6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
331 lines
9.0 KiB
Java
331 lines
9.0 KiB
Java
|
|
package org.owasp.webgoat.lessons.GoatHillsFinancial;
|
|
|
|
import java.sql.PreparedStatement;
|
|
import java.sql.ResultSet;
|
|
import java.sql.SQLException;
|
|
import java.sql.Statement;
|
|
import org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl;
|
|
import org.owasp.webgoat.session.ParameterNotFoundException;
|
|
import org.owasp.webgoat.session.UnauthenticatedException;
|
|
import org.owasp.webgoat.session.UnauthorizedException;
|
|
import org.owasp.webgoat.session.ValidationException;
|
|
import org.owasp.webgoat.session.WebSession;
|
|
|
|
|
|
/***************************************************************************************************
|
|
*
|
|
*
|
|
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
|
|
* please see http://www.owasp.org/
|
|
*
|
|
* Copyright (c) 2002 - 2007 Bruce Mayhew
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it under the terms of the
|
|
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
|
|
* License, or (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
|
|
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along with this program; if
|
|
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
|
|
* 02111-1307, USA.
|
|
*
|
|
* Getting Source ==============
|
|
*
|
|
* Source for this application is maintained at code.google.com, a repository for free software
|
|
* projects.
|
|
*
|
|
* For details, please see http://code.google.com/p/webgoat/
|
|
*/
|
|
public abstract class DefaultLessonAction implements LessonAction
|
|
{
|
|
// FIXME: We could parse this class name to get defaults for these fields.
|
|
private String lessonName;
|
|
private String actionName;
|
|
|
|
private GoatHillsFinancial lesson;
|
|
|
|
public DefaultLessonAction(GoatHillsFinancial lesson, String lessonName, String actionName)
|
|
{
|
|
this.lesson = lesson;
|
|
this.lessonName = lessonName;
|
|
this.actionName = actionName;
|
|
}
|
|
|
|
public void handleRequest(WebSession s) throws ParameterNotFoundException, UnauthenticatedException,
|
|
UnauthorizedException, ValidationException
|
|
{
|
|
getLesson().setCurrentAction(s, getActionName());
|
|
|
|
if (isAuthenticated(s))
|
|
{
|
|
}
|
|
else
|
|
throw new UnauthenticatedException();
|
|
}
|
|
|
|
public abstract String getNextPage(WebSession s);
|
|
|
|
public GoatHillsFinancial getLesson()
|
|
{
|
|
return lesson;
|
|
}
|
|
|
|
public String getLessonName()
|
|
{
|
|
return lessonName;
|
|
}
|
|
|
|
public String getActionName()
|
|
{
|
|
return actionName;
|
|
}
|
|
|
|
public void setSessionAttribute(WebSession s, String name, Object value)
|
|
{
|
|
s.getRequest().getSession().setAttribute(name, value);
|
|
}
|
|
|
|
public void setRequestAttribute(WebSession s, String name, Object value)
|
|
{
|
|
s.getRequest().setAttribute(name, value);
|
|
}
|
|
|
|
public void removeSessionAttribute(WebSession s, String name)
|
|
{
|
|
s.getRequest().getSession().removeAttribute(name);
|
|
}
|
|
|
|
protected String getSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
|
|
{
|
|
String value = (String) s.getRequest().getSession().getAttribute(name);
|
|
if (value == null) { throw new ParameterNotFoundException(); }
|
|
|
|
return value;
|
|
}
|
|
|
|
protected boolean getBooleanSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
|
|
{
|
|
boolean value = false;
|
|
|
|
Object attribute = s.getRequest().getSession().getAttribute(name);
|
|
if (attribute == null)
|
|
{
|
|
throw new ParameterNotFoundException();
|
|
}
|
|
else
|
|
{
|
|
// System.out.println("Attribute " + name + " is of type " +
|
|
// s.getRequest().getSession().getAttribute(name).getClass().getName());
|
|
// System.out.println("Attribute value: " +
|
|
// s.getRequest().getSession().getAttribute(name));
|
|
value = ((Boolean) attribute).booleanValue();
|
|
}
|
|
return value;
|
|
}
|
|
|
|
protected int getIntSessionAttribute(WebSession s, String name) throws ParameterNotFoundException
|
|
{
|
|
int value = -1;
|
|
String ss = (String) s.getRequest().getSession().getAttribute(name);
|
|
if (ss == null)
|
|
{
|
|
throw new ParameterNotFoundException();
|
|
}
|
|
else
|
|
{
|
|
try
|
|
{
|
|
value = Integer.parseInt(ss);
|
|
} catch (NumberFormatException nfe)
|
|
{
|
|
}
|
|
}
|
|
|
|
return value;
|
|
}
|
|
|
|
protected String getRequestAttribute(WebSession s, String name) throws ParameterNotFoundException
|
|
{
|
|
String value = (String) s.getRequest().getAttribute(name);
|
|
if (value == null) { throw new ParameterNotFoundException(); }
|
|
|
|
return value;
|
|
}
|
|
|
|
protected int getIntRequestAttribute(WebSession s, String name) throws ParameterNotFoundException
|
|
{
|
|
int value = -1;
|
|
String ss = (String) s.getRequest().getAttribute(name);
|
|
if (ss == null)
|
|
{
|
|
throw new ParameterNotFoundException();
|
|
}
|
|
else
|
|
{
|
|
try
|
|
{
|
|
value = Integer.parseInt(ss);
|
|
} catch (NumberFormatException nfe)
|
|
{
|
|
}
|
|
}
|
|
|
|
return value;
|
|
}
|
|
|
|
public int getUserId(WebSession s) throws ParameterNotFoundException
|
|
{
|
|
return getIntSessionAttribute(s, getLessonName() + "." + RoleBasedAccessControl.USER_ID);
|
|
}
|
|
|
|
public String getUserName(WebSession s) throws ParameterNotFoundException
|
|
{
|
|
String name = null;
|
|
|
|
int employeeId = getUserId(s);
|
|
try
|
|
{
|
|
String query = "SELECT first_name FROM employee WHERE userid = " + employeeId;
|
|
|
|
try
|
|
{
|
|
Statement answer_statement = WebSession.getConnection(s)
|
|
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
|
ResultSet answer_results = answer_statement.executeQuery(query);
|
|
if (answer_results.next()) name = answer_results.getString("first_name");
|
|
} catch (SQLException sqle)
|
|
{
|
|
s.setMessage("Error getting user name");
|
|
sqle.printStackTrace();
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage("Error getting user name");
|
|
e.printStackTrace();
|
|
}
|
|
|
|
return name;
|
|
}
|
|
|
|
public boolean requiresAuthentication()
|
|
{
|
|
// Default to true
|
|
return true;
|
|
}
|
|
|
|
public boolean isAuthenticated(WebSession s)
|
|
{
|
|
boolean authenticated = false;
|
|
|
|
try
|
|
{
|
|
authenticated = getBooleanSessionAttribute(s, getLessonName() + ".isAuthenticated");
|
|
} catch (ParameterNotFoundException e)
|
|
{
|
|
}
|
|
|
|
return authenticated;
|
|
}
|
|
|
|
public boolean isAuthorized(WebSession s, int employeeId, String functionId)
|
|
{
|
|
String employer_id = (String) s.getRequest().getSession()
|
|
.getAttribute(getLessonName() + "." + RoleBasedAccessControl.USER_ID);
|
|
// System.out.println("Authorizing " + employeeId + " for use of function: " + functionId +
|
|
// " having USER_ID = "
|
|
// + employer_id );
|
|
boolean authorized = false;
|
|
|
|
try
|
|
{
|
|
String query = "SELECT * FROM auth WHERE auth.role in (SELECT roles.role FROM roles WHERE userid = "
|
|
+ employeeId + ") and functionid = '" + functionId + "'";
|
|
|
|
try
|
|
{
|
|
Statement answer_statement = WebSession.getConnection(s)
|
|
.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
|
ResultSet answer_results = answer_statement.executeQuery(query);
|
|
authorized = answer_results.first();
|
|
|
|
/*
|
|
* User is validated for function, but can the user perform that function on the
|
|
* specified user?
|
|
*/
|
|
if (authorized)
|
|
{
|
|
authorized = isAuthorizedForEmployee(s, Integer.parseInt(employer_id), employeeId);
|
|
}
|
|
} catch (SQLException sqle)
|
|
{
|
|
s.setMessage("Error authorizing");
|
|
sqle.printStackTrace();
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage("Error authorizing");
|
|
e.printStackTrace();
|
|
}
|
|
|
|
// System.out.println("Authorized? " + authorized);
|
|
return authorized;
|
|
}
|
|
|
|
public boolean isAuthorizedForEmployee(WebSession s, int userId, int employeeId)
|
|
{
|
|
// System.out.println("Authorizing " + userId + " for access to employee: " + employeeId);
|
|
boolean authorized = false;
|
|
|
|
try
|
|
{
|
|
String query = "SELECT * FROM ownership WHERE employer_id = ? AND employee_id = ?";
|
|
|
|
try
|
|
{
|
|
|
|
PreparedStatement answer_statement = WebSession.getConnection(s)
|
|
.prepareStatement(query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
|
|
answer_statement.setInt(1, userId);
|
|
answer_statement.setInt(2, employeeId);
|
|
ResultSet answer_results = answer_statement.executeQuery();
|
|
authorized = answer_results.first();
|
|
} catch (SQLException sqle)
|
|
{
|
|
s.setMessage("Error authorizing");
|
|
sqle.printStackTrace();
|
|
}
|
|
} catch (Exception e)
|
|
{
|
|
s.setMessage("Error authorizing");
|
|
e.printStackTrace();
|
|
}
|
|
|
|
return authorized;
|
|
}
|
|
|
|
protected void setStage(WebSession s, String stage)
|
|
{
|
|
getLesson().setStage(s, stage);
|
|
}
|
|
|
|
protected void setStageComplete(WebSession s, String stage)
|
|
{
|
|
getLesson().setStageComplete(s, stage);
|
|
}
|
|
|
|
protected String getStage(WebSession s)
|
|
{
|
|
return getLesson().getStage(s);
|
|
}
|
|
|
|
public String toString()
|
|
{
|
|
return getActionName();
|
|
}
|
|
|
|
}
|