+                      value="^com\.hazelcast\.util\.Base64, ^org\.junit\.rules\.ExpectedException, ^org\.slf4j\.LoggerFactory, ^reactor\.core\.support\.Assert, ^com\.google\.common\.collect\.Maps, ^com\.google\.common\.collect\.Sets, ^com\.google\.common\.collect\.Lists"/>
+        </module>
+        <module
+                name="com.puppycrawl.tools.checkstyle.checks.regexp.RegexpSinglelineJavaCheck">
+            <property name="maximum" value="0"/>
+            <property name="format"
+                      value="assertThatExceptionOfType\((NullPointerException|IllegalArgumentException|IOException|IllegalStateException)\.class\)"/>
+            <property name="message"
+                      value="Please use specialized AssertJ assertThat*Exception method."/>
+            <property name="ignoreComments" value="true"/>
+        </module>
+        <module
+                name="com.puppycrawl.tools.checkstyle.checks.regexp.RegexpSinglelineJavaCheck">
+            <property name="maximum" value="0"/>
+            <property name="format"
+                      value="@SneakyThrows"/>
+            <property name="message"
+                      value="Please use a unchecked exceptions instead of @SneakyThrows gives compiler warnings"/>
+            <property name="ignoreComments" value="true"/>
+        </module>
+        <module name="OuterTypeFilename"/>
+        <module name="IllegalTokenText">
+            <property name="tokens" value="STRING_LITERAL, CHAR_LITERAL"/>
+            <property name="format"
+                      value="\\u00(09|0(a|A)|0(c|C)|0(d|D)|22|27|5(C|c))|\\(0(10|11|12|14|15|42|47)|134)"/>
+            <property name="message"
+                      value="Consider using special escape sequence instead of octal value or Unicode escaped value."/>
+        </module>
+        <module name="AvoidEscapedUnicodeCharacters">
+            <property name="allowEscapesForControlCharacters" value="true"/>
+            <property name="allowByTailComment" value="true"/>
+            <property name="allowNonPrintableEscapes" value="true"/>
+        </module>
+        <module name="OneTopLevelClass">
+            <property name="severity" value="warning"/>
+        </module>
+        <module name="NoLineWrap"/>
+        <module name="EmptyBlock">
+            <property name="option" value="TEXT"/>
+            <property name="tokens" value="LITERAL_TRY, LITERAL_FINALLY, LITERAL_IF, LITERAL_ELSE, LITERAL_SWITCH"/>
+        </module>
+        <module name="WhitespaceAround">
+            <property name="allowEmptyConstructors" value="true"/>
+            <property name="allowEmptyMethods" value="true"/>
+            <property name="allowEmptyTypes" value="true"/>
+            <property name="allowEmptyLoops" value="true"/>
+            <message key="ws.notFollowed"
+                     value="WhitespaceAround: ''{0}'' is not followed by whitespace. Empty blocks may only be represented as '{}' when not part of a multi-block statement (4.1.3)"/>
+            <message key="ws.notPreceded"
+                     value="WhitespaceAround: ''{0}'' is not preceded with whitespace."/>
+        </module>
+        <module name="OneStatementPerLine"/>
+        <module name="MultipleVariableDeclarations"/>
+        <module name="ArrayTypeStyle"/>
+        <module name="MissingSwitchDefault"/>
+        <module name="FallThrough"/>
+        <module name="UpperEll"/>
+        <module name="ModifierOrder"/>
+        <module name="EmptyLineSeparator">
+            <property name="allowNoEmptyLineBetweenFields" value="true"/>
+        </module>
+        <module name="SeparatorWrap">
+            <property name="id" value="SeparatorWrapDot"/>
+            <property name="tokens" value="DOT"/>
+            <property name="option" value="nl"/>
+        </module>
+        <module name="SeparatorWrap">
+            <property name="id" value="SeparatorWrapComma"/>
+            <property name="tokens" value="COMMA"/>
+            <property name="option" value="EOL"/>
+        </module>
+        <module name="SeparatorWrap">
+            <!-- ELLIPSIS is EOL until https://github.com/google/styleguide/issues/258 -->
+            <property name="id" value="SeparatorWrapEllipsis"/>
+            <property name="tokens" value="ELLIPSIS"/>
+            <property name="option" value="EOL"/>
+        </module>
+        <module name="SeparatorWrap">
+            <!-- ARRAY_DECLARATOR is EOL until https://github.com/google/styleguide/issues/259 -->
+            <property name="id" value="SeparatorWrapArrayDeclarator"/>
+            <property name="tokens" value="ARRAY_DECLARATOR"/>
+            <property name="option" value="EOL"/>
+        </module>
+        <module name="SeparatorWrap">
+            <property name="id" value="SeparatorWrapMethodRef"/>
+            <property name="tokens" value="METHOD_REF"/>
+            <property name="option" value="nl"/>
+        </module>
+        <module name="PackageName">
+            <property name="format" value="^[a-z]+(\.[a-z_][a-z0-9_]*)*$"/>
+            <message key="name.invalidPattern"
+                     value="Package name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="TypeName">
+            <message key="name.invalidPattern"
+                     value="Type name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="MemberName">
+            <property name="format" value="^[a-z][a-z0-9][a-zA-Z0-9]*$"/>
+            <message key="name.invalidPattern"
+                     value="Member name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="ParameterName">
+            <property name="format" value="^[a-z]([a-z0-9][a-zA-Z0-9_]*)?$"/>
+            <message key="name.invalidPattern"
+                     value="Parameter name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="CatchParameterName">
+            <property name="format" value="^[a-z]([a-z0-9][a-zA-Z0-9]*)?$"/>
+            <message key="name.invalidPattern"
+                     value="Catch parameter name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="LocalVariableName">
+            <property name="tokens" value="VARIABLE_DEF"/>
+            <property name="format" value="^[a-z]([a-z0-9][a-zA-Z0-9]*)?$"/>
+            <message key="name.invalidPattern"
+                     value="Local variable name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="ClassTypeParameterName">
+            <property name="format" value="(^[A-Z][0-9]?)$|([A-Z][a-zA-Z0-9]*[T]$)"/>
+            <message key="name.invalidPattern"
+                     value="Class type name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="MethodTypeParameterName">
+            <property name="format" value="(^[A-Z][0-9]?)$|([A-Z][a-zA-Z0-9]*[T]$)"/>
+            <message key="name.invalidPattern"
+                     value="Method type name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="InterfaceTypeParameterName">
+            <property name="format" value="(^[A-Z][0-9]?)$|([A-Z][a-zA-Z0-9]*[T]$)"/>
+            <message key="name.invalidPattern"
+                     value="Interface type name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="NoFinalizer"/>
+        <module name="GenericWhitespace">
+            <message key="ws.followed"
+                     value="GenericWhitespace ''{0}'' is followed by whitespace."/>
+            <message key="ws.preceded"
+                     value="GenericWhitespace ''{0}'' is preceded with whitespace."/>
+            <message key="ws.illegalFollow"
+                     value="GenericWhitespace ''{0}'' should followed by whitespace."/>
+            <message key="ws.notPreceded"
+                     value="GenericWhitespace ''{0}'' is not preceded with whitespace."/>
+        </module>
+        <module name="AbbreviationAsWordInName">
+            <property name="ignoreFinal" value="false"/>
+            <property name="allowedAbbreviationLength" value="4"/>
+            <property name="severity" value="warning"/>
+        </module>
+        <module name="OverloadMethodsDeclarationOrder"/>
+        <module name="VariableDeclarationUsageDistance"/>
+        <module name="CustomImportOrder">
+            <property name="sortImportsInGroupAlphabetically" value="false"/>
+            <property name="separateLineBetweenGroups" value="true"/>
+            <property name="customImportOrderRules" value="THIRD_PARTY_PACKAGE###STATIC"/>
+        </module>
+        <module name="MethodParamPad"/>
+        <module name="NoWhitespaceBefore">
+            <property name="tokens" value="COMMA, SEMI, POST_INC, POST_DEC, DOT, ELLIPSIS, METHOD_REF"/>
+            <property name="allowLineBreaks" value="true"/>
+        </module>
+        <module name="ParenPad"/>
+        <module name="OperatorWrap">
+            <property name="option" value="NL"/>
+            <property name="tokens"
+                      value="BAND, BOR, BSR, BXOR, DIV, EQUAL, GE, GT, LAND, LE, LITERAL_INSTANCEOF, LOR, LT, MINUS, MOD, NOT_EQUAL, PLUS, QUESTION, SL, SR, STAR, METHOD_REF "/>
+        </module>
+        <module name="AnnotationLocation">
+            <property name="id" value="AnnotationLocationMostCases"/>
+            <property name="tokens" value="CLASS_DEF, INTERFACE_DEF, ENUM_DEF, METHOD_DEF, CTOR_DEF"/>
+        </module>
+        <module name="AnnotationLocation">
+            <property name="id" value="AnnotationLocationVariables"/>
+            <property name="tokens" value="VARIABLE_DEF"/>
+            <property name="allowSamelineMultipleAnnotations" value="true"/>
+        </module>
+        <module name="NonEmptyAtclauseDescription"/>
+        <module name="JavadocTagContinuationIndentation"/>
+        <module name="SummaryJavadoc">
+            <property name="forbiddenSummaryFragments"
+                      value="^@return the *|^This method returns |^A [{]@code [a-zA-Z0-9]+[}]( is a )"/>
+            <property name="severity" value="warning"/>
+        </module>
+        <module name="JavadocParagraph">
+            <property name="severity" value="warning"/>
+        </module>
+        <module name="AtclauseOrder">
+            <property name="tagOrder" value="@param, @return, @throws, @deprecated"/>
+            <property name="target" value="CLASS_DEF, INTERFACE_DEF, ENUM_DEF, METHOD_DEF, CTOR_DEF, VARIABLE_DEF"/>
+            <property name="severity" value="warning"/>
+        </module>
+        <module name="JavadocMethod">
+            <property name="tokens" value="CLASS_DEF,INTERFACE_DEF,ENUM_DEF,METHOD_DEF,ANNOTATION_FIELD_DEF"/>
+            <property name="scope" value="public"/>
+            <property name="allowMissingParamTags" value="true"/>
+            <property name="allowMissingThrowsTags" value="true"/>
+            <property name="allowMissingReturnTag" value="true"/>
+            <property name="minLineCount" value="2"/>
+            <property name="allowedAnnotations" value="Override, Test"/>
+            <property name="allowThrowsTagsForSubclasses" value="true"/>
+            <property name="severity" value="warning"/>
+        </module>
+        <module name="MethodName">
+            <property name="format" value="^[a-z][a-z0-9][a-zA-Z0-9_]*$"/>
+            <message key="name.invalidPattern"
+                     value="Method name ''{0}'' must match pattern ''{1}''."/>
+        </module>
+        <module name="SingleLineJavadoc">
+            <property name="ignoreInlineTags" value="false"/>
+        </module>
+        <module name="EmptyCatchBlock">
+            <property name="exceptionVariableName" value="expected"/>
+        </module>
+        <module name="CommentsIndentation"/>
+    </module>
+</module>

config/checkstyle/suppressions.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<!DOCTYPE suppressions PUBLIC
+        "-//Checkstyle//DTD SuppressionFilter Configuration 1.2//EN"
+        "https://checkstyle.org/dtds/suppressions_1_2.dtd">
+<suppressions>
+    <suppress files="MD5.java" checks="[a-zA-Z0-9]*" />
+    <suppress files="VulnerableComponentsLesson.java" checks="[a-zA-Z0-9]*" />
+    <suppress files="ContentTypeAssignment.java" checks="IllegalImportCheck" />
+    <suppress files="SimpleXXE.java" checks="IllegalImportCheck" />
+    <suppress files="HtmlTamperingTask.java" checks="ParameterName" />
+</suppressions>

config/dependency-check/project-suppression.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on spring framework.
+        ]]></notes>
+        <cpe>cpe:/a:pivotal_software:spring_framework</cpe>
+        <cve>CVE-2020-5398</cve>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on spring framework.
+        ]]></notes>
+        <cpe>cpe:/a:redhat:undertow</cpe>
+        <cve>CVE-2019-14888</cve>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on spring framework.
+        ]]></notes>
+        <cpe>cpe:/a:pivotal_software:spring_security</cpe>
+        <cve>CVE-2018-1258</cve>
+    </suppress>
+    <suppress base="true">
+        <cpe>cpe:/a:jruby:jruby</cpe>
+        <cve>CVE-2018-1000613</cve>
+        <cve>CVE-2018-1000180</cve>
+        <cve>CVE-2017-18640</cve>
+        <cve>CVE-2011-4838</cve>
+    </suppress>
+    <suppress base="true"><!-- vulnerable components lesson -->
+        <cpe>cpe:/a:xstream_project:xstream</cpe>
+        <cve>CVE-2017-7957</cve>
+        <cve>CVE-2016-3674</cve>
+        <cve>CVE-2020-26217</cve>
+        <cve>CVE-2020-26258</cve>
+    </suppress>
+    <suppress base="true"><!-- webgoat-server -->
+        <cpe>cpe:/a:postgresql:postgresql</cpe>
+        <cve>CVE-2018-10936</cve>
+    </suppress>
+</suppressions>

docker-compose-postgres.yml

@@ -7,11 +7,11 @@ services:
     environment:
       - WEBWOLF_HOST=webwolf
       - WEBWOLF_PORT=9090
-      - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
+      - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat?user=webgoat&password=webgoat
       - spring.datasource.username=webgoat
       - spring.datasource.password=webgoat
       - spring.datasource.driver-class-name=org.postgresql.Driver
-      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL10Dialect
       - webgoat.server.directory=/home/webgoat/.webgoat/
       - webgoat.user.directory=/home/webgoat/.webgoat/
     ports:
@@ -19,15 +19,15 @@ services:
   webwolf:
     image: webgoat/webwolf
     environment:
-      - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
+      - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat?user=webgoat&password=webgoat
       - spring.datasource.username=webgoat
       - spring.datasource.password=webgoat
       - spring.datasource.driver-class-name=org.postgresql.Driver
-      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL10Dialect
     ports:
       - "9090:9090"
   webgoat_db:
-    image: postgres:9.4
+    image: postgres:10.12
 # Uncomment to store the state of the database on the host.
 #    volumes:
 #      - ./database:/var/lib/postgresql

docker-compose.yml

@@ -1,4 +1,4 @@
-version: '2.1'
+version: '3'
 
 services:
   webgoat:
@@ -6,13 +6,17 @@ services:
     environment:
       - WEBWOLF_HOST=webwolf
       - WEBWOLF_PORT=9090
+      - TZ=Europe/Amsterdam
     ports:
       - "8080:8080"
       - "9001:9001"
     volumes:
       - .:/home/webgoat/.webgoat
+    working_dir: /home/webgoat
   webwolf:
     image: webgoat/webwolf
     ports:
       - "9090:9090"
-    command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
+    command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
+    depends_on:
+            - webgoat

docker/.gitignore

@@ -0,0 +1 @@
+*.jar

docker/Dockerfile

@@ -0,0 +1,32 @@
+FROM openjdk:11.0.1-jre-slim-stretch
+
+ARG webgoat_version=v8.2.0-SNAPSHOT
+ENV webgoat_version_env=${webgoat_version}
+
+RUN apt-get update && apt-get install 
+RUN useradd --home-dir /home/webgoat --create-home -U webgoat
+RUN cd /home/webgoat/; 
+RUN chgrp -R 0 /home/webgoat
+RUN chmod -R g=u /home/webgoat
+RUN apt-get -y install apt-utils nginx
+
+USER webgoat
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY index.html /usr/share/nginx/html/
+COPY webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
+COPY webwolf-${webgoat_version}.jar /home/webgoat/webwolf.jar
+COPY start.sh /home/webgoat
+
+EXPOSE 8080
+EXPOSE 9090
+
+ENV WEBGOAT_PORT 8080
+ENV WEBGOAT_SSLENABLED false
+
+ENV GOATURL https://127.0.0.1:$WEBGOAT_PORT
+ENV WOLFURL http://127.0.0.1:9090
+
+
+WORKDIR /home/webgoat
+ENTRYPOINT /bin/bash /home/webgoat/start.sh $webgoat_version_env

docker/Readme.md

@@ -0,0 +1,9 @@
+# Docker all-in-one image
+
+## Docker build
+
+	docker build --no-cache --build-arg webgoat_version=v8.2.0-SNAPSHOT -t webgoat/goatandwolf:latest .
+	
+## Docker run
+	
+	docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest

docker/index.html

@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <h1>OWASP WebGoat Training tools</h1>
+    <p>
+      Use the following links to access the WebGoat and WebWolf applications.
+      Register a user using WebGoat. The same user can access WebWolf.
+    </p>
+	
+	<h2>Use without special host name entries</h2>
+	
+	<table>
+	<tr>
+		<td>WebGoat URL</td>
+		<td><a href="http://127.0.0.1:8080/WebGoat" target="_blank">http://127.0.0.1:8080/WebGoat</a></td>
+	</tr>
+	<tr>
+		<td>WebWolf URL</td>
+		<td><a href="http://127.0.0.1:9090/WebWolf" target="_blank">http://127.0.0.1:9090/WebWolf</a></td>
+	</tr>
+	<table>
+	
+	<h2>Use with www.webgoat.local and www.webwolf.local</h2>
+	<p>
+      Add the following entries to your local <b><i>hosts</i></b> file on Windows (c:\Windows\System32\drivers\etc\hosts) or Linux (/etc/hosts)
+	  
+<pre>
+127.0.0.1 www.webgoat.local www.webwolf.local
+</pre>
+	Then use the following URL's:
+    </p>
+	<table>
+	<tr>
+		<td>WebGoat URL</td>
+		<td><a href="http://www.webgoat.local/WebGoat" target="_blank">http://www.webgoat.local/WebGoat</a></td>
+	</tr>
+	<tr>
+		<td>WebWolf URL</td>
+		<td><a href="http://www.webwolf.local/WebWolf" target="_blank">http://www.webwolf.local/WebWolf</a></td>
+	</tr>
+	<table>
+  </body>
+</html>

docker/nginx.conf

@@ -0,0 +1,140 @@
+error_log /tmp/error.log;
+pid /tmp/nginx.pid;
+
+worker_processes 1;
+
+events { worker_connections 1024; }
+
+http {
+
+	client_body_temp_path /tmp/client_body;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	proxy_temp_path /tmp/proxy_temp;
+	scgi_temp_path /tmp/scgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+
+    sendfile on;
+
+    upstream docker-webgoat {
+        server 127.0.0.1:8080;
+    }
+
+    upstream docker-webwolf {
+        server 127.0.0.1:9090;
+    }
+
+    proxy_set_header   Host $host;
+    proxy_set_header   X-Real-IP $remote_addr;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   X-Forwarded-Host $server_name;
+
+    server {
+        listen 8888;
+        server_name        www.webgoat.local;
+		
+		root /var/www;
+ 
+		access_log /tmp/goataccess.log;
+		error_log /tmp/goaterror.log;
+
+        location ~* \.(png|jpg|jpeg|gif|ico|woff|otf|ttf|mvc|svg|txt|pdf|docx?|xlsx?)$ {
+            access_log         off;
+            proxy_pass         http://docker-webgoat;
+            proxy_redirect     off;
+        }
+
+        location / {
+            root              /usr/share/nginx/html;
+            index             index.html;
+            add_header        Cache-Control no-cache;
+            expires           0;
+        }
+
+        location /WebGoat {
+            proxy_pass         http://docker-webgoat;
+            proxy_redirect     off;
+        }
+
+    }
+
+    server {
+        listen 8888;
+        server_name        www.webwolf.local;
+		
+		root /var/www;
+ 
+		access_log /tmp/wolfaccess.log;
+		error_log /tmp/wolferror.log;
+
+        location /WebGoat/PasswordReset/ForgotPassword/create-password-reset-link {
+            proxy_pass         http://docker-webgoat;
+            proxy_redirect     off;
+        }
+
+        location /PasswordReset/reset/reset-password {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /files {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /tmpdir {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /webjars {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /css {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /login {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /images {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /mail {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /upload {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /js {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /landing {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /logout {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+        location /WebWolf {
+            proxy_pass         http://docker-webwolf;
+            proxy_redirect     off;
+        }
+
+    }
+}

docker/pom.xml

@@ -0,0 +1,40 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>webgoat-all-in-one-docker</artifactId>
+    <packaging>jar</packaging>
+    <parent>
+        <groupId>org.owasp.webgoat</groupId>
+        <artifactId>webgoat-parent</artifactId>
+        <version>8.2.0-SNAPSHOT</version>
+    </parent>
+
+    <dependencies>
+       
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-antrun-plugin</artifactId>
+            <version>1.8</version>
+            <executions>
+                <execution>
+                    <phase>install</phase>
+                    <configuration>
+                        <target>
+                            <copy file="../webgoat-server/target/webgoat-server-${project.version}.jar" tofile="webgoat-server-${project.version}.jar"/>
+							<copy file="../webwolf/target/webwolf-${project.version}.jar" tofile="webwolf-${project.version}.jar"/>
+                        </target>
+                    </configuration>
+                    <goals>
+                        <goal>run</goal>
+                    </goals>
+                </execution>
+            </executions>
+			</plugin>
+        </plugins>
+    </build>
+
+</project>

docker/start.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+cd /home/webgoat 
+service nginx start
+sleep 1
+java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webgoat.jar --webgoat.build.version=$1 --server.address=0.0.0.0  > webgoat.log &
+
+sleep 10
+ 
+java -Duser.home=/home/webgoat -Dfile.encoding=UTF-8 -jar webwolf.jar --webgoat.build.version=$1 --server.address=0.0.0.0 > webwolf.log &
+
+tail -300f webgoat.log

docs/README.md

@@ -0,0 +1,5 @@
+# WebGoat landing page
+
+Old Github page which now redirects to OWASP website.
+
+

docs/index.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="refresh" content="0;url=https://owasp.org/www-project-webgoat/" />
+  <link rel="canonical" href="https://owasp.org/www-project-webgoat/" />
+</head>
+<body>
+<h1>
+  The page been moved to <a href="https://owasp.org/www-project-webgoat/">https://owasp.org/www-project-webgoat/</a>
+</h1>
+</body>
+</html>

goat-with-reverseproxy.yaml

@@ -0,0 +1,43 @@
+version: '3'
+networks:
+  webwolflocal:
+services:
+  webgoat:
+    hostname: www.webgoat.local
+    image: webgoat/webgoat-8.0
+    environment:
+      - WEBGOAT_PORT=8080
+      - WEBGOAT_SSLENABLED=false
+      - WEBWOLF_HOST=webwolf
+      - WEBWOLF_PORT=9090
+      - TZ=Europe/Amsterdam
+    volumes:
+      - .:/home/webgoat/.webgoat
+    working_dir: /home/webgoat
+    command: --server.address=0.0.0.0
+    networks:
+      webwolflocal:
+        aliases:
+          - goat.webgoat.local
+  webwolf:
+    image: webgoat/webwolf
+    environment:
+      - WEBWOLF_HOST=webwolf
+      - WEBWOLF_PORT=9090
+      - TZ=Europe/Amsterdam
+    command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
+    networks:
+      webwolflocal:
+        aliases:
+          - wolf.webwolf.local
+    depends_on:
+            - webgoat
+  reverseproxy:
+    hostname: www.webwolf.local
+    image: webgoat/reverseproxy
+    networks:
+      webwolflocal:
+        aliases:
+          - www.webwolf.local
+    ports:
+      - 80:80

mvnw

@@ -114,7 +114,6 @@ if $mingw ; then
     M2_HOME="`(cd "$M2_HOME"; pwd)`"
   [ -n "$JAVA_HOME" ] &&
     JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
-  # TODO classpath?
 fi
 
 if [ -z "$JAVA_HOME" ]; then
@@ -212,7 +211,11 @@ else
     if [ "$MVNW_VERBOSE" = true ]; then
       echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
     fi
-    jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
+    if [ -n "$MVNW_REPOURL" ]; then
+      jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar"
+    else
+      jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar"
+    fi
     while IFS="=" read key value; do
       case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
       esac
@@ -221,22 +224,38 @@ else
       echo "Downloading from: $jarUrl"
     fi
     wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+    if $cygwin; then
+      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
+    fi
 
     if command -v wget > /dev/null; then
         if [ "$MVNW_VERBOSE" = true ]; then
           echo "Found wget ... using wget"
         fi
-        wget "$jarUrl" -O "$wrapperJarPath"
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            wget "$jarUrl" -O "$wrapperJarPath"
+        else
+            wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
+        fi
     elif command -v curl > /dev/null; then
         if [ "$MVNW_VERBOSE" = true ]; then
           echo "Found curl ... using curl"
         fi
-        curl -o "$wrapperJarPath" "$jarUrl"
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            curl -o "$wrapperJarPath" "$jarUrl" -f
+        else
+            curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
+        fi
+        
     else
         if [ "$MVNW_VERBOSE" = true ]; then
           echo "Falling back to using Java to download"
         fi
         javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        # For Cygwin, switch paths to Windows format before running javac
+        if $cygwin; then
+          javaClass=`cygpath --path --windows "$javaClass"`
+        fi
         if [ -e "$javaClass" ]; then
             if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                 if [ "$MVNW_VERBOSE" = true ]; then
@@ -277,6 +296,11 @@ if $cygwin; then
     MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
 fi
 
+# Provide a "standardized" way to retrieve the CLI args that will
+# work with both Windows and non-Windows executions.
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
+export MAVEN_CMD_LINE_ARGS
+
 WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
 
 exec "$JAVACMD" \

mvnw.cmd

@@ -37,7 +37,7 @@
 @echo off
 @REM set title of command window
 title %0
-@REM enable echoing my setting MAVEN_BATCH_ECHO to 'on'
+@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
 @if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
 
 @REM set %HOME% to equivalent of $HOME
@@ -120,23 +120,44 @@ SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
 set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
 set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
 
-set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.4.2/maven-wrapper-0.4.2.jar"
-FOR /F "tokens=1,2 delims==" %%A IN (%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties) DO (
-	IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B 
+set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar"
+
+FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
 )
 
 @REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
 @REM This allows using the maven wrapper in projects that prohibit checking in binary data.
 if exist %WRAPPER_JAR% (
-    echo Found %WRAPPER_JAR%
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Found %WRAPPER_JAR%
+    )
 ) else (
-    echo Couldn't find %WRAPPER_JAR%, downloading it ...
-	echo Downloading from: %DOWNLOAD_URL%
-    powershell -Command "(New-Object Net.WebClient).DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"
-    echo Finished downloading %WRAPPER_JAR%
+    if not "%MVNW_REPOURL%" == "" (
+        SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar"
+    )
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Couldn't find %WRAPPER_JAR%, downloading it ...
+        echo Downloading from: %DOWNLOAD_URL%
+    )
+
+    powershell -Command "&{"^
+		"$webclient = new-object System.Net.WebClient;"^
+		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+		"}"^
+		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
+		"}"
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Finished downloading %WRAPPER_JAR%
+    )
 )
 @REM End of extension
 
+@REM Provide a "standardized" way to retrieve the CLI args that will
+@REM work with both Windows and non-Windows executions.
+set MAVEN_CMD_LINE_ARGS=%*
+
 %MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
 if ERRORLEVEL 1 goto error
 goto end

pom.xml

@@ -6,7 +6,7 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.0.0.M23</version>
+    <version>8.2.0-SNAPSHOT</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@@ -15,13 +15,13 @@
 
     <organization>
         <name>OWASP</name>
-        <url>https://webgoat.github.io/</url>
+        <url>https://github.com/WebGoat/WebGoat/</url>
     </organization>
 
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.18.RELEASE</version>
+        <version>2.4.3</version>
     </parent>
 
     <licenses>
@@ -51,6 +51,11 @@
             <name>Jason White</name>
             <email>jason.white@owasp.org</email>
         </developer>
+        <developer>
+            <id>zubcevic</id>
+            <name>René Zubcevic</name>
+            <email>rene.zubcevic@owasp.org</email>
+        </developer>
         <developer>
             <id>jwayman</id>
             <name>Jeff Wayman</name>
@@ -110,53 +115,25 @@
         <!-- Use UTF-8 Encoding -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.target>11</maven.compiler.target>
 
         <!-- This build number will be ubdated by Travis-CI -->
         <build.number>build</build.number>
 
         <!-- Shared properties with plugins and version numbers across submodules-->
         <activation.version>1.1.1</activation.version>
-        <axis-ant.version>1.4</axis-ant.version>
-        <axis-jaxrpc.version>1.4</axis-jaxrpc.version>
-        <axis-saaj.version>1.4</axis-saaj.version>
-        <axis.version>1.4</axis.version>
-        <build-helper-maven-plugin.version>1.9.1</build-helper-maven-plugin.version>
-        <cobertura-maven-plugin.version>2.7</cobertura-maven-plugin.version>
         <commons-collections.version>3.2.1</commons-collections.version>
-        <commons-digester.version>2.1</commons-digester.version>
-        <commons-discovery.version>0.5</commons-discovery.version>
-        <commons-fileupload.version>1.3.1</commons-fileupload.version>
-        <commons-io.version>2.6</commons-io.version>
         <commons-lang3.version>3.4</commons-lang3.version>
-        <coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version>
-        <gatling.version>2.2.5</gatling.version>
-        <gatling-plugin.version>2.2.4</gatling-plugin.version>
-        <guava.version>18.0</guava.version>
-        <h2.version>1.4.190</h2.version>
-        <hsqldb.version>2.3.4</hsqldb.version>
-        <j2h.version>1.3.1</j2h.version>
-        <jackson-core.version>2.6.3</jackson-core.version>
-        <jackson-databind.version>2.6.3</jackson-databind.version>
-        <javaee-api.version>6.0</javaee-api.version>
-        <javax.transaction-api.version>1.3</javax.transaction-api.version>
-        <jcl-over-slf4j.version>1.7.12</jcl-over-slf4j.version>
-        <jtds.version>1.3.1</jtds.version>
-        <junit.version>4.12</junit.version>
+        <commons-io.version>2.6</commons-io.version>
+        <guava.version>30.1-jre</guava.version>
         <lombok.version>1.18.4</lombok.version>
-        <mail-api.version>1.5.4</mail-api.version>
         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
-        <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
-        <maven-jar-plugin.version>2.6</maven-jar-plugin.version>
-        <maven-javadoc-plugin.version>2.10.4</maven-javadoc-plugin.version>
-        <maven-release-plugin.version>2.5.2</maven-release-plugin.version>
-        <maven-source-plugin.version>3.0.1</maven-source-plugin.version>
-        <maven-surefire-plugin.version>2.22.0</maven-surefire-plugin.version>
-        <nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
-        <scala.version>2.11.7</scala.version>
-        <sauce_junit.version>2.1.20</sauce_junit.version>
-        <selenium-java.version>2.48.2</selenium-java.version>
-        <spring.security.version>3.2.4.RELEASE</spring.security.version>
+        <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
+        <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
+        <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
+        <maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
     </properties>
 
     <modules>
@@ -164,40 +141,19 @@
         <module>webgoat-lessons</module>
         <module>webgoat-server</module>
         <module>webwolf</module>
+        <module>webgoat-integration-tests</module>
+		<module>docker</module><!-- copy required jars in preparation of docker all-in-one build -->
     </modules>
 
-    <distributionManagement>
-        <snapshotRepository>
-            <id>ossrh</id>
-            <url>https://oss.sonatype.org/content/repositories/snapshots</url>
-        </snapshotRepository>
-        <repository>
-            <id>ossrh</id>
-            <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
-        </repository>
-    </distributionManagement>
-
-    <pluginRepositories>
-        <pluginRepository>
-            <id>apache.snapshots</id>
-            <url>http://repository.apache.org/snapshots/</url>
-            <!-- The releases element here is due to an issue in Maven 2.0 that will be
-                 fixed in future releases. This should be able to be disabled altogether. -->
-            <releases>
-                <updatePolicy>daily</updatePolicy>
-            </releases>
-            <snapshots>
-                <updatePolicy>daily</updatePolicy>
-            </snapshots>
-        </pluginRepository>
-    </pluginRepositories>
-
     <dependencies>
+	    <dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-validation</artifactId>
+		</dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
             <scope>provided</scope>
-            <version>${lombok.version}</version>
             <optional>true</optional>
         </dependency>
         <dependency>
@@ -208,16 +164,30 @@
         <dependency>
             <groupId>javax.xml.bind</groupId>
             <artifactId>jaxb-api</artifactId>
-            <version>2.3.0</version>
         </dependency>
     </dependencies>
 
     <build>
         <plugins>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>flatten-maven-plugin</artifactId>
+                <version>1.2.5</version>
+                <configuration>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>flatten</id>
+                        <phase>process-resources</phase>
+                        <goals>
+                            <goal>flatten</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>${maven-compiler-plugin.version}</version>
                 <configuration>
                     <source>11</source>
                     <target>11</target>
@@ -226,37 +196,96 @@
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-release-plugin</artifactId>
-                <version>${maven-release-plugin.version}</version>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>3.1.0</version>
                 <configuration>
-                    <autoVersionSubmodules>true</autoVersionSubmodules>
-                    <useReleaseProfile>false</useReleaseProfile>
-                    <releaseProfiles>release</releaseProfiles>
-                    <tagNameFormat>@{project.version}</tagNameFormat>
-                    <goals>deploy</goals>
+                    <encoding>UTF-8</encoding>
+                    <consoleOutput>true</consoleOutput>
+                    <failsOnError>true</failsOnError>
+                    <configLocation>config/checkstyle/checkstyle.xml</configLocation>
+                    <suppressionsLocation>config/checkstyle/suppressions.xml</suppressionsLocation>
+                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                 </configuration>
             </plugin>
             <plugin>
-                <groupId>org.eluder.coveralls</groupId>
-                <artifactId>coveralls-maven-plugin</artifactId>
-                <version>${coveralls-maven-plugin.version}</version>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-pmd-plugin</artifactId>
+                <version>3.14.0</version>
                 <configuration>
-                    <repoToken/>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>cobertura-maven-plugin</artifactId>
-                <version>${cobertura-maven-plugin.version}</version>
-                <configuration>
-                    <check/>
-                    <format>xml</format>
-                    <maxmem>256m</maxmem>
-                    <!-- aggregated reports for multi-module projects -->
-                    <aggregate>true</aggregate>
+                    <targetJdk>11</targetJdk>
+                    <failurePriority>1</failurePriority><!-- 5 means fail even on the lowest priority, 0 means never fail -->
+                    <rulesets>
+                        <!--suppress UnresolvedMavenProperty -->
+                        <ruleset>${maven.multiModuleProjectDirectory}/config/pmd/pmd-ruleset.xml</ruleset>
+                    </rulesets>
+                    <failOnViolation>true</failOnViolation>
+                    <printFailingErrors>true</printFailingErrors>
                 </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
             </plugin>
         </plugins>
     </build>
 
+    <profiles>
+        <profile>
+            <id>owasp</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.owasp</groupId>
+                        <artifactId>dependency-check-maven</artifactId>
+                        <version>5.3.2</version>
+                        <configuration>
+                            <failBuildOnCVSS>7</failBuildOnCVSS>
+                            <skipProvidedScope>true</skipProvidedScope>
+                            <skipRuntimeScope>true</skipRuntimeScope>
+                            <suppressionFiles>
+                                <!--suppress UnresolvedMavenProperty -->
+                                <suppressionFile>
+                                    ${maven.multiModuleProjectDirectory}/config/dependency-check/project-suppression.xml
+                                </suppressionFile>
+                            </suppressionFiles>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>check</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+
+    <repositories>
+        <repository>
+            <id>central</id>
+            <url>https://repo.maven.apache.org/maven2</url>
+            <snapshots>
+                <enabled>false</enabled>
+            </snapshots>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>central</id>
+            <url>https://repo.maven.apache.org/maven2</url>
+            <snapshots>
+                <enabled>false</enabled>
+            </snapshots>
+        </pluginRepository>
+    </pluginRepositories>
+
+
 </project>

scripts/deploy-webgoat.sh

@@ -1,36 +1,16 @@
 #!/usr/bin/env bash
 
 docker login -u $DOCKER_USER -p $DOCKER_PASS
-export REPO=webgoat/webgoat-8.0
 
-cd webgoat-server
+export REPO=webgoat/goatandwolf
+cd ..
+cd docker
 ls target/
 
 if [ ! -z "${TRAVIS_TAG}" ]; then
   # If we push a tag to master this will update the LATEST Docker image and tag with the version number
   docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
   docker push $REPO
-#elif [ ! -z "${TRAVIS_TAG}" ]; then
-#  # Creating a tag build we push it to Docker with that tag
-#  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
-#  docker push $REPO
-#elif [ "${BRANCH}" == "develop" ]; then
-#  docker build -f Dockerfile -t $REPO:snapshot .
-#  docker push $REPO
 else
   echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
 fi
-
-
-export REPO=webgoat/webwolf
-cd ..
-cd webwolf
-ls target/
-
-if [ ! -z "${TRAVIS_TAG}" ]; then
-  # If we push a tag to master this will update the LATEST Docker image and tag with the version number
-  docker build --build-arg webwolf_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
-  docker push $REPO
-else
-  echo "Skipping releasing to DockerHub because it is a build of branch ${BRANCH}"
-fi

webgoat-container/pom.xml

@@ -1,7 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <groupId>org.owasp.webgoat</groupId>
     <name>webgoat-container</name>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>webgoat-container</artifactId>
@@ -10,72 +9,25 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M23</version>
+        <version>8.2.0-SNAPSHOT</version>
     </parent>
 
-    <profiles>
-        <profile>
-            <id>performance</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>io.gatling</groupId>
-                        <artifactId>gatling-maven-plugin</artifactId>
-                        <version>${gatling-plugin.version}</version>
-                        <executions>
-                            <execution>
-                                <goals>
-                                    <goal>execute</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
-    </profiles>
-
     <build>
-        <resources>
-            <resource>
-                <directory>src/main/java</directory>
-            </resource>
-            <resource>
-                <directory>src/main/resources</directory>
-                <filtering>true</filtering>
-                <includes>
-                    <include>**/application.properties</include>
-                </includes>
-            </resource>
-            <resource>
-                <directory>src/main/resources</directory>
-            </resource>
-        </resources>
         <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-resources-plugin</artifactId>
-                <version>2.6</version>
-                <configuration>
-                    <delimiters>
-                        <delimiter>@</delimiter>
-                    </delimiters>
-                    <useDefaultDelimiters>false</useDefaultDelimiters>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>${maven-surefire-plugin.version}</version>
                 <configuration>
-                    <forkMode>never</forkMode>
+                    <forkCount>0</forkCount>
+                    <reuseForks>true</reuseForks>
+                    <argLine>
+                        --illegal-access=permit
+                    </argLine>
                 </configuration>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
-                <version>3.0.2</version>
                 <executions>
                     <execution>
                         <goals>
@@ -89,43 +41,50 @@
 
     <dependencies>
         <dependency>
-            <groupId>com.fasterxml.jackson.datatype</groupId>
-            <artifactId>jackson-datatype-jsr310</artifactId>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-undertow</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.springframework.boot</groupId>
+                    <artifactId>spring-boot-starter-tomcat</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>${activation.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.flywaydb</groupId>
+            <artifactId>flyway-core</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.asciidoctor</groupId>
             <artifactId>asciidoctorj</artifactId>
-            <version>1.5.4</version>
+            <version>1.5.8.1</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
+            <exclusions>
+                <exclusion>
+                    <artifactId>HikariCP</artifactId>
+                    <groupId>com.zaxxer</groupId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>${commons-lang3.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <version>${guava.version}</version>
-        </dependency>
-
-
-        <dependency>
-            <groupId>io.gatling.highcharts</groupId>
-            <artifactId>gatling-charts-highcharts</artifactId>
-            <version>${gatling.version}</version>
-            <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -137,31 +96,12 @@
         </dependency>
         <dependency>
             <groupId>org.thymeleaf.extras</groupId>
-            <artifactId>thymeleaf-extras-springsecurity4</artifactId>
-            <version>2.1.2.RELEASE</version>
-        </dependency>
-        <dependency>
-            <groupId>javax.activation</groupId>
-            <artifactId>activation</artifactId>
-            <version>${activation.version}</version>
+            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
         </dependency>
         <dependency>
             <groupId>org.hsqldb</groupId>
             <artifactId>hsqldb</artifactId>
-            <version>${hsqldb.version}</version>
         </dependency>
-        <dependency>
-            <groupId>javax.transaction</groupId>
-            <artifactId>javax.transaction-api</artifactId>
-            <version>${javax.transaction-api.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.scala-lang</groupId>
-            <artifactId>scala-compiler</artifactId>
-            <version>${scala.version}</version>
-            <scope>test</scope>
-        </dependency>
-
 
         <!-- ************* END spring MVC and related dependencies ************** -->
         <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->
@@ -173,13 +113,12 @@
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>
-            <version>4.1.3.RELEASE</version>
+            <!-- <version>4.1.3.RELEASE</version>-->
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>${junit.version}</version>
             <type>jar</type>
             <scope>test</scope>
         </dependency>

webgoat-container/src/main/java/org/owasp/webgoat/AjaxAuthenticationEntryPoint.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
@@ -49,7 +49,7 @@ public class AjaxAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoi
     }
 
     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
-        if(request.getHeader("x-requested-with") != null) {
+        if (request.getHeader("x-requested-with") != null) {
             response.sendError(401, authException.getMessage());
         } else {
             super.commence(request, response, authException);

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -4,7 +4,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -28,25 +28,27 @@
  * @version $Id: $Id
  * @since December 12, 2015
  */
+
 package org.owasp.webgoat;
 
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
 import lombok.extern.slf4j.Slf4j;
 import org.asciidoctor.Asciidoctor;
 import org.asciidoctor.extension.JavaExtensionRegistry;
-import org.owasp.webgoat.asciidoc.WebGoatVersionMacro;
-import org.owasp.webgoat.asciidoc.WebWolfMacro;
-import org.owasp.webgoat.asciidoc.WebWolfRootMacro;
+import org.owasp.webgoat.asciidoc.*;
 import org.owasp.webgoat.i18n.Language;
-import org.thymeleaf.TemplateProcessingParameters;
-import org.thymeleaf.resourceresolver.IResourceResolver;
-import org.thymeleaf.templateresolver.TemplateResolver;
+import org.thymeleaf.IEngineConfiguration;
+import org.thymeleaf.templateresolver.FileTemplateResolver;
+import org.thymeleaf.templateresource.ITemplateResource;
+import org.thymeleaf.templateresource.StringTemplateResource;
 
-import java.io.*;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.StringWriter;
+import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 
-import static org.apache.commons.lang3.CharEncoding.UTF_8;
 import static org.asciidoctor.Asciidoctor.Factory.create;
 
 /**
@@ -57,7 +59,7 @@ import static org.asciidoctor.Asciidoctor.Factory.create;
  * </code>
  */
 @Slf4j
-public class AsciiDoctorTemplateResolver extends TemplateResolver {
+public class AsciiDoctorTemplateResolver extends FileTemplateResolver {
 
     private static final Asciidoctor asciidoctor = create();
     private static final String PREFIX = "doc:";
@@ -65,72 +67,59 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
 
     public AsciiDoctorTemplateResolver(Language language) {
         this.language = language;
-
-        setResourceResolver(new AdocResourceResolver());
-        setResolvablePatterns(Sets.newHashSet(PREFIX + "*"));
+        setResolvablePatterns(Set.of(PREFIX + "*"));
     }
 
     @Override
-    protected String computeResourceName(TemplateProcessingParameters params) {
-        String templateName = params.getTemplateName();
-        return templateName.substring(PREFIX.length());
-    }
-
-    private class AdocResourceResolver implements IResourceResolver {
-
-        @Override
-        public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
-            try (InputStream is = readInputStreamOrFallbackToEnglish(resourceName, language)) {
-                if (is == null) {
-                    log.warn("Resource name: {} not found, did you add the adoc file?", resourceName);
-                    return new ByteArrayInputStream(new byte[0]);
-                } else {
-                    StringWriter writer = new StringWriter();
-                    JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
-                    extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
-                    extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
-                    extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
-
-                    asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
-                    return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));
-                }
-            } catch (IOException e) {
-                //no html yet
-                return new ByteArrayInputStream(new byte[0]);
-            }
-        }
-
-        /**
-         * The resource name is for example HttpBasics_content1.adoc. This is always located in the following directory:
-         * <code>plugin/HttpBasics/lessonPlans/en/HttpBasics_content1.adoc</code>
-         */
-        private String computeResourceName(String resourceName, String language) {
-            return String.format("lessonPlans/%s/%s", language, resourceName);
-        }
-
-        private InputStream readInputStreamOrFallbackToEnglish(String resourceName, Language language) {
-            InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName, language.getLocale().getLanguage()));
+    protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
+        var templateName = resourceName.substring(PREFIX.length());
+        try (InputStream is = readInputStreamOrFallbackToEnglish(templateName, language)) {
             if (is == null) {
-                is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName, "en"));
+                log.warn("Resource name: {} not found, did you add the adoc file?", templateName);
+                return new StringTemplateResource("");
+            } else {
+                JavaExtensionRegistry extensionRegistry = asciidoctor.javaExtensionRegistry();
+                extensionRegistry.inlineMacro("webWolfLink", WebWolfMacro.class);
+                extensionRegistry.inlineMacro("webWolfRootLink", WebWolfRootMacro.class);
+                extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
+                extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
+                extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
+
+                StringWriter writer = new StringWriter();
+                asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
+                return new StringTemplateResource(writer.getBuffer().toString());
             }
-            return is;
-        }
-
-        private Map<String, Object> createAttributes() {
-            Map<String, Object> attributes = Maps.newHashMap();
-            attributes.put("source-highlighter", "coderay");
-            attributes.put("backend", "xhtml");
-
-            Map<String, Object> options = Maps.newHashMap();
-            options.put("attributes", attributes);
-
-            return options;
-        }
-
-        @Override
-        public String getName() {
-            return "adocResourceResolver";
+        } catch (IOException e) {
+            //no html yet
+            return new StringTemplateResource("");
         }
     }
 
+    /**
+     * The resource name is for example HttpBasics_content1.adoc. This is always located in the following directory:
+     * <code>plugin/HttpBasics/lessonPlans/en/HttpBasics_content1.adoc</code>
+     */
+    private String computeResourceName(String resourceName, String language) {
+        return String.format("lessonPlans/%s/%s", language, resourceName);
+    }
+
+    private InputStream readInputStreamOrFallbackToEnglish(String resourceName, Language language) {
+        InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName, language.getLocale().getLanguage()));
+        if (is == null) {
+            is = Thread.currentThread().getContextClassLoader().getResourceAsStream(computeResourceName(resourceName, "en"));
+        }
+        return is;
+    }
+
+    private Map<String, Object> createAttributes() {
+        Map<String, Object> attributes = new HashMap<>();
+        attributes.put("source-highlighter", "coderay");
+        attributes.put("backend", "xhtml");
+        attributes.put("icons", org.asciidoctor.Attributes.FONT_ICONS);
+
+        Map<String, Object> options = new HashMap<>();
+        options.put("attributes", attributes);
+
+        return options;
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java

@@ -1,27 +0,0 @@
-package org.owasp.webgoat;
-
-import lombok.extern.slf4j.Slf4j;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.util.FileSystemUtils;
-
-import javax.annotation.PostConstruct;
-import java.io.File;
-
-/**
- * @author nbaars
- * @since 4/15/17.
- */
-@Slf4j
-@Configuration
-@ConditionalOnExpression("'${webgoat.clean}' == 'true'")
-public class CleanupLocalProgressFiles {
-
-    @Value("${webgoat.server.directory}")
-    private String webgoatHome;
-
-    @PostConstruct
-    public void clean() {
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/DatabaseInitialization.java

@@ -0,0 +1,50 @@
+package org.owasp.webgoat;
+
+import org.flywaydb.core.Flyway;
+import org.owasp.webgoat.service.RestartLessonService;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
+
+import javax.sql.DataSource;
+import java.util.Map;
+
+/**
+ * Define 2 Flyway instances, 1 for WebGoat itself which it uses for internal storage like users and 1 for lesson
+ * specific tables we use. This way we clean the data in the lesson database quite easily see {@link RestartLessonService#restartLesson()}
+ * for how we clean the lesson related tables.
+ */
+@Configuration
+public class DatabaseInitialization {
+
+    private final DataSource dataSource;
+    private String driverClassName;
+
+    public DatabaseInitialization(DataSource dataSource,
+                                  @Value("${spring.datasource.driver-class-name}") String driverClassName) {
+        this.dataSource = dataSource;
+        this.driverClassName = driverClassName;
+    }
+
+    @Bean(initMethod = "migrate")
+    public Flyway flyWayContainer() {
+        return Flyway
+                .configure()
+                .configuration(Map.of("driver", driverClassName))
+                .dataSource(dataSource)
+                .schemas("container")
+                .locations("db/container")
+                .load();
+    }
+
+    @Bean(initMethod = "migrate")
+    @DependsOn("flyWayContainer")
+    public Flyway flywayLessons() {
+        return Flyway
+                .configure()
+                .configuration(Map.of("driver", driverClassName))
+                .dataSource(dataSource)
+                .load();
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java

@@ -18,7 +18,7 @@ import javax.servlet.http.HttpServletResponse;
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software

webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java

@@ -1,48 +1,47 @@
 /**
- *************************************************************************************************
- *
- *
+ * ************************************************************************************************
+ * <p>
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  *
  * @author WebGoat
- * @since October 28, 2003
  * @version $Id: $Id
+ * @since October 28, 2003
  */
+
 package org.owasp.webgoat;
 
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-import com.google.common.io.ByteStreams;
-import lombok.SneakyThrows;
 import org.springframework.core.io.ResourceLoader;
-import org.thymeleaf.TemplateProcessingParameters;
-import org.thymeleaf.resourceresolver.IResourceResolver;
-import org.thymeleaf.templateresolver.TemplateResolver;
+import org.thymeleaf.IEngineConfiguration;
+import org.thymeleaf.templateresolver.FileTemplateResolver;
+import org.thymeleaf.templateresource.ITemplateResource;
+import org.thymeleaf.templateresource.StringTemplateResource;
 
-import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.InputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * Dynamically resolve a lesson. In the html file this can be invoked as:
@@ -53,42 +52,29 @@ import java.util.Map;
  *
  * Thymeleaf will invoke this resolver based on the prefix and this implementation will resolve the html in the plugins directory
  */
-public class LessonTemplateResolver extends TemplateResolver {
+public class LessonTemplateResolver extends FileTemplateResolver {
 
-    private final static String PREFIX = "lesson:";
-    private final File pluginTargetDirectory;
+    private static final String PREFIX = "lesson:";
     private ResourceLoader resourceLoader;
-    private Map<String, byte[]> resources = Maps.newHashMap();
+    private Map<String, byte[]> resources = new HashMap<>();
 
-    public LessonTemplateResolver(File pluginTargetDirectory, ResourceLoader resourceLoader) {
-        this.pluginTargetDirectory = pluginTargetDirectory;
+    public LessonTemplateResolver(ResourceLoader resourceLoader) {
         this.resourceLoader = resourceLoader;
-        setResourceResolver(new LessonResourceResolver());
-        setResolvablePatterns(Sets.newHashSet(PREFIX + "*"));
+        setResolvablePatterns(Set.of(PREFIX + "*"));
     }
 
     @Override
-    protected String computeResourceName(TemplateProcessingParameters params) {
-        String templateName = params.getTemplateName();
-        return templateName.substring(PREFIX.length());
-    }
-
-    private class LessonResourceResolver implements IResourceResolver {
-
-        @Override
-        @SneakyThrows
-        public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
-            byte[] resource = resources.get(resourceName);
-            if (resource == null) {
-                resource = ByteStreams.toByteArray(resourceLoader.getResource("classpath:/html/" + resourceName + ".html").getInputStream());
-                resources.put(resourceName, resource);
+    protected ITemplateResource computeTemplateResource(IEngineConfiguration configuration, String ownerTemplate, String template, String resourceName, String characterEncoding, Map<String, Object> templateResolutionAttributes) {
+        var templateName = resourceName.substring(PREFIX.length());;
+        byte[] resource = resources.get(templateName);
+        if (resource == null) {
+            try {
+                resource = resourceLoader.getResource("classpath:/html/" + templateName + ".html").getInputStream().readAllBytes();
+            } catch (IOException e) {
+                e.printStackTrace();
             }
-            return new ByteArrayInputStream(resource);
-        }
-
-        @Override
-        public String getName() {
-            return "lessonResourceResolver";
+            resources.put(resourceName, resource);
         }
+        return new StringTemplateResource(new String(resource, StandardCharsets.UTF_8));
     }
-}
+}

webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -28,41 +28,40 @@
  * @version $Id: $Id
  * @since October 28, 2003
  */
+
 package org.owasp.webgoat;
 
-import com.google.common.collect.Sets;
 import org.owasp.webgoat.i18n.Language;
 import org.owasp.webgoat.i18n.Messages;
 import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.LabelDebugger;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.web.servlet.LocaleResolver;
+import org.springframework.web.servlet.ViewResolver;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.i18n.SessionLocaleResolver;
-import org.thymeleaf.extras.springsecurity4.dialect.SpringSecurityDialect;
-import org.thymeleaf.spring4.SpringTemplateEngine;
-import org.thymeleaf.spring4.templateresolver.SpringResourceTemplateResolver;
-import org.thymeleaf.templateresolver.TemplateResolver;
+import org.thymeleaf.TemplateEngine;
+import org.thymeleaf.extras.springsecurity5.dialect.SpringSecurityDialect;
+import org.thymeleaf.spring5.SpringTemplateEngine;
+import org.thymeleaf.spring5.templateresolver.SpringResourceTemplateResolver;
+import org.thymeleaf.spring5.view.ThymeleafViewResolver;
+import org.thymeleaf.templatemode.TemplateMode;
+import org.thymeleaf.templateresolver.ITemplateResolver;
 
-import java.io.File;
+import java.util.Set;
 
 /**
  * Configuration for Spring MVC
  */
 @Configuration
-public class MvcConfiguration extends WebMvcConfigurerAdapter {
-
-    @Autowired
-    @Qualifier("pluginTargetDirectory")
-    private File pluginTargetDirectory;
+public class MvcConfiguration implements WebMvcConfigurer {
+	
+	private static final String UTF8 = "UTF-8";
 
     @Override
     public void addViewControllers(ViewControllerRegistry registry) {
@@ -73,23 +72,33 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         //registry.addViewController("/list_users").setViewName("list_users");
     }
 
+    @Bean
+    public ViewResolver viewResolver(SpringTemplateEngine thymeleafTemplateEngine) {
+        ThymeleafViewResolver resolver = new ThymeleafViewResolver();
+        resolver.setTemplateEngine(thymeleafTemplateEngine);
+        resolver.setCharacterEncoding("UTF-8");
+        return resolver;
+    }
 
     @Bean
-    public TemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) {
+    public ITemplateResolver springThymeleafTemplateResolver(ApplicationContext applicationContext) {
         SpringResourceTemplateResolver resolver = new SpringResourceTemplateResolver();
         resolver.setPrefix("classpath:/templates/");
         resolver.setSuffix(".html");
-        resolver.setOrder(1);
+        resolver.setTemplateMode(TemplateMode.HTML);
+        resolver.setOrder(2);
         resolver.setCacheable(false);
+        resolver.setCharacterEncoding(UTF8);
         resolver.setApplicationContext(applicationContext);
         return resolver;
     }
 
     @Bean
     public LessonTemplateResolver lessonTemplateResolver(ResourceLoader resourceLoader) {
-        LessonTemplateResolver resolver = new LessonTemplateResolver(pluginTargetDirectory, resourceLoader);
-        resolver.setOrder(2);
+        LessonTemplateResolver resolver = new LessonTemplateResolver(resourceLoader);
+        resolver.setOrder(0);
         resolver.setCacheable(false);
+        resolver.setCharacterEncoding(UTF8);
         return resolver;
     }
 
@@ -97,34 +106,29 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
     public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver(Language language) {
         AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(language);
         resolver.setCacheable(false);
-        resolver.setOrder(3);
+        resolver.setOrder(1);
+        resolver.setCharacterEncoding(UTF8);
         return resolver;
     }
 
     @Bean
-    public SpringTemplateEngine thymeleafTemplateEngine(TemplateResolver springThymeleafTemplateResolver,
+    public SpringTemplateEngine thymeleafTemplateEngine(ITemplateResolver springThymeleafTemplateResolver,
                                                         LessonTemplateResolver lessonTemplateResolver,
                                                         AsciiDoctorTemplateResolver asciiDoctorTemplateResolver) {
         SpringTemplateEngine engine = new SpringTemplateEngine();
+        engine.setEnableSpringELCompiler(true);
         engine.addDialect(new SpringSecurityDialect());
         engine.setTemplateResolvers(
-                Sets.newHashSet(springThymeleafTemplateResolver, lessonTemplateResolver, asciiDoctorTemplateResolver));
+                Set.of(lessonTemplateResolver, asciiDoctorTemplateResolver, springThymeleafTemplateResolver));
         return engine;
     }
 
-    /**
-     * This way we expose the plugins target directory as a resource within the web application.
-     *
-     * @param registry
-     */
     @Override
     public void addResourceHandlers(ResourceHandlerRegistry registry) {
-        registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginTargetDirectory.toString() + "/");
         registry.addResourceHandler("/images/**").addResourceLocations("classpath:/images/");
         registry.addResourceHandler("/lesson_js/**").addResourceLocations("classpath:/js/");
         registry.addResourceHandler("/lesson_css/**").addResourceLocations("classpath:/css/");
         registry.addResourceHandler("/video/**").addResourceLocations("classpath:/video/");
-        super.addResourceHandlers(registry);
     }
 
     @Bean
@@ -132,6 +136,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         PluginMessages pluginMessages = new PluginMessages(messages, language);
         pluginMessages.setDefaultEncoding("UTF-8");
         pluginMessages.setBasenames("i18n/WebGoatLabels");
+        pluginMessages.setFallbackToSystemLocale(false);
         return pluginMessages;
     }
 
@@ -145,6 +150,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         Messages messages = new Messages(language);
         messages.setDefaultEncoding("UTF-8");
         messages.setBasename("classpath:i18n/messages");
+        messages.setFallbackToSystemLocale(false);
         return messages;
     }
 
@@ -153,7 +159,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
         SessionLocaleResolver slr = new SessionLocaleResolver();
         return slr;
     }
-
+    
     @Bean
     public LabelDebugger labelDebugger() {
         return new LabelDebugger();

webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -28,45 +28,22 @@
  * @version $Id: $Id
  * @since October 28, 2003
  */
+
 package org.owasp.webgoat;
 
-import lombok.extern.slf4j.Slf4j;
-import org.apache.catalina.Context;
-import org.owasp.webgoat.plugins.PluginEndpointPublisher;
-import org.owasp.webgoat.plugins.PluginsLoader;
-import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.UserSessionData;
 import org.owasp.webgoat.session.WebSession;
-import org.owasp.webgoat.session.WebgoatContext;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
-import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
-import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
-import org.springframework.boot.web.support.SpringBootServletInitializer;
-import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
 import org.springframework.web.client.RestTemplate;
 
 import java.io.File;
-import java.util.Arrays;
 
-@SpringBootApplication
-@Slf4j
-public class WebGoat extends SpringBootServletInitializer {
-
-    @Override
-    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
-        return application.sources(WebGoat.class);
-    }
-
-    public static void main(String[] args) throws Exception {
-        SpringApplication.run(WebGoat.class, args);
-    }
+@Configuration
+public class WebGoat {
 
     @Bean(name = "pluginTargetDirectory")
     public File pluginTargetDirectory(@Value("${webgoat.user.directory}") final String webgoatHome) {
@@ -75,8 +52,8 @@ public class WebGoat extends SpringBootServletInitializer {
 
     @Bean
     @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
-    public WebSession webSession(WebgoatContext webgoatContext) {
-        return new WebSession(webgoatContext);
+    public WebSession webSession() {
+        return new WebSession();
     }
 
     @Bean
@@ -85,34 +62,8 @@ public class WebGoat extends SpringBootServletInitializer {
         return new UserSessionData("test", "data");
     }
 
-    @Bean
-    public PluginEndpointPublisher pluginEndpointPublisher(ApplicationContext applicationContext) {
-        return new PluginEndpointPublisher(applicationContext);
-    }
-
-    @Bean
-    public Course course(PluginEndpointPublisher pluginEndpointPublisher) {
-        return new PluginsLoader(pluginEndpointPublisher).loadPlugins();
-    }
-
     @Bean
     public RestTemplate restTemplate() {
         return new RestTemplate();
     }
-
-    @Bean
-    public EmbeddedServletContainerFactory servletContainer() {
-        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
-        factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
-        return factory;
-    }
-
-    static class CustomCustomizer implements TomcatContextCustomizer {
-        @Override
-        public void customize(Context context) {
-            context.setUseHttpOnly(false);
-        }
-    }
-
-
 }

webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java

@@ -1,10 +1,9 @@
-
 /**
  * ************************************************************************************************
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -28,6 +27,7 @@
  * @version $Id: $Id
  * @since December 12, 2015
  */
+
 package org.owasp.webgoat;
 
 import lombok.AllArgsConstructor;
@@ -35,13 +35,14 @@ import org.owasp.webgoat.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 
 /**
  * Security configuration for WebGoat.
@@ -58,8 +59,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
                 .authorizeRequests()
                 .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll()
-                .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
-                .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
                 .anyRequest().authenticated();
         security.and()
                 .formLogin()
@@ -76,12 +75,6 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login"));
     }
 
-    //// TODO: 11/18/2016 make this a little bit more configurabe last part at least
-    @Override
-    public void configure(WebSecurity web) throws Exception {
-        web.ignoring().antMatchers("/plugin_lessons/**", "/XXE/**");
-    }
-
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
         auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder());
@@ -92,4 +85,16 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     public UserDetailsService userDetailsServiceBean() throws Exception {
         return userDetailsService;
     }
+
+    @Override
+    @Bean
+    protected AuthenticationManager authenticationManager() throws Exception {
+        return super.authenticationManager();
+    }
+
+    @SuppressWarnings("deprecation")
+    @Bean
+    public NoOpPasswordEncoder passwordEncoder() {
+        return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/OperatingSystemMacro.java

@@ -0,0 +1,18 @@
+package org.owasp.webgoat.asciidoc;
+
+import java.util.Map;
+
+import org.asciidoctor.ast.AbstractBlock;
+import org.asciidoctor.extension.InlineMacroProcessor;
+
+public class OperatingSystemMacro extends InlineMacroProcessor {
+
+    public OperatingSystemMacro(String macroName, Map<String, Object> config) {
+        super(macroName, config);
+    }
+
+    @Override
+	public String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
+        return System.getProperty("os.name");
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatTmpDirMacro.java

@@ -0,0 +1,17 @@
+package org.owasp.webgoat.asciidoc;
+
+import org.asciidoctor.ast.AbstractBlock;
+import org.asciidoctor.extension.InlineMacroProcessor;
+import java.util.Map;
+
+public class WebGoatTmpDirMacro extends InlineMacroProcessor {
+
+    public WebGoatTmpDirMacro(String macroName, Map<String, Object> config) {
+        super(macroName, config);
+    }
+
+    @Override
+	public String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
+        return EnvironmentExposure.getEnv().getProperty("webgoat.server.directory");
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java

@@ -2,12 +2,6 @@ package org.owasp.webgoat.asciidoc;
 
 import org.asciidoctor.ast.AbstractBlock;
 import org.asciidoctor.extension.InlineMacroProcessor;
-import org.springframework.core.env.Environment;
-import org.springframework.util.StringUtils;
-import org.springframework.web.context.request.RequestContextHolder;
-import org.springframework.web.context.request.ServletRequestAttributes;
-
-import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 
 public class WebGoatVersionMacro extends InlineMacroProcessor {
@@ -17,7 +11,7 @@ public class WebGoatVersionMacro extends InlineMacroProcessor {
     }
 
     @Override
-    protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
+	public String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
         return EnvironmentExposure.getEnv().getProperty("webgoat.build.version");
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java

@@ -3,7 +3,6 @@ package org.owasp.webgoat.asciidoc;
 import org.asciidoctor.ast.AbstractBlock;
 import org.asciidoctor.extension.InlineMacroProcessor;
 import org.springframework.core.env.Environment;
-import org.springframework.util.StringUtils;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
@@ -23,7 +22,7 @@ public class WebWolfMacro extends InlineMacroProcessor {
     }
 
     @Override
-    protected String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
+	public String process(AbstractBlock parent, String target, Map<String, Object> attributes) {
         Environment env = EnvironmentExposure.getEnv();
         String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port"));
 
@@ -38,14 +37,23 @@ public class WebWolfMacro extends InlineMacroProcessor {
     }
 
     /**
-     * Look at the remote address from received from the browser first. This way it will also work if you run
-     * the browser in a Docker container and WebGoat on your local machine.
+     * Determine the host from the hostname and ports that were used. 
+     * The purpose is to make it possible to use the application behind a reverse proxy. For instance in the docker
+     * compose/stack version with webgoat webwolf and nginx proxy. 
+     * You do not have to use the indicated hostname, but if you do, you should define two hosts aliases
+     * 127.0.0.1 www.webgoat.local www.webwolf.local
      */
     private String determineHost(String host, String port) {
         HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
-        String ip = request.getRemoteAddr();
-        String hostname = StringUtils.hasText(ip) ? ip : host;
-        return "http://" + hostname + ":" + port + (includeWebWolfContext() ? "/WebWolf" : "");
+        host = request.getHeader("Host");
+        int semicolonIndex = host.indexOf(":");
+        if (semicolonIndex==-1 || host.endsWith(":80")) {
+        	host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
+        } else {
+        	host = host.substring(0, semicolonIndex);
+        	host = host.concat(":").concat(port);
+        }
+        return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : "");
     }
 
     protected boolean includeWebWolfContext() {

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java

@@ -22,94 +22,65 @@
  * projects.
  * <p>
  */
+
 package org.owasp.webgoat.assignments;
 
 import lombok.Getter;
 import org.owasp.webgoat.i18n.PluginMessages;
 import org.owasp.webgoat.session.UserSessionData;
-import org.owasp.webgoat.users.UserTracker;
-import org.owasp.webgoat.users.UserTrackerRepository;
 import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.users.UserTrackerRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 
-/**
- * Each lesson can define an endpoint which can support the lesson. So for example if you create a lesson which uses JavaScript and
- * needs to call out to the server to fetch data you can define an endpoint in that lesson. WebGoat will pick up this endpoint and
- * Spring will publish it.
- * </p>
- * Extend this class and implement the met
- * </p>
- * Note: each subclass should declare this annotation otherwise the WebGoat framework cannot find your endpoint.
- */
-public abstract class AssignmentEndpoint extends Endpoint {
+public abstract class AssignmentEndpoint {
 
     @Autowired
-    private UserTrackerRepository userTrackerRepository;
-    @Autowired
-	private WebSession webSession;
+    private WebSession webSession;
     @Autowired
     private UserSessionData userSessionData;
     @Getter
     @Autowired
     private PluginMessages messages;
 
-	//// TODO: 11/13/2016 events better fit?
-    protected AttackResult trackProgress(AttackResult attackResult) {
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        if (userTracker == null) {
-            userTracker = new UserTracker(webSession.getUserName());
-        }
-        if (attackResult.assignmentSolved()) {
-            userTracker.assignmentSolved(webSession.getCurrentLesson(), this.getClass().getSimpleName());
-        } else {
-            userTracker.assignmentFailed(webSession.getCurrentLesson());
-        }
-        userTrackerRepository.save(userTracker);
-        return attackResult;
-    }
-    
     protected WebSession getWebSession() {
-  		return webSession;
-  	}
-
-  	protected UserSessionData getUserSessionData() {
-        return userSessionData;
+        return webSession;
     }
 
-    @Override
-    public final String getPath() {
-        return this.getClass().getAnnotationsByType(AssignmentPath.class)[0].value();
+    protected UserSessionData getUserSessionData() {
+        return userSessionData;
     }
 
     /**
      * Convenience method for create a successful result:
-     *
+     * <p>
      * - Assignment is set to solved
      * - Feedback message is set to 'assignment.solved'
-     *
+     * <p>
      * Of course you can overwrite these values in a specific lesson
      *
      * @return a builder for creating a result from a lesson
+     * @param assignment
      */
-    protected AttackResult.AttackResultBuilder success() {
-        return AttackResult.builder(messages).lessonCompleted(true).feedback("assignment.solved");
+    protected AttackResult.AttackResultBuilder success(AssignmentEndpoint assignment) {
+        return AttackResult.builder(messages).lessonCompleted(true).attemptWasMade().feedback("assignment.solved").assignment(assignment);
     }
 
     /**
      * Convenience method for create a failed result:
-     *
+     * <p>
      * - Assignment is set to not solved
      * - Feedback message is set to 'assignment.not.solved'
-     *
+     * <p>
      * Of course you can overwrite these values in a specific lesson
      *
      * @return a builder for creating a result from a lesson
+     * @param assignment
      */
-    protected AttackResult.AttackResultBuilder failed() {
-        return AttackResult.builder(messages).lessonCompleted(false).feedback("assignment.not.solved");
+    protected AttackResult.AttackResultBuilder failed(AssignmentEndpoint assignment) {
+        return AttackResult.builder(messages).lessonCompleted(false).attemptWasMade().feedback("assignment.not.solved").assignment(assignment);
     }
 
-    protected AttackResult.AttackResultBuilder informationMessage() {
-        return AttackResult.builder(messages).lessonCompleted(false);
+    protected AttackResult.AttackResultBuilder informationMessage(AssignmentEndpoint assignment) {
+        return AttackResult.builder(messages).lessonCompleted(false).assignment(assignment);
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentPath.java

@@ -1,5 +1,7 @@
 package org.owasp.webgoat.assignments;
 
+import org.springframework.web.bind.annotation.RequestMethod;
+
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@@ -12,5 +14,9 @@ import java.lang.annotation.Target;
 @Retention(RetentionPolicy.RUNTIME)
 public @interface AssignmentPath {
 
-    String value();
+    String[] path() default {};
+
+    RequestMethod[] method() default {};
+
+    String value() default "";
 }

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java

@@ -31,6 +31,7 @@ import org.owasp.webgoat.i18n.PluginMessages;
 
 public class AttackResult {
 
+
     public static class AttackResultBuilder {
 
         private boolean lessonCompleted;
@@ -39,6 +40,8 @@ public class AttackResult {
         private String feedbackResourceBundleKey;
         private String output;
         private Object[] outputArgs;
+        private AssignmentEndpoint assignment;
+        private boolean attemptWasMade = false;
 
         public AttackResultBuilder(PluginMessages messages) {
             this.messages = messages;
@@ -76,8 +79,18 @@ public class AttackResult {
             return this;
         }
 
+        public AttackResultBuilder attemptWasMade() {
+            this.attemptWasMade = true;
+            return this;
+        }
+
         public AttackResult build() {
-            return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs));
+            return new AttackResult(lessonCompleted, messages.getMessage(feedbackResourceBundleKey, feedbackArgs), messages.getMessage(output, output, outputArgs), assignment.getClass().getSimpleName(), attemptWasMade);
+        }
+
+        public AttackResultBuilder assignment(AssignmentEndpoint assignment) {
+            this.assignment = assignment;
+            return this;
         }
     }
 
@@ -87,11 +100,17 @@ public class AttackResult {
     private String feedback;
     @Getter
     private String output;
+    @Getter
+    private final String assignment;
+    @Getter
+    private boolean attemptWasMade;
 
-    public AttackResult(boolean lessonCompleted, String feedback, String output) {
+    public AttackResult(boolean lessonCompleted, String feedback, String output, String assignment, boolean attemptWasMade) {
         this.lessonCompleted = lessonCompleted;
         this.feedback = StringEscapeUtils.escapeJson(feedback);
         this.output = StringEscapeUtils.escapeJson(output);
+        this.assignment = assignment;
+        this.attemptWasMade = attemptWasMade;
     }
 
     public static AttackResultBuilder builder(PluginMessages messages) {

webgoat-container/src/main/java/org/owasp/webgoat/assignments/LessonTrackerInterceptor.java

@@ -0,0 +1,74 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.assignments;
+
+import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.users.UserTracker;
+import org.owasp.webgoat.users.UserTrackerRepository;
+import org.springframework.core.MethodParameter;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.server.ServerHttpRequest;
+import org.springframework.http.server.ServerHttpResponse;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseBodyAdvice;
+
+@RestControllerAdvice
+public class LessonTrackerInterceptor implements ResponseBodyAdvice<Object> {
+
+    private UserTrackerRepository userTrackerRepository;
+    private WebSession webSession;
+
+    public LessonTrackerInterceptor(UserTrackerRepository userTrackerRepository, WebSession webSession) {
+        this.userTrackerRepository = userTrackerRepository;
+        this.webSession = webSession;
+    }
+
+    @Override
+    public boolean supports(MethodParameter methodParameter, Class<? extends HttpMessageConverter<?>> clazz) {
+        return true;
+    }
+
+    @Override
+    public Object beforeBodyWrite(Object o, MethodParameter methodParameter, MediaType mediaType, Class<? extends HttpMessageConverter<?>> aClass, ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse) {
+        if (o != null && o instanceof AttackResult) {
+            trackProgress((AttackResult) o);
+        }
+        return o;
+    }
+
+
+    protected AttackResult trackProgress(AttackResult attackResult) {
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
+        if (userTracker == null) {
+            userTracker = new UserTracker(webSession.getUserName());
+        }
+        if (attackResult.assignmentSolved()) {
+            userTracker.assignmentSolved(webSession.getCurrentLesson(), attackResult.getAssignment());
+        } else {
+            userTracker.assignmentFailed(webSession.getCurrentLesson());
+        }
+        userTrackerRepository.saveAndFlush(userTracker);
+        return attackResult;
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -28,9 +28,10 @@
  * @version $Id: $Id
  * @since October 28, 2003
  */
+
 package org.owasp.webgoat.controller;
 
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.security.core.context.SecurityContext;
@@ -79,8 +80,8 @@ public class StartLesson {
         //GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
         String path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
         String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
-        List<AbstractLesson> lessons = course.getLessons();
-        Optional<AbstractLesson> lesson = lessons.stream()
+        List<? extends Lesson> lessons = course.getLessons();
+        Optional<? extends Lesson> lesson = lessons.stream()
                 .filter(l -> l.getId().equals(lessonName))
                 .findFirst();
         ws.setCurrentLesson(lesson.get());

webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  *
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -28,6 +28,7 @@
  * @since October 28, 2003
  * @version $Id: $Id
  */
+
 package org.owasp.webgoat.controller;
 
 import org.springframework.stereotype.Controller;

webgoat-container/src/main/java/org/owasp/webgoat/i18n/Messages.java

@@ -22,6 +22,7 @@
  * projects.
  * <p>
  */
+
 package org.owasp.webgoat.i18n;
 
 import lombok.AllArgsConstructor;

webgoat-container/src/main/java/org/owasp/webgoat/i18n/PluginMessages.java

@@ -25,9 +25,10 @@
 
 package org.owasp.webgoat.i18n;
 
-import lombok.SneakyThrows;
 import org.springframework.context.support.ReloadableResourceBundleMessageSource;
 
+import java.io.IOException;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.Enumeration;
 import java.util.Properties;
@@ -50,18 +51,23 @@ public class PluginMessages extends ReloadableResourceBundleMessageSource {
     }
 
     @Override
-    @SneakyThrows
     protected PropertiesHolder refreshProperties(String filename, PropertiesHolder propHolder) {
         Properties properties = new Properties();
         long lastModified = System.currentTimeMillis();
 
-        Enumeration<URL> resources = Thread.currentThread().getContextClassLoader().getResources(filename + PROPERTIES_SUFFIX);
-        while (resources.hasMoreElements()) {
-            URL resource = resources.nextElement();
-            String sourcePath = resource.toURI().toString().replace(PROPERTIES_SUFFIX, "");
-            PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
-            properties.putAll(holder.getProperties());
+        Enumeration<URL> resources = null;
+        try {
+            resources = Thread.currentThread().getContextClassLoader().getResources(filename + PROPERTIES_SUFFIX);
+            while (resources.hasMoreElements()) {
+                URL resource = resources.nextElement();
+                String sourcePath = resource.toURI().toString().replace(PROPERTIES_SUFFIX, "");
+                PropertiesHolder holder = super.refreshProperties(sourcePath, propHolder);
+                properties.putAll(holder.getProperties());
+            }
+        } catch (IOException | URISyntaxException e) {
+            logger.error("Unable to read plugin message", e);
         }
+
         return new PropertiesHolder(properties, lastModified);
     }
 

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java

@@ -1,9 +1,9 @@
 package org.owasp.webgoat.lessons;
 
-import com.google.common.collect.Lists;
 import lombok.*;
 
 import javax.persistence.*;
+import java.util.ArrayList;
 import java.util.List;
 
 /**
@@ -11,7 +11,7 @@ import java.util.List;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -45,6 +45,7 @@ public class Assignment {
     private Long id;
     private String name;
     private String path;
+
     @Transient
     private List<String> hints;
 
@@ -52,13 +53,27 @@ public class Assignment {
         //Hibernate
     }
 
-    public Assignment(String name, String path) {
-        this(name, path, Lists.newArrayList());
+    public Assignment(String name) {
+        this(name, name, new ArrayList<>());
     }
 
     public Assignment(String name, String path, List<String> hints) {
+        if (path.equals("") || path.equals("/") || path.equals("/WebGoat/")) {
+            throw new IllegalStateException("The path of assignment '" + name + "' overrides WebGoat endpoints, please choose a path within the scope of the lesson");
+        }
         this.name = name;
         this.path = path;
         this.hints = hints;
     }
+
+    /**
+     * Set path is here to overwrite stored paths.
+     * Since a stored path can no longer be used in a lesson while
+     * the lesson (name) itself is still part of the lesson.
+     *
+     * @param pathName the path
+     */
+    public void setPath(String pathName) {
+        this.path = pathName;
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Category.java

@@ -9,7 +9,7 @@ import lombok.Getter;
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
@@ -36,31 +36,40 @@ import lombok.Getter;
  */
 public enum Category {
 
-    INTRODUCTION("Introduction", new Integer(5)),
-    GENERAL("General", new Integer(100)),
-    INJECTION("Injection Flaws", new Integer(200)),
-    AUTHENTICATION("Authentication Flaws", new Integer(300)),
-    XSS("Cross-Site Scripting (XSS)", new Integer(400)),
-    REQ_FORGERIES("Request Forgeries", new Integer(450)),
-    ACCESS_CONTROL("Access Control Flaws", new Integer(500)),
-    INSECURE_CONFIGURATION("Insecure Configuration", new Integer(600)),
-    INSECURE_COMMUNICATION("Insecure Communication", new Integer(700)),
-    INSECURE_STORAGE("Insecure Storage", new Integer(800)),
-    INSECURE_DESERIALIZATION("Insecure Deserialization", new Integer(850)),
-    REQUEST_FORGERIES("Request Forgeries", new Integer(900)),
-    VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(950)),
-    AJAX_SECURITY("AJAX Security", new Integer(1000)),
-    BUFFER_OVERFLOW("Buffer Overflows", new Integer(1100)),
-    CODE_QUALITY("Code Quality", new Integer(1200)),
-    CONCURRENCY("Concurrency", new Integer(1300)),
-    ERROR_HANDLING("Improper Error Handling", new Integer(1400)),
-    DOS("Denial of Service", new Integer(1500)),
-    MALICIOUS_EXECUTION("Malicious Execution", new Integer(1600)),
-    CLIENT_SIDE("Client side", new Integer(1700)),
-    SESSION_MANAGEMENT("Session Management Flaws", new Integer(1800)),
-    WEB_SERVICES("Web Services", new Integer(1900)),
-    ADMIN_FUNCTIONS("Admin Functions", new Integer(2000)),
-    CHALLENGE("Challenges", new Integer(3000));
+    INTRODUCTION("Introduction", 5),
+    GENERAL("General", 100),
+    
+    INJECTION("(A1) Injection", 300),
+    AUTHENTICATION("(A2) Broken Authentication", 302),
+    INSECURE_COMMUNICATION("(A3) Sensitive Data Exposure", 303),
+    XXE("(A4) XML External Entities (XXE)", 304),
+    ACCESS_CONTROL("(A5) Broken Access Control", 305),
+    
+    XSS("(A7) Cross-Site Scripting (XSS)", 307),
+    INSECURE_DESERIALIZATION("(A8) Insecure Deserialization", 308),
+    VULNERABLE_COMPONENTS("(A9) Vulnerable Components", 309),
+    
+    REQUEST_FORGERIES("(A8:2013) Request Forgeries", 318),
+
+    
+    REQ_FORGERIES("Request Forgeries", 450),
+    
+    INSECURE_CONFIGURATION("Insecure Configuration", 600),
+    INSECURE_STORAGE("Insecure Storage", 800),
+    
+    
+    AJAX_SECURITY("AJAX Security", 1000),
+    BUFFER_OVERFLOW("Buffer Overflows", 1100),
+    CODE_QUALITY("Code Quality", 1200),
+    CONCURRENCY("Concurrency", 1300),
+    ERROR_HANDLING("Improper Error Handling", 1400),
+    DOS("Denial of Service", 1500),
+    MALICIOUS_EXECUTION("Malicious Execution", 1600),
+    CLIENT_SIDE("Client side", 1700),
+    SESSION_MANAGEMENT("Session Management Flaws", 1800),
+    WEB_SERVICES("Web Services", 1900),
+    ADMIN_FUNCTIONS("Admin Functions", 2000),
+    CHALLENGE("Challenges", 3000);
 
     @Getter
     private String name;

webgoat-container/src/main/java/org/owasp/webgoat/lessons/CourseConfiguration.java

@@ -0,0 +1,124 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons;
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.ArrayUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.Course;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.util.CollectionUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import java.lang.reflect.Method;
+import java.lang.reflect.ParameterizedType;
+import java.util.*;
+
+import static java.util.stream.Collectors.groupingBy;
+import static java.util.stream.Collectors.toList;
+
+@Slf4j
+@Configuration
+public class CourseConfiguration {
+
+    private final List<Lesson> lessons;
+    private final List<AssignmentEndpoint> assignments;
+    private final Map<String, List<AssignmentEndpoint>> assignmentsByPackage;
+
+    public CourseConfiguration(List<Lesson> lessons, List<AssignmentEndpoint> assignments) {
+        this.lessons = lessons;
+        this.assignments = assignments;
+        assignmentsByPackage = this.assignments.stream().collect(groupingBy(a -> a.getClass().getPackageName()));
+    }
+
+    @Bean
+    public Course course() {
+        lessons.stream().forEach(l -> l.setAssignments(createAssignment(l)));
+        return new Course(lessons);
+    }
+
+    private List<Assignment> createAssignment(Lesson lesson) {
+        var endpoints = assignmentsByPackage.get(lesson.getClass().getPackageName());
+        if (CollectionUtils.isEmpty(endpoints)) {
+            log.warn("Lesson: {} has no endpoints, is this intentionally?", lesson.getTitle());
+            return new ArrayList();
+        }
+        return endpoints.stream().map(e -> new Assignment(e.getClass().getSimpleName(), getPath(e.getClass()), getHints(e.getClass()))).collect(toList());
+    }
+
+    private String getPath(Class<? extends AssignmentEndpoint> e) {
+        for (Method m : e.getMethods()) {
+            if (methodReturnTypeIsOfTypeAttackResult(m)) {
+                var mapping = getMapping(m);
+                if (mapping != null) {
+                    return mapping;
+                }
+            }
+        }
+        throw new IllegalStateException("Assignment endpoint: " + e + " has no mapping like @GetMapping/@PostMapping etc," +
+                "with return type 'AttackResult' or 'ResponseEntity<AttackResult>' please consider adding one");
+    }
+
+    private boolean methodReturnTypeIsOfTypeAttackResult(Method m) {
+        if (m.getReturnType() == AttackResult.class) {
+            return true;
+        }
+        var genericType = m.getGenericReturnType();
+        if (genericType instanceof ParameterizedType) {
+            return ((ParameterizedType) m.getGenericReturnType()).getActualTypeArguments()[0] == AttackResult.class;
+        }
+        return false;
+    }
+
+    private String getMapping(Method m) {
+        String[] paths = null;
+        //Find the path, either it is @GetMapping("/attack") of GetMapping(path = "/attack") both are valid, we need to consider both
+        if (m.getAnnotation(RequestMapping.class) != null) {
+            paths = ArrayUtils.addAll(m.getAnnotation(RequestMapping.class).value(), m.getAnnotation(RequestMapping.class).path());
+        } else if (m.getAnnotation(PostMapping.class) != null) {
+            paths = ArrayUtils.addAll(m.getAnnotation(PostMapping.class).value(), m.getAnnotation(PostMapping.class).path());
+        } else if (m.getAnnotation(GetMapping.class) != null) {
+            paths = ArrayUtils.addAll(m.getAnnotation(GetMapping.class).value(), m.getAnnotation(GetMapping.class).path());
+        } else if (m.getAnnotation(PutMapping.class) != null) {
+            paths = ArrayUtils.addAll(m.getAnnotation(PutMapping.class).value(), m.getAnnotation(PutMapping.class).path());
+        }
+        if (paths == null) {
+            return null;
+        } else {
+            return Arrays.stream(paths).filter(path -> !"".equals(path)).findFirst().orElse("");
+        }
+    }
+
+    private List<String> getHints(Class<? extends AssignmentEndpoint> e) {
+        if (e.isAnnotationPresent(AssignmentHints.class)) {
+            return List.of(e.getAnnotationsByType(AssignmentHints.class)[0].value());
+        }
+        return Collections.emptyList();
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Hint.java

@@ -4,7 +4,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * 
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -24,10 +24,10 @@
  * projects.
  * 
  */
+
 package org.owasp.webgoat.lessons;
 
-import lombok.Getter;
-import lombok.Setter;
+import lombok.Value;
 
 /**
  * <p>Hint class.</p>
@@ -35,12 +35,9 @@ import lombok.Setter;
  * @author rlawson
  * @version $Id: $Id
  */
-@Getter
-@Setter
+@Value
 public class Hint {
 
     private String hint;
-    private String lesson;
     private String assignmentPath;
-    private int number;
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/Lesson.java

@@ -1,64 +1,46 @@
-package org.owasp.webgoat.lessons;
-
-import com.google.common.collect.Lists;
-import lombok.Setter;
-import org.owasp.webgoat.session.Screen;
-
-import java.util.List;
-
-/**
- * ************************************************************************************************
- * <p>
- * <p>
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * <p>
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * <p>
+ *
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- * <p>
+ *
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
  *
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @version $Id: $Id
- * @since October 28, 2003
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
-public abstract class AbstractLesson extends Screen implements Comparable<Object> {
+
+package org.owasp.webgoat.lessons;
+
+import lombok.Getter;
+import lombok.Setter;
+import lombok.Singular;
+
+import java.util.List;
+
+@Getter
+@Setter
+public abstract class Lesson {
 
     private static int count = 1;
-
     private Integer id = null;
-
-    private Integer ranking;
-
-    @Setter
     private List<Assignment> assignments;
 
-    public List<Assignment> getAssignments() {
-        if (assignments == null) {
-            return Lists.newArrayList();
-        }
-        return assignments;
-    }
-
     /**
      * Constructor for the Lesson object
      */
-    public AbstractLesson() {
-        id = new Integer(++count);
+    public Lesson() {
+        id = ++count;
     }
 
 
@@ -72,34 +54,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
         return className.substring(className.lastIndexOf('.') + 1);
     }
 
-    /**
-     * <p>Setter for the field <code>ranking</code>.</p>
-     *
-     * @param ranking a {@link java.lang.Integer} object.
-     */
-    public void setRanking(Integer ranking) {
-        this.ranking = ranking;
-    }
-
-
-    /**
-     * {@inheritDoc}
-     * <p>
-     * Description of the Method
-     */
-    public int compareTo(Object obj) {
-        return this.getRanking().compareTo(((AbstractLesson) obj).getRanking());
-    }
-
-    /**
-     * {@inheritDoc}
-     * <p>
-     * Description of the Method
-     */
-    public boolean equals(Object obj) {
-        return this.getScreenId() == ((AbstractLesson) obj).getScreenId();
-    }
-
     /**
      * Gets the category attribute of the Lesson object
      *
@@ -109,13 +63,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
         return getDefaultCategory();
     }
 
-    /**
-     * <p>getDefaultRanking.</p>
-     *
-     * @return a {@link java.lang.Integer} object.
-     */
-    protected abstract Integer getDefaultRanking();
-
     /**
      * <p>getDefaultCategory.</p>
      *
@@ -123,29 +70,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
      */
     protected abstract Category getDefaultCategory();
 
-    /**
-     * <p>getDefaultHidden.</p>
-     *
-     * @return a boolean.
-     */
-    protected abstract boolean getDefaultHidden();
-
-    /**
-     * Gets the hintCount attribute of the Lesson object
-     *
-     * @return The hintCount value
-     */
-    public int getHintCount() {
-        return getHints().size();
-    }
-
-    /**
-     * <p>getHints.</p>
-     *
-     * @return a {@link java.util.List} object.
-     */
-    public abstract List<String> getHints();
-
     /**
      * Gets the title attribute of the HelloScreen object
      *
@@ -153,28 +77,6 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
      */
     public abstract String getTitle();
 
-    /**
-     * Gets the ranking attribute of the Lesson object
-     *
-     * @return The ranking value
-     */
-    public Integer getRanking() {
-        if (ranking != null) {
-            return ranking;
-        } else {
-            return getDefaultRanking();
-        }
-    }
-
-    /**
-     * Gets the uniqueID attribute of the AbstractLesson object
-     *
-     * @return The uniqueID value
-     */
-    public int getScreenId() {
-        return id.intValue();
-    }
-
     /**
      * <p>Returns the default "path" portion of a lesson's URL.</p>
      * <p>
@@ -217,6 +119,7 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
         return getTitle();
     }
 
-    public abstract String getId();
-
+    public final String getId() {
+        return this.getClass().getSimpleName();
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java

@@ -1,86 +0,0 @@
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @since October 28, 2003
- * @version $Id: $Id
- */
-package org.owasp.webgoat.lessons;
-
-//// TODO: 11/8/2016 remove
-public abstract class LessonAdapter extends AbstractLesson {
-
-
-    /**
-     * <p>getDefaultHidden.</p>
-     *
-     * @return a boolean.
-     */
-    protected boolean getDefaultHidden() {
-        return false;
-    }
-
-    /**
-     * Initiates lesson restart functionality. Lessons should override this for
-     * lesson specific actions
-     */
-    public void restartLesson() {
-        // Do Nothing - called when restart lesson is pressed. Each lesson can do something
-    }
-        
-    private final static Integer DEFAULT_RANKING = new Integer(1000);
-
-    /**
-     * <p>getDefaultRanking.</p>
-     *
-     * @return a {@link java.lang.Integer} object.
-     */
-    protected Integer getDefaultRanking() {
-        return DEFAULT_RANKING;
-    }
-
-    /**
-     * provide a default submitMethod of lesson does not implement
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    public String getSubmitMethod() {
-        return "GET";
-    }
-
-    /**
-     * Fill in a descriptive title for this lesson. The title of the lesson.
-     * This will appear above the control area at the top of the page. This
-     * field will be rendered as html.
-     *
-     * @return The title value
-     */
-    public String getTitle() {
-        return "Untitled Lesson " + getScreenId();
-    }
-
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItem.java

@@ -1,32 +1,32 @@
 /**
  * *************************************************************************************************
- *
- *
+ * <p>
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
  * Foundation; either version 2 of the License, or (at your option) any later
  * version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with
  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
  * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at
  * https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
  */
+
 package org.owasp.webgoat.lessons;
 
 import java.util.ArrayList;
@@ -45,8 +45,7 @@ public class LessonMenuItem {
     private List<LessonMenuItem> children = new ArrayList<LessonMenuItem>();
     private boolean complete;
     private String link;
-//    private boolean showSource = true;
-//    private boolean showHints = true;
+    private int ranking;
 
     /**
      * <p>Getter for the field <code>name</code>.</p>
@@ -111,7 +110,6 @@ public class LessonMenuItem {
         children.add(child);
     }
 
-    /** {@inheritDoc} */
     @Override
     public String toString() {
         StringBuilder bldr = new StringBuilder();
@@ -156,6 +154,13 @@ public class LessonMenuItem {
         this.link = link;
     }
 
+    public void setRanking(int ranking) {
+        this.ranking = ranking;
+    }
+
+    public int getRanking() {
+        return this.ranking;
+    }
 
 
 }

webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonMenuItemType.java

@@ -4,7 +4,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * 
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * 
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the

webgoat-container/src/main/java/org/owasp/webgoat/lessons/RequestParameter.java

@@ -1,78 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- */
-package org.owasp.webgoat.lessons;
-
-/**
- * <p>RequestParameter class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-public class RequestParameter implements Comparable<RequestParameter> {
-
-    private final String name;
-    private final String value;
-
-    /**
-     * <p>Constructor for RequestParameter.</p>
-     *
-     * @param name a {@link java.lang.String} object.
-     * @param value a {@link java.lang.String} object.
-     */
-    public RequestParameter(String name, String value) {
-        this.name = name;
-        this.value = value;
-    }
-
-    /**
-     * <p>Getter for the field <code>name</code>.</p>
-     *
-     * @return the name
-     */
-    public String getName() {
-        return name;
-    }
-
-    /**
-     * <p>Getter for the field <code>value</code>.</p>
-     *
-     * @return the values
-     */
-    public String getValue() {
-        return value;
-    }
-
-    /** {@inheritDoc} */
-    @Override
-    public int compareTo(RequestParameter o) {
-        return this.name.compareTo(o.getName());
-    }
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginEndpointPublisher.java

@@ -1,66 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.Endpoint;
-import org.springframework.beans.factory.annotation.Autowire;
-import org.springframework.beans.factory.config.BeanDefinition;
-import org.springframework.beans.factory.support.DefaultListableBeanFactory;
-import org.springframework.beans.factory.support.RootBeanDefinition;
-import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
-import org.springframework.context.ApplicationContext;
-import org.springframework.context.support.AbstractApplicationContext;
-
-import java.util.List;
-
-/**
- * ************************************************************************************************
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * <p>
- *
- * @author nbaars
- * @version $Id: $Id
- * @since October 16, 2016
- */
-@Slf4j
-public class PluginEndpointPublisher {
-
-    private AbstractApplicationContext applicationContext;
-
-    public PluginEndpointPublisher(ApplicationContext applicationContext) {
-        this.applicationContext = (AbstractApplicationContext) applicationContext;
-    }
-
-    public void publish(List<Class<Endpoint>> endpoints) {
-        endpoints.forEach(e -> publishEndpoint(e));
-    }
-
-    private void publishEndpoint(Class<? extends MvcEndpoint> e) {
-        try {
-            BeanDefinition beanDefinition = new RootBeanDefinition(e, Autowire.BY_TYPE.value(), true);
-            DefaultListableBeanFactory beanFactory = (DefaultListableBeanFactory) applicationContext.getBeanFactory();
-            beanFactory.registerBeanDefinition(beanDefinition.getBeanClassName(), beanDefinition);
-        } catch (Exception ex) {
-            log.error("Failed to register " + e.getSimpleName() + " as endpoint with Spring, skipping...");
-        }
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginLoadingFailure.java

@@ -1,29 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-/**
- * <p>PluginLoadingFailure class.</p>
- *
- * @version $Id: $Id
- * @author dm
- */
-public class PluginLoadingFailure extends RuntimeException {
-
-    /**
-     * <p>Constructor for PluginLoadingFailure.</p>
-     *
-     * @param message a {@link java.lang.String} object.
-     */
-    public PluginLoadingFailure(String message) {
-        super(message);
-    }
-
-    /**
-     * <p>Constructor for PluginLoadingFailure.</p>
-     *
-     * @param message a {@link java.lang.String} object.
-     * @param e a {@link java.lang.Exception} object.
-     */
-    public PluginLoadingFailure(String message, Exception e) {
-        super(message, e);
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginResource.java

@@ -1,46 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import lombok.AllArgsConstructor;
-import lombok.Getter;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.Endpoint;
-import org.owasp.webgoat.lessons.NewLesson;
-
-import java.net.URL;
-import java.util.List;
-import java.util.stream.Collectors;
-
-/**
- * Plugin resource
- *
- * @author nbaars
- * @since 3/4/17.
- */
-@AllArgsConstructor
-@Getter
-public class PluginResource {
-
-    private final URL location;
-    private final List<Class> classes;
-
-    public List<Class> getLessons() {
-        return classes.stream().filter(c -> c.getSuperclass() == NewLesson.class).collect(Collectors.toList());
-    }
-
-    public List<Class<Endpoint>> getEndpoints() {
-        return classes.stream().
-                filter(c -> c.getSuperclass() == AssignmentEndpoint.class || c.getSuperclass() == Endpoint.class).
-                map(c -> (Class<Endpoint>) c).
-                collect(Collectors.toList());
-    }
-
-    public List<Class<AssignmentEndpoint>> getAssignments(Class lesson) {
-        return classes.stream().
-                filter(c -> c.getSuperclass() == AssignmentEndpoint.class).
-                filter(c -> c.getPackage().equals(lesson.getPackage())).
-                map(c -> (Class<AssignmentEndpoint>) c).
-                collect(Collectors.toList());
-    }
-
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java

@@ -1,134 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import lombok.AllArgsConstructor;
-import lombok.SneakyThrows;
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.Assignment;
-import org.owasp.webgoat.lessons.NewLesson;
-import org.owasp.webgoat.session.Course;
-import org.springframework.beans.factory.config.BeanDefinition;
-import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider;
-import org.springframework.core.type.filter.RegexPatternTypeFilter;
-
-import java.net.URL;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.regex.Pattern;
-import java.util.stream.Collectors;
-
-import static java.util.stream.Collectors.toList;
-
-/**
- * ************************************************************************************************
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * <p>
- *
- * @author nbaars
- * @version $Id: $Id
- * @since November 25, 2016
- */
-@AllArgsConstructor
-@Slf4j
-public class PluginsLoader {
-
-    private final PluginEndpointPublisher pluginEndpointPublisher;
-
-    /**
-     * <p>createLessonsFromPlugins.</p>
-     */
-    public Course loadPlugins() {
-        List<AbstractLesson> lessons = Lists.newArrayList();
-        for (PluginResource plugin : findPluginResources()) {
-            try {
-                plugin.getLessons().forEach(c -> {
-                    NewLesson lesson = null;
-                    try {
-                        lesson = (NewLesson) c.newInstance();
-                        log.trace("Lesson loaded: {}", lesson.getId());
-                    } catch (Exception e) {
-                        log.error("Error while loading:" + c, e);
-                    }
-                    List<Class<AssignmentEndpoint>> assignments = plugin.getAssignments(c);
-                    lesson.setAssignments(createAssignment(assignments));
-                    lessons.add(lesson);
-                    pluginEndpointPublisher.publish(plugin.getEndpoints());
-                });
-            } catch (Exception e) {
-                log.error("Error in loadLessons: ", e);
-            }
-        }
-        if (lessons.isEmpty()) {
-            log.error("No lessons found if you downloaded an official release of WebGoat please take the time to");
-            log.error("create a new issue at https://github.com/WebGoat/WebGoat/issues/new");
-            log.error("For developers run 'mvn package' first from the root directory.");
-        }
-        return new Course(lessons);
-    }
-
-    private List<Assignment> createAssignment(List<Class<AssignmentEndpoint>> endpoints) {
-        return endpoints.stream().map(e -> new Assignment(e.getSimpleName(), getPath(e), getHints(e))).collect(toList());
-    }
-
-    private String getPath(Class<AssignmentEndpoint> e) {
-        return e.getAnnotationsByType(AssignmentPath.class)[0].value();
-    }
-
-    private List<String> getHints(Class<AssignmentEndpoint> e) {
-        if (e.isAnnotationPresent(AssignmentHints.class)) {
-            return Lists.newArrayList(e.getAnnotationsByType(AssignmentHints.class)[0].value());
-        }
-        return Lists.newArrayList();
-    }
-
-
-
-    @SneakyThrows
-    public List<PluginResource> findPluginResources() {
-        final ClassPathScanningCandidateComponentProvider provider = new ClassPathScanningCandidateComponentProvider(false);
-        provider.addIncludeFilter(new RegexPatternTypeFilter(Pattern.compile(".*")));
-        final Set<BeanDefinition> classes = provider.findCandidateComponents("org.owasp.webgoat.plugin");
-        Map<URL, List<Class>> pluginClasses = Maps.newHashMap();
-        for (BeanDefinition bean : classes) {
-            Class<?> clazz = Class.forName(bean.getBeanClassName());
-            URL location = clazz.getProtectionDomain().getCodeSource().getLocation();
-            List<Class> classFiles = pluginClasses.get(location);
-            if (classFiles == null) {
-                classFiles = Lists.newArrayList(clazz);
-            } else {
-                classFiles.add(clazz);
-            }
-            pluginClasses.put(location, classFiles);
-        }
-        return pluginClasses.entrySet().parallelStream()
-                .map(e -> new PluginResource(e.getKey(), e.getValue()))
-                .collect(Collectors.toList());
-    }
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/service/CookieService.java

@@ -1,63 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import com.google.common.collect.Lists;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpSession;
-import java.util.List;
-
-/**
- * <p>CookieService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class CookieService {
-
-    /**
-     * Returns cookies for last attack
-     *
-     * @param session a {@link javax.servlet.http.HttpSession} object.
-     * @return a {@link java.util.List} object.
-     */
-    @RequestMapping(path = "/service/cookie.mvc", produces = "application/json")
-    public @ResponseBody
-    List<Cookie> showCookies() {
-        //// TODO: 11/6/2016 to be decided
-        List<Cookie> cookies = Lists.newArrayList();
-        return cookies;
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/service/HintService.java

@@ -3,12 +3,12 @@
  * To change this template file, choose Tools | Templates
  * and open the template in the editor.
  */
+
 package org.owasp.webgoat.service;
 
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.Hint;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -41,42 +41,22 @@ public class HintService {
      */
     @GetMapping(path = URL_HINTS_MVC, produces = "application/json")
     @ResponseBody
-    public List<Hint> showHint() {
-        AbstractLesson l = webSession.getCurrentLesson();
-        List<Hint> hints = createLessonHints(l);
-        hints.addAll(createAssignmentHints(l));
-        return hints;
-
+    public List<Hint> getHints() {
+        Lesson l = webSession.getCurrentLesson();
+        return createAssignmentHints(l);
     }
 
-    private List<Hint> createLessonHints(AbstractLesson l) {
-        if ( l != null ) {
-            return l.getHints().stream().map(h -> createHint(h, l.getName(), null)).collect(toList());
+    private List<Hint> createAssignmentHints(Lesson l) {
+        if (l != null) {
+            return l.getAssignments().stream()
+                    .map(a -> createHint(a))
+                    .flatMap(hints -> hints.stream())
+                    .collect(toList());
         }
-        return Lists.newArrayList();
+        return List.of();
     }
 
-    private List<Hint> createAssignmentHints(AbstractLesson l) {
-        List<Hint> hints = Lists.newArrayList();
-        if ( l != null) {
-            List<Assignment> assignments = l.getAssignments();
-            assignments.stream().forEach(a -> { a.getHints(); createHints(a, hints);});
-        }
-        return hints;
-    }
-
-    private void createHints(Assignment a, List<Hint> hints) {
-        hints.addAll(a.getHints().stream().map(h -> createHint(h, null, a.getPath())).collect(toList()));
-    }
-
-    private Hint createHint(String hintText, String lesson, String assignmentName) {
-        Hint hint = new Hint();
-        hint.setHint(hintText);
-        if (lesson != null) {
-            hint.setLesson(lesson);
-        } else {
-            hint.setAssignmentPath(assignmentName);
-        }
-        return hint;
+    private List<Hint> createHint(Assignment a) {
+        return a.getHints().stream().map(h -> new Hint(h, a.getPath())).collect(toList());
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/LabelDebugService.java

@@ -1,32 +1,32 @@
 /**
  * *************************************************************************************************
- *
- *
+ * <p>
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
+ * <p>
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
  * Foundation; either version 2 of the License, or (at your option) any later
  * version.
- *
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
- *
+ * <p>
  * You should have received a copy of the GNU General Public License along with
  * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
  * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
+ * <p>
  * Getting Source ==============
- *
+ * <p>
  * Source for this application is maintained at
  * https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
  */
+
 package org.owasp.webgoat.service;
 
 import lombok.AllArgsConstructor;
@@ -73,20 +73,20 @@ public class LabelDebugService {
         return new ResponseEntity<>(result, HttpStatus.OK);
     }
 
-      /**
-      * Sets the enabled flag on the label debugger to the given parameter
-      * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
-      * @throws Exception unhandled exception
-      * @return a {@link org.springframework.http.ResponseEntity} object.
-      */
-     @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
-     public @ResponseBody
-     ResponseEntity<Map<String, Object>> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) throws Exception {
-         log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
-         Map<String, Object> result = createResponse(enabled);
-         labelDebugger.setEnabled(enabled);
-         return new ResponseEntity<>(result, HttpStatus.OK);
-     }
+    /**
+     * Sets the enabled flag on the label debugger to the given parameter
+     * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object
+     * @throws Exception unhandled exception
+     * @return a {@link org.springframework.http.ResponseEntity} object.
+     */
+    @RequestMapping(value = URL_DEBUG_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE, params = KEY_ENABLED)
+    public @ResponseBody
+    ResponseEntity<Map<String, Object>> setDebuggingStatus(@RequestParam("enabled") Boolean enabled) throws Exception {
+        log.debug("Setting label debugging to {} ", labelDebugger.isEnabled());
+        Map<String, Object> result = createResponse(enabled);
+        labelDebugger.setEnabled(enabled);
+        return new ResponseEntity<>(result, HttpStatus.OK);
+    }
 
     /**
      * @param enabled {@link org.owasp.webgoat.session.LabelDebugger} object

webgoat-container/src/main/java/org/owasp/webgoat/service/LabelService.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
@@ -26,6 +26,7 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
  * for free software projects.
  */
+
 package org.owasp.webgoat.service;
 
 import lombok.AllArgsConstructor;
@@ -67,21 +68,20 @@ public class LabelService {
      * We use Springs session locale resolver which also gives us the option to change the local later on. For
      * now it uses the accept-language from the HttpRequest. If this language is not found it will default back
      * to messages.properties.
-     *
+     * <p>
      * Note although it is possible to use Spring language interceptor we for now opt for this solution, the UI
      * will always need to fetch the labels with the new language set by the user. So we don't need to intercept each
      * and every request to see if the language param has been set in the request.
      *
      * @param lang the language to fetch labels for (optional)
      * @return a map of labels
-     * @throws Exception
      */
     @GetMapping(path = URL_LABELS_MVC, produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody
-    public ResponseEntity<Properties> fetchLabels(@RequestParam(value = "lang", required = false) String lang, HttpServletRequest request) {
+    public ResponseEntity<Properties> fetchLabels(@RequestParam(value = "lang", required = false) String lang) {
         if (!StringUtils.isEmpty(lang)) {
             Locale locale = Locale.forLanguageTag(lang);
-            ((SessionLocaleResolver)localeResolver).setDefaultLocale(locale);
+            ((SessionLocaleResolver) localeResolver).setDefaultLocale(locale);
             log.debug("Language provided: {} leads to Locale: {}", lang, locale);
         }
         Properties allProperties = new Properties();

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonInfoService.java

@@ -1,7 +1,7 @@
 package org.owasp.webgoat.service;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.lessons.LessonInfoModel;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -29,7 +29,7 @@ public class LessonInfoService {
     @RequestMapping(path = "/service/lessoninfo.mvc", produces = "application/json")
     public @ResponseBody
     LessonInfoModel getLessonInfo() {
-        AbstractLesson lesson = webSession.getCurrentLesson();
+        Lesson lesson = webSession.getCurrentLesson();
         return new LessonInfoModel(lesson.getTitle(), false, false, false);
     }
 

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonMenuService.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
@@ -26,10 +26,12 @@
  * Source for this application is maintained at
  * https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
+
 package org.owasp.webgoat.service;
 
 import lombok.AllArgsConstructor;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
+import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.Category;
 import org.owasp.webgoat.lessons.LessonMenuItem;
 import org.owasp.webgoat.lessons.LessonMenuItemType;
@@ -38,6 +40,7 @@ import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.users.LessonTracker;
 import org.owasp.webgoat.users.UserTracker;
 import org.owasp.webgoat.users.UserTrackerRepository;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -45,6 +48,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
 
 /**
@@ -62,6 +66,12 @@ public class LessonMenuService {
     private final WebSession webSession;
     private UserTrackerRepository userTrackerRepository;
 
+    @Value("#{'${exclude.categories}'.split(',')}")
+    private List<String> excludeCategories;
+
+    @Value("#{'${exclude.lessons}'.split(',')}")
+    private List<String> excludeLessons;
+    
     /**
      * Returns the lesson menu which is used to build the left nav
      *
@@ -76,24 +86,47 @@ public class LessonMenuService {
         UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
 
         for (Category category : categories) {
+        	if (excludeCategories.contains(category.name())) { 
+        		continue;
+        	}
             LessonMenuItem categoryItem = new LessonMenuItem();
             categoryItem.setName(category.getName());
             categoryItem.setType(LessonMenuItemType.CATEGORY);
             // check for any lessons for this category
-            List<AbstractLesson> lessons = course.getLessons(category);
+            List<Lesson> lessons = course.getLessons(category);
             lessons = lessons.stream().sorted(Comparator.comparing(l -> l.getTitle())).collect(Collectors.toList());
-            for (AbstractLesson lesson : lessons) {
+            for (Lesson lesson : lessons) {
+            	if (excludeLessons.contains(lesson.getName())) {
+            		continue;
+            	}
                 LessonMenuItem lessonItem = new LessonMenuItem();
                 lessonItem.setName(lesson.getTitle());
                 lessonItem.setLink(lesson.getLink());
                 lessonItem.setType(LessonMenuItemType.LESSON);
                 LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
-                lessonItem.setComplete(lessonTracker.isLessonSolved());
+                boolean lessonSolved = lessonCompleted(lessonTracker.getLessonOverview(), lesson);
+                lessonItem.setComplete(lessonSolved);
                 categoryItem.addChild(lessonItem);
             }
+            categoryItem.getChildren().sort((o1, o2) -> o1.getRanking() - o2.getRanking());
             menu.add(categoryItem);
         }
         return menu;
 
     }
+
+    private boolean lessonCompleted(Map<Assignment, Boolean> map, Lesson currentLesson) {
+        boolean result = true;
+        for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
+        	    Assignment storedAssignment = entry.getKey();
+            	for (Assignment lessonAssignment: currentLesson.getAssignments()) {
+            		if (lessonAssignment.getName().equals(storedAssignment.getName())) {
+            			result = result && entry.getValue();
+            			break;
+            		}
+            	}
+            
+        }
+        return result;
+    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java

@@ -1,73 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import org.owasp.webgoat.session.WebSession;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-/**
- * <p>LessonPlanService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-//TODO remove
-public class LessonPlanService {
-
-    private final WebSession webSession;
-
-    public LessonPlanService(WebSession webSession) {
-        this.webSession = webSession;
-    }
-
-    /**
-     * Returns source for current attack
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    @RequestMapping(path = "/service/lessonplan.mvc", produces = "application/html")
-    public @ResponseBody
-    String showPlan() {
-        String plan = getPlan();
-        return plan;
-    }
-
-    /**
-     * Description of the Method
-     *
-     * @return Description of the Return Value
-     */
-    protected String getPlan() {
-        return "Plan is not available for this lesson.";
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonProgressService.java

@@ -1,10 +1,8 @@
 package org.owasp.webgoat.service;
 
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.lessons.Assignment;
 import org.owasp.webgoat.lessons.LessonInfoModel;
 import org.owasp.webgoat.session.WebSession;
@@ -16,6 +14,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -29,32 +28,8 @@ import java.util.Map;
 @AllArgsConstructor
 public class LessonProgressService {
 
-    private UserTrackerRepository userTrackerRepository;
-    private WebSession webSession;
-
-    /**
-     * <p>LessonProgressService.</p>
-     *
-     * @return a {@link LessonInfoModel} object.
-     */
-    @RequestMapping(value = "/service/lessonprogress.mvc", produces = "application/json")
-    @ResponseBody
-    public Map getLessonInfo() {
-        Map json = Maps.newHashMap();
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        if (webSession.getCurrentLesson() != null) {
-            LessonTracker lessonTracker = userTracker.getLessonTracker(webSession.getCurrentLesson());
-            String successMessage = "";
-            boolean lessonCompleted = false;
-            if (lessonTracker != null) {
-                lessonCompleted = lessonTracker.isLessonSolved();
-                successMessage = "LessonCompleted"; //@todo we still use this??
-            }
-            json.put("lessonCompleted", lessonCompleted);
-            json.put("successMessage", successMessage);
-        }
-        return json;
-    }
+    private final UserTrackerRepository userTrackerRepository;
+    private final WebSession webSession;
 
     /**
      * Endpoint for fetching the complete lesson overview which informs the user about whether all the assignments are solved.
@@ -66,23 +41,53 @@ public class LessonProgressService {
     @ResponseBody
     public List<LessonOverview> lessonOverview() {
         UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        AbstractLesson currentLesson = webSession.getCurrentLesson();
-        List<LessonOverview> result = Lists.newArrayList();
-        if ( currentLesson != null ) {
+        Lesson currentLesson = webSession.getCurrentLesson();
+        List<LessonOverview> result = new ArrayList<>();
+        if (currentLesson != null) {
             LessonTracker lessonTracker = userTracker.getLessonTracker(currentLesson);
-            result = toJson(lessonTracker.getLessonOverview());
+            result = toJson(lessonTracker.getLessonOverview(), currentLesson);
         }
         return result;
     }
 
-    private List<LessonOverview> toJson(Map<Assignment, Boolean> map) {
-        ArrayList<LessonOverview> result = Lists.newArrayList();
+    private List<LessonOverview> toJson(Map<Assignment, Boolean> map, Lesson currentLesson) {
+        List<LessonOverview> result = new ArrayList();
         for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
-            result.add(new LessonOverview(entry.getKey(), entry.getValue()));
+            Assignment storedAssignment = entry.getKey();
+            for (Assignment lessonAssignment : currentLesson.getAssignments()) {
+                if (lessonAssignment.getName().equals(storedAssignment.getName())
+                        && !lessonAssignment.getPath().equals(storedAssignment.getPath())) {
+                    //here a stored path in the assignments table will be corrected for the JSON output
+                    //with the value of the actual expected path
+                    storedAssignment.setPath(lessonAssignment.getPath());
+                    result.add(new LessonOverview(storedAssignment, entry.getValue()));
+                    break;
+
+                } else if (lessonAssignment.getName().equals(storedAssignment.getName())) {
+                    result.add(new LessonOverview(storedAssignment, entry.getValue()));
+                    break;
+                }
+            }
+            //assignments not in the list will not be put in the lesson progress JSON output
+
         }
         return result;
     }
 
+    private boolean isLessonComplete(Map<Assignment, Boolean> map, Lesson currentLesson) {
+        boolean result = true;
+        for (Map.Entry<Assignment, Boolean> entry : map.entrySet()) {
+            Assignment storedAssignment = entry.getKey();
+            for (Assignment lessonAssignment : currentLesson.getAssignments()) {
+                if (lessonAssignment.getName().equals(storedAssignment.getName())) {
+                    result = result && entry.getValue();
+                    break;
+                }
+            }
+
+        }
+        return result;
+    }
 
     @AllArgsConstructor
     @Getter

webgoat-container/src/main/java/org/owasp/webgoat/service/LessonTitleService.java

@@ -1,6 +1,6 @@
 package org.owasp.webgoat.service;
 
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -31,7 +31,7 @@ public class LessonTitleService {
     public
     @ResponseBody
     String showPlan() {
-        AbstractLesson lesson = webSession.getCurrentLesson();
+        Lesson lesson = webSession.getCurrentLesson();
         return lesson != null ? lesson.getTitle() : "";
     }
 

webgoat-container/src/main/java/org/owasp/webgoat/service/ParameterService.java

@@ -1,65 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import com.google.common.collect.Lists;
-import org.owasp.webgoat.lessons.RequestParameter;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpSession;
-import java.util.Collections;
-import java.util.List;
-
-/**
- * <p>ParameterService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
-@Controller
-public class ParameterService {
-
-    /**
-     * Returns request parameters for last attack
-     *
-     * @param session a {@link javax.servlet.http.HttpSession} object.
-     * @return a {@link java.util.List} object.
-     */
-    @RequestMapping(path = "/service/parameter.mvc", produces = "application/json")
-    public @ResponseBody
-    List<RequestParameter> showParameters(HttpSession session) {
-        //// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
-        List<RequestParameter> listParms = Lists.newArrayList();
-        Collections.sort(listParms);
-        return listParms;
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java

@@ -1,75 +0,0 @@
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at
- * https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
- */
-package org.owasp.webgoat.service;
-
-import org.springframework.http.HttpStatus;
-import org.springframework.http.MediaType;
-import org.springframework.http.ResponseEntity;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpSession;
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- * <p>PluginReloadService class.</p>
- *
- * @author nbaars
- * @version $Id: $Id
- */
-@Controller
-public class PluginReloadService {
-
-    /**
-     * Reload all the plugins
-     *
-     * @param session a {@link javax.servlet.http.HttpSession} object.
-     * @return a {@link org.springframework.http.ResponseEntity} object.
-     */
-    @RequestMapping(path = "/service/reloadplugins.mvc", produces = MediaType.APPLICATION_JSON_VALUE)
-    public @ResponseBody
-    ResponseEntity<Map<String, Object>> reloadPlugins(HttpSession session) {
-//        WebSession webSession = (WebSession) session.getAttribute(WebSession.SESSION);
-//
-//        logger.debug("Loading plugins into cache");
-//        String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
-//        String targetPath = session.getServletContext().getRealPath("plugin_extracted");
-//        //TODO fix me
-//        //new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
-//        //webSession.getCourse().createLessonsFromPlugins();
-
-        Map<String, Object> result = new HashMap<String, Object>();
-        result.put("success", true);
-        result.put("message", "Plugins reloaded");
-        return new ResponseEntity<>(result, HttpStatus.OK);
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/service/ReportCardService.java

@@ -5,7 +5,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project
  * utility. For details, please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License as published by the Free Software
@@ -26,14 +26,14 @@
  * Source for this application is maintained at
  * https://github.com/WebGoat/WebGoat, a repository for free software projects.
  */
+
 package org.owasp.webgoat.service;
 
-import com.google.common.collect.Lists;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import lombok.Setter;
 import org.owasp.webgoat.i18n.PluginMessages;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.users.LessonTracker;
@@ -43,6 +43,7 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import java.util.ArrayList;
 import java.util.List;
 
 /**
@@ -66,16 +67,16 @@ public class ReportCardService {
     @GetMapping(path = "/service/reportcard.mvc", produces = "application/json")
     @ResponseBody
     public ReportCard reportCard() {
-        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
-        List<AbstractLesson> lessons = course.getLessons();
-        ReportCard reportCard = new ReportCard();
+        final ReportCard reportCard = new ReportCard();
         reportCard.setTotalNumberOfLessons(course.getTotalOfLessons());
         reportCard.setTotalNumberOfAssignments(course.getTotalOfAssignments());
+
+        UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
         reportCard.setNumberOfAssignmentsSolved(userTracker.numberOfAssignmentsSolved());
         reportCard.setNumberOfLessonsSolved(userTracker.numberOfLessonsSolved());
-        for (AbstractLesson lesson : lessons) {
+        for (Lesson lesson : course.getLessons()) {
             LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
-            LessonStatistics lessonStatistics = new LessonStatistics();
+            final LessonStatistics lessonStatistics = new LessonStatistics();
             lessonStatistics.setName(pluginMessages.getMessage(lesson.getTitle()));
             lessonStatistics.setNumberOfAttempts(lessonTracker.getNumberOfAttempts());
             lessonStatistics.setSolved(lessonTracker.isLessonSolved());
@@ -86,19 +87,19 @@ public class ReportCardService {
 
     @Getter
     @Setter
-    private class ReportCard {
+    private final class ReportCard {
 
         private int totalNumberOfLessons;
         private int totalNumberOfAssignments;
         private int solvedLessons;
         private int numberOfAssignmentsSolved;
         private int numberOfLessonsSolved;
-        private List<LessonStatistics> lessonStatistics = Lists.newArrayList();
+        private List<LessonStatistics> lessonStatistics =  new ArrayList<>();
     }
 
     @Setter
     @Getter
-    private class LessonStatistics {
+    private final class LessonStatistics {
         private String name;
         private boolean solved;
         private int numberOfAttempts;

webgoat-container/src/main/java/org/owasp/webgoat/service/RestartLessonService.java

@@ -2,7 +2,7 @@
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -21,11 +21,13 @@
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
  * projects.
  */
+
 package org.owasp.webgoat.service;
 
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.flywaydb.core.Flyway;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.session.WebSession;
 import org.owasp.webgoat.users.UserTracker;
 import org.owasp.webgoat.users.UserTrackerRepository;
@@ -34,33 +36,26 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseStatus;
 
-/**
- * <p>RestartLessonService class.</p>
- *
- * @author rlawson
- * @version $Id: $Id
- */
 @Controller
 @AllArgsConstructor
 @Slf4j
 public class RestartLessonService {
 
     private final WebSession webSession;
-    private UserTrackerRepository userTrackerRepository;
+    private final UserTrackerRepository userTrackerRepository;
+    private final Flyway flywayLessons;
 
-    /**
-     * Returns current lesson
-     *
-     * @return a {@link java.lang.String} object.
-     */
     @RequestMapping(path = "/service/restartlesson.mvc", produces = "text/text")
     @ResponseStatus(value = HttpStatus.OK)
     public void restartLesson() {
-        AbstractLesson al = webSession.getCurrentLesson();
+        Lesson al = webSession.getCurrentLesson();
         log.debug("Restarting lesson: " + al);
 
         UserTracker userTracker = userTrackerRepository.findByUser(webSession.getUserName());
         userTracker.reset(al);
         userTrackerRepository.save(userTracker);
+
+        flywayLessons.clean();
+        flywayLessons.migrate();
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/service/SessionService.java

@@ -3,6 +3,7 @@
  * To change this template file, choose Tools | Templates
  * and open the template in the editor.
  */
+
 package org.owasp.webgoat.service;
 
 import org.springframework.stereotype.Controller;

webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java

@@ -1,11 +1,9 @@
 package org.owasp.webgoat.session;
 
-import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.lessons.Category;
 
-import java.util.LinkedList;
 import java.util.List;
 
 import static java.util.stream.Collectors.toList;
@@ -17,7 +15,7 @@ import static java.util.stream.Collectors.toList;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -41,10 +39,13 @@ import static java.util.stream.Collectors.toList;
  * @since October 28, 2003
  */
 @Slf4j
-@AllArgsConstructor
 public class Course {
 
-    private List<AbstractLesson> lessons = new LinkedList<>();
+    private List<? extends Lesson> lessons;
+
+    public Course(List<? extends Lesson> lessons) {
+        this.lessons = lessons;
+    }
 
     /**
      * Gets the categories attribute of the Course object
@@ -60,7 +61,7 @@ public class Course {
      *
      * @return The firstLesson value
      */
-    public AbstractLesson getFirstLesson() {
+    public Lesson getFirstLesson() {
         // Category 0 is the admin function. We want the first real category
         // to be returned. This is normally the General category and the Http Basics lesson
         return getLessons(getCategories().get(0)).get(0);
@@ -71,7 +72,7 @@ public class Course {
      *
      * @return a {@link java.util.List} object.
      */
-    public List<AbstractLesson> getLessons() {
+    public List<? extends Lesson> getLessons() {
         return this.lessons;
     }
 
@@ -81,11 +82,11 @@ public class Course {
      * @param category a {@link org.owasp.webgoat.lessons.Category} object.
      * @return a {@link java.util.List} object.
      */
-    public List<AbstractLesson> getLessons(Category category) {
-        return this.lessons.stream().filter(l -> l.getCategory() == category).sorted().collect(toList());
+    public List<Lesson> getLessons(Category category) {
+        return this.lessons.stream().filter(l -> l.getCategory() == category).collect(toList());
     }
 
-    public void setLessons(List<AbstractLesson> lessons) {
+    public void setLessons(List<Lesson> lessons) {
         this.lessons = lessons;
     }
 
@@ -94,9 +95,6 @@ public class Course {
     }
 
     public int getTotalOfAssignments() {
-        final int[] total = {0};
-        this.lessons.stream().forEach(l -> total[0] = total[0] + l.getAssignments().size());
-        return total[0];
+        return this.lessons.stream().reduce(0, (total, lesson) -> lesson.getAssignments().size() + total, Integer::sum);
     }
-
 }

webgoat-container/src/main/java/org/owasp/webgoat/session/DatabaseUtilities.java

@@ -1,129 +0,0 @@
-
-package org.owasp.webgoat.session;
-
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.SQLException;
-import java.util.HashMap;
-import java.util.Map;
-
-
-/**
- *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- *
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @version $Id: $Id
- */
-//TODO: class we need to refactor to new structure, we can put the connection in the current session of the user
-	// start using jdbc template
-public class DatabaseUtilities
-{
-
-	private static Map<String, Connection> connections = new HashMap<String, Connection>();
-	private static Map<String, Boolean> dbBuilt = new HashMap<String, Boolean>();
-
-	/**
-	 * <p>getConnection.</p>
-	 *
-	 * @param s a {@link org.owasp.webgoat.session.WebSession} object.
-	 * @return a {@link java.sql.Connection} object.
-	 * @throws java.sql.SQLException if any.
-	 */
-	public static Connection getConnection(WebSession s) throws SQLException
-	{
-		return getConnection(s.getUserName(), s.getWebgoatContext());
-	}
-
-	/**
-	 * <p>getConnection.</p>
-	 *
-	 * @param user a {@link java.lang.String} object.
-	 * @param context a {@link org.owasp.webgoat.session.WebgoatContext} object.
-	 * @return a {@link java.sql.Connection} object.
-	 * @throws java.sql.SQLException if any.
-	 */
-	public static synchronized Connection getConnection(String user, WebgoatContext context) throws SQLException
-	{
-		Connection conn = connections.get(user);
-		if (conn != null && !conn.isClosed()) return conn;
-		conn = makeConnection(user, context);
-		connections.put(user, conn);
-
-		if (dbBuilt.get(user) == null)
-		{
-			new CreateDB().makeDB(conn);
-			dbBuilt.put(user, Boolean.TRUE);
-		}
-
-		return conn;
-	}
-
-	/**
-	 * <p>returnConnection.</p>
-	 *
-	 * @param user a {@link java.lang.String} object.
-	 */
-	public static synchronized void returnConnection(String user)
-	{
-		try
-		{
-			Connection connection = connections.get(user);
-			if (connection == null || connection.isClosed()) return;
-
-			if (connection.getMetaData().getDatabaseProductName().toLowerCase().contains("oracle")) connection.close();
-		} catch (SQLException sqle)
-		{
-			sqle.printStackTrace();
-		}
-	}
-
-	private static Connection makeConnection(String user, WebgoatContext context) throws SQLException
-	{
-		try
-	{
-		Class.forName(context.getDatabaseDriver());
-
-		if (context.getDatabaseConnectionString().contains("hsqldb")) return getHsqldbConnection(user, context);
-
-		String userPrefix = context.getDatabaseUser();
-		String password = context.getDatabasePassword();
-		String url = context.getDatabaseConnectionString();
-		return DriverManager.getConnection(url, userPrefix + "_" + user, password);
-		} catch (ClassNotFoundException cnfe)
-		{
-			cnfe.printStackTrace();
-			throw new SQLException("Couldn't load the database driver: " + cnfe.getLocalizedMessage());
-		}
-	}
-
-	private static Connection getHsqldbConnection(String user, WebgoatContext context) throws ClassNotFoundException,
-			SQLException
-	{
-		String url = context.getDatabaseConnectionString().replace("{USER}", user);
-		return DriverManager.getConnection(url, "sa", "");
-	}
-	
-}

webgoat-container/src/main/java/org/owasp/webgoat/session/Screen.java

@@ -1,53 +0,0 @@
-package org.owasp.webgoat.session;
-
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at
- * https://github.com/WebGoat/WebGoat, a repository for free software projects.
- *
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect
- * Security</a>
- * @since October 28, 2003
- * @version $Id: $Id
- */
-public abstract class Screen {
-
-    /**
-     * Constructor for the Screen object
-     */
-    public Screen() {
-    }
-
-
-    /**
-     * Fill in a descriptive title for this lesson
-     *
-     * @return The title value
-     */
-    public abstract String getTitle();
-
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java

@@ -1,10 +1,10 @@
 package org.owasp.webgoat.session;
 
-import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.users.WebGoatUser;
 import org.springframework.security.core.context.SecurityContextHolder;
 
+import java.io.Serializable;
 import java.sql.Connection;
 import java.sql.SQLException;
 
@@ -15,7 +15,7 @@ import java.sql.SQLException;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see
  * http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public
  * License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later
@@ -37,58 +37,31 @@ import java.sql.SQLException;
  * @version $Id: $Id
  * @since October 28, 2003
  */
-@Slf4j
-public class WebSession {
+public class WebSession implements Serializable {
 
-    private final WebGoatUser currentUser;
-    private final WebgoatContext webgoatContext;
-    private AbstractLesson currentLesson;
+	private static final long serialVersionUID = -4270066103101711560L;
+	private final WebGoatUser currentUser;
+    private Lesson currentLesson;
 
-    /**
-     * Constructor for the WebSession object
-     *
-     * @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
-     */
-    public WebSession(WebgoatContext webgoatContext) {
-        this.webgoatContext = webgoatContext;
+    public WebSession() {
         this.currentUser = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
     }
 
-    /**
-     * <p> getConnection. </p>
-     *
-     * @param s a {@link org.owasp.webgoat.session.WebSession} object.
-     * @return a {@link java.sql.Connection} object.
-     * @throws java.sql.SQLException if any.
-     */
-    public static synchronized Connection getConnection(WebSession s) throws SQLException {
-        return DatabaseUtilities.getConnection(s);
-    }
-
-    /**
-     * <p> returnConnection. </p>
-     *
-     * @param s a {@link org.owasp.webgoat.session.WebSession} object.
-     */
-    public static void returnConnection(WebSession s) {
-        DatabaseUtilities.returnConnection(s.getUserName());
-    }
-
     /**
      * <p> Setter for the field <code>currentScreen</code>. </p>
      *
      * @param lesson current lesson
      */
-    public void setCurrentLesson(AbstractLesson lesson) {
+    public void setCurrentLesson(Lesson lesson) {
         this.currentLesson = lesson;
     }
 
     /**
      * <p> getCurrentLesson. </p>
      *
-     * @return a {@link org.owasp.webgoat.lessons.AbstractLesson} object.
+     * @return a {@link Lesson} object.
      */
-    public AbstractLesson getCurrentLesson() {
+    public Lesson getCurrentLesson() {
         return this.currentLesson;
     }
 
@@ -100,13 +73,4 @@ public class WebSession {
     public String getUserName() {
         return currentUser.getUsername();
     }
-
-    /**
-     * <p> Getter for the field <code>webgoatContext</code>. </p>
-     *
-     * @return a {@link org.owasp.webgoat.session.WebgoatContext} object.
-     */
-    public WebgoatContext getWebgoatContext() {
-        return webgoatContext;
-    }
 }

webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java

@@ -1,187 +0,0 @@
-package org.owasp.webgoat.session;
-
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Configuration;
-
-/**
- * <p>WebgoatContext class.</p>
- *
- * @version $Id: $Id
- * @author dm
- */
-@Configuration
-public class WebgoatContext {
-
-    @Value("${webgoat.database.connection.string}")
-    private String databaseConnectionString;
-
-    private String realConnectionString = null;
-
-    @Value("${webgoat.database.driver}")
-    private String databaseDriver;
-
-    private String databaseUser;
-
-    private String databasePassword;
-
-    private boolean showCookies = false;
-
-    private boolean showParams = false;
-
-    private boolean showRequest = false;
-
-    private boolean showSource = false;
-
-    private boolean showSolution = false;
-
-    private boolean enterprise = false;
-
-    private boolean codingExercises = false;
-
-    @Value("${webgoat.feedback.address}")
-    private String feedbackAddress;
-
-    @Value("${webgoat.feedback.address.html}")
-    private String feedbackAddressHTML = "";
-
-    private boolean isDebug = false;
-
-    @Value("${webgoat.default.language}")
-    private String defaultLanguage;
-
-    /**
-     * returns the connection string with the real path to the database
-     * directory inserted at the word PATH
-     *
-     * @return The databaseConnectionString value
-     */
-    public String getDatabaseConnectionString() {
-        return this.databaseConnectionString;
-    }
-
-    /**
-     * Gets the databaseDriver attribute of the WebSession object
-     *
-     * @return The databaseDriver value
-     */
-    public String getDatabaseDriver() {
-        return (databaseDriver);
-    }
-
-    /**
-     * Gets the databaseUser attribute of the WebSession object
-     *
-     * @return The databaseUser value
-     */
-    public String getDatabaseUser() {
-        return (databaseUser);
-    }
-
-    /**
-     * Gets the databasePassword attribute of the WebSession object
-     *
-     * @return The databasePassword value
-     */
-    public String getDatabasePassword() {
-        return (databasePassword);
-    }
-
-    /**
-     * <p>isEnterprise.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isEnterprise() {
-        return enterprise;
-    }
-
-    /**
-     * <p>isCodingExercises.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isCodingExercises() {
-        return codingExercises;
-    }
-
-    /**
-     * <p>Getter for the field <code>feedbackAddress</code>.</p>
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    public String getFeedbackAddress() {
-        return feedbackAddress;
-    }
-
-    /**
-     * <p>Getter for the field <code>feedbackAddressHTML</code>.</p>
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    public String getFeedbackAddressHTML() {
-        return feedbackAddressHTML;
-    }
-
-    /**
-     * <p>isDebug.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isDebug() {
-        return isDebug;
-    }
-
-    /**
-     * <p>isShowCookies.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isShowCookies() {
-        return showCookies;
-    }
-
-    /**
-     * <p>isShowParams.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isShowParams() {
-        return showParams;
-    }
-
-    /**
-     * <p>isShowRequest.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isShowRequest() {
-        return showRequest;
-    }
-
-    /**
-     * <p>isShowSource.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isShowSource() {
-        return showSource;
-    }
-
-    /**
-     * <p>isShowSolution.</p>
-     *
-     * @return a boolean.
-     */
-    public boolean isShowSolution() {
-        return showSolution;
-    }
-
-    /**
-     * <p>Getter for the field <code>defaultLanguage</code>.</p>
-     *
-     * @return a {@link java.lang.String} object.
-     */
-    public String getDefaultLanguage() {
-        return defaultLanguage;
-    }
-}

webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java

@@ -1,17 +1,12 @@
 
 package org.owasp.webgoat.users;
 
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
 import lombok.Getter;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.lessons.Assignment;
 
 import javax.persistence.*;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
+import java.util.*;
 import java.util.stream.Collectors;
 
 
@@ -22,7 +17,7 @@ import java.util.stream.Collectors;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -54,19 +49,21 @@ public class LessonTracker {
     @Getter
     private String lessonName;
     @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
-    private final Set<Assignment> solvedAssignments = Sets.newHashSet();
+    private final Set<Assignment> solvedAssignments = new HashSet<>();
     @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
-    private final Set<Assignment> allAssignments = Sets.newHashSet();
+    private final Set<Assignment> allAssignments = new HashSet<>();
     @Getter
     private int numberOfAttempts = 0;
+    @Version
+    private Integer version;
 
     private LessonTracker() {
         //JPA
     }
 
-    public LessonTracker(AbstractLesson lesson) {
+    public LessonTracker(Lesson lesson) {
         lessonName = lesson.getId();
-        allAssignments.addAll(lesson.getAssignments());
+        allAssignments.addAll(lesson.getAssignments() == null ? List.of() : lesson.getAssignments());
     }
 
     public Optional<Assignment> getAssignment(String name) {

webgoat-container/src/main/java/org/owasp/webgoat/users/RegistrationController.java

@@ -10,6 +10,7 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.PostMapping;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.validation.Valid;
 
@@ -32,8 +33,7 @@ public class RegistrationController {
     }
 
     @PostMapping("/register.mvc")
-    @SneakyThrows
-    public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult, HttpServletRequest request) {
+    public String registration(@ModelAttribute("userForm") @Valid UserForm userForm, BindingResult bindingResult, HttpServletRequest request) throws ServletException {
         userValidator.validate(userForm, bindingResult);
 
         if (bindingResult.hasErrors()) {

webgoat-container/src/main/java/org/owasp/webgoat/users/Scoreboard.java

@@ -1,6 +1,5 @@
 package org.owasp.webgoat.users;
 
-import com.google.common.collect.Lists;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 import org.owasp.webgoat.i18n.PluginMessages;
@@ -8,6 +7,8 @@ import org.owasp.webgoat.session.Course;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import java.util.ArrayList;
+import java.util.Comparator;
 import java.util.List;
 import java.util.stream.Collectors;
 
@@ -36,16 +37,29 @@ public class Scoreboard {
     @GetMapping("/scoreboard-data")
     public List<Ranking> getRankings() {
         List<WebGoatUser> allUsers = userRepository.findAll();
-        List<Ranking> rankings = Lists.newArrayList();
+        List<Ranking> rankings = new ArrayList<>();
         for (WebGoatUser user : allUsers) {
+        	if (user.getUsername().startsWith("csrf-")) {
+        		//the csrf- assignment specific users do not need to be in the overview
+        		continue;
+        	}
             UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
             rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
         }
+        /* sort on number of captured flags to present an ordered ranking */
+        rankings.sort(new Comparator<Ranking>() {
+
+			@Override
+			public int compare(Ranking o1, Ranking o2) {
+				
+				return o2.getFlagsCaptured().size() - o1.getFlagsCaptured().size();
+			}
+		});
         return rankings;
     }
 
     private List<String> challengesSolved(UserTracker userTracker) {
-        List<String> challenges = Lists.newArrayList("Challenge1", "Challenge2", "Challenge3", "Challenge4", "Challenge5", "Challenge6", "Challenge7", "Challenge8", "Challenge9");
+        List<String> challenges = List.of("Challenge1", "Challenge2", "Challenge3", "Challenge4", "Challenge5", "Challenge6", "Challenge7", "Challenge8", "Challenge9");
         return challenges.stream()
                 .map(c -> userTracker.getLessonTracker(c))
                 .filter(l -> l.isPresent()).map(l -> l.get())

webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java

@@ -16,14 +16,14 @@ import javax.validation.constraints.Size;
 public class UserForm {
 
     @NotNull
-    @Size(min=6, max=20)
-    @Pattern(regexp = "[a-zA-Z0-9-]*", message = "can only contain letters, digits, and -")
+    @Size(min = 6, max = 45)
+    @Pattern(regexp = "[a-z0-9-]*", message = "can only contain lowercase letters, digits, and -")
     private String username;
     @NotNull
-    @Size(min=6, max=10)
+    @Size(min = 6, max = 10)
     private String password;
     @NotNull
-    @Size(min=6, max=10)
+    @Size(min = 6, max = 10)
     private String matchingPassword;
     @NotNull
     private String agree;

webgoat-container/src/main/java/org/owasp/webgoat/users/UserService.java

@@ -30,16 +30,28 @@ public class UserService implements UserDetailsService {
     }
 
     public void addUser(String username, String password) {
+        //get user if there exists one by the name
+        WebGoatUser webGoatUser = userRepository.findByUsername(username);
+        //if user exists it will be updated, otherwise created
         userRepository.save(new WebGoatUser(username, password));
-        userTrackerRepository.save(new UserTracker(username));
+        //if user previously existed it will not get another tracker
+        if (webGoatUser == null) {
+            userTrackerRepository.save(new UserTracker(username));
+        }
     }
 
     public void addUser(String username, String password, String role) {
-        userRepository.save(new WebGoatUser(username,password,role));
-        userTrackerRepository.save(new UserTracker(username));
+        //get user if there exists one by the name
+        WebGoatUser webGoatUser = userRepository.findByUsername(username);
+        //if user exists it will be updated, otherwise created
+        userRepository.save(new WebGoatUser(username, password, role));
+        //if user previously existed it will not get another tracker
+        if (webGoatUser == null) {
+            userTrackerRepository.save(new UserTracker(username));
+        }
     }
 
-    public List<WebGoatUser> getAllUsers () {
+    public List<WebGoatUser> getAllUsers() {
         return userRepository.findAll();
     }
 

webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java

@@ -1,14 +1,12 @@
 
 package org.owasp.webgoat.users;
 
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.lessons.Lesson;
 import org.owasp.webgoat.lessons.Assignment;
 
 import javax.persistence.*;
-import java.util.List;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -22,7 +20,7 @@ import java.util.stream.Collectors;
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
  * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
+ * Copyright (c) 2002 - 2014 Bruce Mayhew
  * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
@@ -55,7 +53,7 @@ public class UserTracker {
     @Column(name = "username")
     private String user;
     @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
-    private Set<LessonTracker> lessonTrackers = Sets.newHashSet();
+    private Set<LessonTracker> lessonTrackers = new HashSet<>();
 
     private UserTracker() {}
 
@@ -69,7 +67,7 @@ public class UserTracker {
      * @param lesson the lesson
      * @return a lesson tracker created if not already present
      */
-    public LessonTracker getLessonTracker(AbstractLesson lesson) {
+    public LessonTracker getLessonTracker(Lesson lesson) {
         Optional<LessonTracker> lessonTracker = lessonTrackers
                 .stream().filter(l -> l.getLessonName().equals(lesson.getId())).findFirst();
         if (!lessonTracker.isPresent()) {
@@ -91,18 +89,18 @@ public class UserTracker {
         return lessonTrackers.stream().filter(l -> l.getLessonName().equals(id)).findFirst();
     }
 
-    public void assignmentSolved(AbstractLesson lesson, String assignmentName) {
+    public void assignmentSolved(Lesson lesson, String assignmentName) {
         LessonTracker lessonTracker = getLessonTracker(lesson);
         lessonTracker.incrementAttempts();
         lessonTracker.assignmentSolved(assignmentName);
     }
 
-    public void assignmentFailed(AbstractLesson lesson) {
+    public void assignmentFailed(Lesson lesson) {
         LessonTracker lessonTracker = getLessonTracker(lesson);
         lessonTracker.incrementAttempts();
     }
 
-    public void reset(AbstractLesson al) {
+    public void reset(Lesson al) {
         LessonTracker lessonTracker = getLessonTracker(al);
         lessonTracker.reset();
     }

webgoat-container/src/main/java/org/owasp/webgoat/users/UserValidator.java

@@ -16,8 +16,8 @@ public class UserValidator implements Validator {
     private final UserRepository userRepository;
 
     @Override
-    public boolean supports(Class<?> aClass) {
-        return UserForm.class.equals(aClass);
+    public boolean supports(Class<?> clazz) {
+        return UserForm.class.equals(clazz);
     }
 
     @Override

webgoat-container/src/main/resources/application-webgoat.properties

@@ -1,42 +1,45 @@
 server.error.include-stacktrace=always
 server.error.path=/error.html
-server.session.timeout=600
-server.contextPath=/WebGoat
-server.port=8080
-server.address=127.0.0.1
+server.servlet.context-path=/WebGoat
+server.servlet.session.persistent=false
+server.port=${WEBGOAT_PORT:8080}
+server.address=${WEBGOAT_HOST:127.0.0.1}
 
-spring.datasource.url=jdbc:hsqldb:hsql://localhost:9001/webgoat
-spring.jpa.hibernate.ddl-auto=update
+
+server.ssl.key-store-type=${WEBGOAT_KEYSTORE_TYPE:PKCS12}
+server.ssl.key-store=${WEBGOAT_KEYSTORE:classpath:goatkeystore.pkcs12}
+server.ssl.key-store-password=${WEBGOAT_KEYSTORE_PASSWORD:password}
+server.ssl.key-alias=${WEBGOAT_KEY_ALIAS:goat}
+server.ssl.enabled=${WEBGOAT_SSLENABLED:false}
+
+hsqldb.port=${WEBGOAT_HSQLPORT:9001}
+spring.datasource.url=jdbc:hsqldb:hsql://${server.address}:${hsqldb.port}/webgoat
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
+spring.jpa.properties.hibernate.default_schema=CONTAINER
 
-
+logging.level.org.thymeleaf=INFO
+logging.level.org.thymeleaf.TemplateEngine.CONFIG=INFO
+logging.level.org.thymeleaf.TemplateEngine.TIMER=INFO
+logging.level.org.thymeleaf.TemplateEngine.cache.TEMPLATE_CACHE=INFO
+logging.level.org.springframework.web=INFO
 logging.level.org.springframework=INFO
 logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG
-logging.level.org.owasp.webgoat=TRACE
-
-# Needed for creating a vulnerable web application
-security.enable-csrf=false
-
-spring.resources.cache-period=0
-spring.thymeleaf.cache=false
+logging.level.org.owasp.webgoat=DEBUG
 
 webgoat.start.hsqldb=true
-webgoat.clean=false
 webgoat.server.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.user.directory=${user.home}/.webgoat-${webgoat.build.version}/
 webgoat.build.version=@project.version@
-webgoat.build.number=@build.number@
 webgoat.email=webgoat@owasp.org
 webgoat.emaillist=owasp-webgoat@lists.owasp.org
 webgoat.feedback.address=webgoat@owasp.org
 webgoat.feedback.address.html=<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org</A>
-webgoat.database.driver=org.hsqldb.jdbcDriver
 webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en
 
-webwolf.host=${WEBWOLF_HOST:localhost}
+webwolf.host=${WEBWOLF_HOST:127.0.0.1}
 webwolf.port=${WEBWOLF_PORT:9090}
 webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
 webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
@@ -47,3 +50,9 @@ spring.jackson.serialization.write-dates-as-timestamps=false
 
 #For static file refresh ... and faster dev :D
 spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css
+
+exclude.categories=${EXCLUDE_CATEGORIES:none,none}
+#exclude based on the enum of the Category
+
+exclude.lessons=${EXCLUDE_LESSONS:none,none}
+#exclude based on the class name of a lesson e.g.: LessonTemplate

webgoat-container/src/main/resources/db/container/V1__init.sql

@@ -0,0 +1,66 @@
+-- This statement is here the schema is always created even if we use Flyway directly like in test-cases
+-- For the normal WebGoat server there is a bean which already provided the schema (and creates it see DatabaseInitialization)
+CREATE SCHEMA IF NOT EXISTS CONTAINER;
+
+CREATE SEQUENCE CONTAINER.HIBERNATE_SEQUENCE;
+
+CREATE TABLE CONTAINER.ASSIGNMENT (
+  ID BIGINT NOT NULL PRIMARY KEY,
+  NAME VARCHAR(255),
+  PATH VARCHAR(255)
+);
+
+CREATE TABLE CONTAINER.LESSON_TRACKER(
+  ID BIGINT NOT NULL PRIMARY KEY,
+  LESSON_NAME VARCHAR(255),
+  NUMBER_OF_ATTEMPTS INTEGER NOT NULL
+);
+
+CREATE TABLE CONTAINER.LESSON_TRACKER_ALL_ASSIGNMENTS(
+  LESSON_TRACKER_ID BIGINT NOT NULL,
+  ALL_ASSIGNMENTS_ID BIGINT NOT NULL,
+  PRIMARY KEY(LESSON_TRACKER_ID,ALL_ASSIGNMENTS_ID),
+  CONSTRAINT FKNHIDKE27BCJHI8C7WJ9QW6Y3Q FOREIGN KEY(ALL_ASSIGNMENTS_ID) REFERENCES CONTAINER.ASSIGNMENT(ID),
+  CONSTRAINT FKBM51QSDJ7N17O2DNATGAMW7D FOREIGN KEY(LESSON_TRACKER_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
+  CONSTRAINT UK_SYGJY2S8O8DDGA2K5YHBMUVEA UNIQUE(ALL_ASSIGNMENTS_ID)
+);
+
+CREATE TABLE CONTAINER.LESSON_TRACKER_SOLVED_ASSIGNMENTS(
+  LESSON_TRACKER_ID BIGINT NOT NULL,
+  SOLVED_ASSIGNMENTS_ID BIGINT NOT NULL,
+  PRIMARY KEY(LESSON_TRACKER_ID,SOLVED_ASSIGNMENTS_ID),
+  CONSTRAINT FKPP850U1MG09YKKL2EQGM0TRJK FOREIGN KEY(SOLVED_ASSIGNMENTS_ID) REFERENCES CONTAINER.ASSIGNMENT(ID),
+  CONSTRAINT FKNKRWGA1UHLOQ6732SQXHXXSCR FOREIGN KEY(LESSON_TRACKER_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
+  CONSTRAINT UK_9WFYDUY3TVE1XD05LWOUEG0C1 UNIQUE(SOLVED_ASSIGNMENTS_ID)
+);
+
+CREATE TABLE CONTAINER.USER_TRACKER(
+  ID BIGINT NOT NULL PRIMARY KEY,
+  USERNAME VARCHAR(255)
+);
+
+CREATE TABLE CONTAINER.USER_TRACKER_LESSON_TRACKERS(
+  USER_TRACKER_ID BIGINT NOT NULL,
+  LESSON_TRACKERS_ID BIGINT NOT NULL,
+  PRIMARY KEY(USER_TRACKER_ID,LESSON_TRACKERS_ID),
+  CONSTRAINT FKQJSTCA3YND3OHP35D50PNUH3H FOREIGN KEY(LESSON_TRACKERS_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
+  CONSTRAINT FKC9GX8INK7LRC79XC77O2MN9KE FOREIGN KEY(USER_TRACKER_ID) REFERENCES CONTAINER.USER_TRACKER(ID),
+  CONSTRAINT UK_5D8N5I3IC26CVF7DF7N95DOJB UNIQUE(LESSON_TRACKERS_ID)
+);
+
+CREATE TABLE CONTAINER.WEB_GOAT_USER(
+  USERNAME VARCHAR(255) NOT NULL PRIMARY KEY,
+  PASSWORD VARCHAR(255),
+  ROLE VARCHAR(255)
+);
+
+CREATE TABLE CONTAINER.EMAIL(
+  ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL PRIMARY KEY,
+  CONTENTS VARCHAR(1024),
+  RECIPIENT VARCHAR(255),
+  SENDER VARCHAR(255),
+  TIME TIMESTAMP,
+  TITLE VARCHAR(255)
+);
+
+ALTER TABLE CONTAINER.EMAIL ALTER COLUMN ID RESTART WITH 2;

webgoat-container/src/main/resources/db/container/V2__version.sql

@@ -0,0 +1 @@
+ALTER TABLE CONTAINER.LESSON_TRACKER ADD VERSION INTEGER;