james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Serge Knystautas" <ser...@lokitech.com>
Subject Re: javax.mail.Session access protection
Date Thu, 07 Mar 2002 20:16:14 GMT
What default instance are you getting?  I don't think anything in James
would be using this... the only code that needs javax.mail.Session I believe
is the remote delivery thread, and it constructs separate Session objects
per delivery threads.  I assume this is some code in a mailet you're running
inside the James JVM... I'm not sure how you're allowing other people or
applications to run in the same JVM as James...

Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com/
----- Original Message -----
From: "Michael Kaegi" <kam@brainware.ch>
To: <james-dev@jakarta.apache.org>
Sent: Thursday, March 07, 2002 12:50 PM
Subject: javax.mail.Session access protection


Hi


How can I protect the JAMES javax.mail.Session?

The problem is that my java application (or an other), which is on the
same machine like JAMES, can access the JAMES javax.mail.Session.


How?
Session session = Session.getDefaultInstance(props, null);


The JavaMail 1.2 Specification says in the chapter 5: The Mail Session:

"The first call to the getDefaultInstance method creates a new Session
object and associates it with the Authenticator object. Subsequent calls
to the getDefaultInstance method compare the Authenticator object passed
in with the Authenticator object saved in the default session. Access to
the default session is allowed if both objects have been loaded by the
same class loader. Typically, this is the case when both the default
session creator and the program requesting default session access are in
the same "security domain." Also, if both objects are null, access is
allowed. Using null to gain access is discouraged, because this allows
access to the
default session from any security domain."

I think "security domain" can mean JVM.

My application requires JAMES therefore JAMES will be started first.
=> The first call to the getDefaultInstance method creates a new Session
object.
Then my application will be started.
=> Subsequent calls to the getDefaultInstance method get the default
session from James if the authenticator is null.


Now, how can I protect the JAMES javax.mail.Session? Or have I understood
something completely wrong? Or is this a bug?

Thanx, for your time?

Bye
Michi


--
To unsubscribe, e-mail:   <mailto:james-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:james-dev-help@jakarta.apache.org>


Mime
View raw message