Deprecate usage of javax.mail package

Issue #195 resolved
Tomáš Hanus created an issue

There is a javax.mail dependency which was marked as vulnerable. What is this dependency used for? Is it useful?

            <dependency>
                <groupId>com.nimbusds</groupId>
                <artifactId>oauth2-oidc-sdk</artifactId>
                <version>4.17</version>
            </dependency>

Comments (14)

  1. Connect2id OSS

    Hi Thomas,

    It's apparently used to represent Content-Type headers and email addresses:

    $ grep javax.mail -R src/main/
    src/main/java/com/nimbusds/openid/connect/sdk/UserInfoSuccessResponse.java:import javax.mail.internet.ContentType;
    src/main/java/com/nimbusds/openid/connect/sdk/claims/ClaimsSet.java:import javax.mail.internet.InternetAddress;
    src/main/java/com/nimbusds/openid/connect/sdk/claims/UserInfo.java:import javax.mail.internet.InternetAddress;
    src/main/java/com/nimbusds/oauth2/sdk/auth/ClientSecretPost.java:import javax.mail.internet.ContentType;
    src/main/java/com/nimbusds/oauth2/sdk/auth/JWTAuthentication.java:import javax.mail.internet.ContentType;
    src/main/java/com/nimbusds/oauth2/sdk/http/DefaultResourceRetriever.java:import javax.mail.internet.ContentType;
    src/main/java/com/nimbusds/oauth2/sdk/http/DefaultResourceRetriever.java:import javax.mail.internet.ParseException;
    src/main/java/com/nimbusds/oauth2/sdk/http/Resource.java:import javax.mail.internet.ContentType;
    src/main/java/com/nimbusds/oauth2/sdk/http/CommonContentTypes.java:import javax.mail.internet.ContentType;
    src/main/java/com/nimbusds/oauth2/sdk/http/CommonContentTypes.java:import javax.mail.internet.ParameterList;
    src/main/java/com/nimbusds/oauth2/sdk/http/HTTPMessage.java:import javax.mail.internet.ContentType;
    src/main/java/com/nimbusds/oauth2/sdk/http/HTTPMessage.java:            } catch (javax.mail.internet.ParseException e) {
    src/main/java/com/nimbusds/oauth2/sdk/http/HTTPMessage.java:            } catch (javax.mail.internet.ParseException e) {
    src/main/java/com/nimbusds/oauth2/sdk/client/ClientMetadata.java:import javax.mail.internet.AddressException;
    src/main/java/com/nimbusds/oauth2/sdk/client/ClientMetadata.java:import javax.mail.internet.InternetAddress;
    src/main/java/com/nimbusds/oauth2/sdk/util/JSONObjectUtils.java:import javax.mail.internet.AddressException;
    src/main/java/com/nimbusds/oauth2/sdk/util/JSONObjectUtils.java:import javax.mail.internet.InternetAddress;
    src/main/java/com/nimbusds/oauth2/sdk/util/JSONObjectUtils.java:         * {@code javax.mail.internet.InternetAddress}.
    src/main/java/com/nimbusds/oauth2/sdk/util/ContentTypeUtils.java:import javax.mail.internet.ContentType;
    

    Is that a potential issue?

  2. Vladimir Dzhuvinov

    Hi, I'm the core maintainer of the OIDC SDK.

    I'm not aware of a suitable Java lib replacement for these two classes - for representing emails and content type headers.

    One way around that is to deprecate the associated getters / setters in favor of simple string based ones, and mark javax.mail as optional dependency.

    While the mail and content-type format checking can probably be replicated some way.

    What is your take on this?
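
A minimal string-based Content-Type parser that replicates the subset of javax.mail.internet.ContentType the SDK actually relies on (type/subtype plus parameters such as charset, with strict token checks and a parameter-insensitive match). This is an added example, not SDK code; the class name SimpleContentType is an assumption.

```java
// Added example, not SDK code: string-based replacement for the parts of
// javax.mail.internet.ContentType an OAuth 2.0 / OIDC client needs.
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public final class SimpleContentType {
    // RFC 2045 token: printable US-ASCII without space, controls or tspecials
    private static final Pattern TOKEN = Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    public final String type;
    public final String subtype;
    public final Map<String, String> params;

    private SimpleContentType(String type, String subtype, Map<String, String> params) {
        this.type = type; this.subtype = subtype; this.params = params;
    }

    /** Parses a Content-Type header value; rejects anything malformed instead of guessing. */
    public static SimpleContentType parse(String header) {
        if (header == null) throw new IllegalArgumentException("Missing Content-Type");
        // Simplification: quoted parameter values containing ';' are not supported here
        String[] parts = header.split(";");
        String[] media = parts[0].trim().split("/", -1);
        if (media.length != 2 || !TOKEN.matcher(media[0]).matches() || !TOKEN.matcher(media[1]).matches())
            throw new IllegalArgumentException("Bad media type: " + parts[0].trim());
        Map<String, String> params = new LinkedHashMap<>();
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim();
            if (p.isEmpty()) continue;
            int eq = p.indexOf('=');
            if (eq < 1) throw new IllegalArgumentException("Bad parameter: " + p);
            String name = p.substring(0, eq).trim().toLowerCase(Locale.ROOT);
            String value = p.substring(eq + 1).trim();
            // Accept quoted-string values such as charset="UTF-8" by stripping the quotes
            if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\""))
                value = value.substring(1, value.length() - 1);
            if (!TOKEN.matcher(name).matches()) throw new IllegalArgumentException("Bad parameter name: " + name);
            params.put(name, value);
        }
        return new SimpleContentType(media[0].toLowerCase(Locale.ROOT), media[1].toLowerCase(Locale.ROOT), params);
    }

    /** Case-insensitive match on type/subtype only, ignoring parameters like charset. */
    public boolean matches(String expected) {
        SimpleContentType e = parse(expected);
        return type.equals(e.type) && subtype.equals(e.subtype);
    }
}
```

Calling `SimpleContentType.parse("application/json; charset=\"UTF-8\"").matches("application/JSON")` yields a match while still exposing the charset parameter, which is the behaviour the SDK's HTTP message classes need from the javax.mail type.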

  3. Tomáš Hanus reporter

    Hi,

    maybe apache.http.core or org.springframework.http. But I think that an optional dependency is an appropriate solution.

    Thanks, Tomas

  4. Tom Billiet

    This also breaks the usage of this library on android, since javax.mail is not usable there:

    Caused by: java.lang.ClassNotFoundException: Didn't find class "java.awt.datatransfer.Transferable" on path: 
      at java.lang.Class dalvik.system.BaseDexClassLoader.findClass(java.lang.String) (BaseDexClassLoader.java:134)
      at java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String, boolean) (ClassLoader.java:379)
      at java.lang.Class java.lang.ClassLoader.loadClass(java.lang.String) (ClassLoader.java:312)
      at java.lang.String javax.mail.internet.MimeUtility.quote(java.lang.String, java.lang.String) (MimeUtility.java:1013)
      at java.lang.String javax.mail.internet.ParameterList.quote(java.lang.String) (ParameterList.java:772)
      at java.lang.String javax.mail.internet.ParameterList.toString(int) (ParameterList.java:719)
      at java.lang.String javax.mail.internet.ContentType.toString() (ContentType.java:229)
      at void com.nimbusds.oauth2.sdk.http.HTTPMessage.setContentType(javax.mail.internet.ContentType) (HTTPMessage.java:81)
      at void com.nimbusds.oauth2.sdk.http.HTTPRequest.setContentType(javax.mail.internet.ContentType) (HTTPRequest.java:69)
      at com.nimbusds.oauth2.sdk.http.HTTPRequest com.nimbusds.oauth2.sdk.TokenRequest.toHTTPRequest() (TokenRequest.java:429)
    

  5. Yavor Vasilev
    • changed status to open

    Due to class loading issues javax.mail was restored as non-optional dep in 7.1.1, see issue #291. Will be completely removed in v8.0.