Fix: exceptional resource leaks from coverty

[gigi.git] / src / org / cacert / gigi / Launcher.java

diff --git a/src/org/cacert/gigi/Launcher.java b/src/org/cacert/gigi/Launcher.java
index 983c18dcd03fbff23b632e840328849697bfb713..a399dcddd4388a8bfbc96b91f187af40079adadd 100644 (file)
--- a/src/org/cacert/gigi/Launcher.java
+++ b/src/org/cacert/gigi/Launcher.java
@@ -19,12 +19,14 @@ import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
+import javax.servlet.http.HttpServletResponse;
 
 import org.cacert.gigi.api.GigiAPI;
 import org.cacert.gigi.email.EmailProvider;
 import org.cacert.gigi.natives.SetUID;
 import org.cacert.gigi.util.CipherInfo;
 import org.cacert.gigi.util.ServerConstants;
+import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Handler;
@@ -43,13 +45,20 @@ import org.eclipse.jetty.servlet.ErrorPageErrorHandler;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
 public class Launcher {
 
     public static void main(String[] args) throws Exception {
+        System.setProperty("jdk.tls.ephemeralDHKeySize", "4096");
+        boot();
+    }
+
+    public static void boot() throws Exception {
         Locale.setDefault(Locale.ENGLISH);
         TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
+
         GigiConfig conf = GigiConfig.parse(System.in);
         ServerConstants.init(conf.getMainProps());
         initEmails(conf);
@@ -78,6 +87,9 @@ public class Launcher {
                 Log.getLogger(Launcher.class).warn("Couldn't set uid!");
             }
         }
+        if (conf.getMainProps().containsKey("testrunner")) {
+            DevelLauncher.addDevelPage();
+        }
     }
 
     private static ServerConnector createConnector(GigiConfig conf, Server s, HttpConfiguration httpConfig, boolean doHttps) throws GeneralSecurityException, IOException {
@@ -119,6 +131,7 @@ public class Launcher {
         secureContextFactory.setNeedClientAuth(false);
         final SslContextFactory staticContextFactory = generateSSLContextFactory(conf, "static");
         final SslContextFactory apiContextFactory = generateSSLContextFactory(conf, "api");
+        apiContextFactory.setWantClientAuth(true);
         try {
             secureContextFactory.start();
             staticContextFactory.start();
@@ -185,7 +198,7 @@ public class Launcher {
     }
 
     private static ContextHandler generateGigiServletContext(ServletHolder webAppServlet) {
-        final ResourceHandler rh = new ResourceHandler();
+        final ResourceHandler rh = generateResourceHandler();
         rh.setResourceBase("static/www");
 
         HandlerWrapper hw = new PolicyRedirector();
@@ -196,6 +209,7 @@ public class Launcher {
         servlet.addServlet(webAppServlet, "/*");
         ErrorPageErrorHandler epeh = new ErrorPageErrorHandler();
         epeh.addErrorPage(404, "/error");
+        epeh.addErrorPage(403, "/denied");
         servlet.setErrorHandler(epeh);
 
         HandlerList hl = new HandlerList();
@@ -209,7 +223,7 @@ public class Launcher {
     }
 
     private static Handler generateStaticContext() {
-        final ResourceHandler rh = new ResourceHandler();
+        final ResourceHandler rh = generateResourceHandler();
         rh.setResourceBase("static/static");
 
         ContextHandler ch = new ContextHandler();
@@ -221,6 +235,19 @@ public class Launcher {
         return ch;
     }
 
+    private static ResourceHandler generateResourceHandler() {
+        ResourceHandler rh = new ResourceHandler() {
+
+            @Override
+            protected void doResponseHeaders(HttpServletResponse response, Resource resource, String mimeType) {
+                super.doResponseHeaders(response, resource, mimeType);
+                response.setDateHeader(HttpHeader.EXPIRES.asString(), System.currentTimeMillis() + 1000L * 60 * 60 * 24 * 7);
+            }
+        };
+        rh.setEtags(true);
+        return rh;
+    }
+
     private static Handler generateAPIContext() {
         ServletContextHandler sch = new ServletContextHandler();
 
@@ -255,6 +282,7 @@ public class Launcher {
         scf.setRenegotiationAllowed(false);
 
         scf.setProtocol("TLS");
+        scf.setIncludeProtocols("TLSv1", "TLSv1.1", "TLSv1.2");
         scf.setTrustStore(conf.getTrustStore());
         KeyStore privateStore = conf.getPrivateStore();
         scf.setKeyStorePassword(conf.getPrivateStorePw());