JavaMail API 安全许可权最佳实践

在它的很多活动中,JavaMail API 需要访问某些配置文件。JavaMail 和“JavaBeans 激活框架”二进制文件包本身已包含必要的配置文件。但是,JavaMail API 允许用户定义特定于用户和特定于安装的配置文件来满足特殊需要。

您可以布置这些配置文件的两个位置为 <user.home><java.home>/lib 目录。例如,如果 JavaMail API 在发送消息时需要访问名为 mailcap 的文件,那么 API:
  1. 将尝试访问 <user.home>/mailcap
  2. 如果由于缺少安全许可权或文件不存在而导致首次尝试失败,那么 API 将在 <java.home>/lib/mailcap 中进行搜索。
  3. 如果第二次尝试仍然失败,那么 API 将在该类路径的 META-INF/mailcap 位置进行搜索。此位置实际上导向 mail-impl.jar 和 activation-impl.jar 文件中包含的配置文件。
Application Server 使用 mail-impl.jar 和 activation-impl.jar 文件中包含的 JavaMail API 配置文件,并且在 <user.home><java.home>/lib 目录中没有邮件配置文件。 为了确保 JavaMail API 的正常运行,Application Server 将在所有已安装的应用程序中授予 mail-impl.jar 和 activation-impl.jar 文件的文件读许可权。
JavaMail 代码尝试访问 <user.home><java.home>/lib 处的配置文件将导致抛出访问控制异常,因为在缺省情况下,缺省配置不会将文件读许可权授予这两个位置。该活动不影响 JavaMail API 的正确运行,但是系统日志中可能会报告很多与 JavaMail 相关的安全性异常,这些错误可能会使您正在查找的有危害的错误不那么容易被发现。这是安全性消息示例,SECJ0314W:
[02/31/08 12:55:38:188 PDT] 00000058 SecurityManag W   SECJ0314W: Current Java 2 Security policy reported a 
potential violation of Java 2 Security Permission. 
Please refer to Problem Determination Guide for further information.

Permission:

      D:\o063919\java\jre\lib\javamail.providers : access denied (java.io.FilePermission 
D:\o063919\java\jre\lib\javamail.providers read)


Code:

     com.ibm.ws.mail.SessionFactory  in  {file:/D:/o063919/lib/runtime.jar}



Stack Trace:

java.security.AccessControlException: access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java(Compiled Code))
	at java.security.AccessController.checkPermission(AccessController.java(Compiled Code))
	at java.lang.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
	at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
	at java.lang.SecurityManager.checkRead(SecurityManager.java(Compiled Code))
	at java.io.FileInputStream.<init>(FileInputStream.java(Compiled Code))
	at java.io.FileInputStream.<init>(FileInputStream.java:89)
	at javax.mail.Session.loadFile(Session.java:1004)
	at javax.mail.Session.loadProviders(Session.java:861)
	at javax.mail.Session.<init>(Session.java:191)
	at javax.mail.Session.getInstance(Session.java:213)
	at com.ibm.ws.mail.SessionFactory.getObjectInstance(SessionFactory.java:67)
	at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:314)
	at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookupExt(Helpers.java:894)
	at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookup(Helpers.java:701)
	at com.ibm.ws.naming.jndicos.CNContextImpl.processResolveResults(CNContextImpl.java:1937)
	at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1792)
	at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1707)
	at com.ibm.ws.naming.jndicos.CNContextImpl.lookupExt(CNContextImpl.java:1412)
	at com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl.java:1290)
	at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:145)
	at javax.naming.InitialContext.lookup(InitialContext.java:361)
	at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityAbstractBase$JSE_6.
execute(EmailService20060907T224337EntityAbstractBase.java:32)
	at com.ibm.bpe.framework.ProcessBase6.executeJavaSnippet(ProcessBase6.java:256)
	at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityBase.invokeSnippet
(EmailService20060907T224337EntityBase.java:40)
注: 如果该情况确实成问题,那么考虑为更多位置添加更多读访问许可权。如果不能消除日志文件中全部与 JavaMail 相关的无害安全性异常,但这应该能够消除它们中的大多数。
JavaMail 所需要的许可权如下所示:
grant codeBase "file:${application}" {
  // Allow access to default configuration files
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}javamail.address.map", "read";
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}javamail.providers", "read";
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}mailcap", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}javamail.address.map", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}javamail.providers", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}mailcap", "read";
  permission java.io.FilePermission "${user.home}${/}.mailcap", "read";
  permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar", "read";
  permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar", "read";
  permission java.io.FilePermission "${was.install.root}${/}plugins${/}com.ibm.ws.prereq.javamail.jar", "read";
  // If using an isolated mail provider, 
  // add additional file read permissions for each jar defined
  // for the isolated mail provider
  // permission java.io.FilePermission "path${/}mail.jar, "read";
  
  // Allow connection to mail server using SMTP
  permission java.net.SocketPermission "*:25", "connect,resolve";
  // Allow connection to mail server using SMTPS
  permission java.net.SocketPermission "*:465", "connect,resolve";
  
  // Allow connection to mail server using IMAP
  permission java.net.SocketPermission "*:143", "connect,resolve";
  // Allow connection to mail server using IMAPS
  permission java.net.SocketPermission "*:993", "connect,resolve";
  
  // Allow connection to mail server using POP3
  permission java.net.SocketPermission "*:110", "connect,resolve";
  // Allow connection to mail server using POP3S
  permission java.net.SocketPermission "*:995", "connect,resolve";
  
  // Allow System.getProperties() to be used
  // permission java.util.PropertyPermission "*", "read,write";
  // Otherwise use the following to allow system properties to be read
  permission java.util.PropertyPermission "*", "read";
};

指示主题类型的图标 参考主题



时间戳记图标 最近一次更新时间: last_date
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rmai_security
文件名:rmai_security.html