[ http://issues.apache.org/jira/browse/JAMES-636?page=comments#action_12437148 ]

Guillermo Grandes commented on JAMES-636:
-----------------------------------------

I have been watching... for more info about this problem...

http://svn.apache.org/repos/asf/avalon/cvs-migration-snapshot/avalon-phoenix/src/java/
  org/apache/avalon/phoenix/components/classloader/DefaultClassLoaderManager.java
  org/apache/avalon/phoenix/components/classloader/SarPolicyResolver.java

I see references to: org.realityforge.xmlpolicy.*

import org.realityforge.xmlpolicy.builder.PolicyBuilder;
import org.realityforge.xmlpolicy.metadata.PolicyMetaData;
import org.realityforge.xmlpolicy.reader.PolicyReader;
import org.realityforge.xmlpolicy.builder.PolicyResolver;

$PHOENIX_HOME/lib/spice-{salt,xmlpolicy,loggerstore,classman}-*.jar

In the old version snapshotted by kickjava.com:
http://www.kickjava.com/src/org/apache/avalon/phoenix/components/classloader/DefaultClassLoaderManager.java.htm
I can't see references to org.realityforge.xmlpolicy.*

Searching for the source in Google...
http://cvs.loom.codehaus.org/browse/~raw,r=1.6/loom/loom/support/xmlpolicy/src/java/org/realityforge/xmlpolicy/builder/PolicyBuilder.java

I have run out of ideas.

> Policy in environment.xml is... ignored?!?
> ------------------------------------------
>
>                 Key: JAMES-636
>                 URL: http://issues.apache.org/jira/browse/JAMES-636
>             Project: James
>          Issue Type: Bug
>    Affects Versions: Trunk, 2.3.0rc3
>         Environment: James 2.3.0rc3 / 3.0
>            Reporter: Guillermo Grandes
>         Attachments: james.policy
>
>
> I have been testing how to secure James, and have seen that there was the option to
> add policies in the file environment.xml, but in versions 2.3 and 3.0 it
> does not work. I suppose that it has to do with the migration that
> was made to Phoenix 4.2 from 4.0.1; it seems that it simply ignores them quietly and
> treats it like an AllPermission, strange.
> In James 2.2, if no policy is configured, phoenix.log says:
> [Phoenix.] (): No policy specified in server.xml, giving full permissions to ServerApplication.
> In 2.3 / 3.0 no message is shown...
> I have used a policy like this, and... it never throws security exceptions...
> <policy>
>   <grant code-base="file:${app.home}${/}lib${/}*">
>     <permission class="java.io.FilePermission"
>                 target="${app.home}${/}*"
>                 action="read,write" />
>   </grant>
> </policy>
> I have even tried making a FileInputStream of /etc/passwd and... it has eaten
> it, no security exception :(
> In Loom 1.0-rc3 it is the same, the policy is ignored...
> At the moment the workaround is directly modifying the policy of
> phoenix-loader.jar and restricting it at the global level of the JVM.
> I have opened a ticket in Codehaus for Loom 1.0rc3, in the case of Phoenix...
> "two stones" :-)
> See also: http://jira.codehaus.org/browse/LOOM-81
> I am reporting this in case somebody can do something.
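
A way to check from inside the container whether a policy like the one in this report is actually in force, as an added example that is not part of the original message and is not James, Phoenix or Loom code. The class name `PolicyProbe` and its methods are hypothetical, and it assumes a JVM that still supports the Security Manager.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical probe (not James, Phoenix or Loom code); load it from the application's code base. */
public final class PolicyProbe {
    /** Lists every sign that appClass runs unrestricted; an empty list means the checks passed. */
    public static List<String> findings(Class<?> appClass, String forbiddenPath) {
        List<String> out = new ArrayList<String>();
        Permission read = new FilePermission(forbiddenPath, "read");
        // Without a SecurityManager no permission check ever runs, whatever the policy says.
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            out.add("no SecurityManager installed: policy grants are not enforced");
        }

        // What the class loader and the policy together grant to this code source.
        ProtectionDomain pd = appClass.getProtectionDomain();
        String source = String.valueOf(pd.getCodeSource());
        if (pd.implies(new AllPermission())) {
            out.add("AllPermission is granted to " + source);
        } else if (pd.implies(read)) {
            out.add("read of " + forbiddenPath + " is granted to " + source);
        }

        // Runtime check over the whole call stack, as FileInputStream would trigger it.
        if (sm != null) {
            try {
                sm.checkPermission(read);
                out.add("checkPermission allowed read of " + forbiddenPath);
            } catch (SecurityException expected) {
                // Expected outcome when the policy is enforced.
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed default: a path outside ${app.home}, as in the report's test.
        String path = args.length > 0 ? args[0] : "/etc/passwd";
        List<String> gaps = findings(PolicyProbe.class, path);
        for (String gap : gaps) System.out.println("GAP: " + gap);
        System.out.println(gaps.isEmpty() ? "policy enforced" : gaps.size() + " gap(s) found");
    }
}
```

Run stand-alone, it reports on the JVM's default setup; to test the container's policy, call `findings()` from a class deployed under the application's `lib` directory so that the probe shares the code base named in the grant.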