[
https://issues.apache.org/jira/browse/JAMES-636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Norman Maurer resolved JAMES-636.
---------------------------------
Assignee: Norman Maurer
Fix Version/s: 3.0-M1
Resolution: Won't Fix
The next release of James will not use Avalon/Phoenix anymore.
> Policy in environment.xml is... ignored?!?
> ------------------------------------------
>
> Key: JAMES-636
> URL: https://issues.apache.org/jira/browse/JAMES-636
> Project: JAMES Server
> Issue Type: Bug
> Affects Versions: 2.3.0, 3.0
> Environment: James 2.3.0rc3 / 3.0
> Reporter: Guillermo Grandes
> Assignee: Norman Maurer
> Fix For: 3.0-M1
>
> Attachments: james.policy
>
>
> I have been testing ways to secure James and have seen that there is an option to
> add policies in the file environment.xml, but in versions 2.3 and 3.0 it
> does not work. I suppose it has to do with the migration from Phoenix 4.0.1
> to 4.2; it seems that it simply ignores them quietly and treats it like an
> AllPermission, which is strange.
> In James 2.2 if no policy is configured, phoenix.log says:
> [Phoenix.] (): No policy specified in server.xml, giving full permissions to
> ServerApplication.
> In 2.3 / 3.0 no message is shown...
> I have used a policy like this, and... it never throws security exceptions...
> <policy>
> <grant code-base="file:${app.home}${/}lib${/}*">
> <permission class="java.io.FilePermission"
> target="${app.home}${/}*"
> action="read,write" />
> </grant>
> </policy>
> I have even tried to make a FileInputStream of /etc/passwd and... it ate
> it, no security exception :(
> In Loom 1.0-rc3 it is the same, the policy is ignored...
> At the moment the workaround is to directly modify the policy of
> phoenix-loader.jar and restrict it at the global level of the JVM.
> I have opened a ticket in Codehaus for Loom 1.0rc3, in the case of Phoenix...
> "two stones" :-)
> See also: http://jira.codehaus.org/browse/LOOM-81
> I am reporting this in case somebody can do something.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
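
An added example, not part of the original report and not James or Phoenix code: a small probe that reports whether any file-permission policy is actually being enforced for the calling code, which is the condition the report found silently missing. It assumes it is run from code loaded under the same code base the policy grants to (the `lib` directory in the report); the class name `PolicyProbe` and the second test path are hypothetical.

```java
import java.io.FilePermission;
import java.security.Permission;

// Added example: checks whether reads outside the granted directory are denied.
public class PolicyProbe {

    /** Outcome of probing one permission from the current calling context. */
    enum Result { NO_SECURITY_MANAGER, GRANTED, DENIED }

    @SuppressWarnings({"deprecation", "removal"})
    static Result probe(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // No security manager installed: no policy is enforced at all,
            // which is equivalent to AllPermission for every code base.
            return Result.NO_SECURITY_MANAGER;
        }
        try {
            sm.checkPermission(p); // throws SecurityException when not granted
            return Result.GRANTED;
        } catch (SecurityException e) {
            return Result.DENIED;
        }
    }

    /** True only if every path outside the granted directory is denied. */
    static boolean policyEnforced(String[] pathsOutsideGrant) {
        boolean enforced = true;
        for (String path : pathsOutsideGrant) {
            Result r = probe(new FilePermission(path, "read"));
            System.out.println("read " + path + " -> " + r);
            if (r != Result.DENIED) {
                enforced = false;
            }
        }
        return enforced;
    }

    public static void main(String[] args) {
        // The policy in the report grants only ${app.home}/*, so both of
        // these should be DENIED. The second path is a constructed sample.
        String[] outside = { "/etc/passwd", "/tmp/outside-app-home.txt" };
        System.out.println(policyEnforced(outside)
                ? "policy is enforced"
                : "policy is NOT enforced for this code base");
    }
}
```

The probe only checks permissions and never opens the files; it also avoids `System.exit`, which would itself need a runtime permission under an active security manager.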