Fix: exceptional resource leaks from coverty

[gigi.git] / src / org / cacert / gigi / Launcher.java

diff --git a/src/org/cacert/gigi/Launcher.java b/src/org/cacert/gigi/Launcher.java
index 177d63eed5925b18bed89a27e873990af3ac2d6e..a399dcddd4388a8bfbc96b91f187af40079adadd 100644 (file)
--- a/src/org/cacert/gigi/Launcher.java
+++ b/src/org/cacert/gigi/Launcher.java
@@ -19,12 +19,14 @@ import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
+import javax.servlet.http.HttpServletResponse;
 
 import org.cacert.gigi.api.GigiAPI;
 import org.cacert.gigi.email.EmailProvider;
 import org.cacert.gigi.natives.SetUID;
 import org.cacert.gigi.util.CipherInfo;
 import org.cacert.gigi.util.ServerConstants;
+import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
@@ -43,6 +45,7 @@ import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 public class Launcher {
@@ -128,6 +131,7 @@ public class Launcher {
         secureContextFactory.setNeedClientAuth(false);
         final SslContextFactory staticContextFactory = generateSSLContextFactory(conf, "static");
         final SslContextFactory apiContextFactory = generateSSLContextFactory(conf, "api");
+        apiContextFactory.setWantClientAuth(true);
         try {
             secureContextFactory.start();
             staticContextFactory.start();
@@ -194,7 +198,7 @@ public class Launcher {
     }
 
     private static ContextHandler generateGigiServletContext(ServletHolder webAppServlet) {
-        final ResourceHandler rh = new ResourceHandler();
+        final ResourceHandler rh = generateResourceHandler();
         rh.setResourceBase("static/www");
 
         HandlerWrapper hw = new PolicyRedirector();
@@ -205,6 +209,7 @@ public class Launcher {
         servlet.addServlet(webAppServlet, "/*");
         ErrorPageErrorHandler epeh = new ErrorPageErrorHandler();
         epeh.addErrorPage(404, "/error");
+        epeh.addErrorPage(403, "/denied");
         servlet.setErrorHandler(epeh);
 
         HandlerList hl = new HandlerList();
@@ -218,7 +223,7 @@ public class Launcher {
     }
 
     private static Handler generateStaticContext() {
-        final ResourceHandler rh = new ResourceHandler();
+        final ResourceHandler rh = generateResourceHandler();
         rh.setResourceBase("static/static");
 
         ContextHandler ch = new ContextHandler();
@@ -230,6 +235,19 @@ public class Launcher {
         return ch;
     }
 
+    private static ResourceHandler generateResourceHandler() {
+        ResourceHandler rh = new ResourceHandler() {
+
+            @Override
+            protected void doResponseHeaders(HttpServletResponse response, Resource resource, String mimeType) {
+                super.doResponseHeaders(response, resource, mimeType);
+                response.setDateHeader(HttpHeader.EXPIRES.asString(), System.currentTimeMillis() + 1000L * 60 * 60 * 24 * 7);
+            }
+        };
+        rh.setEtags(true);
+        return rh;
+    }
+
     private static Handler generateAPIContext() {
         ServletContextHandler sch = new ServletContextHandler();
 
@@ -264,6 +282,7 @@ public class Launcher {
         scf.setRenegotiationAllowed(false);
 
         scf.setProtocol("TLS");
+        scf.setIncludeProtocols("TLSv1", "TLSv1.1", "TLSv1.2");
         scf.setTrustStore(conf.getTrustStore());
         KeyStore privateStore = conf.getPrivateStore();
         scf.setKeyStorePassword(conf.getPrivateStorePw());