JavaMail API security permissions best practices
In many of its activities, the JavaMail API needs to access certain configuration files. The JavaMail and JavaBeans Activation Framework binary packages themselves already contain the necessary configuration files. However, the JavaMail API allows the user to define user-specific and installation-specific configuration files to meet special requirements.
The two locations where we can place these configuration files are the <user.home> and <java.home>/lib directories. For example, if the JavaMail API needs to access a file named mailcap when it sends a message, the API:
- Tries to access <user.home>/mailcap.
- If the first attempt fails due to a lack of security permission or a nonexistent file, the API searches in <java.home>/lib/mailcap.
- If the second attempt also fails, the API searches in the META-INF/mailcap location in the class path. This location actually leads to the configuration files contained in the mail-impl.jar and activation-impl.jar files.
Application Server uses JavaMail API configuration files that are contained in the mail-impl.jar and activation-impl.jar files, and there are no mail configuration files in the <user.home> and <java.home>/lib directories. To ensure proper functioning of the JavaMail API, Application Server grants file read permission for both the mail-impl.jar and activation-impl.jar files to all of the installed applications.
JavaMail code attempts to access configuration files at <user.home> and <java.home>/lib, which can cause an access control exception to be thrown, because the default configuration does not grant file read permission for those two locations. This activity does not affect the proper functioning of the JavaMail API, but we might see a large number of mail-related security exceptions reported in the system log, and these errors could overshadow harmful errors for which we are looking. This is a sample of the security message, SECJ0314W:
```
[02/31/08 12:55:38:188 PDT] 00000058 SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information.
Permission: D:\o063919\java\jre\lib\javamail.providers : access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read)
Code: com.ibm.ws.mail.SessionFactory in {file:/D:/o063919/lib/runtime.jar}
Stack Trace:
java.security.AccessControlException: access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java(Compiled Code))
    at java.security.AccessController.checkPermission(AccessController.java(Compiled Code))
    at java.lang.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
    at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java(Compiled Code))
    at java.lang.SecurityManager.checkRead(SecurityManager.java(Compiled Code))
    at java.io.FileInputStream.<init>(FileInputStream.java(Compiled Code))
    at java.io.FileInputStream.<init>(FileInputStream.java:89)
    at javax.mail.Session.loadFile(Session.java:1004)
    at javax.mail.Session.loadProviders(Session.java:861)
    at javax.mail.Session.<init>(Session.java:191)
    at javax.mail.Session.getInstance(Session.java:213)
    at com.ibm.ws.mail.SessionFactory.getObjectInstance(SessionFactory.java:67)
    at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:314)
    at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookupExt(Helpers.java:894)
    at com.ibm.ws.naming.util.Helpers.processSerializedObjectForLookup(Helpers.java:701)
    at com.ibm.ws.naming.jndicos.CNContextImpl.processResolveResults(CNContextImpl.java:1937)
    at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1792)
    at com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1707)
    at com.ibm.ws.naming.jndicos.CNContextImpl.lookupExt(CNContextImpl.java:1412)
    at com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl.java:1290)
    at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:145)
    at javax.naming.InitialContext.lookup(InitialContext.java:361)
    at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityAbstractBase$JSE_6.execute(EmailService20060907T224337EntityAbstractBase.java:32)
    at com.ibm.bpe.framework.ProcessBase6.executeJavaSnippet(ProcessBase6.java:256)
    at emailservice.com.onlinebank.bpel.EmailService20060907T224337EntityBase.invokeSnippet(EmailService20060907T224337EntityBase.java:40)
```
If this situation is a problem, consider adding more read access permissions for more locations. This should eliminate most, if not all, JavaMail-related harmless security exceptions from the log file.
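One way to keep these harmless entries from hiding the ones that matter, added here as an example and not part of the original page or the product: the script below labels a SECJ0314W entry as a JavaMail probe only when JavaMail or the Activation Framework itself was denied a read of one of the configuration files named on this page, and lists every other denial for review. The function names, the stack-frame heuristic and the sample log are assumptions made for this example.

```python
import re
from collections import Counter

# File names come from the policy on this page; the frame prefixes are an assumption
# about which packages load the configuration (javax.mail, javax.activation).
JAVAMAIL_CONFIG = {"mailcap", ".mailcap", "javamail.providers", "javamail.address.map"}
LOADER_FRAMES = ("at javax.mail.", "at javax.activation.")
ENTRY_START = re.compile(r"(?m)^(?=\[\d\d/\d\d/\d\d )")
DENIED = re.compile(r"access denied \(([\w.$]+) (.+?)(?: ([a-z,]+))?\)")
CODE = re.compile(r"Code:\s+(\S+)\s+in\s+\{")

def parse_secj0314w(entry):
    """Extract the denied permission and the requesting class from one log entry."""
    denied = DENIED.search(entry)
    if "SECJ0314W" not in entry or not denied:
        return None
    code = CODE.search(entry)
    return {"permission": denied.group(1), "target": denied.group(2), "stack": entry,
            "actions": denied.group(3) or "", "code": code.group(1) if code else ""}

def classify(rec):
    """Expected noise only if JavaMail/JAF itself tried to read a known config file."""
    name = re.split(r"[\\/]", rec["target"])[-1]
    expected = (rec["permission"] == "java.io.FilePermission"
                and rec["actions"] == "read" and name in JAVAMAIL_CONFIG
                and any(frame in rec["stack"] for frame in LOADER_FRAMES))
    return "javamail-probe" if expected else "review"

def triage(log_text):
    """Return (count per label, denials that still need a human look)."""
    counts, review = Counter(), []
    for entry in ENTRY_START.split(log_text):
        rec = parse_secj0314w(entry)
        if rec:
            label = classify(rec)
            counts[label] += 1
            if label == "review":
                review.append((rec["target"], rec["actions"], rec["code"]))
    return counts, review

# Constructed sample: entry 1 abbreviates the message on this page, 2 and 3 are invented.
SAMPLE_LOG = r"""[02/31/08 12:55:38:188 PDT] 00000058 SecurityManag W SECJ0314W: [...] Permission: D:\o063919\java\jre\lib\javamail.providers : access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read) Code: com.ibm.ws.mail.SessionFactory in {file:/D:/o063919/lib/runtime.jar} Stack Trace:
 at javax.mail.Session.loadFile(Session.java:1004)
[02/31/08 12:55:39:001 PDT] 00000058 SecurityManag W SECJ0314W: [...] Permission: D:\data\accounts.csv : access denied (java.io.FilePermission D:\data\accounts.csv write) Code: com.example.Export in {file:/D:/apps/export.jar} Stack Trace:
 at java.io.FileOutputStream.<init>(FileOutputStream.java)
[02/31/08 12:55:40:417 PDT] 0000005a SecurityManag W SECJ0314W: [...] Permission: D:\o063919\java\jre\lib\javamail.providers : access denied (java.io.FilePermission D:\o063919\java\jre\lib\javamail.providers read) Code: com.example.Probe in {file:/D:/apps/probe.jar} Stack Trace:
 at com.example.Probe.run(Probe.java)
"""
if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The third sample entry reads the same file as the first but without a JavaMail frame in its stack, so it stays in the review list.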
The permissions required by JavaMail are as follows:
```
grant codeBase "file:${application}" {
  // Allow access to default configuration files
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}javamail.address.map", "read";
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}javamail.providers", "read";
  permission java.io.FilePermission "${java.home}${/}jre${/}lib${/}mailcap", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}javamail.address.map", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}javamail.providers", "read";
  permission java.io.FilePermission "${java.home}${/}lib${/}mailcap", "read";
  permission java.io.FilePermission "${user.home}${/}.mailcap", "read";
  permission java.io.FilePermission "${was.install.root}${/}lib${/}activation-impl.jar", "read";
  permission java.io.FilePermission "${was.install.root}${/}lib${/}mail-impl.jar", "read";
  permission java.io.FilePermission "${was.install.root}${/}plugins${/}com.ibm.ws.prereq.javamail.jar", "read";

  // If using an isolated mail provider,
  // add additional file read permissions for each jar defined
  // for the isolated mail provider
  // permission java.io.FilePermission "path${/}mail.jar", "read";

  // Allow connection to mail server using SMTP
  permission java.net.SocketPermission "*:25", "connect,resolve";
  // Allow connection to mail server using SMTPS
  permission java.net.SocketPermission "*:465", "connect,resolve";
  // Allow connection to mail server using IMAP
  permission java.net.SocketPermission "*:143", "connect,resolve";
  // Allow connection to mail server using IMAPS
  permission java.net.SocketPermission "*:993", "connect,resolve";
  // Allow connection to mail server using POP3
  permission java.net.SocketPermission "*:110", "connect,resolve";
  // Allow connection to mail server using POP3S
  permission java.net.SocketPermission "*:995", "connect,resolve";

  // Allow System.getProperties() to be used
  // permission java.util.PropertyPermission "*", "read,write";
  // Otherwise use the following to allow system properties to be read
  permission java.util.PropertyPermission "*", "read";
};
```