/** * ************************************************************************************************ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, * please see http://www.owasp.org/ *

* Copyright (c) 2002 - 20014 Bruce Mayhew *

* This program is free software; you can redistribute it and/or modify it under the terms of the * GNU General Public License as published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. *

* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. *

* You should have received a copy of the GNU General Public License along with this program; if * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA * 02111-1307, USA. *

* Getting Source ============== *

* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software * projects. *

* * @author WebGoat * @version $Id: $Id * @since December 12, 2015 */ package org.owasp.webgoat; import lombok.AllArgsConstructor; import org.owasp.webgoat.users.UserService; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.password.NoOpPasswordEncoder; /** * Security configuration for WebGoat. */ @Configuration @AllArgsConstructor @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { private final UserService userDetailsService; @Override protected void configure(HttpSecurity http) throws Exception { ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry security = http .authorizeRequests() .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll() .anyRequest().authenticated(); security.and() .formLogin() .loginPage("/login") .defaultSuccessUrl("/welcome.mvc", true) .usernameParameter("username") .passwordParameter("password") .permitAll(); security.and() .logout().deleteCookies("JSESSIONID").invalidateHttpSession(true); security.and().csrf().disable(); http.headers().cacheControl().disable(); http.exceptionHandling().authenticationEntryPoint(new AjaxAuthenticationEntryPoint("/login")); } //// TODO: 11/18/2016 make this a little bit more configurabe last part at least @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/plugin_lessons/**", "/XXE/**"); } @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService); //.passwordEncoder(bCryptPasswordEncoder()); } @Bean @Override public UserDetailsService userDetailsServiceBean() throws Exception { return userDetailsService; } @Override @Bean protected AuthenticationManager authenticationManager() throws Exception { return super.authenticationManager(); } @SuppressWarnings("deprecation") @Bean public NoOpPasswordEncoder passwordEncoder() { return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance(); } }