org.owasp.webgoat.session

Class WebSession

java.lang.Object

org.owasp.webgoat.session.WebSession

public class WebSession
extends Object

************************************************************************************************* This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/ Copyright (c) 2002 - 20014 Bruce Mayhew This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. Getting Source ============== Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.

Since:

October 28, 2003

Version:

$Id: $Id

Author:

Jeff Williams Aspect Security, Bruce Mayhew WebGoat

Field Summary

Fields

Modifier and Type	Field and Description
static String	ADMIN Description of the Field
static String	CHALLENGE Description of the Field
static String	COLOR Description of the Field
static String	COURSE Constant COURSE="course"
static String	DEBUG Constant DEBUG="debug"
static int	ERROR Error screen number
static String	JSESSION_ID session id string
static String	LANGUAGE Constant LANGUAGE="language"
static String	LOGOUT Logout parameter name
static String	MENU menu parameter name
static String	RESTART Restart parameter name
static String	SCREEN Screen parameter name
static String	SESSION Description of the Field
static String	SHOW Constant SHOW="show"
static String	SHOW_COOKIES Constant SHOW_COOKIES="Cookies"
static String	SHOW_NEXTHINT Constant SHOW_NEXTHINT="NextHint"
static String	SHOW_PARAMS Constant SHOW_PARAMS="Params"
static String	SHOW_PREVIOUSHINT Constant SHOW_PREVIOUSHINT="PreviousHint"
static String	SHOW_SOLUTION Constant SHOW_SOLUTION="Solution"
static String	SHOW_SOURCE Constant SHOW_SOURCE="Source"
static String	SHOWHINTS Constant SHOWHINTS="ShowHints"
static String	SHOWSOLUTION Constant SHOWSOLUTION="ShowSolution"
static String	SHOWSOURCE Constant SHOWSOURCE="ShowSource"
static String	STAGE Constant STAGE="stage"
static String	WEBGOAT_ADMIN Tomcat role for a webgoat admin
static String	WEBGOAT_USER Tomcat role for a webgoat user
static int	WELCOME Description of the Field

Constructor Summary

Constructors

Constructor and Description
WebSession(WebgoatContext webgoatContext, javax.servlet.ServletContext context) Constructor for the WebSession object

Method Summary

Modifier and Type	Method and Description
void	add(String key, Object value) Description of the Method
void	clearMessage() Description of the Method
void	closeLessonSession(AbstractLesson lesson) closeLessonSession.
boolean	completedHackableAdmin() Has the user ever hacked the hackable admin
void	eatCookies() Marks all cookies but the JSESSIONID for deletion and adds them to the response.
Object	get(String key) Description of the Method
static Connection	getConnection(WebSession s) getConnection.
javax.servlet.ServletContext	getContext() Gets the context attribute of the WebSession object
String	getCookie(String cookieName) Gets the cookie attribute of the CookieScreen object
List<javax.servlet.http.Cookie>	getCookies() getCookies.
List<javax.servlet.http.Cookie>	getCookiesOnLastRequest() Getter for the field cookiesOnLastRequest.
Course	getCourse() Gets the course attribute of the WebSession object
AbstractLesson	getCurrentLesson() getCurrentLesson.
String	getCurrentLink() getCurrentLink.
int	getCurrentMenu() Getter for the field currentMenu.
int	getCurrentScreen() Gets the currentScreen attribute of the WebSession object
String	getCurrrentLanguage() getCurrrentLanguage.
String	getHeader(String header) getHeader.
String	getHint() getHint.
String	getInstructions() getInstructions.
AbstractLesson	getLesson(int id) getLesson.
List<AbstractLesson>	getLessons(Category category) getLessons.
LessonSession	getLessonSession(AbstractLesson lesson) getLessonSession.
String	getMessage() Gets the message attribute of the WebSession object
String	getNextHint() getNextHint.
List<Parameter>	getParams() getParams.
List<RequestParameter>	getParmsOnLastRequest() Getter for the field parmsOnLastRequest.
ParameterParser	getParser() Gets the parser attribute of the WebSession object
String	getPreviousHint() getPreviousHint.
int	getPreviousScreen() Gets the previousScreen attribute of the WebSession object
javax.servlet.http.HttpServletRequest	getRequest() Gets the request attribute of the WebSession object
javax.servlet.http.HttpServletResponse	getResponse() Gets the response attribute of the WebSession object
String	getRestartLink() getRestartLink.
String	getRole() getRole.
List<String>	getRoles() getRoles.
String	getServletName() Gets the servletName attribute of the WebSession object
String	getSolution() getSolution.
String	getSource() getSource.
int	getUserIdInLesson() getUserIdInLesson.
String	getUserName() Gets the userName attribute of the WebSession object
String	getUserNameInLesson() getUserNameInLesson.
WebgoatContext	getWebgoatContext() Getter for the field webgoatContext.
String	getWebResource(String fileName) Gets the sourceFile attribute of the WebSession object
boolean	isAdmin() Gets the admin attribute of the WebSession object
boolean	isAuthenticated() Gets the authenticated attribute of the WebSession object
boolean	isAuthenticatedInLesson(AbstractLesson lesson) isAuthenticatedInLesson.
boolean	isAuthorizedInLesson(int employeeId, String functionId) isAuthorizedInLesson.
boolean	isAuthorizedInLesson(String role, String functionId) isAuthorizedInLesson.
boolean	isChallenge() Gets the challenge attribute of the WebSession object
boolean	isColor() Gets the color attribute of the WebSession object
boolean	isDebug() isDebug.
boolean	isHackedAdmin() Gets the hackedAdmin attribute of the WebSession object
boolean	isScreen(int value) Gets the screen attribute of the WebSession object
boolean	isUser() Gets the user attribute of the WebSession object
void	openLessonSession(AbstractLesson lesson) openLessonSession.
void	restartLesson(int lessonId) restartLesson.
static void	returnConnection(WebSession s) returnConnection.
void	setAdmin(boolean state) Sets the admin flag - this routine is ONLY here to allow someone a backdoor to setting the user up as an admin.
void	setCourse(Course course) Setter for the field course.
void	setCurrentMenu(Integer ranking) Setter for the field currentMenu.
void	setCurrentScreen(int screen) Setter for the field currentScreen.
void	setHasHackableAdmin(String role) setHasHackableAdmin.
void	setLineBreak(String text) setLineBreak.
void	setMessage(String text) Sets the message attribute of the WebSession object
void	setRequest(javax.servlet.http.HttpServletRequest request) Setter for the field request.
boolean	showCookies() Description of the Method
boolean	showParams() Description of the Method
boolean	showRequest() Description of the Method
boolean	showSolution() showSolution.
boolean	showSource() Description of the Method
void	update(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String name) Parse parameters from the given request, handle any servlet commands, and update this session based on the parameters.
void	updateLastAttackRequestInfo(javax.servlet.http.HttpServletRequest request) updateLastAttackRequestInfo.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ADMIN

public static final String ADMIN

Description of the Field

See Also:

Constant Field Values

WEBGOAT_USER

public static final String WEBGOAT_USER

Tomcat role for a webgoat user

See Also:

Constant Field Values

WEBGOAT_ADMIN

public static final String WEBGOAT_ADMIN

Tomcat role for a webgoat admin

See Also:

Constant Field Values

CHALLENGE

public static final String CHALLENGE

Description of the Field

See Also:

Constant Field Values

COLOR

public static final String COLOR

Description of the Field

See Also:

Constant Field Values

COURSE

public static final String COURSE

Constant COURSE="course"

See Also:

Constant Field Values

ERROR

public static final int ERROR

Error screen number

See Also:

Constant Field Values

STAGE

public static final String STAGE

Constant STAGE="stage"

See Also:

Constant Field Values

JSESSION_ID

public static final String JSESSION_ID

session id string

See Also:

Constant Field Values

LOGOUT

public static final String LOGOUT

Logout parameter name

See Also:

Constant Field Values

RESTART

public static final String RESTART

Restart parameter name

See Also:

Constant Field Values

MENU

public static final String MENU

menu parameter name

See Also:

Constant Field Values

SCREEN

public static final String SCREEN

Screen parameter name

See Also:

Constant Field Values

SESSION

public static final String SESSION

Description of the Field

See Also:

Constant Field Values

SHOWSOURCE

public static final String SHOWSOURCE

Constant SHOWSOURCE="ShowSource"

See Also:

Constant Field Values

SHOWSOLUTION

public static final String SHOWSOLUTION

Constant SHOWSOLUTION="ShowSolution"

See Also:

Constant Field Values

SHOWHINTS

public static final String SHOWHINTS

Constant SHOWHINTS="ShowHints"

See Also:

Constant Field Values

SHOW

public static final String SHOW

Constant SHOW="show"

See Also:

Constant Field Values

SHOW_NEXTHINT

public static final String SHOW_NEXTHINT

Constant SHOW_NEXTHINT="NextHint"

See Also:

Constant Field Values

SHOW_PREVIOUSHINT

public static final String SHOW_PREVIOUSHINT

Constant SHOW_PREVIOUSHINT="PreviousHint"

See Also:

Constant Field Values

SHOW_PARAMS

public static final String SHOW_PARAMS

Constant SHOW_PARAMS="Params"

See Also:

Constant Field Values

SHOW_COOKIES

public static final String SHOW_COOKIES

Constant SHOW_COOKIES="Cookies"

See Also:

Constant Field Values

SHOW_SOURCE

public static final String SHOW_SOURCE

Constant SHOW_SOURCE="Source"

See Also:

Constant Field Values

SHOW_SOLUTION

public static final String SHOW_SOLUTION

Constant SHOW_SOLUTION="Solution"

See Also:

Constant Field Values

DEBUG

public static final String DEBUG

Constant DEBUG="debug"

See Also:

Constant Field Values

LANGUAGE

public static final String LANGUAGE

Constant LANGUAGE="language"

See Also:

Constant Field Values

WELCOME

public static final int WELCOME

Description of the Field

See Also:

Constant Field Values

Constructor Detail

WebSession

public WebSession(WebgoatContext webgoatContext,
                  javax.servlet.ServletContext context)

Constructor for the WebSession object

Parameters:

webgoatContext - a WebgoatContext object.

context - Description of the Parameter

Method Detail

getConnection

public static Connection getConnection(WebSession s)
                                throws SQLException

getConnection.

Parameters:

s - a WebSession object.

Returns:

a Connection object.

Throws:

SQLException - if any.

returnConnection

public static void returnConnection(WebSession s)

returnConnection.

Parameters:

s - a WebSession object.

add

public void add(String key,
                Object value)

Description of the Method

Parameters:

key - Description of the Parameter

value - Description of the Parameter

clearMessage

public void clearMessage()

Description of the Method

eatCookies

public void eatCookies()

Marks all cookies but the JSESSIONID for deletion and adds them to the response.

get

public Object get(String key)

Description of the Method

Parameters:

key - Description of the Parameter

Returns:

Description of the Return Value

getContext

public javax.servlet.ServletContext getContext()

Gets the context attribute of the WebSession object

Returns:

The context value

getRoles

public List<String> getRoles()

getRoles.

Returns:

a List object.

setAdmin

public void setAdmin(boolean state)

Sets the admin flag - this routine is ONLY here to allow someone a backdoor to setting the user up as an admin. This is also used by the WebSession to set the admin, but the method should be private

Parameters:

state - a boolean.

getRole

public String getRole()

getRole.

Returns:

a String object.

getCourse

public Course getCourse()

Gets the course attribute of the WebSession object

Returns:

The course value

setCourse

public void setCourse(Course course)

Setter for the field course.

Parameters:

course - a Course object.

getCurrentScreen

public int getCurrentScreen()

Gets the currentScreen attribute of the WebSession object

Returns:

The currentScreen value

setCurrentScreen

public void setCurrentScreen(int screen)

Setter for the field currentScreen.

Parameters:

screen - a int.

getRestartLink

public String getRestartLink()

getRestartLink.

Returns:

a String object.

getCurrentLink

public String getCurrentLink()

getCurrentLink.

Returns:

a String object.

getCurrentLesson

public AbstractLesson getCurrentLesson()

getCurrentLesson.

Returns:

a AbstractLesson object.

getLesson

public AbstractLesson getLesson(int id)

getLesson.

Parameters:

id - a int.

Returns:

a AbstractLesson object.

getLessons

public List<AbstractLesson> getLessons(Category category)

getLessons.

Parameters:

category - a Category object.

Returns:

a List object.

getHint

public String getHint()

getHint.

Returns:

a String object.

getParams

public List<Parameter> getParams()

getParams.

Returns:

a List object.

getCookies

public List<javax.servlet.http.Cookie> getCookies()

getCookies.

Returns:

a List object.

getCookie

public String getCookie(String cookieName)

Gets the cookie attribute of the CookieScreen object

Parameters:

cookieName - a String object.

Returns:

The cookie value

getSource

public String getSource()

getSource.

Returns:

a String object.

getSolution

public String getSolution()

getSolution.

Returns:

a String object.

getInstructions

public String getInstructions()

getInstructions.

Returns:

a String object.

getMessage

public String getMessage()

Gets the message attribute of the WebSession object

Returns:

The message value

getParser

public ParameterParser getParser()

Gets the parser attribute of the WebSession object

Returns:

The parser value

getPreviousScreen

public int getPreviousScreen()

Gets the previousScreen attribute of the WebSession object

Returns:

The previousScreen value

getRequest

public javax.servlet.http.HttpServletRequest getRequest()

Gets the request attribute of the WebSession object

Returns:

The request value

setRequest

public void setRequest(javax.servlet.http.HttpServletRequest request)

Setter for the field request.

Parameters:

request - a HttpServletRequest object.

getResponse

public javax.servlet.http.HttpServletResponse getResponse()

Gets the response attribute of the WebSession object

Returns:

The response value

getServletName

public String getServletName()

Gets the servletName attribute of the WebSession object

Returns:

The servletName value

getWebResource

public String getWebResource(String fileName)

Gets the sourceFile attribute of the WebSession object

Parameters:

fileName - a String object.

Returns:

The sourceFile value

isAdmin

public boolean isAdmin()

Gets the admin attribute of the WebSession object

Returns:

The admin value

isHackedAdmin

public boolean isHackedAdmin()

Gets the hackedAdmin attribute of the WebSession object

Returns:

The hackedAdmin value

completedHackableAdmin

public boolean completedHackableAdmin()

Has the user ever hacked the hackable admin

Returns:

The hackedAdmin value

isAuthenticated

public boolean isAuthenticated()

Gets the authenticated attribute of the WebSession object

Returns:

The authenticated value

isAuthenticatedInLesson

public boolean isAuthenticatedInLesson(AbstractLesson lesson)

isAuthenticatedInLesson.

Parameters:

lesson - a AbstractLesson object.

Returns:

a boolean.

isAuthorizedInLesson

public boolean isAuthorizedInLesson(int employeeId,
                                    String functionId)

isAuthorizedInLesson.

Parameters:

employeeId - a int.

functionId - a String object.

Returns:

a boolean.

isAuthorizedInLesson

public boolean isAuthorizedInLesson(String role,
                                    String functionId)

isAuthorizedInLesson.

Parameters:

role - a String object.

functionId - a String object.

Returns:

a boolean.

getUserIdInLesson

public int getUserIdInLesson()
                      throws ParameterNotFoundException

getUserIdInLesson.

Returns:

a int.

Throws:

ParameterNotFoundException - if any.

getUserNameInLesson

public String getUserNameInLesson()
                           throws ParameterNotFoundException

getUserNameInLesson.

Returns:

a String object.

Throws:

ParameterNotFoundException - if any.

openLessonSession

public void openLessonSession(AbstractLesson lesson)

openLessonSession.

Parameters:

lesson - a AbstractLesson object.

closeLessonSession

public void closeLessonSession(AbstractLesson lesson)

closeLessonSession.

Parameters:

lesson - a AbstractLesson object.

getLessonSession

public LessonSession getLessonSession(AbstractLesson lesson)

getLessonSession.

Parameters:

lesson - a AbstractLesson object.

Returns:

a LessonSession object.

isChallenge

public boolean isChallenge()

Gets the challenge attribute of the WebSession object

Returns:

The challenge value

isColor

public boolean isColor()

Gets the color attribute of the WebSession object

Returns:

The color value

isScreen

public boolean isScreen(int value)

Gets the screen attribute of the WebSession object

Parameters:

value - Description of the Parameter

Returns:

The screen value

isUser

public boolean isUser()

Gets the user attribute of the WebSession object

Returns:

The user value

setMessage

public void setMessage(String text)

Sets the message attribute of the WebSession object

Parameters:

text - The new message value

setLineBreak

public void setLineBreak(String text)

setLineBreak.

Parameters:

text - a String object.

showCookies

public boolean showCookies()

Description of the Method

Returns:

Description of the Return Value

showParams

public boolean showParams()

Description of the Method

Returns:

Description of the Return Value

showRequest

public boolean showRequest()

Description of the Method

Returns:

Description of the Return Value

showSource

public boolean showSource()

Description of the Method

Returns:

Description of the Return Value

showSolution

public boolean showSolution()

showSolution.

Returns:

a boolean.

getUserName

public String getUserName()

Gets the userName attribute of the WebSession object

Returns:

The userName value

update

public void update(javax.servlet.http.HttpServletRequest request,
                   javax.servlet.http.HttpServletResponse response,
                   String name)
            throws IOException

Parse parameters from the given request, handle any servlet commands, and update this session based on the parameters.

Parameters:

request - Description of the Parameter

response - Description of the Parameter

name - Description of the Parameter

Throws:

IOException - if any.

updateLastAttackRequestInfo

public void updateLastAttackRequestInfo(javax.servlet.http.HttpServletRequest request)

updateLastAttackRequestInfo.

Parameters:

request - a HttpServletRequest object.

restartLesson

public void restartLesson(int lessonId)

restartLesson.

Parameters:

lessonId - a int.

setHasHackableAdmin

public void setHasHackableAdmin(String role)

setHasHackableAdmin.

Parameters:

role - a String object.

isDebug

public boolean isDebug()

isDebug.

Returns:

Returns the isDebug.

getHeader

public String getHeader(String header)

getHeader.

Parameters:

header - - request header value to return

Returns:

a String object.

getNextHint

public String getNextHint()

getNextHint.

Returns:

a String object.

getPreviousHint

public String getPreviousHint()

getPreviousHint.

Returns:

a String object.

setCurrentMenu

public void setCurrentMenu(Integer ranking)

Setter for the field currentMenu.

Parameters:

ranking - a Integer object.

getCurrentMenu

public int getCurrentMenu()

Getter for the field currentMenu.

Returns:

a int.

getWebgoatContext

public WebgoatContext getWebgoatContext()

Getter for the field webgoatContext.

Returns:

a WebgoatContext object.

getCurrrentLanguage

public String getCurrrentLanguage()

getCurrrentLanguage.

Returns:

a String object.

getCookiesOnLastRequest

public List<javax.servlet.http.Cookie> getCookiesOnLastRequest()

Getter for the field cookiesOnLastRequest.

Returns:

the cookiesOnLastRequest

getParmsOnLastRequest

public List<RequestParameter> getParmsOnLastRequest()

Getter for the field parmsOnLastRequest.

Returns:

the parmsOnLastRequest