I have a serious problem that I can't solve. System: w2k3 and tomcat 4.1.29 On my webserver there is a smtp server installed, where I have to authenticate to send mail with. Everyone can send mail through the smtp server, but they have to authenticate first with a special username and pw. There is no problem using the smtp server with a mail client. In my webapp I have a service where every user can send a mail with their own email address. I'm using the Java Mail API to send mail. But as soon as I try to authenticate with the special username and pw for the smtp server, I get a java security exception, access to session denied: sessionobj = Session.getDefaultInstance(props, new MailAuthenticator(user, password)); The API Documentation tells me: <QUTE> Since the default session is potentially available to all code executing in the same Java virtual machine, and the session can contain security sensitive information such as user names and passwords, access to the default session is restricted. The Authenticator object, which must be created by the caller, is used indirectly to check access permission. The Authenticator object passed in when the session is created is compared with the Authenticator object passed in to subsequent requests to get the default session. If both objects are the same, or are from the same ClassLoader, the request is allowed. Otherwise, it is denied. </QUOTE> in catalina.policy I have added: permission java.net.SocketPermission "mailto.t-online.de:25", "connect,resolve" ; and in server.xml <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/> <ResourceParams name="mail/Session"> <parameter> <name>smtp.host</name> <value>mailout.myserver.de</value> </parameter> <parameter> <name>mail.smtp.user</name> <value>mailmaster</value> </parameter> <parameter> <name>mail.from</name> <value>email@example.com</value> </parameter> </ResourceParams> mailmaster is the special username I use to login into the smtp server. After reading the API Docs I think that the problem is, that the mailmaster is not the user that has created the session object and that is why he has no access to the session object and I get a security exception. Maybe I'm wrong, because I don't understand the context between session.getDefaultInstance and the Autheniticator. Maybe I just have to add a security policy to catalina.policy, that my webapp has accesss to the session object, but I don't know how to do it. Without authentification, I'm able to send mail. Can someone tell me what I have to do that I can send mail with any username and authentification so I don't get the security exception. Thank you.
Joined: Dec 20, 2003
I have added permission java.util.RuntimePermission "javax.mail.Session.*"; to the catalina.policy. Now I don't get the security exception anymore. When I try to send email with authentification, I just get the stupid exception message "smtp". Without authentification I get the following message: nested exception is: javax.mail.MessagingException: 530 5.7.3 Client was not authenticated I still can use my email client to send mail through the smtp server with authentication, but not with the JAVA Mail API. Any help is appreciated. Thank you.