Resolution: Won't Fix
Affects Version/s: 2.3.0, 3.0.0
Fix Version/s: 3.0-M1
Environment:James 2.3.0rc3 / 3.0
I have been testing to securize James, have seen that there was the option to add to policies in the file environment.xml, but in version 2.3 and 3.0 it does not work, I suppose that it will have to do with the migration that became to Phoenix 4.2 from 4.0.1, seems simply that, ignores them quiet and it treats it like a AllPermission, stranger.
In James 2.2 if no policy is configured, phoenix.log says:
[Phoenix.] (): No policy specified in server.xml, giving full permissions to ServerApplication.
In 2.3 / 3.0 no message show...
I haves used a policy Like this, and... never throws security exceptions...
I have even proven to make a FileInputStream of /etc/passwd and... has eaten it, not security exception
In Loom 1.0-rc3 is the same, policy is ignored...
At the moment the workarround is modifying directly the policy of phoenix-loader.jar and restrict it at global level of the JVM.
I have opened a ticket in Codehaus for Loom 1.0rc3, in the case of Phoenix... "two stones"
See also: http://jira.codehaus.org/browse/LOOM-81
I inform, in case somebody can make some thing.