<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!--
            PCS 8/27/2012
            NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
            That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
    -->  
    <!--
        HTTP security rules for the web application.
        auto-config="true" is the namespace shorthand that also enables http-basic and logout
        alongside the explicit <form-login> declared below; use-expressions="true" makes the
        access attributes SpEL expressions (permitAll, hasRole(...)).
    -->
    <http auto-config="true"  use-expressions="true">  
        <!--
            intercept-url rules are evaluated in document order and the first matching pattern
            wins, so the /** catch-all must stay last. The Ant patterns match the request path
            only, which is why the failure URL below (/login.do?error) still falls under the
            permitAll rule for /login.do.
        -->
        <intercept-url pattern="/login.do" access="permitAll" />
        <intercept-url pattern="/logout.do" access="permitAll" />   
        <intercept-url pattern="/servlet/AdminServlet/**" access="hasRole('ROLE_WEBGOAT_ADMIN')" />
        <intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" />          	
        <intercept-url pattern="/**" access="hasRole('ROLE_WEBGOAT_USER')" />
        <!--
            Form login: credentials are posted as "username" / "password"; a successful login
            lands on /attack unless a protected page was requested first.
            NOTE(review): no <headers/> element is declared, so the default response headers the
            3.2 namespace can emit (frame-options, cache-control, content-type-options, etc.) are
            not added here; confirm this is intended for this application.
        -->
        <form-login 
            login-page="/login.do" 
            default-target-url="/attack" 
            authentication-failure-url="/login.do?error" 
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/logout.do" />
        <!--
            Enable CSRF protection: state-changing requests must carry the CSRF token, and with
            CSRF enabled the namespace logout is expected to be triggered by POST rather than GET
            (presumably; verify against the lesson forms and logout link).
        -->
        <csrf/>
    </http>

    <!-- Authentication Manager -->
    <!--
        Single authentication provider backed by an in-memory user list; exposed as the bean
        "authenticationManager" via the alias.
    -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <!--
                No <password-encoder> is declared under this provider, so the password values
                below are held and compared as clear text.
            -->
            <user-service>
                <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
                <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
                <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
                <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>  
    
    <!-- Role hierarchy (currently disabled).
         NOTE(review): the role names in this bean (server_admin, webgoat_admin, webgoat_challenge,
         webgoat_user) do not match the authorities granted above (ROLE_SERVER_ADMIN, ROLE_WEBGOAT_ADMIN,
         ROLE_WEBGOAT_USER), so re-enabling it as written would have no effect on those users; the
         bean would also need to be wired into the security configuration, which is not shown here. -->
    <!--
    <beans:bean id="roleHierarchy"
          class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <beans:property name="hierarchy">
            <beans:value>
                server_admin > webgoat_admin
                webgoat_admin > webgoat_challenge
                webgoat_challenge > webgoat_user
            </beans:value>
        </beans:property>
    </beans:bean>
    -->
</beans:beans>