Initial commit of new spring-MVC/spring security/tiles-based functionality

git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@484 4033779f-a91e-0410-96ef-6bf7bf53c507

Author: [email protected]

build.xml

@@ -60,8 +60,8 @@
   	<property name="dist.home"     		   value="${app.home}/dist"/>
   	<property name="dist.owasp"     		   value="${app.home}/owasp_distributions"/>
   	<property name="install.home"     	   value="WebGoat-${app.version}"/>
-  	<property name="maven.war"     	   value="${basedir}/target/WebGoat-5.4-SNAPSHOT.war"/> <!-- UPDATE THIS! -->
-	<property name="maven.target"     	   value="${basedir}/target/WebGoat-5.4-SNAPSHOT"/> <!-- UPDATE THIS! -->
+  	<property name="maven.war"     	   value="${basedir}/target/WebGoat-6.0-SNAPSHOT.war"/> <!-- UPDATE THIS! -->
+	<property name="maven.target"     	   value="${basedir}/target/WebGoat-6.0-SNAPSHOT"/> <!-- UPDATE THIS! -->
 	<property name="maven.home"     	   value="C:/Program Files (x86)/apache/apache-maven-3.0.3"/> <!-- UPDATE THIS! -->
 	 <property name="java32.home"     	   value="C:/Program Files (x86)/Java/jre7"/> <!-- UPDATE THIS! -->
 	 <property name="java32.ubuntu.home"     	   value="C:/RTC/WebGoat/ubuntu_openjava_6_32"/> <!-- UPDATE THIS! -->

pom.xml

@@ -4,7 +4,7 @@
 	<groupId>WebGoat</groupId>
 	<artifactId>WebGoat</artifactId>
 	<packaging>war</packaging>
-	<version>5.4-SNAPSHOT</version>
+	<version>6.0-SNAPSHOT</version>
 
 	<repositories>
 		<repository>
@@ -13,7 +13,13 @@
 			<url>http://download.java.net/maven/2</url>
 		</repository>
 	</repositories>
-	
+    	
+  	<!-- Shared version number properties -->
+	<properties>
+    	<org.springframework.version>3.0.5.RELEASE</org.springframework.version>
+    	<spring.security.version>3.1.2.RELEASE</spring.security.version>
+    	<tiles.version>2.2.2</tiles.version>
+	</properties>	
 
 	<build>
 		<resources>
@@ -149,20 +155,147 @@
 			<groupId>net.sourceforge.jtds</groupId>
 			<artifactId>jtds</artifactId>
 			<version>1.2.2</version>
-		</dependency>
-		
-		<dependency>
-			<groupId>javax.servlet</groupId>
-			<artifactId>servlet-api</artifactId>
-			<version>2.3</version>
-			<scope>provided</scope>
-		</dependency>
+		</dependency>	
  		<dependency>
 			<groupId>org.apache.tomcat</groupId>
 			<artifactId>tomcat-catalina</artifactId>
 			<version>7.0.27</version>
 			<scope>provided</scope>
 		</dependency>
 
+
+		<!-- ************* spring MVC and related dependencies ************** -->
+
+		<!-- servlet API -->
+		<dependency>
+			<groupId>javax</groupId>
+			<artifactId>javaee-api</artifactId>
+			<version>6.0</version>
+			<scope>provided</scope>
+		</dependency>
+		
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-core</artifactId>
+			<version>${org.springframework.version}</version>
+		</dependency>
+
+	    <!-- Spring MVC framework --> 
+	    <dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-webmvc</artifactId>
+			<version>${org.springframework.version}</version>
+			<type>jar</type>			
+	    </dependency>
+	    
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-core</artifactId>
+			<version>${spring.security.version}</version>
+		</dependency>
+		
+		<dependency>
+        	<groupId>org.springframework.security</groupId>
+        	<artifactId>spring-security-config</artifactId>
+        	<version>${spring.security.version}</version>
+    	</dependency>
+    	
+		<dependency>
+        	<groupId>org.springframework.security</groupId>
+        	<artifactId>spring-security-web</artifactId>
+        	<version>${spring.security.version}</version>
+    	</dependency>    	
+
+		<!-- Apache Commons Upload --> 
+		<dependency>
+			<groupId>commons-fileupload</groupId>
+			<artifactId>commons-fileupload</artifactId>
+			<version>1.2.2</version>
+		</dependency>
+
+		<!-- Apache Commons Upload --> 
+		<dependency>
+			<groupId>commons-io</groupId>
+			<artifactId>commons-io</artifactId>
+			<version>1.3.2</version>
+		</dependency>
+
+		<!-- JSTL --> 
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>jstl</artifactId>
+			<version>1.2</version>
+		</dependency>
+
+		<dependency>
+			<groupId>taglibs</groupId>
+			<artifactId>standard</artifactId>
+			<version>1.1.2</version>
+		</dependency>
+		
+		<dependency>
+			<groupId>log4j</groupId>
+			<artifactId>log4j</artifactId>
+			<version>1.2.15</version>
+			<exclusions>
+			    <exclusion>
+					<groupId>javax.jms</groupId>
+					<artifactId>jms</artifactId>
+		    	</exclusion>
+		    	<exclusion>
+					<groupId>com.sun.jdmk</groupId>
+					<artifactId>jmxtools</artifactId>
+		    	</exclusion>
+		    	<exclusion>
+					<groupId>com.sun.jmx</groupId>
+					<artifactId>jmxri</artifactId>
+		    	</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>4.8.1</version>
+			<type>jar</type>
+		</dependency>
+	    <dependency>
+			<groupId>org.apache.tiles</groupId>
+			<artifactId>tiles-core</artifactId>
+			<version>${tiles.version}</version>
+			<type>jar</type>			
+	    </dependency>
+	    <dependency>
+			<groupId>org.apache.tiles</groupId>
+			<artifactId>tiles-template</artifactId>
+			<version>${tiles.version}</version>
+			<type>jar</type>			
+	    </dependency>
+	    <dependency>
+			<groupId>org.apache.tiles</groupId>
+			<artifactId>tiles-servlet</artifactId>
+			<version>${tiles.version}</version>
+			<type>jar</type>
+	    </dependency>
+	    <dependency>
+			<groupId>org.apache.tiles</groupId>
+			<artifactId>tiles-jsp</artifactId>
+			<version>${tiles.version}</version>
+			<type>jar</type>
+	    </dependency>    
+	    <dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-api</artifactId>
+			<version>1.5.8</version>
+			<type>jar</type>
+	    </dependency>        
+	    <dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-log4j12</artifactId>
+			<version>1.5.8</version>
+			<type>jar</type>
+	    </dependency>		
+		
+		<!-- ************* END spring MVC and related dependencies ************** -->
+		
 	</dependencies>
 </project>

src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java

@@ -561,6 +561,20 @@ public String getSolution(WebSession s)
 		// Solutions are html files
 		return src;
 	}
+	
+	
+	/**
+	 * <p>Returns the default "path" portion of a lesson's URL.</p>
+	 * 
+	 * <p>Legacy webgoat lesson links are of the form "attack?Screen=Xmenu=Ystage=Z".
+	 * This method returns the path portion of the url, i.e., "attack" in the string above.</p>
+	 * 
+	 * <p>Newer, Spring-Controller-based classes will override this method
+	 * to return "*.do"-styled paths.</p>
+	 */
+	protected String getPath() {
+		return "attack";
+	}
 
 	/**
 	 * Get the link that can be used to request this screen.
@@ -571,7 +585,8 @@ public String getLink()
 	{
 		StringBuffer link = new StringBuffer();
 
-		link.append("attack?");
+		// mvc update:
+		link.append(getPath()).append("?");
 		link.append(WebSession.SCREEN);
 		link.append("=");
 		link.append(getScreenId());

src/main/java/org/owasp/webgoat/lessons/HttpBasicsController.java

@@ -0,0 +1,107 @@
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.log4j.Logger;
+import org.owasp.webgoat.lessons.model.HttpBasicsModel;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.ModelMap;
+import org.springframework.web.bind.annotation.ModelAttribute;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ * <p>
+ * Handles the "HTTP Basics" lesson.  Contains all 
+ * mapping methods for that lesson as well as all helper methods
+ * used by those mappers.
+ * </p>
+ * 
+ */
+@Controller
+public class HttpBasicsController extends LessonAdapter {
+
+	protected static Logger logger = Logger.getLogger("controller");
+	
+	// [url] path used by this lesson 
+	private final String PAGE_PATH = "httpBasics.do";
+
+	// The (apache) tile used by this lesson, as specified in tiles-definitions.xml 
+	private String TILE_NAME = "http-basics";
+	
+	// ID attribute associated with the JSP's form.
+	private String FORM_NAME = "command";
+	
+	
+	/**
+	 * @see {@link org.owasp.webgoat.lessons.AbstractLesson#getPath()}
+	 * @see {@link org.owasp.webgoat.lessons.AbstractLesson#getLink()}
+	 */
+	protected String getPath() {
+		return PAGE_PATH;
+	}
+	   
+	/**
+	 * Handles GET requests for this lesson.
+	 * @return
+	 */
+    @RequestMapping(value = PAGE_PATH, method = RequestMethod.GET)
+    public ModelAndView displayPage() {
+    	return new ModelAndView(TILE_NAME, FORM_NAME, new HttpBasicsModel());
+    }
+    
+    /**
+     * Handles POST requests for this lesson.  Takes the user's name and displays 
+     * a reversed copy of it.
+     * 
+     * @param httpBasicsModel
+     * @param model
+     * @return
+     */
+    @RequestMapping(value = PAGE_PATH, method = RequestMethod.POST)
+    public ModelAndView processSubmit(
+    		@ModelAttribute("")HttpBasicsModel httpBasicsModel, ModelMap model) {
+    	
+    	StringBuffer personName = new StringBuffer(httpBasicsModel.getPersonName());
+    	httpBasicsModel.setPersonName(personName.reverse().toString());
+    	
+    	return new ModelAndView(TILE_NAME, FORM_NAME, httpBasicsModel);
+    }    
+    
+    
+	public Category getCategory()
+	{
+		return Category.GENERAL;
+	}
+
+	/**
+	 * Gets the hints attribute of the HelloScreen object
+	 * 
+	 * @return The hints value
+	 */
+	public List<String> getHints(WebSession s)
+	{
+		List<String> hints = new ArrayList<String>();
+		hints.add("Type in your name and press 'go'");
+		hints.add("Turn on Show Parameters or other features");
+		hints.add("Try to intercept the request with WebScarab");
+		hints.add("Press the Show Lesson Plan button to view a lesson summary");
+		hints.add("Press the Show Solution button to view a lesson solution");
+
+		return hints;
+	}
+
+	protected String getInstructions()
+	{
+		return null;
+	}
+
+	public String getTitle()
+	{
+		// TODO: GET RID OF THE "(Spring MVC)" BELOW LATER!!!!"
+		return "HTTP Basics (Spring MVC)";
+	}    
+}

src/main/java/org/owasp/webgoat/lessons/model/HttpBasicsModel.java

@@ -0,0 +1,21 @@
+package org.owasp.webgoat.lessons.model;
+
+/**
+ * Model component for the Http Basics lesson.  Using a model
+ * for that simple lesson is architectural overkill.  We do it anyway
+ * for illustrative purposes - to demonstrate the pattern that we will 
+ * use for more complex lessons.
+ * 
+ */
+public class HttpBasicsModel {
+
+	private String personName;
+
+	public String getPersonName() {
+		return personName;
+	}
+
+	public void setPersonName(String personName) {
+		this.personName = personName;
+	}
+}