JavaMail API security permissions best practices
In many of its activities, the JavaMail API needs to access certain configuration files. The JavaMail and JavaBeans Activation Framework binary packages themselves already contain the necessary configuration files. However, the JavaMail API allows the user to define user-specific and installation-specific configuration files to meet special requirements.
The two locations where you can place these configuration
files
are the <user.home> and <java.home>/lib directories.
For example, if the JavaMail API needs to access a file named mailcap
when it sends a message, the API:
- Tries to access <user.home>/mailcap.
- If the first attempt fails due to a lack of security permission or a nonexistent file, the API searches in <java.home>/lib/mailcap.
- If the second attempt also fails, the API searches in the META-INF/mailcap location in the class path. This location actually leads to the configuration files contained in the mail-impl.jar and activation-impl.jar files.
JavaMail code attempts to access configuration files at <user.home> and <java.home>/lib,
which can cause an access control exception to be thrown, since the
default configuration does not grant file read permission for those
two locations by default. This activity does not affect the proper
functioning of the JavaMail API, but you might see a large amount
of mail-related security exceptions reported in the system log, and
these errors could overshadow harmful errors for which you are looking.
This is a sample of the security message, SECJ0314W:
[02/31/08 12:55:38:188 PDT] 00000058 SecurityManag W SECJ0314W: Current Java 2 Security policy reported a
potential violation of Java 2 Security Permission.
Please refer to Problem Determination Guide for further information.
Permission:
D:\o063919\java\jre\lib\javamail.providers : access denied (java.io.FilePermission
D:\o063919\java\jre\lib\javamail.providers read)
Code:
com.ibm.ws.mail.SessionFactory in {file:/D:/o063919/lib/runtime.jar}
Stack Trace:
java.security.AccessControlException: access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java(Compiled Code))
at java.security.AccessController.checkPermission(AccessController.java(Compiled Code))
at java.lang.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
at java.lang.SecurityManager.checkRead(SecurityManager.java(Compiled Code))
at java.io.FileInputStream.<init>(FileInputStream.java(Compiled Code))
at java.io.FileInputStream.<init>(FileInputStream.java:89)
at javax.mail.Session.loadFile(Session.java:1004)
at javax.mail.Session.loadProviders(Session.java:861)
at javax.mail.Session.<init>(Session.java:191)
at javax.mail.Session.getInstance(Session.java:213)
at com.ibm.ws.mail.SessionFactory.getObjectInstance(SessionFactory.java:67)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:314)
at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookupExt(Helpers.java:894)
at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookup(Helpers.java:701)
at com.ibm.ws.naming.jndicos.CNContextImpl.processResolveResults(CNContextImpl.java:1937)
at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1792)
at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1707)
at com.ibm.ws.naming.jndicos.CNContextImpl.lookupExt(CNContextImpl.java:1412)
at com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl.java:1290)
at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:145)
at javax.naming.InitialContext.lookup(InitialContext.java:361)
at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityAbstractBase$JSE_6.
execute(EmailService20060907T224337EntityAbstractBase.java:32)
at com.ibm.bpe.framework.ProcessBase6.executeJavaSnippet(ProcessBase6.java:256)
at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityBase.invokeSnippet
(EmailService20060907T224337EntityBase.java:40)
Note: If this situation is a problem, consider adding
more read access permissions for more locations. This should eliminate
most, if not all, JavaMail-related harmless security exceptions from
the log file.
The permissions required by JavaMail are as follows:
grant codeBase "file:${application}" {
// Allow access to default configuration files
permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}javamail.address.map", "read";
permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}javamail.providers", "read";
permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}mailcap", "read";
permission java.io.FilePermission "${java.home}${/}lib${/}javamail.address.map", "read";
permission java.io.FilePermission "${java.home}${/}lib${/}javamail.providers", "read";
permission java.io.FilePermission "${java.home}${/}lib${/}mailcap", "read";
permission java.io.FilePermission "${user.home}${/}.mailcap", "read";
permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar", "read";
permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar", "read";
permission java.io.FilePermission "${was.install.root}${/}plugins${/}com.ibm.ws.prereq.javamail.jar", "read";
// If using an isolated mail provider,
// add additional file read permissions for each jar defined
// for the isolated mail provider
// permission java.io.FilePermission "path${/}mail.jar, "read";
// Allow connection to mail server using SMTP
permission java.net.SocketPermission "*:25", "connect,resolve";
// Allow connection to mail server using SMTPS
permission java.net.SocketPermission "*:465", "connect,resolve";
// Allow connection to mail server using IMAP
permission java.net.SocketPermission "*:143", "connect,resolve";
// Allow connection to mail server using IMAPS
permission java.net.SocketPermission "*:993", "connect,resolve";
// Allow connection to mail server using POP3
permission java.net.SocketPermission "*:110", "connect,resolve";
// Allow connection to mail server using POP3S
permission java.net.SocketPermission "*:995", "connect,resolve";
// Allow System.getProperties() to be used
// permission java.util.PropertyPermission "*", "read,write";
// Otherwise use the following to allow system properties to be read
permission java.util.PropertyPermission "*", "read";
};