fix various session issues and cleanup

main change is to force spring security to always send user to welcome.mvc after login which gets their session setup properly before redirecting to start.mvc

Author: lawson89

java/org/owasp/webgoat/HammerHead.java

@@ -182,9 +182,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) thr
                 clientBrowser = userAgent;
             }
             request.setAttribute("client.browser", clientBrowser);
-            request.getSession().setAttribute(WebSession.SESSION, mySession);
+            // removed - this is being done in updateSession call
+            //request.getSession().setAttribute(WebSession.SESSION, mySession);
             // not sure why this is being set in the session?
-            request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
+            //request.getSession().setAttribute(WebSession.COURSE, mySession.getCourse());
             String viewPage = getViewPage(mySession);
             logger.debug("Forwarding to view: " + viewPage);
             logger.debug("Screen: " + screen);
@@ -374,7 +375,8 @@ protected static void setCacheHeaders(HttpServletResponse response, int expiry)
     protected WebSession updateSession(HttpServletRequest request, HttpServletResponse response, ServletContext context)
             throws IOException {
         HttpSession hs;
-        hs = request.getSession(true);
+        // session should already be created by spring security
+        hs = request.getSession(false);
 
         logger.debug("HH Entering Session_id: " + hs.getId());
         // dumpSession( hs );
@@ -384,6 +386,7 @@ protected WebSession updateSession(HttpServletRequest request, HttpServletRespon
 
         if ((o != null) && o instanceof WebSession) {
             session = (WebSession) o;
+            hs.setAttribute(WebSession.COURSE, session.getCourse());
         } else {
             // Create new custom session and save it in the HTTP session
             logger.warn("HH Creating new WebSession");
@@ -394,13 +397,12 @@ protected WebSession updateSession(HttpServletRequest request, HttpServletRespon
             hs.setAttribute(WebSession.SESSION, session);
             // reset timeout
             hs.setMaxInactiveInterval(sessionTimeoutSeconds);
-
         }
 
+        session.update(request, response, this.getServletName());
         // update last attack request info (cookies, parms)
         // this is so the REST services can have access to them via the session 
         session.updateLastAttackRequestInfo(request);
-        session.update(request, response, this.getServletName());
 
         // to authenticate
         logger.debug("HH Leaving Session_id: " + hs.getId());

java/org/owasp/webgoat/service/BaseService.java

@@ -67,8 +67,11 @@ ExceptionInfo handleException(HttpServletRequest request, Exception ex) {
     public WebSession getWebSession(HttpSession session) {
         WebSession ws;
         Object o = session.getAttribute(WebSession.SESSION);
-        if (o == null || !(o instanceof WebSession)) {
-            throw new IllegalArgumentException("No valid session object found, has session timed out? [" + session.getId() + "]");
+        if (o == null) {
+            throw new IllegalArgumentException("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
+        }
+        if (!(o instanceof WebSession)) {
+            throw new IllegalArgumentException("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
         }
         ws = (WebSession) o;
         return ws;

java/org/owasp/webgoat/session/WebSession.java

@@ -782,13 +782,16 @@ public void update(HttpServletRequest request, HttpServletResponse response, Str
         // System.out.println("Previous Screen 1: " + previousScreen );
         // FIXME: requires ?Logout=true
         // FIXME: doesn't work right -- no reauthentication
+        // REMOVED - we have explicit logout now via spriing security
+        /*
         if (myParser.getRawParameter(LOGOUT, null) != null) {
             System.out.println("Logout " + request.getUserPrincipal());
             eatCookies();
             request.getSession().invalidate();
             currentScreen = WELCOME;
             previousScreen = ERROR;
         }
+        */
 
         // There are several scenarios where we want the first lesson to be loaded
         // 1) Previous screen is Welcome - Start of the course

webapp/META-INF/context.xml

@@ -1,2 +1,2 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<Context antiJARLocking="true" path=""/>
+<Context antiJARLocking="true" path="/WebGoat"/>

webapp/WEB-INF/mvc-dispatcher-servlet.xml

@@ -1,50 +1,59 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:p="http://www.springframework.org/schema/p" 
-	xmlns:context="http://www.springframework.org/schema/context"
-	xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans 
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:p="http://www.springframework.org/schema/p" 
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:mvc="http://www.springframework.org/schema/mvc"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans 
 	   		http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
 	   		http://www.springframework.org/schema/context
 	   		http://www.springframework.org/schema/context/spring-context-3.2.xsd
 			http://www.springframework.org/schema/mvc 
 			http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
 
-    	<context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons, org.owasp.webgoat.service" />
+    <context:component-scan base-package="org.owasp.webgoat.controller, org.owasp.webgoat.lessons, org.owasp.webgoat.service" />
 
-	<!--
-	put custom validators here.  E.g.:
-	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
-	-->
+    <!--
+    put custom validators here.  E.g.:
+    <bean class="org.owasp.webgoat.validators.MyCustomValidator" />
+    -->
 
-	<!-- Activates various annotations to be detected in bean classes -->
-	<context:annotation-config />
+    <!-- Activates various annotations to be detected in bean classes -->
+    <context:annotation-config />
 
-	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
-	<mvc:annotation-driven /> 
+    <!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
+    <mvc:annotation-driven /> 
 
-	<!-- Import Tiles-related configuration -->
-	<!--import resource="tiles-context.xml" /-->
+    <!-- Import Tiles-related configuration -->
+    <!--import resource="tiles-context.xml" /-->
 
 
-	<!-- Declare a view resolver -->
-	<!-- Take note of the order. Since we're using TilesViewResolver as well 
-		 We need to define which ViewResolver is called first. 
-		 We chose this InternalResourceViewResolver to be at the bottom order -->
-	<bean 
-		id="viewResolver" 
-		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
-    	p:prefix="/WEB-INF/pages/" 
-    	p:suffix=".jsp" 
-    	p:order="1"/>
+    <!-- Declare a view resolver -->
+    <!-- Take note of the order. Since we're using TilesViewResolver as well 
+    We need to define which ViewResolver is called first. 
+    We chose this InternalResourceViewResolver to be at the bottom order -->
+    <bean 
+        id="viewResolver" 
+        class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
+        p:prefix="/WEB-INF/pages/" 
+        p:suffix=".jsp" 
+        p:order="1"/>
+        
+    <mvc:interceptors>
+        <bean id="webContentInterceptor" class="org.springframework.web.servlet.mvc.WebContentInterceptor">
+            <property name="cacheSeconds" value="0" />
+            <property name="useExpiresHeader" value="true" />
+            <property name="useCacheControlHeader" value="true" />
+            <property name="useCacheControlNoStore" value="true" />
+        </bean>
+    </mvc:interceptors>
 
 
- 	<!-- Register the Customer.properties 
-	<bean id="messageSource"
-		class="org.springframework.context.support.ResourceBundleMessageSource">
-		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
-	</bean>
-	-->
+    <!-- Register the Customer.properties 
+    <bean id="messageSource"
+            class="org.springframework.context.support.ResourceBundleMessageSource">
+            <property name="basename" value="org/owasp/webgoat/properties/Customer" />
+    </bean>
+    -->
 
 </beans>

webapp/WEB-INF/spring-security.xml

@@ -14,6 +14,9 @@
     <http pattern="/css/**" security="none"/>
     <http pattern="/images/**" security="none"/>
     <http pattern="/javascript/**" security="none"/>
+    <http pattern="/js/**" security="none"/>
+    <http pattern="/fonts/**" security="none"/>
+    <http pattern="/plugins/**" security="none"/>    
     <http pattern="/favicon.ico" security="none"/>    
     <http use-expressions="true">  
         <intercept-url pattern="/login.mvc" access="permitAll" />
@@ -26,7 +29,8 @@
             default-target-url="/welcome.mvc" 
             authentication-failure-url="/login.mvc?error" 
             username-parameter="username"
-            password-parameter="password" />
+            password-parameter="password"
+            always-use-default-target="true"/>
         <logout logout-url="/j_spring_security_logout" logout-success-url="/logout.mvc" />
         <!-- enable csrf protection -->
         <!--csrf/-->