From 617d16d8a7c7a0914e45c659927c939133dbf616 Mon Sep 17 00:00:00 2001
From: lawson89 <rick.lawson@infor.com>
Date: Thu, 29 May 2014 18:43:40 -0400
Subject: [PATCH] migrate from container managed authentication to spring
 security updated spring and spring security versions

---
 .gitignore                                |   2 +
 pom.xml                                   |   2 +-
 webapp/META-INF/context.xml               |   2 +
 webapp/WEB-INF/mvc-dispatcher-servlet.xml |  98 +--
 webapp/WEB-INF/spring-security.xml        |  71 +-
 webapp/WEB-INF/web.xml                    | 804 +++++++++++-----------
 6 files changed, 501 insertions(+), 478 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 webapp/META-INF/context.xml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000..d944cc49c4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/nb-configuration.xml
+/nbactions.xml
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 9a8ead4c36..f726b45da6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -17,7 +17,7 @@
 	<!-- Shared version number properties -->
 	<properties>
 		<org.springframework.version>3.2.4.RELEASE</org.springframework.version>
-		<spring.security.version>3.1.2.RELEASE</spring.security.version>
+		<spring.security.version>3.2.4.RELEASE</spring.security.version>
 		<tiles.version>2.2.2</tiles.version>
 	</properties>
 
diff --git a/webapp/META-INF/context.xml b/webapp/META-INF/context.xml
new file mode 100644
index 0000000000..5bee3dc30f
--- /dev/null
+++ b/webapp/META-INF/context.xml
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context antiJARLocking="true" path=""/>
diff --git a/webapp/WEB-INF/mvc-dispatcher-servlet.xml b/webapp/WEB-INF/mvc-dispatcher-servlet.xml
index e39db65274..d9483ac241 100644
--- a/webapp/WEB-INF/mvc-dispatcher-servlet.xml
+++ b/webapp/WEB-INF/mvc-dispatcher-servlet.xml
@@ -1,50 +1,50 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:p="http://www.springframework.org/schema/p" 
-	xmlns:context="http://www.springframework.org/schema/context"
-	xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans 
-	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-	   		http://www.springframework.org/schema/context
-	   		http://www.springframework.org/schema/context/spring-context-3.0.xsd
-			http://www.springframework.org/schema/mvc 
-			http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
-
-	<context:component-scan base-package="org.owasp.webgoat.lessons" />
-	
-	<!--
-	put custom validators here.  E.g.:
-	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
-	-->
-	
-	<!-- Activates various annotations to be detected in bean classes -->
-	<context:annotation-config />
-	
-	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
-	<mvc:annotation-driven /> 
-	
-	<!-- Import Tiles-related configuration -->
-	<import resource="tiles-context.xml" />
-	
-		
-	<!-- Declare a view resolver -->
-	<!-- Take note of the order. Since we're using TilesViewResolver as well 
-		 We need to define which ViewResolver is called first. 
-		 We chose this InternalResourceViewResolver to be at the bottom order -->
-	<bean 
-		id="viewResolver" 
-		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
-    	p:prefix="/WEB-INF/pages/" 
-    	p:suffix=".jsp" 
-    	p:order="1"/>
-    	
-	
- 	<!-- Register the Customer.properties 
-	<bean id="messageSource"
-		class="org.springframework.context.support.ResourceBundleMessageSource">
-		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
-	</bean>
-	-->
-
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:p="http://www.springframework.org/schema/p" 
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:mvc="http://www.springframework.org/schema/mvc"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans 
+	   		http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
+	   		http://www.springframework.org/schema/context
+	   		http://www.springframework.org/schema/context/spring-context-3.2.xsd
+			http://www.springframework.org/schema/mvc 
+			http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
+
+	<context:component-scan base-package="org.owasp.webgoat.lessons" />
+	
+	<!--
+	put custom validators here.  E.g.:
+	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
+	-->
+	
+	<!-- Activates various annotations to be detected in bean classes -->
+	<context:annotation-config />
+	
+	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
+	<mvc:annotation-driven /> 
+	
+	<!-- Import Tiles-related configuration -->
+	<import resource="tiles-context.xml" />
+	
+		
+	<!-- Declare a view resolver -->
+	<!-- Take note of the order. Since we're using TilesViewResolver as well 
+		 We need to define which ViewResolver is called first. 
+		 We chose this InternalResourceViewResolver to be at the bottom order -->
+	<bean 
+		id="viewResolver" 
+		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
+    	p:prefix="/WEB-INF/pages/" 
+    	p:suffix=".jsp" 
+    	p:order="1"/>
+    	
+	
+ 	<!-- Register the Customer.properties 
+	<bean id="messageSource"
+		class="org.springframework.context.support.ResourceBundleMessageSource">
+		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
+	</bean>
+	-->
+
 </beans>
\ No newline at end of file
diff --git a/webapp/WEB-INF/spring-security.xml b/webapp/WEB-INF/spring-security.xml
index a7a0082e47..98003eafcf 100644
--- a/webapp/WEB-INF/spring-security.xml
+++ b/webapp/WEB-INF/spring-security.xml
@@ -1,28 +1,45 @@
-<beans:beans xmlns="http://www.springframework.org/schema/security"
-	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans
-	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-	http://www.springframework.org/schema/security
-	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
-	<!--
-		PCS 8/27/2012
-		NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
-		That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
-	-->  
-    <http auto-config='true'>    	
-        <intercept-url pattern="/**" access="ROLE_USER" />
-        <http-basic/>
-    </http>
-
-    <!-- Authentication Manager -->
-    <authentication-manager alias="authenticationManager">
-        <authentication-provider>
-        	<user-service>
-        		<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
-            	<user name="guest" password="guest" authorities="ROLE_USER" />
-        	</user-service>
-    	</authentication-provider>
-    </authentication-manager>  
-    
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+             xsi:schemaLocation="http://www.springframework.org/schema/beans
+	http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
+	http://www.springframework.org/schema/security
+	http://www.springframework.org/schema/security/spring-security-3.2.xsd">
+
+    <!--
+            PCS 8/27/2012
+            NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
+            That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
+    -->  
+    <http>     
+        <intercept-url pattern="/servlet/AdminServlet/**" access="ROLE_WEBGOAT_ADMIN" />
+        <intercept-url pattern="/JavaSource/**" access="ROLE_SERVER_ADMIN" />          	
+        <intercept-url pattern="/**" access="ROLE_WEBGOAT_USER" />
+        <http-basic />
+    </http>
+
+    <!-- Authentication Manager -->
+    <authentication-manager alias="authenticationManager">
+        <authentication-provider>
+            <user-service>
+                <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
+                <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
+                <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
+                <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>  
+    
+    <!-- Role hierarchy -->
+    <!--
+    <beans:bean id="roleHierarchy"
+          class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
+        <beans:property name="hierarchy">
+            <beans:value>
+                server_admin > webgoat_admin
+                webgoat_admin > webgoat_challenge
+                webgoat_challenge > webgoat_user
+            </beans:value>
+        </beans:property>
+    </beans:bean>
+    -->
 </beans:beans>
\ No newline at end of file
diff --git a/webapp/WEB-INF/web.xml b/webapp/WEB-INF/web.xml
index 1490812cca..209cf9db0c 100644
--- a/webapp/WEB-INF/web.xml
+++ b/webapp/WEB-INF/web.xml
@@ -1,401 +1,403 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<web-app 
-    xmlns="http://java.sun.com/xml/ns/javaee"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
-    version="2.5">
-
-    <!-- General description of your web application -->
-    <display-name>WebGoat</display-name>
-    <description>
-      This web application is designed to demonstrate web
-      application security flaws for the purpose of educating
-      developers and security professionals about web
-      application security problems. Please contact Bruce Mayhew 
-      (webgoat@owasp.org) if you have any questions.
-    </description>
-
-
-
-   <!-- Context initialization parameters that define shared
-         String constants used within your application, which
-         can be customized by the system administrator who is
-         installing your application.  The values actually
-         assigned to these parameters can be retrieved in a
-         servlet or JSP page by calling:
-
-             String value =
-               getServletContext().getInitParameter("name");
-
-         where "name" matches the <param-name> element of
-         one of these initialization parameters.
-
-         You can define any number of context initialization
-         parameters, including zero.
-    -->
-
-    <context-param>
-      <param-name>email</param-name>
-      <param-value>WebGoat@owasp.org</param-value>
-      <description>
-        The EMAIL address of the administrator to whom questions
-        and comments about this application should be addressed.
-      </description>
-    </context-param>
-    
-    <!-- spring MVC -->
-  	<context-param>
-		<param-name>contextConfigLocation</param-name>
-		<param-value>
-			/WEB-INF/mvc-dispatcher-servlet.xml,
-			/WEB-INF/spring-security.xml
-		</param-value>
-  	</context-param>
-  
-
-    <!-- Servlet definitions for the servlets that make up
-         your web application, including initialization
-         parameters.  With Tomcat, you can also send requests
-         to servlets not listed here with a request like this:
-
-           http://localhost:8080/{context-path}/servlet/{classname}
-
-         but this usage is not guaranteed to be portable.  It also
-         makes relative references to images and other resources
-         required by your servlet more complicated, so defining
-         all of your servlets (and defining a mapping to them with
-         a servlet-mapping element) is recommended.
-
-         Servlet initialization parameters can be retrieved in a
-         servlet or JSP page by calling:
-
-            String value =
-               getServletConfig().getInitParameter("name");
-
-         where "name" matches the <param-name> element of
-         one of these initialization parameters.
-
-         You can define any number of servlets, including zero.
-    -->
-
-    <servlet>
-      <servlet-name>AxisServlet</servlet-name>
-      <display-name>Apache-Axis Servlet</display-name>
-      <servlet-class>
-          org.apache.axis.transport.http.AxisServlet
-      </servlet-class>
-    </servlet>
- 
-    <servlet>
-      <servlet-name>AdminServlet</servlet-name>
-      <display-name>Axis Admin Servlet</display-name>
-      <servlet-class>
-          org.apache.axis.transport.http.AdminServlet
-      </servlet-class>
-      <load-on-startup>100</load-on-startup>
-    </servlet>
-
-    <servlet>
-      <servlet-name>SOAPMonitorService</servlet-name>
-      <display-name>SOAPMonitorService</display-name>
-      <servlet-class>
-          org.apache.axis.monitor.SOAPMonitorService
-      </servlet-class>
-      <init-param>
-        <param-name>SOAPMonitorPort</param-name>
-        <param-value>5001</param-value>
-      </init-param>
-      <load-on-startup>100</load-on-startup>
-    </servlet>
- 
-    <servlet>
-      <servlet-name>WebGoat</servlet-name>
-      <description>
-        This servlet plays the "controller" role in the MVC architecture
-        used in this application.
-
-        The initialization parameter namess for this servlet are the
-        "servlet path" that will be received by this servlet (after the
-        filename extension is removed).  The corresponding value is the
-        name of the action class that will be used to process this request.
-      </description>
-      <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
-
- 	  <init-param>
-      		<param-name>email</param-name>
-      		<param-value>WebGoat@owasp.org</param-value>
-      		<description>
-        		The EMAIL address of the administrator to whom questions
-        		and comments about this application should be addressed.
-      		</description>
-      </init-param>
-      
-	  <init-param>
-            <param-name>debug</param-name>
-            <param-value>false</param-value>
-      </init-param>
-
-      <init-param>
-            <param-name>CookieDebug</param-name>
-            <param-value>true</param-value>
-      </init-param>
-
-      <init-param>
-            <param-name>DefuseOSCommands</param-name>
-            <param-value>false</param-value>
-      </init-param>
-      
-      <init-param>
-            <param-name>Enterprise</param-name>
-            <param-value>true</param-value>
-      </init-param>
-      
-      <init-param>
-            <param-name>CodingExercises</param-name>
-            <param-value>true</param-value>
-      </init-param>
-      
-      <init-param>
-      		<!-- Specify an address where you would like comments to be sent.  -->
-      		<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
-      		<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For 
-      			 example, replace "<" with "&lt;" and ">" with "&gt;". -->
-            <param-name>FeedbackAddress</param-name>
-            <param-value>
-				&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
-            </param-value>
-      </init-param>
-      
-      <init-param>
-            <param-name>DatabaseDriver</param-name>
-            <param-value>
-		    	org.hsqldb.jdbcDriver
-            </param-value>
-      </init-param>
-
-      <init-param>
-            <param-name>DatabaseConnectionString</param-name>
-            <!-- 
-            The string "${USER}" in the connection string will be replaced by the active username
-            when making a connection.
-             -->
-            <param-value>
-				jdbc:hsqldb:mem:${USER}
-		    </param-value>
-      </init-param>
-
-      <!-- Load this servlet at server startup time -->
-
-      <load-on-startup>5</load-on-startup>
-
-    </servlet>
-
-
-    <servlet>
-      <servlet-name>LessonSource</servlet-name>
-      <description>
-        This servlet returns the Java source of the current lesson. 
-      </description>
-      <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
-    </servlet>
-
-    <servlet>
-      <servlet-name>Catcher</servlet-name>
-      <description>
-        This servlet catches any posts and marks the appropriate lesson property. 
-      </description>
-      <servlet-class>org.owasp.webgoat.Catcher</servlet-class>
-    </servlet>
-
-    <servlet>
-	 <servlet-name>conf</servlet-name>
-	 <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
-    </servlet>
-    
-    
-    <!-- spring MVC -->
-  <servlet>
-  	<servlet-name>mvc-dispatcher</servlet-name>
-    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
-    <load-on-startup>1</load-on-startup>
-  </servlet>
-
-  <servlet-mapping>
- 	<servlet-name>mvc-dispatcher</servlet-name>
-    <url-pattern>*.do</url-pattern>
-  </servlet-mapping>
-  
-  <listener>
-    <listener-class>
-      org.springframework.web.context.ContextLoaderListener
-    </listener-class>
-  </listener>
-  <!-- end spring MVC --> 
-
-  <!-- spring security -->
-  <filter>
-    <filter-name>springSecurityFilterChain</filter-name>
-    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-  </filter>
-
-  <filter-mapping>
-    <filter-name>springSecurityFilterChain</filter-name>
-    <url-pattern>/*</url-pattern>
-  </filter-mapping>
-  <!-- end spring security -->
-   
-
-    
-    
-    <!-- Define mappings that are used by the servlet container to
-         translate a particular request URI (context-relative) to a
-         particular servlet.  The examples below correspond to the
-         servlet descriptions above.  Thus, a request URI like:
-
-           http://localhost:8080/{contextpath}/graph
-
-         will be mapped to the "graph" servlet, while a request like:
-
-           http://localhost:8080/{contextpath}/saveCustomer.do
-
-         will be mapped to the "controller" servlet.
-
-         You may define any number of servlet mappings, including zero.
-         It is also legal to define more than one mapping for the same
-         servlet, if you wish to.
-    -->
-
-
-    <servlet-mapping>
-      <servlet-name>AxisServlet</servlet-name>
-      <url-pattern>/servlet/AxisServlet</url-pattern>
-    </servlet-mapping>
- 
-    <servlet-mapping>
-      <servlet-name>AxisServlet</servlet-name>
-      <url-pattern>*.jws</url-pattern>
-    </servlet-mapping>
- 
-    <servlet-mapping>
-      <servlet-name>AxisServlet</servlet-name>
-      <url-pattern>/services/*</url-pattern>
-    </servlet-mapping>
- 
-    <servlet-mapping>
-      <servlet-name>SOAPMonitorService</servlet-name>
-      <url-pattern>/SOAPMonitor</url-pattern>
-    </servlet-mapping>
- 
-    <!-- uncomment this if you want the admin servlet -->
-    <!--
-    <servlet-mapping>
-      <servlet-name>AdminServlet</servlet-name>
-      <url-pattern>/servlet/AdminServlet</url-pattern>
-    </servlet-mapping>
-     -->
-
-    <servlet-mapping>
-      <servlet-name>WebGoat</servlet-name>
-      <url-pattern>/attack</url-pattern>
-    </servlet-mapping>
-    
-    <servlet-mapping>
-      <servlet-name>LessonSource</servlet-name>
-      <url-pattern>/source</url-pattern>
-    </servlet-mapping>
-
-    <servlet-mapping>
-      <servlet-name>Catcher</servlet-name>
-      <url-pattern>/catcher</url-pattern>
-    </servlet-mapping>
-
-    <servlet-mapping>
-      <servlet-name>conf</servlet-name>
-      <url-pattern>/conf</url-pattern>
-    </servlet-mapping>
-    
-    
-
-    <!-- Define the default session timeout for your application,
-         in minutes.  From a servlet or JSP page, you can modify
-         the timeout for a particular session dynamically by using
-         HttpSession.getMaxInactiveInterval(). -->
-
-    <session-config>
-    	<!-- 2 days -->
-        <session-timeout>2880</session-timeout>
-    </session-config>
-
-    <mime-mapping>
-        <extension>wmv</extension>
-        <mime-type>video/x-ms-wmv</mime-type>
-    </mime-mapping>
-
-	<!-- Define reference to the user database for looking up roles -->
-	<resource-env-ref>
-	    <description>
-	      Link to the UserDatabase instance from which we request lists of
-	      defined role names.  Typically, this will be connected to the global
-	      user database with a ResourceLink element in server.xml or the context
-	      configuration file for the Manager web application.
-	    </description>
-	    <resource-env-ref-name>users</resource-env-ref-name>
-	    <resource-env-ref-type>
-	      org.apache.catalina.UserDatabase
-	    </resource-env-ref-type>
-	</resource-env-ref>
-	
-
-	<!-- Define a Security Constraint on this Application -->
-	<security-constraint>
-	    <web-resource-collection>
-	      <web-resource-name>WebGoat Application</web-resource-name>
-	      <url-pattern>/*</url-pattern>
-	    </web-resource-collection>
-	    <auth-constraint>
-	       <role-name>webgoat_user</role-name>
-	       <role-name>webgoat_admin</role-name>
-	       <role-name>webgoat_challenge</role-name>
-	    </auth-constraint>
-	</security-constraint>
-	
-	<security-constraint>
-	    <web-resource-collection>
-	      <web-resource-name>WebGoat Application Source</web-resource-name>
-	      <url-pattern>/JavaSource/*</url-pattern>
-	    </web-resource-collection>
-	    <auth-constraint>
-	       <role-name>server_admin</role-name>
-	    </auth-constraint>
-	</security-constraint>
-   
-	
-	<!-- Login configuration uses BASIC authentication -->
-	<login-config>
-	    <auth-method>BASIC</auth-method>
-	    <realm-name>WebGoat Application</realm-name>
-	</login-config>
-	
-	<!-- Security roles referenced by this web application -->
-	<security-role>
-	    <description>The role that is required to administrate WebGoat</description>
-	    <role-name>webgoat_admin</role-name>
-	</security-role>
-	
-	<security-role>
-	    <description>The role that is required to start the challenge log viewer</description>
-	    <role-name>webgoat_challenge</role-name>
-	</security-role>
-
-	<security-role>
-	    <description>The role that is required to use WebGoat</description>
-	    <role-name>webgoat_user</role-name>
-	</security-role>
-
-	<security-role>
-	    <description>This role is for admins only</description>
-	    <role-name>server_admin</role-name>
-	</security-role>
-
-</web-app>
-
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app 
+    xmlns="http://java.sun.com/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+    version="2.5">
+
+    <!-- General description of your web application -->
+    <display-name>WebGoat</display-name>
+    <description>
+      This web application is designed to demonstrate web
+      application security flaws for the purpose of educating
+      developers and security professionals about web
+      application security problems. Please contact Bruce Mayhew 
+      (webgoat@owasp.org) if you have any questions.
+    </description>
+
+
+
+   <!-- Context initialization parameters that define shared
+         String constants used within your application, which
+         can be customized by the system administrator who is
+         installing your application.  The values actually
+         assigned to these parameters can be retrieved in a
+         servlet or JSP page by calling:
+
+             String value =
+               getServletContext().getInitParameter("name");
+
+         where "name" matches the <param-name> element of
+         one of these initialization parameters.
+
+         You can define any number of context initialization
+         parameters, including zero.
+    -->
+
+    <context-param>
+      <param-name>email</param-name>
+      <param-value>WebGoat@owasp.org</param-value>
+      <description>
+        The EMAIL address of the administrator to whom questions
+        and comments about this application should be addressed.
+      </description>
+    </context-param>
+    
+    <!-- spring MVC -->
+  	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>
+			/WEB-INF/mvc-dispatcher-servlet.xml,
+			/WEB-INF/spring-security.xml
+		</param-value>
+  	</context-param>
+  
+
+    <!-- Servlet definitions for the servlets that make up
+         your web application, including initialization
+         parameters.  With Tomcat, you can also send requests
+         to servlets not listed here with a request like this:
+
+           http://localhost:8080/{context-path}/servlet/{classname}
+
+         but this usage is not guaranteed to be portable.  It also
+         makes relative references to images and other resources
+         required by your servlet more complicated, so defining
+         all of your servlets (and defining a mapping to them with
+         a servlet-mapping element) is recommended.
+
+         Servlet initialization parameters can be retrieved in a
+         servlet or JSP page by calling:
+
+            String value =
+               getServletConfig().getInitParameter("name");
+
+         where "name" matches the <param-name> element of
+         one of these initialization parameters.
+
+         You can define any number of servlets, including zero.
+    -->
+
+    <servlet>
+      <servlet-name>AxisServlet</servlet-name>
+      <display-name>Apache-Axis Servlet</display-name>
+      <servlet-class>
+          org.apache.axis.transport.http.AxisServlet
+      </servlet-class>
+    </servlet>
+ 
+    <servlet>
+      <servlet-name>AdminServlet</servlet-name>
+      <display-name>Axis Admin Servlet</display-name>
+      <servlet-class>
+          org.apache.axis.transport.http.AdminServlet
+      </servlet-class>
+      <load-on-startup>100</load-on-startup>
+    </servlet>
+
+    <servlet>
+      <servlet-name>SOAPMonitorService</servlet-name>
+      <display-name>SOAPMonitorService</display-name>
+      <servlet-class>
+          org.apache.axis.monitor.SOAPMonitorService
+      </servlet-class>
+      <init-param>
+        <param-name>SOAPMonitorPort</param-name>
+        <param-value>5001</param-value>
+      </init-param>
+      <load-on-startup>100</load-on-startup>
+    </servlet>
+ 
+    <servlet>
+      <servlet-name>WebGoat</servlet-name>
+      <description>
+        This servlet plays the "controller" role in the MVC architecture
+        used in this application.
+
+        The initialization parameter namess for this servlet are the
+        "servlet path" that will be received by this servlet (after the
+        filename extension is removed).  The corresponding value is the
+        name of the action class that will be used to process this request.
+      </description>
+      <servlet-class>org.owasp.webgoat.HammerHead</servlet-class>
+
+ 	  <init-param>
+      		<param-name>email</param-name>
+      		<param-value>WebGoat@owasp.org</param-value>
+      		<description>
+        		The EMAIL address of the administrator to whom questions
+        		and comments about this application should be addressed.
+      		</description>
+      </init-param>
+      
+	  <init-param>
+            <param-name>debug</param-name>
+            <param-value>false</param-value>
+      </init-param>
+
+      <init-param>
+            <param-name>CookieDebug</param-name>
+            <param-value>true</param-value>
+      </init-param>
+
+      <init-param>
+            <param-name>DefuseOSCommands</param-name>
+            <param-value>false</param-value>
+      </init-param>
+      
+      <init-param>
+            <param-name>Enterprise</param-name>
+            <param-value>true</param-value>
+      </init-param>
+      
+      <init-param>
+            <param-name>CodingExercises</param-name>
+            <param-value>true</param-value>
+      </init-param>
+      
+      <init-param>
+      		<!-- Specify an address where you would like comments to be sent.  -->
+      		<!-- This can be any URL or HTML tags, and will appear on the report card and lesson incomplete pages -->
+      		<!-- Use iso8859-1 encoding to represent special characters that might confuse XML parser. For 
+      			 example, replace "<" with "&lt;" and ">" with "&gt;". -->
+            <param-name>FeedbackAddress</param-name>
+            <param-value>
+				&lt;A HREF=mailto:webgoat@owasp.org&gt;webgoat@owasp.org&lt;/A&gt;
+            </param-value>
+      </init-param>
+      
+      <init-param>
+            <param-name>DatabaseDriver</param-name>
+            <param-value>
+		    	org.hsqldb.jdbcDriver
+            </param-value>
+      </init-param>
+
+      <init-param>
+            <param-name>DatabaseConnectionString</param-name>
+            <!-- 
+            The string "${USER}" in the connection string will be replaced by the active username
+            when making a connection.
+             -->
+            <param-value>
+				jdbc:hsqldb:mem:${USER}
+		    </param-value>
+      </init-param>
+
+      <!-- Load this servlet at server startup time -->
+
+      <load-on-startup>5</load-on-startup>
+
+    </servlet>
+
+
+    <servlet>
+      <servlet-name>LessonSource</servlet-name>
+      <description>
+        This servlet returns the Java source of the current lesson. 
+      </description>
+      <servlet-class>org.owasp.webgoat.LessonSource</servlet-class>
+    </servlet>
+
+    <servlet>
+      <servlet-name>Catcher</servlet-name>
+      <description>
+        This servlet catches any posts and marks the appropriate lesson property. 
+      </description>
+      <servlet-class>org.owasp.webgoat.Catcher</servlet-class>
+    </servlet>
+
+    <servlet>
+	 <servlet-name>conf</servlet-name>
+	 <jsp-file>/lessons/ConfManagement/config.jsp</jsp-file>
+    </servlet>
+    
+    
+    <!-- spring MVC -->
+  <servlet>
+  	<servlet-name>mvc-dispatcher</servlet-name>
+    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <servlet-mapping>
+ 	<servlet-name>mvc-dispatcher</servlet-name>
+    <url-pattern>*.do</url-pattern>
+  </servlet-mapping>
+  
+  <listener>
+    <listener-class>
+      org.springframework.web.context.ContextLoaderListener
+    </listener-class>
+  </listener>
+  <!-- end spring MVC --> 
+
+  <!-- spring security -->
+  <filter>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+  </filter>
+
+  <filter-mapping>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+  <!-- end spring security -->
+   
+
+    
+    
+    <!-- Define mappings that are used by the servlet container to
+         translate a particular request URI (context-relative) to a
+         particular servlet.  The examples below correspond to the
+         servlet descriptions above.  Thus, a request URI like:
+
+           http://localhost:8080/{contextpath}/graph
+
+         will be mapped to the "graph" servlet, while a request like:
+
+           http://localhost:8080/{contextpath}/saveCustomer.do
+
+         will be mapped to the "controller" servlet.
+
+         You may define any number of servlet mappings, including zero.
+         It is also legal to define more than one mapping for the same
+         servlet, if you wish to.
+    -->
+
+
+    <servlet-mapping>
+      <servlet-name>AxisServlet</servlet-name>
+      <url-pattern>/servlet/AxisServlet</url-pattern>
+    </servlet-mapping>
+ 
+    <servlet-mapping>
+      <servlet-name>AxisServlet</servlet-name>
+      <url-pattern>*.jws</url-pattern>
+    </servlet-mapping>
+ 
+    <servlet-mapping>
+      <servlet-name>AxisServlet</servlet-name>
+      <url-pattern>/services/*</url-pattern>
+    </servlet-mapping>
+ 
+    <servlet-mapping>
+      <servlet-name>SOAPMonitorService</servlet-name>
+      <url-pattern>/SOAPMonitor</url-pattern>
+    </servlet-mapping>
+ 
+    <!-- uncomment this if you want the admin servlet -->
+    <servlet-mapping>
+      <servlet-name>AdminServlet</servlet-name>
+      <url-pattern>/servlet/AdminServlet</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+      <servlet-name>WebGoat</servlet-name>
+      <url-pattern>/attack</url-pattern>
+    </servlet-mapping>
+    
+    <servlet-mapping>
+      <servlet-name>LessonSource</servlet-name>
+      <url-pattern>/source</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+      <servlet-name>Catcher</servlet-name>
+      <url-pattern>/catcher</url-pattern>
+    </servlet-mapping>
+
+    <servlet-mapping>
+      <servlet-name>conf</servlet-name>
+      <url-pattern>/conf</url-pattern>
+    </servlet-mapping>
+    
+    
+
+    <!-- Define the default session timeout for your application,
+         in minutes.  From a servlet or JSP page, you can modify
+         the timeout for a particular session dynamically by using
+         HttpSession.getMaxInactiveInterval(). -->
+
+    <session-config>
+    	<!-- 2 days -->
+        <session-timeout>2880</session-timeout>
+    </session-config>
+
+    <mime-mapping>
+        <extension>wmv</extension>
+        <mime-type>video/x-ms-wmv</mime-type>
+    </mime-mapping>
+
+	<!-- Define reference to the user database for looking up roles -->
+        <!--
+	<resource-env-ref>
+	    <description>
+	      Link to the UserDatabase instance from which we request lists of
+	      defined role names.  Typically, this will be connected to the global
+	      user database with a ResourceLink element in server.xml or the context
+	      configuration file for the Manager web application.
+	    </description>
+	    <resource-env-ref-name>users</resource-env-ref-name>
+	    <resource-env-ref-type>
+	      org.apache.catalina.UserDatabase
+	    </resource-env-ref-type>
+	</resource-env-ref>
+	-->
+
+	<!-- Define a Security Constraint on this Application -->
+        <!--
+	<security-constraint>
+	    <web-resource-collection>
+	      <web-resource-name>WebGoat Application</web-resource-name>
+	      <url-pattern>/*</url-pattern>
+	    </web-resource-collection>
+	    <auth-constraint>
+	       <role-name>webgoat_user</role-name>
+	       <role-name>webgoat_admin</role-name>
+	       <role-name>webgoat_challenge</role-name>
+	    </auth-constraint>
+	</security-constraint>
+	
+	<security-constraint>
+	    <web-resource-collection>
+	      <web-resource-name>WebGoat Application Source</web-resource-name>
+	      <url-pattern>/JavaSource/*</url-pattern>
+	    </web-resource-collection>
+	    <auth-constraint>
+	       <role-name>server_admin</role-name>
+	    </auth-constraint>
+	</security-constraint>
+   -->
+	
+	<!-- Login configuration uses BASIC authentication -->
+        <!--
+	<login-config>
+	    <auth-method>BASIC</auth-method>
+	    <realm-name>WebGoat Application</realm-name>
+	</login-config>
+	-->
+	<!-- Security roles referenced by this web application -->
+        <!--
+	<security-role>
+	    <description>The role that is required to administrate WebGoat</description>
+	    <role-name>webgoat_admin</role-name>
+	</security-role>
+	
+	<security-role>
+	    <description>The role that is required to start the challenge log viewer</description>
+	    <role-name>webgoat_challenge</role-name>
+	</security-role>
+
+	<security-role>
+	    <description>The role that is required to use WebGoat</description>
+	    <role-name>webgoat_user</role-name>
+	</security-role>
+
+            <security-role>
+                <description>This role is for admins only</description>
+                <role-name>server_admin</role-name>
+            </security-role>
+    -->
+</web-app>
+