Even with the following in isis.properties:
the file authorizor is picked up:
13:41:06,268 [FileAuthorizor main INFO ] loading authorization details from allow.properties
13:41:06,269 [FileAuthorizor main INFO ] loading authorization details from allow.properties
13:41:06,269 [JmxBeanServer main INFO ] JMX bean server created
13:41:06,299 [JmxBeanServer main INFO ] file-authorizer JMX mbean registered: org.apache.isis.security.file.authorization.FileAuthorizor@34a083f2
But it does not work - services that are listed in the disallow.properties and services not listed in the allow.properties are still available.