From 56c549e384b1a648c77bbd09a2cc77976e8a64de Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 24 May 2011 17:39:55 -0400
Subject: [PATCH] Documentation.

---
 src/com/gitblit/GitBlitServer.java |   18 ++++++++++++++++--
 1 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index 08c9b29..a7b1538 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -29,6 +29,7 @@
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.bio.SocketConnector;
 import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.server.session.HashSessionManager;
 import org.eclipse.jetty.server.ssl.SslConnector;
 import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
 import org.eclipse.jetty.server.ssl.SslSocketConnector;
@@ -192,6 +193,16 @@
 		rootContext.setServer(server);
 		rootContext.setWar(location.toExternalForm());
 		rootContext.setTempDirectory(tempDir);
+		
+		// Mark all cookies HttpOnly so they are not accessible to JavaScript
+		// engines.
+		// http://erlend.oftedal.no/blog/?blogid=33
+		// https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly
+		HashSessionManager sessionManager = new HashSessionManager();
+		sessionManager.setHttpOnly(true);
+		// Use secure cookies if only serving https
+		sessionManager.setSecureCookies(params.port <= 0 && params.securePort > 0);
+		rootContext.getSessionHandler().setSessionManager(sessionManager);
 
 		// Wicket Filter
 		String wicketPathSpec = "/*";
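Review bot: The Secure flag at `sessionManager.setSecureCookies(params.port <= 0 && params.securePort > 0)` is only set when the plain HTTP connector is disabled, so in a deployment serving both ports a session cookie issued over HTTPS is also transmitted in clear on the HTTP port; the comment above it should state that tradeoff rather than just restating the condition, e.g. `// Secure is only safe when HTTP is off (a Secure cookie is never sent over plain HTTP);` / `// in a mixed HTTP+HTTPS deployment the session cookie is therefore exposed on the HTTP port.` The comment `// Mark all cookies HttpOnly` overstates what the code does: a session manager flag only covers the session cookie it issues, not cookies set elsewhere by the application, so `// Mark the session cookie HttpOnly so it is not readable by script` is more accurate. The `HashSessionManager` is also constructed without an inactivity timeout; if this Jetty version's default is no expiry, as I believe it is, a `setMaxInactiveInterval` call or a comment pointing at where the timeout is configured would be worth adding. The enclosing method starts and ends outside this hunk.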
@@ -200,10 +211,13 @@
 		wicketFilter.setInitParameter(WicketFilter.FILTER_MAPPING_PARAM, wicketPathSpec);
 		wicketFilter.setInitParameter(WicketFilter.IGNORE_PATHS_PARAM, "git/");
 		rootContext.addFilter(wicketFilter, wicketPathSpec, FilterMapping.DEFAULT);
-
+		
+		// Zip Servlet
+		rootContext.addServlet(DownloadZipServlet.class, Constants.ZIP_SERVLET_PATH + "*");
+		
 		// Git Servlet
 		ServletHolder gitServlet = null;
-		String gitServletPathSpec = "/git/*";
+		String gitServletPathSpec = Constants.GIT_SERVLET_PATH + "*";
 		if (fileSettings.getBoolean(Keys.git.enableGitServlet, true)) {
 			gitServlet = rootContext.addServlet(GitBlitServlet.class, gitServletPathSpec);
 			gitServlet.setInitParameter("base-path", params.repositoriesFolder);
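Review bot: The zip servlet at `rootContext.addServlet(DownloadZipServlet.class, Constants.ZIP_SERVLET_PATH + "*")` is registered unconditionally, while the Git servlet a few lines below is gated on `fileSettings.getBoolean(Keys.git.enableGitServlet, true)`; since on-demand archive download exposes full repository content through a separate path, operators are likely to want the same kind of switch, so either gate it on a corresponding setting or add a comment explaining why it is always enabled. The Wicket filter's `IGNORE_PATHS_PARAM` in this hunk still lists only `"git/"`; if the filter does not pass unmatched paths down the chain, the new zip path may need to be added there as well, which is worth confirming against the filter's behaviour. The enclosing method starts and ends outside this hunk.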

--
Gitblit v1.9.1