package org.owasp.webgoat.session;

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;

import javax.servlet.ServletContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.admin.RefreshDBScreen;

/**
 * Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
 * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is
 * published by OWASP under the GPL. You should read and accept the LICENSE before you use, modify
 * and/or redistribute this software.
 * 
 * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
 * @created October 28, 2003
 */
public class WebSession
{
	/**
	 * Description of the Field
	 */
	public final static String ADMIN = "admin";

	/**
	 * Tomcat role for a webgoat user
	 */
	public final static String WEBGOAT_USER = "webgoat_user";

	/**
	 * Tomcat role for a webgoat admin
	 */
	public final static String WEBGOAT_ADMIN = "webgoat_admin";

	/**
	 * Description of the Field
	 */
	public final static String CHALLENGE = "Challenge";

	/**
	 * Description of the Field
	 */
	public final static String COLOR = "color";

	/**
	 * Description of the Field
	 */
	public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";

	/**
	 * Description of the Field
	 */
	public final static String DATABASE_DRIVER = "DatabaseDriver";

	/**
	 * Description of the Field
	 */
	public final static int ERROR = 0;

	public static final String STAGE = "stage";

	/**
	 * Description of the Field
	 */
	public final static String JSESSION_ID = "jsessionid";

	/**
	 * Description of the Field
	 */
	public final static String LOGOUT = "Logout";

	/**
	 * Description of the Field
	 */
	public final static String RESTART = "Restart";


	/**
	 * Description of the Field
	 */
	public final static String MENU = "menu";

	/**
	 * Description of the Field
	 */
	public final static String SCREEN = "Screen";

	/**
	 * Description of the Field
	 */
	public final static String SESSION = "Session";

	/**
	 * Description of the Field
	 */
	public final static String ENTERPRISE = "Enterprise";

	/**
	 * Description of the Field
	 */
	public final static String SHOWCOOKIES = "ShowCookies";

	/**
	 * Description of the Field
	 */
	public final static String SHOWPARAMS = "ShowParams";

	/**
	 * Description of the Field
	 */
	public final static String SHOWREQUEST = "ShowRequest";

	/**
	 * Description of the Field
	 */
	public final static String SHOWSOURCE = "ShowSource";
	
	public final static String SHOWHINTS = "ShowHints";

	public final static String SHOW = "show";

	public final static String SHOW_NEXTHINT = "NextHint";

	public final static String SHOW_PREVIOUSHINT = "PreviousHint";

	public final static String SHOW_PARAMS = "Params";

	public final static String SHOW_COOKIES = "Cookies";

	public final static String SHOW_SOURCE = "Source";

	/**
	 * Description of the Field
	 */
	public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";

	/**
	 * Description of the Field
	 */
	public final static String FEEDBACK_ADDRESS = "FeedbackAddress";

	/**
	 * Description of the Field
	 */
	public final String DEBUG = "debug";

	/**
	 * Description of the Field
	 */
	public final static int WELCOME = -1;

	private ServletContext context = null;

	private Course course;

	private int currentScreen = WELCOME;

	private int previousScreen = ERROR;

	private static boolean databaseBuilt = false;

	private String databaseConnectionString;

	private String databaseDriver;
	
	private static Connection connection = null;

	private int hintNum = -1;

	private boolean isAdmin = false;

	private boolean isHackedAdmin = false;

	private boolean isAuthenticated = false;

	private boolean isColor = false;

	private boolean isDebug = false;

	private boolean hasHackedHackableAdmin = false;

	private StringBuffer message = new StringBuffer( "" );

	private ParameterParser myParser;

	private HttpServletRequest request = null;

	private HttpServletResponse response = null;

	private String servletName;

	private HashMap session = new HashMap();

	private boolean showCookies = false;

	private boolean showParams = false;

	private boolean showRequest = false;

	private boolean showSource = false;

	private boolean defuseOSCommands = false;

	private boolean enterprise = false;

	private String feedbackAddress = "<A HREF=mailto:webgoat@aspectsecurity.com>webgoat@aspectsecurity.com</A>";

	private boolean completedHackableAdmin = false;

	private int currentMenu;

	/**
	 * Constructor for the WebSession object
	 * 
	 * @param servlet Description of the Parameter
	 * @param context Description of the Parameter
	 */
	public WebSession( HttpServlet servlet, ServletContext context )
	{
		// initialize from web.xml
		showParams = "true".equals( servlet.getInitParameter( SHOWPARAMS ) );
		showCookies = "true".equals( servlet.getInitParameter( SHOWCOOKIES ) );
		showSource = "true".equals( servlet.getInitParameter( SHOWSOURCE ) );
		defuseOSCommands = "true".equals( servlet.getInitParameter( DEFUSEOSCOMMANDS ) );
		enterprise = "true".equals( servlet.getInitParameter( ENTERPRISE ) );
		feedbackAddress = servlet.getInitParameter( FEEDBACK_ADDRESS ) != null ? servlet
				.getInitParameter( FEEDBACK_ADDRESS ) : feedbackAddress;
		showRequest = "true".equals( servlet.getInitParameter( SHOWREQUEST ) );
		isDebug = "true".equals( servlet.getInitParameter( DEBUG ) );
		databaseConnectionString = servlet.getInitParameter( DATABASE_CONNECTION_STRING );
		databaseDriver = servlet.getInitParameter( DATABASE_DRIVER );
		servletName = servlet.getServletName();
		this.context = context;
		course = new Course();
		course.loadCourses( enterprise, context, "/" );

		// FIXME: hack to save context for web service calls
		DatabaseUtilities.servletContextRealPath = context.getRealPath("/");
		System.out.println("Context Path: " + DatabaseUtilities.servletContextRealPath);
		// FIXME: need to solve concurrency problem here -- make tables for this user
		if ( !databaseBuilt )
		{
			new RefreshDBScreen().refreshDB( this );
			databaseBuilt = true;
		}
	}

	public static synchronized Connection getConnection(WebSession s) 
			throws SQLException, ClassNotFoundException
	{
		if ( connection == null )
		{
			connection = DatabaseUtilities.makeConnection( s );
		}
		
		return connection;
	}


	/**
	 * Description of the Method
	 * 
	 * @param key Description of the Parameter
	 * @param value Description of the Parameter
	 */
	public void add( String key, Object value )
	{
		session.put( key, value );
	}

	/**
	 * Description of the Method
	 */
	public void clearMessage()
	{
		message.setLength( 0 );
	}

	/**
	 * Description of the Method
	 */
	public void eatCookies()
	{
		Cookie[] cookies = request.getCookies();

		for ( int loop = 0; loop < cookies.length; loop++ )
		{
			if ( !cookies[loop].getName().startsWith( "JS" ) )
			{// skip jsessionid cookie
				cookies[loop].setMaxAge( 0 );// mark for deletion by browser
				response.addCookie( cookies[loop] );
			}
		}
	}

	/**
	 * Description of the Method
	 * 
	 * @param key Description of the Parameter
	 * @return Description of the Return Value
	 */
	public Object get( String key )
	{
		return ( session.get( key ) );
	}

	/**
	 * Gets the context attribute of the WebSession object
	 * 
	 * @return The context value
	 */
	public ServletContext getContext()
	{
		return context;
	}

	public List getRoles()
	{
		List roles = new ArrayList();

		roles.add(AbstractLesson.USER_ROLE);
		if (isAdmin())
		{
			roles.add(AbstractLesson.ADMIN_ROLE);
		}
		
		return roles;
	}
	
	public String getRole()
	{
		
		String role = "";
		if (isAdmin())
		{
			role = AbstractLesson.ADMIN_ROLE;
		}
		else if (isHackedAdmin())
		{
			role = AbstractLesson.HACKED_ADMIN_ROLE;
		} 
		else if (isChallenge())
		{
			role = AbstractLesson.CHALLENGE_ROLE;
		}
		else
		{
			role = AbstractLesson.USER_ROLE;
		}
		
		return role;
	}
	
	/**
	 * Gets the course attribute of the WebSession object
	 * 
	 * @return The course value
	 */
	public Course getCourse()
	{
		return course;
	}

	public void setCourse( Course course )
	{
		this.course = course;
	}

	/**
	 * Gets the currentScreen attribute of the WebSession object
	 * 
	 * @return The currentScreen value
	 */
	public int getCurrentScreen()
	{
		return ( currentScreen );
	}

	public void setCurrentScreen( int screen )
	{
		currentScreen = screen;
	}

	/**
	 * returns the connection string with the real path to the database directory inserted at the
	 * word PATH
	 * 
	 * @return The databaseConnectionString value
	 */
	public String getDatabaseConnectionString()
	{
		try
		{
			String path = context.getRealPath( "/database" ).replace( '\\', '/' );
			System.out.println( "PATH: " + path );
			String realConnectionString = databaseConnectionString.replaceAll( "PATH", path );
			System.out.println( "Database Connection String: " + realConnectionString );

			return realConnectionString;
		}
		catch ( Exception e )
		{
			System.out.println( "Couldn't open database: check web.xml database parameters" );
			e.printStackTrace();
		}

		return null;
	}

	/**
	 * Gets the databaseDriver attribute of the WebSession object
	 * 
	 * @return The databaseDriver value
	 */
	public String getDatabaseDriver()
	{
		return ( databaseDriver );
	}
	
	public String getRestartLink()
	{
		List parameters = new ArrayList();
		
		String screenValue = request.getParameter(SCREEN);
		if (screenValue != null)
			parameters.add(SCREEN + "=" + screenValue);
		
		String menuValue = request.getParameter(MENU);
		if (menuValue != null)
			parameters.add(MENU + "=" + menuValue);
		
		parameters.add(RESTART + "=" + currentScreen);
		
		return makeQuery("attack", parameters);
	}
	
	private String makeQuery(String resource, List parameters)
	{
		StringBuffer query = new StringBuffer(resource);
		
		boolean isFirstParameter = true;
		Iterator i = parameters.iterator();
		
		while (i.hasNext())
		{
			String parameter = (String) i.next();
			if (isFirstParameter)
			{
				query.append("?");
				isFirstParameter = false;
			}
			else
				query.append("&");
			query.append(parameter);
		}
		
		return query.toString();
	}
	
	public String getCurrentLink()
	{
		String thisLink = "attack";
		Enumeration e = request.getParameterNames();
		boolean isFirstParameter = true;
		while (e.hasMoreElements())
		{
			String name = (String) e.nextElement();
			if (isFirstParameter)
			{
				isFirstParameter = false;
				thisLink += "?";
			}
			else
			{
				thisLink += "&";
			}
			thisLink = thisLink + name + "=" + request.getParameter(name);
		}

		return thisLink;
	}

	public AbstractLesson getCurrentLesson()
	{
		return getCourse().getLesson( this, getCurrentScreen(), getRoles() );
	}
	
	public AbstractLesson getLesson(int id)
	{
		return getCourse().getLesson( this, id, getRoles() );
	}
	
	public List getLessons(Category category)
	{
		return getCourse().getLessons( this, category, getRoles() );
	}
	
	/**
	 * Gets the hint1 attribute of the WebSession object
	 * 
	 * @return The hint1 value
	 */
	private int getHintNum()
	{
		return ( hintNum );
	}

	public String getHint()
	{
		String hint = null;

		if ( getHintNum() >= 0 )
			// FIXME
			hint = getCurrentLesson().getHint( getHintNum() );

		return hint;
	}

	public List getParams()
	{
		Vector params = null;

		if ( showParams() && getParser() != null )
		{
			params = new Vector();

			Enumeration e = getParser().getParameterNames();

			while ( ( e != null ) && e.hasMoreElements() )
			{
				String name = (String) e.nextElement();
				String[] values = getParser().getParameterValues( name );

				for ( int loop = 0; ( values != null ) && ( loop < values.length ); loop++ )
				{
					params.add( new Parameter( name, values[loop] ) );
					// params.add( name + " -> " + values[loop] );
				}
			}

			Collections.sort( params );
		}

		return params;
	}

	public List getCookies()
	{
		List cookies = null;

		if ( showCookies() )
			cookies = Arrays.asList( request.getCookies() );

		/*
		 * List cookies = new Vector();
		 * 
		 * HttpServletRequest request = getRequest(); Cookie[] cookies = request.getCookies();
		 * 
		 * if ( cookies.length == 0 ) { list.addElement( new LI( "No Cookies" ) ); }
		 * 
		 * for ( int i = 0; i < cookies.length; i++ ) { Cookie cookie = cookies[i];
		 * cookies.add(cookie); //list.addElement( new LI( cookie.getName() + " -> " +
		 * cookie.getValue() ) ); }
		 */

		return cookies;
	}

	/**
	 * Gets the cookie attribute of the CookieScreen object
	 * 
	 * @param s Description of the Parameter
	 * @return The cookie value
	 */
	public String getCookie( String cookieName )
	{
		Cookie[] cookies = getRequest().getCookies();

		for ( int i = 0; i < cookies.length; i++ )
		{
			if ( cookies[i].getName().equalsIgnoreCase( cookieName ) )
			{
				return ( cookies[i].getValue() );
			}
		}

		return ( null );
	}
	
	public String getSource()
	{
		return "Sorry.  No Java Source viewing available.";
		//return getCurrentLesson().getSource(this);
	}

	public String getInstructions()
	{
		return getCurrentLesson().getInstructions(this);		
	}
	
	/**
	 * Gets the message attribute of the WebSession object
	 * 
	 * @return The message value
	 */
	public String getMessage()
	{
		return ( message.toString() );
	}

	/**
	 * Gets the parser attribute of the WebSession object
	 * 
	 * @return The parser value
	 */
	public ParameterParser getParser()
	{
		return ( myParser );
	}

	/**
	 * Gets the previousScreen attribute of the WebSession object
	 * 
	 * @return The previousScreen value
	 */
	public int getPreviousScreen()
	{
		return ( previousScreen );
	}

	/**
	 * Gets the request attribute of the WebSession object
	 * 
	 * @return The request value
	 */
	public HttpServletRequest getRequest()
	{
		return request;
	}

	public void setRequest( HttpServletRequest request )
	{
		this.request = request;
	}

	/**
	 * Gets the response attribute of the WebSession object
	 * 
	 * @return The response value
	 */
	public HttpServletResponse getResponse()
	{
		return response;
	}

	/**
	 * Gets the servletName attribute of the WebSession object
	 * 
	 * @return The servletName value
	 */
	public String getServletName()
	{
		return ( servletName );
	}

	/**
	 * Gets the sourceFile attribute of the WebSession object
	 * 
	 * @param screen Description of the Parameter
	 * @return The sourceFile value
	 */
	public String getWebResource( String fileName )
	{
		// Note: doesn't work for admin path! Maybe with a ../ attack
		return ( context.getRealPath( fileName ));
	}

	/**
	 * Gets the admin attribute of the WebSession object
	 * 
	 * @return The admin value
	 */
	public boolean isAdmin()
	{
		return ( isAdmin );
	}

	/**
	 * Gets the hackedAdmin attribute of the WebSession object
	 * 
	 * @return The hackedAdmin value
	 */
	public boolean isHackedAdmin()
	{
		return ( isHackedAdmin );
	}

	/**
	 * Has the user ever hacked the hackable admin
	 * 
	 * @return The hackedAdmin value
	 */
	public boolean completedHackableAdmin()
	{
		return ( completedHackableAdmin );
	}

	/**
	 * Gets the authenticated attribute of the WebSession object
	 * 
	 * @return The authenticated value
	 */
	public boolean isAuthenticated()
	{
		return ( isAuthenticated );
	}
	
	private Map lessonSessions = new Hashtable();

	
	public boolean isAuthenticatedInLesson(AbstractLesson lesson)
	{
		boolean authenticated = false;
		
		LessonSession lessonSession = getLessonSession(lesson);
		if (lessonSession != null)
		{
			authenticated = lessonSession.isAuthenticated();
		}
		//System.out.println("Authenticated for lesson " + lesson + "? " + authenticated);
		
		return authenticated;
	}
	
	public boolean isAuthorizedInLesson(int employeeId, String functionId)
	{
		return getCurrentLesson().isAuthorized(this, employeeId, functionId);
	}
	
	public boolean isAuthorizedInLesson(String role, String functionId)
	{
		return getCurrentLesson().isAuthorized(this, role, functionId);
	}
	
	public int getUserIdInLesson() throws ParameterNotFoundException
	{
		return getCurrentLesson().getUserId(this);
	}
	
	public String getUserNameInLesson() throws ParameterNotFoundException
	{
		return getCurrentLesson().getUserName(this);
	}

	public void openLessonSession(AbstractLesson lesson)
	{
		System.out.println("Opening new lesson session for lesson " + lesson);
		LessonSession lessonSession = new LessonSession();
		lessonSessions.put(lesson, lessonSession);
	}
	
	public void closeLessonSession(AbstractLesson lesson)
	{
		lessonSessions.remove(lesson);
	}
	
	public LessonSession getLessonSession(AbstractLesson lesson)
	{
		return (LessonSession) lessonSessions.get(lesson);
	}

	/**
	 * Gets the challenge attribute of the WebSession object
	 * 
	 * @return The challenge value
	 */
	public boolean isChallenge()
	{
		if ( getCurrentLesson() != null )
		{
			return ( AbstractLesson.CHALLENGE.equals(getCurrentLesson().getCategory()));
		}
		return false;
	}

	/**
	 * Gets the color attribute of the WebSession object
	 * 
	 * @return The color value
	 */
	public boolean isColor()
	{
		return ( isColor );
	}

	/**
	 * Gets the screen attribute of the WebSession object
	 * 
	 * @param value Description of the Parameter
	 * @return The screen value
	 */
	public boolean isScreen( int value )
	{
		return ( getCurrentScreen() == value );
	}

	/**
	 * Gets the user attribute of the WebSession object
	 * 
	 * @return The user value
	 */
	public boolean isUser()
	{
		return ( !isAdmin && !isChallenge() );
	}

	/**
	 * Sets the message attribute of the WebSession object
	 * 
	 * @param text The new message value
	 */
	public void setMessage( String text )
	{
		message.append( "<BR>" + " * " + text);
	}

	/**
	 * Description of the Method
	 * 
	 * @return Description of the Return Value
	 */
	public boolean showCookies()
	{
		return ( showCookies );
	}


	/**
	 * Description of the Method
	 * 
	 * @return Description of the Return Value
	 */
	public boolean showParams()
	{
		return ( showParams );
	}

	/**
	 * Description of the Method
	 * 
	 * @return Description of the Return Value
	 */
	public boolean showRequest()
	{
		return ( showRequest );
	}

	/**
	 * Description of the Method
	 * 
	 * @return Description of the Return Value
	 */
	public boolean showSource()
	{
		return ( showSource );
	}

	/**
	 * Description of the Method
	 * 
	 * @return Description of the Return Value
	 */
	public boolean isDefuseOSCommands()
	{
		return ( defuseOSCommands );
	}

	/**
	 * Description of the Method
	 * 
	 * @return Description of the Return Value
	 */
	public boolean isEnterprise()
	{
		return ( enterprise );
	}

	/**
	 * Description of the Method
	 * 
	 * @return Description of the Return Value
	 */
	public String getFeedbackAddress()
	{
		return ( feedbackAddress );
	}

	/**
	 * Gets the userName attribute of the WebSession object
	 * 
	 * @return The userName value
	 */
	public String getUserName()
	{
		// System.out.println("Request: " + getRequest() );
		// System.out.println("Principal: " + getRequest().getUserPrincipal() );
		// System.out.println("Name: " + getRequest().getUserPrincipal().getName( ) );
		return getRequest().getUserPrincipal().getName();
	}
	
	/**
	 * Parse parameters from the given request, handle any servlet commands, and update this session
	 * based on the parameters.
	 * 
	 * @param request Description of the Parameter
	 * @param response Description of the Parameter
	 * @param name Description of the Parameter
	 */
	public void update( HttpServletRequest request, HttpServletResponse response, String name )
			throws IOException
	{
		String content = null;

		clearMessage();
		this.request = request;
		this.response = response;
		this.servletName = name;

		if ( myParser == null )
		{
			myParser = new ParameterParser( request );
		}
		else
		{
			myParser.update( request );
		}

		// System.out.println("Current Screen 1: " + currentScreen );
		// System.out.println("Previous Screen 1: " + previousScreen );
		// FIXME: requires ?Logout=true
		// FIXME: doesn't work right -- no reauthentication
		if ( myParser.getRawParameter( LOGOUT, null ) != null )
		{
			System.out.println( "Logout " + request.getUserPrincipal() );
			eatCookies();
			request.getSession().invalidate();
			currentScreen = WELCOME;
			previousScreen = ERROR;
		}

		// There are several scenarios where we want the first lesson to be loaded
		// 1) Previous screen is Welcome - Start of the course
		// 2) After a logout and after the session has been reinitialized
		if ( ( this.getPreviousScreen() == WebSession.WELCOME ) || ( getRequest().getSession( false ) != null &&
		// getRequest().getSession(false).isNew() &&
				this.getCurrentScreen() == WebSession.WELCOME && this.getPreviousScreen() == WebSession.ERROR ) )
		{
			currentScreen = course.getFirstLesson().getScreenId();
			hintNum = -1;
		}

		// System.out.println("Current Screen 2: " + currentScreen );
		// System.out.println("Previous Screen 2: " + previousScreen );
		// update the screen variables
		previousScreen = currentScreen;

		try
		{
			// If the request is new there should be no parameters.
			// This can occur from a session timeout or a the starting of a new course.
			if ( !request.getSession().isNew() )
			{
				currentScreen = myParser.getIntParameter( SCREEN, currentScreen );
			}
			else
			{
				if ( !myParser.getRawParameter( SCREEN, "NULL" ).equals( "NULL" ) )
				{
					this.setMessage( "Session Timeout - Starting new Session." );
				}
			}
		}
		catch ( Exception e )
		{
		}

		// clear variables when switching screens
		if ( this.getCurrentScreen() != this.getPreviousScreen() )
		{
			if ( isDebug )
			{
				setMessage( "Changed to a new screen, clearing cookies and hints" );
			}
			eatCookies();
			hintNum = -1;
		}

		// else update global variables for the current screen
		else
		{
			// Handle "restart" commands
			int lessonId = myParser.getIntParameter( RESTART, -1 );
			if ( lessonId != -1 )
			{
				restartLesson(lessonId);
			}
			//if ( myParser.getBooleanParameter( RESTART, false ) )
			//{
			//	getCurrentLesson().getLessonTracker( this ).getLessonProperties().setProperty( CHALLENGE_STAGE, "1" );
			//}
			
			// Handle "show" commands
			String showCommand = myParser.getStringParameter( SHOW, null );
			if ( showCommand != null )
			{
				if ( showCommand.equalsIgnoreCase( SHOW_PARAMS ) )
				{
					showParams = !showParams;
				}
				else if ( showCommand.equalsIgnoreCase( SHOW_COOKIES ) )
				{
					showCookies = !showCookies;
				}
				else if ( showCommand.equalsIgnoreCase( SHOW_SOURCE ) )
				{
					content = getSource();
					//showSource = true;
				}
				else if ( showCommand.equalsIgnoreCase( SHOW_NEXTHINT ) )
				{
					getNextHint();
				}
				else if ( showCommand.equalsIgnoreCase( SHOW_PREVIOUSHINT ) )
				{
					getPreviousHint();
				}
			}

		}

		isAdmin = request.isUserInRole( WEBGOAT_ADMIN );
		isHackedAdmin = myParser.getBooleanParameter( ADMIN, isAdmin );
		if ( isHackedAdmin )
		{
			System.out.println("Hacked admin");
			hasHackedHackableAdmin = true;
		}
		isColor = myParser.getBooleanParameter( COLOR, isColor );
		isDebug = myParser.getBooleanParameter( DEBUG, isDebug );

		// System.out.println( "showParams:" + showParams );
		// System.out.println( "showSource:" + showSource );
		// System.out.println( "showCookies:" + showCookies );
		// System.out.println( "showRequest:" + showRequest );
		
		if (content != null)
		{
			response.setContentType("text/html");
			PrintWriter out = new PrintWriter(response.getOutputStream());
			out.print(content);	
			out.flush();
			out.close();
		}
	}
	
	private void restartLesson(int lessonId)
	{
		System.out.println("Restarting lesson: " + getLesson(lessonId));
		getCurrentLesson().getLessonTracker( this ).setStage(1);
		getCurrentLesson().getLessonTracker( this ).setCompleted(false);
	}

	/**
	 * @param string
	 */
	public void setHasHackableAdmin( String role )
	{
		hasHackedHackableAdmin = ( AbstractLesson.HACKED_ADMIN_ROLE.equals( role ) & hasHackedHackableAdmin );

		// if the user got the Admin=true parameter correct AND they accessed an admin screen
		if ( hasHackedHackableAdmin )
		{
			completedHackableAdmin = true;
		}
	}

	/**
	 * @return Returns the isDebug.
	 */
	public boolean isDebug()
	{
		return isDebug;
	}

	/**
	 * @param header - request header value to return
	 * @return
	 */
	public String getHeader( String header )
	{
		return getRequest().getHeader( header );
	}

	public String getNextHint()
	{
		String hint = null;

		// FIXME
		int maxHints = getCurrentLesson().getHintCount();
		if ( hintNum < maxHints - 1 )
		{
			hintNum++;

			// Hints are indexed from 0
			getCurrentLesson().getLessonTracker( this ).setMaxHintLevel( getHintNum() + 1 );

			hint = (String) getCurrentLesson().getHint( getHintNum() );
		}

		return hint;
	}

	public String getPreviousHint()
	{
		String hint = null;

		if ( hintNum > 0 )
		{
			hintNum--;

			// Hints are indexed from 0
			getCurrentLesson().getLessonTracker( this ).setMaxHintLevel( getHintNum() + 1 );

			hint = (String) getCurrentLesson().getHint( getHintNum() );
		}

		return hint;
	}

	public void setCurrentMenu(Integer ranking) 
	{
		currentMenu = ranking.intValue();
	}
	
	public int getCurrentMenu()
	{
		return currentMenu;	
	}
	
	public String htmlEncode(String s)
	{
		//System.out.println("Testing for stage 4 completion in lesson " + getCurrentLesson().getName());
		if (getCurrentLesson().getName().equals("CrossSiteScripting"))
		{
			if (getCurrentLesson().getStage(this) == 4 && 
					s.indexOf("<script>") > -1 && s.indexOf("alert") > -1 && s.indexOf("</script>") > -1)
			{
				setMessage( "Welcome to stage 5 -- exploiting the data layer" );
				// Set a phantom stage value to setup for the 4-5 transition
				getCurrentLesson().setStage(this, 1005);
			}
		}
		
		return ParameterParser.htmlEncode(s);
	}
}