You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-dev@james.apache.org by "Norman Maurer (JIRA)" <se...@james.apache.org> on 2010/07/30 13:03:16 UTC

[jira] Resolved: (JAMES-636) Policy in environment.xml is... ignored?!?

     [ https://issues.apache.org/jira/browse/JAMES-636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Norman Maurer resolved JAMES-636.
---------------------------------

         Assignee: Norman Maurer
    Fix Version/s: 3.0-M1
       Resolution: Won't Fix

The next release of james will not use avalon/phoenix anymore 

> Policy in environment.xml is... ignored?!?
> ------------------------------------------
>
>                 Key: JAMES-636
>                 URL: https://issues.apache.org/jira/browse/JAMES-636
>             Project: JAMES Server
>          Issue Type: Bug
>    Affects Versions: 2.3.0, 3.0
>         Environment: James 2.3.0rc3 / 3.0
>            Reporter: Guillermo Grandes
>            Assignee: Norman Maurer
>             Fix For: 3.0-M1
>
>         Attachments: james.policy
>
>
> I have been testing to securize James, have seen that there was the option to add to policies in the file environment.xml, but in version 2.3 and 3.0 it does not work, I suppose that it will have to do with the migration that became to Phoenix 4.2 from 4.0.1, seems simply that, ignores them quiet and it treats it like a AllPermission, stranger.
> In James 2.2 if no policy is configured, phoenix.log says:
> [Phoenix.] (): No policy specified in server.xml, giving full permissions to ServerApplication.
> In 2.3 / 3.0 no message show...
> I haves used a policy Like this, and... never throws security exceptions... 
>     <policy>
>         <grant code-base="file:${app.home}${/}lib${/}*">
>             <permission class="java.io.FilePermission"
>                         target="${app.home}${/}*"
>                         action="read,write" />
>         </grant>
>     </policy>
> I have even proven to make a FileInputStream of /etc/passwd and... has eaten it, not security exception :(
> In Loom 1.0-rc3 is the same, policy is ignored...
> At the moment the workarround is modifying directly the policy of phoenix-loader.jar and restrict it at global level of the JVM.  
> I have opened a ticket in Codehaus for Loom 1.0rc3, in the case of Phoenix... "two stones" :-)
> See also: http://jira.codehaus.org/browse/LOOM-81
> I inform, in case somebody can make some thing.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org