+

Search Tips   |   Advanced Search

Java Mail security permissions best practices


In many of its activities, the Java Mail API needs to access certain configuration files. The Java Mail and Java BeansActivation Framework binary packages themselves already contain the necessary configuration files. However, the Java Mail API allows the user to define user-specific and installation-specific configuration files to meet special requirements.

The two locations where we can place these configuration files are the <user.home> and <java.home>/lib directories. For example, if the Java Mail API needs to access a file named mailcap when it sends a message, the API:

  1. Tries to access <user.home>/mailcap.

  2. If the first attempt fails due to a lack of security permission or a nonexistent file, the API searches in <java.home>/lib/mailcap.

  3. If the second attempt also fails, the API searches in the META-INF/mailcap location in the class path. This location actually leads to the configuration files contained in the mail-impl.jar and activation-impl.jar files.
Application Server uses Java Mail API configuration files that are contained in the mail-impl.jar and activation-impl.jar files, and there are no mail configuration files in <user.home> and <java.home>/lib directories. To ensure proper functioning of the Java Mail API, Application Server grants file read permission for both the mail-impl.jar and activation-impl.jar files to all of the installed applications.

Java Mail code attempts to access configuration files at <user.home> and <java.home>/lib, which can cause an access control exception to be thrown, since the default configuration does not grant file read permission for those two locations by default. This activity does not affect the proper functioning of the Java Mail API, but we might see a large amount of mail-related security exceptions reported in the system log, and these errors could overshadow harmful errors for which we are looking. This is a sample of the security message, SECJ0314W: 

[02/31/08 12:55:38:188 PDT] 00000058 SecurityManag W   SECJ0314W: Current Java 2 Security policy reported a  potential violation of Java 2 Security Permission.  Please refer to Problem Determination Guide for further information.

 Permission:

      D:\o063919\java\jre\lib\javamail.providers : access denied (java.io.FilePermission  D:\o063919\java\jre\lib\javamail.providers read)


 Code:

     com.ibm.ws.mail.SessionFactory  in  {file:/D:/o063919/lib/runtime.jar}



 Stack Trace:
 java.security.AccessControlException: access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java(Compiled Code))
  at java.security.AccessController.checkPermission(AccessController.java(Compiled Code))
  at java.lang.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
  at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
  at java.lang.SecurityManager.checkRead(SecurityManager.java(Compiled Code))
  at java.io.FileInputStream.<init>(FileInputStream.java(Compiled Code))
  at java.io.FileInputStream.<init>(FileInputStream.java:89)
  at javax.mail.Session.loadFile(Session.java:1004)
  at javax.mail.Session.loadProviders(Session.java:861)
  at javax.mail.Session.<init>(Session.java:191)
  at javax.mail.Session.getInstance(Session.java:213)
  at com.ibm.ws.mail.SessionFactory.getObjectInstance(SessionFactory.java:67)
  at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:314)
  at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookupExt(Helpers.java:894)
  at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookup(Helpers.java:701)
  at com.ibm.ws.naming.jndicos.CNContextImpl.processResolveResults(CNContextImpl.java:1937)
  at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1792)
  at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1707)
  at com.ibm.ws.naming.jndicos.CNContextImpl.lookupExt(CNContextImpl.java:1412)
  at com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl.java:1290)
  at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:145)
  at javax.naming.InitialContext.lookup(InitialContext.java:361)
  at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityAbstractBase$JSE_6. execute(EmailService20060907T224337EntityAbstractBase.java:32)
  at com.ibm.bpe.framework.ProcessBase6.executeJava Snippet(ProcessBase6.java:256)
  at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityBase.invokeSnippet (EmailService20060907T224337EntityBase.java:40)

If this situation is a problem, consider adding more read access permissions for more locations. This should eliminate most, if not all, Java Mail-related harmless security exceptions from the log file. The permissions required by Java Mail are as follows: 

grant codeBase "file:${application}" {
  
// Allow access to default configuration files
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}javamail.address.map", "read";
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}javamail.providers", "read";
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}mailcap", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}javamail.address.map", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}javamail.providers", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}mailcap", "read";
  permission java.io.FilePermission "${user.home}${/}.mailcap", "read";
  permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar", "read";
  permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar", "read";
  permission java.io.FilePermission "${was.install.root}${/}plugins${/}com.ibm.ws.prereq.javamail.jar", "read";
  
// If using an isolated mail provider, 
  
// add additional file read permissions for each jar defined
  
// for the isolated mail provider
  
// permission java.io.FilePermission "path${/}mail.jar, "read";
  
  
// Allow connection to mail server using SMTP
  permission java.net.SocketPermission "*:25", "connect,resolve";
  
// Allow connection to mail server using SMTPS
  permission java.net.SocketPermission "*:465", "connect,resolve";
  
  
// Allow connection to mail server using IMAP
  permission java.net.SocketPermission "*:143", "connect,resolve";
  
// Allow connection to mail server using IMAPS
  permission java.net.SocketPermission "*:993", "connect,resolve";
  
  
// Allow connection to mail server using POP3
  permission java.net.SocketPermission "*:110", "connect,resolve";
  
// Allow connection to mail server using POP3S
  permission java.net.SocketPermission "*:995", "connect,resolve";
  
  
// Allow System.getProperties() to be used
  
// permission java.util.PropertyPermission "*", "read,write";
  
// Otherwise use the following to allow system properties to be read
  permission java.util.PropertyPermission "*", "read";
};



 

Related tasks


Use mail