WebGoat/webapp/WEB-INF/spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    
    <global-method-security pre-post-annotations="enabled" />
    <!--
            PCS 8/27/2012
            NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
            That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
    -->  
    <http auto-config="true"  use-expressions="true">  
        <intercept-url pattern="/login.do" access="permitAll" />
        <intercept-url pattern="/logout.do" access="permitAll" />   
        <intercept-url pattern="/servlet/AdminServlet/**" access="hasAnyRole('ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
        <intercept-url pattern="/JavaSource/**" access="hasRole('ROLE_SERVER_ADMIN')" />          	
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_WEBGOAT_USER','ROLE_WEBGOAT_ADMIN','ROLE_SERVER_ADMIN')" />
        <form-login 
            login-page="/login.do" 
            default-target-url="/attack" 
            authentication-failure-url="/login.do?error" 
            username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/logout.do" />
        <!-- enable csrf protection -->
        <csrf/>
    </http>

    <!-- Authentication Manager -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
                <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
                <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
                <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>  
    
</beans:beans>