Posted to server-dev@james.apache.org by "Guillermo Grandes (JIRA)" <se...@james.apache.org> on 2006/09/23 19:03:25 UTC

[jira] Updated: (JAMES-636) Policy in environment.xml is... ignored?!?

     [ http://issues.apache.org/jira/browse/JAMES-636?page=all ]

Guillermo Grandes updated JAMES-636:
------------------------------------

    Attachment: james.policy

This is my workaround custom policy to "securize" James.
I attach it in case somebody wants to use it as a point to begin with.

Place the policy in "$PHOENIX_HOME/bin" and change phoenix.sh to use the new policy:

- >    -Djava.security.policy=jar:file:/opt/james/bin/phoenix-loader.jar!/META-INF/java.policy
+ >    -Djava.security.policy=file:$PHOENIX_HOME/bin/james.policy \
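
Review bot: the added line ends in a line-continuation backslash that the removed line does not have, so it only works if another JVM argument follows it in phoenix.sh; if this is the last option on the command, drop the trailing "\". $PHOENIX_HOME is also expanded unquoted, so an install path containing spaces would split the argument; quote the whole -D option. Since the goal is to restrict permissions, note that a single "=" adds this file to the policy files already listed in the JVM's java.security, while "==" makes it the only policy in effect.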


> Policy in environment.xml is... ignored?!?
> ------------------------------------------
>
>                 Key: JAMES-636
>                 URL: http://issues.apache.org/jira/browse/JAMES-636
>             Project: James
>          Issue Type: Bug
>    Affects Versions: Trunk, 2.3.0rc3
>         Environment: James 2.3.0rc3 / 3.0
>            Reporter: Guillermo Grandes
>         Attachments: james.policy
>
>
> I have been testing how to securize James and have seen that there was the option to add policies in the file environment.xml, but in versions 2.3 and 3.0 it does not work. I suppose that it has to do with the migration to Phoenix 4.2 from 4.0.1; it seems that it simply ignores them quietly and treats it like an AllPermission, which is strange.
> In James 2.2, if no policy is configured, phoenix.log says:
> [Phoenix.] (): No policy specified in server.xml, giving full permissions to ServerApplication.
> In 2.3 / 3.0 no message is shown...
> I have used a policy like this, and... it never throws security exceptions...
>     <policy>
>         <grant code-base="file:${app.home}${/}lib${/}*">
>             <permission class="java.io.FilePermission"
>                         target="${app.home}${/}*"
>                         action="read,write" />
>         </grant>
>     </policy>
> I have even tried to make a FileInputStream of /etc/passwd and... it has eaten it, no security exception :(
> In Loom 1.0-rc3 it is the same, the policy is ignored...
> At the moment the workaround is to modify the policy of phoenix-loader.jar directly and restrict it at the global level of the JVM.
> I have opened a ticket in Codehaus for Loom 1.0rc3, in the case of Phoenix... "two stones" :-)
> See also: http://jira.codehaus.org/browse/LOOM-81
> I am reporting this in case somebody can do something.
