JavaMail security permissions best practices

In many of its activities, the JavaMail API needs to access certain configuration files. The JavaMail and JavaBeans Activation Framework binary packages themselves already contain the necessary configuration files. However, the JavaMail API allows you to define specific configuration files for your environment to meet special requirements.

The two locations where you can place these configuration files are the <user.home> and <java.home>/lib directories. For example, if the JavaMail API needs to access a file named mailcap when it sends a message, the API:
  1. Tries to access <user.home>/mailcap.
  2. If the first attempt fails due to a lack of security permission or a nonexistent file, the API searches in <java.home>/lib/mailcap.
  3. If the second attempt also fails, the API searches in the META-INF/mailcap location in the class path. This location actually leads to the configuration files contained in the mail-impl.jar and activation-impl.jar files.
Application Server uses JavaMail API configuration files that are contained in the mail-impl.jar and activation-impl.jar files, and there are no mail configuration files in <user.home> and <java.home>/lib directories. To ensure proper functioning of the JavaMail API, Application Server grants file read permission for both the mail-impl.jar and activation-impl.jar files to all of the installed applications.
JavaMail code attempts to access configuration files at <user.home> and <java.home>/lib, which can cause an access control exception to be thrown, since the default configuration does not grant file read permission for those two locations by default. This activity does not affect the proper functioning of the JavaMail API, but you might see a large amount of mail-related security exceptions reported in the system log, and these errors could overshadow harmful errors for which you are looking. This is a sample of the security message, SECJ0314W:
[02/31/08 12:55:38:188 PDT] 00000058 SecurityManag W   SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information.

Permission:

      D:\o063919\java\jre\lib\javamail.providers : access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read)


Code:

     com.ibm.ws.mail.SessionFactory  in  {file:/D:/o063919/lib/runtime.jar}



Stack Trace:

java.security.AccessControlException: access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java(Compiled Code))
	at java.security.AccessController.checkPermission(AccessController.java(Compiled Code))
	at java.lang.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
	at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
	at java.lang.SecurityManager.checkRead(SecurityManager.java(Compiled Code))
	at java.io.FileInputStream.<init>(FileInputStream.java(Compiled Code))
	at java.io.FileInputStream.<init>(FileInputStream.java:89)
	at javax.mail.Session.loadFile(Session.java:1004)
	at javax.mail.Session.loadProviders(Session.java:861)
	at javax.mail.Session.<init>(Session.java:191)
	at javax.mail.Session.getInstance(Session.java:213)
	at com.ibm.ws.mail.SessionFactory.getObjectInstance(SessionFactory.java:67)
	at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:314)
	at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookupExt(Helpers.java:894)
	at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookup(Helpers.java:701)
	at com.ibm.ws.naming.jndicos.CNContextImpl.processResolveResults(CNContextImpl.java:1937)
	at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1792)
	at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1707)
	at com.ibm.ws.naming.jndicos.CNContextImpl.lookupExt(CNContextImpl.java:1412)
	at com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl.java:1290)
	at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:145)
	at javax.naming.InitialContext.lookup(InitialContext.java:361)
	at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityAbstractBase$JSE_6.execute(EmailService20060907T224337EntityAbstractBase.java:32)
	at com.ibm.bpe.framework.ProcessBase6.executeJavaSnippet(ProcessBase6.java:256)
	at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityBase.invokeSnippet(EmailService20060907T224337EntityBase.java:40)
Best practice: If these exceptions are a problem, consider granting read-access permissions for more locations.
The permissions that are required by JavaMail are as follows:
grant codeBase "file:${application}" {
  // The following are required by Java mail
  permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar", "read";
  permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}javamail.providers", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}javamail.address.map", "read";
  permission java.io.FilePermission "${user.home}${/}mailcap", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}mailcap", "read";
};
bprac



Related tasks
Configuring the was.policy file
Using mail
Reference topic    

Terms of Use | Feedback

Last updated: Aug 29, 2010 10:43:27 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v602web&product=was-nd-mp&topic=rjtc_security
File name: rmai_security.html