Clean up in pom files

README.MD

@@ -97,27 +97,10 @@ To change IP address add the following variable to WebGoat/webgoat-container/src
 server.address=x.x.x.x
 ```
 
-# Vagrant
-
-We supply a complete environment using Vagrant, to run WebGoat with Vagrant you must first have Vagrant and Virtualbox installed.
-
-```shell
-   $ cd WebGoat/webgoat-images/vagrant-training
-   $ vagrant up
-```
-
-Once the provisioning is complete login to the Virtualbox with username vagrant and password vagrant.
-WebGoat and WebWolf will automatically start when you login to this image.
-
-
 # Building a new Docker image
 
 NOTE: Travis will create a new Docker image automatically when making a new release.
 
-WebGoat now has Docker support for x86 and ARM (raspberry pi).
-### Docker on x86
-On x86 you can build a container with the following commands:
-
 ```Shell
 cd WebGoat/
 mvn install
@@ -128,31 +111,6 @@ docker login
 docker push webgoat/webgoat-8.0
 ```
 
-### Docker on ARM (Raspberry Pi)
-On a Raspberry Pi (it has yet been tested with a Raspberry Pi 3 and the hypriot Docker image) you need to build JFFI for
-ARM first. This is needed by the docker-maven-plugin ([see here](https://github.com/spotify/docker-maven-plugin/issues/233)):
-
-```Shell
-sudo apt-get install build-essential
-git clone https://github.com/jnr/jffi.git
-cd jffi
-ant jar
-cd build/jni
-sudo cp libjffi-1.2.so /usr/lib
-```
-
-When you have done this you can build the Docker container using the following commands:
-
-```Shell
-cd WebGoat/
-mvn install
-cd webgoat-server
-mvn docker:build -Drpi=true
-docker tag webgoat/webgoat-8.0 webgoat/webgoat-8.0:8.0
-docker login
-docker push webgoat/webgoat-8.0
-```
-
 # Run Instructions:
 
 Once installed connect to http://localhost:8080/WebGoat and http://localhost:9090/WebWolf

pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>1.5.18.RELEASE</version>
+        <version>1.5.21.RELEASE</version>
     </parent>
 
     <licenses>
@@ -116,46 +116,19 @@
 
         <!-- Shared properties with plugins and version numbers across submodules-->
         <activation.version>1.1.1</activation.version>
-        <axis-ant.version>1.4</axis-ant.version>
-        <axis-jaxrpc.version>1.4</axis-jaxrpc.version>
-        <axis-saaj.version>1.4</axis-saaj.version>
-        <axis.version>1.4</axis.version>
-        <build-helper-maven-plugin.version>1.9.1</build-helper-maven-plugin.version>
-        <cobertura-maven-plugin.version>2.7</cobertura-maven-plugin.version>
         <commons-collections.version>3.2.1</commons-collections.version>
-        <commons-digester.version>2.1</commons-digester.version>
-        <commons-discovery.version>0.5</commons-discovery.version>
-        <commons-fileupload.version>1.3.1</commons-fileupload.version>
-        <commons-io.version>2.6</commons-io.version>
         <commons-lang3.version>3.4</commons-lang3.version>
-        <coveralls-maven-plugin.version>4.0.0</coveralls-maven-plugin.version>
-        <gatling.version>2.2.5</gatling.version>
-        <gatling-plugin.version>2.2.4</gatling-plugin.version>
+        <commons-io.version>2.6</commons-io.version>
         <guava.version>18.0</guava.version>
-        <h2.version>1.4.190</h2.version>
         <hsqldb.version>2.3.4</hsqldb.version>
-        <j2h.version>1.3.1</j2h.version>
-        <jackson-core.version>2.6.3</jackson-core.version>
-        <jackson-databind.version>2.6.3</jackson-databind.version>
-        <javaee-api.version>6.0</javaee-api.version>
-        <javax.transaction-api.version>1.3</javax.transaction-api.version>
-        <jcl-over-slf4j.version>1.7.12</jcl-over-slf4j.version>
-        <jtds.version>1.3.1</jtds.version>
         <junit.version>4.12</junit.version>
         <lombok.version>1.18.4</lombok.version>
-        <mail-api.version>1.5.4</mail-api.version>
         <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
         <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
-        <maven-gpg-plugin.version>1.6</maven-gpg-plugin.version>
-        <maven-jar-plugin.version>3.1.1</maven-jar-plugin.version>
-        <maven-javadoc-plugin.version>2.10.4</maven-javadoc-plugin.version>
-        <maven-release-plugin.version>2.5.2</maven-release-plugin.version>
-        <maven-source-plugin.version>3.0.1</maven-source-plugin.version>
+        <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
+        <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
+        <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
         <maven-surefire-plugin.version>2.22.0</maven-surefire-plugin.version>
-        <nexus-staging-maven-plugin.version>1.6.6</nexus-staging-maven-plugin.version>
-        <scala.version>2.11.7</scala.version>
-        <sauce_junit.version>2.1.20</sauce_junit.version>
-        <selenium-java.version>2.48.2</selenium-java.version>
         <spring.security.version>3.2.4.RELEASE</spring.security.version>
     </properties>
 
@@ -166,32 +139,6 @@
         <module>webwolf</module>
     </modules>
 
-    <distributionManagement>
-        <snapshotRepository>
-            <id>ossrh</id>
-            <url>https://oss.sonatype.org/content/repositories/snapshots</url>
-        </snapshotRepository>
-        <repository>
-            <id>ossrh</id>
-            <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
-        </repository>
-    </distributionManagement>
-
-    <pluginRepositories>
-        <pluginRepository>
-            <id>apache.snapshots</id>
-            <url>http://repository.apache.org/snapshots/</url>
-            <!-- The releases element here is due to an issue in Maven 2.0 that will be
-                 fixed in future releases. This should be able to be disabled altogether. -->
-            <releases>
-                <updatePolicy>daily</updatePolicy>
-            </releases>
-            <snapshots>
-                <updatePolicy>daily</updatePolicy>
-            </snapshots>
-        </pluginRepository>
-    </pluginRepositories>
-
     <dependencies>
         <dependency>
             <groupId>org.projectlombok</groupId>
@@ -224,38 +171,6 @@
                     <encoding>UTF-8</encoding>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-release-plugin</artifactId>
-                <version>${maven-release-plugin.version}</version>
-                <configuration>
-                    <autoVersionSubmodules>true</autoVersionSubmodules>
-                    <useReleaseProfile>false</useReleaseProfile>
-                    <releaseProfiles>release</releaseProfiles>
-                    <tagNameFormat>@{project.version}</tagNameFormat>
-                    <goals>deploy</goals>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.eluder.coveralls</groupId>
-                <artifactId>coveralls-maven-plugin</artifactId>
-                <version>${coveralls-maven-plugin.version}</version>
-                <configuration>
-                    <repoToken/>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>cobertura-maven-plugin</artifactId>
-                <version>${cobertura-maven-plugin.version}</version>
-                <configuration>
-                    <check/>
-                    <format>xml</format>
-                    <maxmem>256m</maxmem>
-                    <!-- aggregated reports for multi-module projects -->
-                    <aggregate>true</aggregate>
-                </configuration>
-            </plugin>
         </plugins>
     </build>
 

webgoat-container/pom.xml

@@ -13,29 +13,6 @@
         <version>v8.0.0-SNAPSHOT</version>
     </parent>
 
-    <profiles>
-        <profile>
-            <id>performance</id>
-            <build>
-                <plugins>
-                    <plugin>
-                        <groupId>io.gatling</groupId>
-                        <artifactId>gatling-maven-plugin</artifactId>
-                        <version>${gatling-plugin.version}</version>
-                        <executions>
-                            <execution>
-                                <goals>
-                                    <goal>execute</goal>
-                                </goals>
-                            </execution>
-                        </executions>
-                    </plugin>
-                </plugins>
-            </build>
-        </profile>
-
-    </profiles>
-
     <build>
         <resources>
             <resource>
@@ -69,7 +46,11 @@
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>${maven-surefire-plugin.version}</version>
                 <configuration>
-                    <forkMode>never</forkMode>
+                    <forkCount>0</forkCount>
+                    <reuseForks>true</reuseForks>
+                    <argLine>
+                        --illegal-access=permit
+                    </argLine>
                 </configuration>
             </plugin>
             <plugin>
@@ -89,12 +70,23 @@
 
     <dependencies>
         <dependency>
-            <groupId>com.fasterxml.jackson.datatype</groupId>
-            <artifactId>jackson-datatype-jsr310</artifactId>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-undertow</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.springframework.boot</groupId>
+                    <artifactId>spring-boot-starter-tomcat</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>${activation.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -119,14 +111,6 @@
             <artifactId>guava</artifactId>
             <version>${guava.version}</version>
         </dependency>
-
-
-        <dependency>
-            <groupId>io.gatling.highcharts</groupId>
-            <artifactId>gatling-charts-highcharts</artifactId>
-            <version>${gatling.version}</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
@@ -140,28 +124,11 @@
             <artifactId>thymeleaf-extras-springsecurity4</artifactId>
             <version>2.1.2.RELEASE</version>
         </dependency>
-        <dependency>
-            <groupId>javax.activation</groupId>
-            <artifactId>activation</artifactId>
-            <version>${activation.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.hsqldb</groupId>
             <artifactId>hsqldb</artifactId>
             <version>${hsqldb.version}</version>
         </dependency>
-        <dependency>
-            <groupId>javax.transaction</groupId>
-            <artifactId>javax.transaction-api</artifactId>
-            <version>${javax.transaction-api.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.scala-lang</groupId>
-            <artifactId>scala-compiler</artifactId>
-            <version>${scala.version}</version>
-            <scope>test</scope>
-        </dependency>
-
 
         <!-- ************* END spring MVC and related dependencies ************** -->
         <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -44,9 +44,9 @@
 import org.thymeleaf.templateresolver.TemplateResolver;
 
 import java.io.*;
+import java.nio.charset.StandardCharsets;
 import java.util.Map;
 
-import static org.apache.commons.lang3.CharEncoding.UTF_8;
 import static org.asciidoctor.Asciidoctor.Factory.create;
 
 /**
@@ -92,7 +92,7 @@ public InputStream getResourceAsStream(TemplateProcessingParameters params, Stri
                     extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
 
                     asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
-                    return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));
+                    return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(StandardCharsets.UTF_8));
                 }
             } catch (IOException e) {
                 //no html yet

webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java

@@ -31,7 +31,6 @@
 package org.owasp.webgoat;
 
 import lombok.extern.slf4j.Slf4j;
-import org.apache.catalina.Context;
 import org.owasp.webgoat.plugins.PluginEndpointPublisher;
 import org.owasp.webgoat.plugins.PluginsLoader;
 import org.owasp.webgoat.session.Course;
@@ -42,9 +41,6 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
-import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
-import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
 import org.springframework.boot.web.support.SpringBootServletInitializer;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
@@ -53,7 +49,6 @@
 import org.springframework.web.client.RestTemplate;
 
 import java.io.File;
-import java.util.Arrays;
 
 @SpringBootApplication
 @Slf4j
@@ -99,20 +94,4 @@ public Course course(PluginEndpointPublisher pluginEndpointPublisher) {
     public RestTemplate restTemplate() {
         return new RestTemplate();
     }
-
-    @Bean
-    public EmbeddedServletContainerFactory servletContainer() {
-        TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
-        factory.setTomcatContextCustomizers(Arrays.asList(new CustomCustomizer()));
-        return factory;
-    }
-
-    static class CustomCustomizer implements TomcatContextCustomizer {
-        @Override
-        public void customize(Context context) {
-            context.setUseHttpOnly(false);
-        }
-    }
-
-
 }

webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java

@@ -58,8 +58,6 @@ protected void configure(HttpSecurity http) throws Exception {
         ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security = http
                 .authorizeRequests()
                 .antMatchers("/css/**", "/images/**", "/js/**", "fonts/**", "/plugins/**", "/registration", "/register.mvc").permitAll()
-                .antMatchers("/servlet/AdminServlet/**").hasAnyRole("WEBGOAT_ADMIN", "SERVER_ADMIN") //
-                .antMatchers("/JavaSource/**").hasRole("SERVER_ADMIN") //
                 .anyRequest().authenticated();
         security.and()
                 .formLogin()

webgoat-container/src/main/java/org/owasp/webgoat/assignments/AttackResult.java

@@ -25,6 +25,7 @@
 
 package org.owasp.webgoat.assignments;
 
+import com.google.common.base.Strings;
 import lombok.Getter;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.owasp.webgoat.i18n.PluginMessages;

webgoat-container/src/main/resources/application.properties

@@ -17,7 +17,6 @@ spring.jpa.hibernate.ddl-auto=update
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.HSQLDialect
 spring.datasource.driver-class-name=org.hsqldb.jdbc.JDBCDriver
 
-
 logging.level.org.springframework=INFO
 logging.level.org.springframework.boot.devtools=INFO
 logging.level.org.owasp=DEBUG