migrate from container managed authentication to spring security

updated spring and spring security versions

.gitignore

@@ -0,0 +1,2 @@
+/nb-configuration.xml
+/nbactions.xml

pom.xml

@@ -17,7 +17,7 @@
 	<!-- Shared version number properties -->
 	<properties>
 		<org.springframework.version>3.2.4.RELEASE</org.springframework.version>
-		<spring.security.version>3.1.2.RELEASE</spring.security.version>
+		<spring.security.version>3.2.4.RELEASE</spring.security.version>
 		<tiles.version>2.2.2</tiles.version>
 	</properties>
 

webapp/META-INF/context.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context antiJARLocking="true" path=""/>

webapp/WEB-INF/mvc-dispatcher-servlet.xml

@@ -1,50 +1,50 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:p="http://www.springframework.org/schema/p" 
-	xmlns:context="http://www.springframework.org/schema/context"
-	xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans 
-	   		http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-	   		http://www.springframework.org/schema/context
-	   		http://www.springframework.org/schema/context/spring-context-3.0.xsd
-			http://www.springframework.org/schema/mvc 
-			http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
-
-	<context:component-scan base-package="org.owasp.webgoat.lessons" />
-
-	<!--
-	put custom validators here.  E.g.:
-	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
-	-->
-
-	<!-- Activates various annotations to be detected in bean classes -->
-	<context:annotation-config />
-
-	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
-	<mvc:annotation-driven /> 
-
-	<!-- Import Tiles-related configuration -->
-	<import resource="tiles-context.xml" />
-
-
-	<!-- Declare a view resolver -->
-	<!-- Take note of the order. Since we're using TilesViewResolver as well 
-		 We need to define which ViewResolver is called first. 
-		 We chose this InternalResourceViewResolver to be at the bottom order -->
-	<bean 
-		id="viewResolver" 
-		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
-    	p:prefix="/WEB-INF/pages/" 
-    	p:suffix=".jsp" 
-    	p:order="1"/>
-
-
- 	<!-- Register the Customer.properties 
-	<bean id="messageSource"
-		class="org.springframework.context.support.ResourceBundleMessageSource">
-		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
-	</bean>
-	-->
-
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:p="http://www.springframework.org/schema/p" 
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:mvc="http://www.springframework.org/schema/mvc"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans 
+	   		http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
+	   		http://www.springframework.org/schema/context
+	   		http://www.springframework.org/schema/context/spring-context-3.2.xsd
+			http://www.springframework.org/schema/mvc 
+			http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
+
+	<context:component-scan base-package="org.owasp.webgoat.lessons" />
+
+	<!--
+	put custom validators here.  E.g.:
+	<bean class="org.owasp.webgoat.validators.MyCustomValidator" />
+	-->
+
+	<!-- Activates various annotations to be detected in bean classes -->
+	<context:annotation-config />
+
+	<!-- Configures the annotation-driven Spring MVC Controller programming model.  -->
+	<mvc:annotation-driven /> 
+
+	<!-- Import Tiles-related configuration -->
+	<import resource="tiles-context.xml" />
+
+
+	<!-- Declare a view resolver -->
+	<!-- Take note of the order. Since we're using TilesViewResolver as well 
+		 We need to define which ViewResolver is called first. 
+		 We chose this InternalResourceViewResolver to be at the bottom order -->
+	<bean 
+		id="viewResolver" 
+		class="org.springframework.web.servlet.view.InternalResourceViewResolver" 
+    	p:prefix="/WEB-INF/pages/" 
+    	p:suffix=".jsp" 
+    	p:order="1"/>
+
+
+ 	<!-- Register the Customer.properties 
+	<bean id="messageSource"
+		class="org.springframework.context.support.ResourceBundleMessageSource">
+		<property name="basename" value="org/owasp/webgoat/properties/Customer" />
+	</bean>
+	-->
+
 </beans>

webapp/WEB-INF/spring-security.xml

@@ -1,28 +1,45 @@
-<beans:beans xmlns="http://www.springframework.org/schema/security"
-	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://www.springframework.org/schema/beans
-	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-	http://www.springframework.org/schema/security
-	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
-	<!--
-		PCS 8/27/2012
-		NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
-		That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
-	-->  
-    <http auto-config='true'>    	
-        <intercept-url pattern="/**" access="ROLE_USER" />
-        <http-basic/>
-    </http>
-
-    <!-- Authentication Manager -->
-    <authentication-manager alias="authenticationManager">
-        <authentication-provider>
-        	<user-service>
-        		<!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
-            	<user name="guest" password="guest" authorities="ROLE_USER" />
-        	</user-service>
-    	</authentication-provider>
-    </authentication-manager>  
-
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+             xsi:schemaLocation="http://www.springframework.org/schema/beans
+	http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
+	http://www.springframework.org/schema/security
+	http://www.springframework.org/schema/security/spring-security-3.2.xsd">
+
+    <!--
+            PCS 8/27/2012
+            NOTE: Without Spring security, HttpServletRequest.getUserPrincipal() returns null when called from pages under Spring's control.
+            That method is used extensively in legacy webgoat code.  Integrating Spring security into the application resolves this issue.
+    -->  
+    <http>     
+        <intercept-url pattern="/servlet/AdminServlet/**" access="ROLE_WEBGOAT_ADMIN" />
+        <intercept-url pattern="/JavaSource/**" access="ROLE_SERVER_ADMIN" />          	
+        <intercept-url pattern="/**" access="ROLE_WEBGOAT_USER" />
+        <http-basic />
+    </http>
+
+    <!-- Authentication Manager -->
+    <authentication-manager alias="authenticationManager">
+        <authentication-provider>
+            <user-service>
+                <!-- TODO: credentials in the config - this isn't something I'm proud of - get rid of this ASAP --> 
+                <user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" />
+                <user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" />
+                <user name="server" password="server" authorities="ROLE_SERVER_ADMIN" />
+            </user-service>
+        </authentication-provider>
+    </authentication-manager>  
+
+    <!-- Role hierarchy -->
+    <!--
+    <beans:bean id="roleHierarchy"
+          class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
+        <beans:property name="hierarchy">
+            <beans:value>
+                server_admin > webgoat_admin
+                webgoat_admin > webgoat_challenge
+                webgoat_challenge > webgoat_user
+            </beans:value>
+        </beans:property>
+    </beans:bean>
+    -->
 </beans:beans>