[Owasp-webgoat] LAB: Role Based Access Control - exception

Andrew Petukhov petand at lvk.cs.msu.su
Wed Oct 8 01:35:07 EDT 2008


Hi, everybody.
Perhaps this topic was already discussed on this list - then I am sorry.
At least I haven't found the answer using google.
The trouble is that I cannot create user accounts in the "LAB: Role
Based Access Control".
The sequence of steps:
1. http://localhost:9090/WebGoat/attack
2. Start Web Goat
3. Click on "LAB: Role Based Access Control"
4. Log in, for example, as John the Admin.
5. Click on CreateProfile.

As a result, the WebGoat HR application forcefully expires my session as John
the Admin and presents a blank page with a "Login" button.
The Tomcat console reports the following error:

Wed Oct 08 09:11:56 MSD 2008 | 127.0.0.1:127.0.0.1 | org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl | [Screen=37,password=john,action=Login,employee_id=111,menu=200]
org.owasp.webgoat.session.ParameterNotFoundException: employee_id not found
        at org.owasp.webgoat.session.ParameterParser.getStringParameter(ParameterParser.java:679)
        at org.owasp.webgoat.session.ParameterParser.getIntParameter(ParameterParser.java:462)
        at org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile.handleRequest(EditProfile.java:59)
        at org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl.handleRequest(RoleBasedAccessControl.java:243)
        at org.owasp.webgoat.HammerHead.makeScreen(HammerHead.java:324)
        at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:731)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:619)
- WebGoat: Wed Oct 08 09:11:58 MSD 2008 | 127.0.0.1:127.0.0.1 | org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl | [Screen=37,action=CreateProfile,menu=200]
Wed Oct 08 09:11:58 MSD 2008 | 127.0.0.1:127.0.0.1 | org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl | [Screen=37,action=CreateProfile,menu=200]


So, does anybody know a solution to this? I'd be very grateful!

Thanks in advance!

Andrew