6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
114 lines
5.1 KiB
HTML
114 lines
5.1 KiB
HTML
<!-- Start Instructions -->
|
|
<h1>How To Configure Tomcat</h1><br><br>
|
|
<h2>Introduction</h2>
|
|
<p>WebGoat comes with default configurations for Tomcat. This page will explain these configurations
|
|
and other possible configurations for Tomcat. This is just
|
|
a short description which should be enough in most cases. For more advanced tasks please
|
|
refer to the Tomcat documentation. Please note that all solutions
|
|
are written for the standard configurations on port 80. If you use another port you have
|
|
to adjust the solution to your configuration.</p>
|
|
|
|
<h2>The Standard Configurations</h2>
|
|
<p>There are two standard Tomcat configurations. In the basic configurations you use the server on your localhost.
|
|
Both are identically with the only difference
|
|
that in one tomcat is running on port 80 and 443 (SSL) and in the other tomcat is running on port 8080 and 8443. In Linux you have
|
|
to start WebGoat as root or with sudo if you want to run it on port 80 and
|
|
443.
|
|
As running software as root is dangerous we strongly advice to use
|
|
the port 8080 and 8443. In Windows you can
|
|
run WebGoat.bat to run it on port 80 and WebGoat_8080.bat to run it on port 8080. In Linux you
|
|
can use webgoat.sh and run it with webgoat.sh start80 or webgoat.sh start8080. The user in these
|
|
configurations is guest with password guest
|
|
</p>
|
|
|
|
<h2>Server Configurations</h2>
|
|
<p>
|
|
If you are a single user of WebGoat the standard configurations should be
|
|
enough but if you want to use WebGoat in laboratory or in class there
|
|
might be the need to change the configurations. Before changing
|
|
the configurations we recommend doing a backup of the files you change.
|
|
</p>
|
|
|
|
<h3>Change Ports</h3>
|
|
<p>
|
|
To change the ports open the server_80.xml which you find in tomcat/conf and change the
|
|
non-SSL port. If you want to use it on port 8079 for example:
|
|
</p>
|
|
|
|
<pre>
|
|
<!-- Define a non-SSL HTTP/1.1 Connector on port 8079 -->
|
|
<Connector address="127.0.0.1" port="8079"...
|
|
</pre>
|
|
<p>
|
|
You can also change the SSL connector to another port of course.
|
|
In this example to port 8442:
|
|
</p>
|
|
<pre>
|
|
<!-- Define a SSL HTTP/1.1 Connector on port 8442 -->
|
|
<Connector address="127.0.0.1" port="8442"...
|
|
</pre>
|
|
<br>
|
|
|
|
<h3>Make WebGoat Reachable From Another Client</h3>
|
|
<p>THIS MAKES IT POSSIBLE TO REALLY ATTACK YOUR SERVER! DO NOT DO THIS
|
|
UNTIL YOU KNOW WHAT YOU ARE DOING. THIS CONFIGURATION SHOULD BE ONLY USED IN
|
|
SAFE NETWORKS!</p>
|
|
<p>By its default configurations WebGoat is only
|
|
reachable within the localhost. In a laboratory or a class
|
|
there is maybe the need of having a server and a few clients.
|
|
In this case it is possible to make WebGoat reachable.
|
|
</p>
|
|
<p>The reason why WebGoat is only reachable within the localhost is
|
|
the parameter address in the connectors for the non-SSL and SSL connection in server_80.xml. It is set
|
|
to 127.0.0.1. The applications only listens on the port of this address for
|
|
incoming connections if it is set. If you remove this parameter the server listens on all IPs on the
|
|
specific port.</p>
|
|
|
|
<h3>Permit Only Certain Clients Connection</h3>
|
|
<p>
|
|
If you have made WebGoat reachable it is reachable for
|
|
all clients. If you want to make it reachable only for certain clients specified
|
|
by there IP you can archive this by using a 'Remote Address Filter'.
|
|
The filter can be set in a whitebox or blackbox approach. Here is
|
|
only discussed the whitebox approach. You have to add following lines to the Host section of web_80.xml:
|
|
</p>
|
|
<pre>
|
|
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
|
|
allow="127.0.0.1,ip1,ip2"/>
|
|
</pre>
|
|
<p>In this case only localhost, ip1 and ip2 are permitted to connect.</p>
|
|
|
|
<h2>WebGoat Default Users and Roles for Tomcat</h2>
|
|
<p>
|
|
WebGoat requires the following users and roles to be configured in order for the application to run.
|
|
<br/>
|
|
<pre>
|
|
>role rolename="webgoat_basic"/<
|
|
>role rolename="webgoat_admin"/<
|
|
>role rolename="webgoat_user"/<
|
|
>user username="webgoat" password="webgoat" roles="webgoat_admin"/<
|
|
>user username="basic" password="basic" roles="webgoat_user,webgoat_basic"/<
|
|
>user username="guest" password="guest" roles="webgoat_user"/<
|
|
</pre>
|
|
</p>
|
|
<h2>Adding Users</h2>
|
|
<p>
|
|
Usually using WebGoat you just use the user guest with the password guest.
|
|
But maybe in laboratory you have made a setup with one server and a lot of
|
|
clients. In this case you might want to have a user for every client
|
|
and you have to alter tomcat-users.xml
|
|
in tomcat/conf as the users are stored there. <b>We recommend not to use real passwords
|
|
as the passwords are stored in plain text in this file!</b>
|
|
</p>
|
|
<h3>Add User</h3>
|
|
<p>
|
|
Adding a user is straight forward. You can use the guest entry as an example. The added
|
|
users should have the same role as the guest user. Add lines like this to the file:
|
|
</p>
|
|
<pre>
|
|
<user name="student1" password="password1" roles="webgoat_user"/>
|
|
<user name="student2" password="password2" roles="webgoat_user"/>
|
|
...
|
|
</pre>
|
|
|
|
<!-- Stop Instructions --> |