I've been recently skimming through the 12th chapter of Spring in Action, 2nd edition. In the section which deals with sending mails, the author mentions:
What kind of "security" implications is the author talking about here? Does this refer to the fact that the mail configuration lies in open in plain text as opposed to being published on a server as a managed resource which can be accessed by only those people who have the password for the application-servers' management console?The mail serverís hostname and the username/password pair are explicitly configured in Spring. However, this setup may raise red flags for you with regard to security. Maybe you donít want to hard-code this information in the Spring configuration.
You may already have a javax.mail.MailSession configured in JNDI (or perhaps one was placed there by your application server). If so then Springís JavaMailSenderImpl offers you an option to use the MailSender in JNDI.
What are the practical design decisions which influence your choice of preferring one over the another (JNDI v/s non-JNDI)? Are there any reasons/motivations why an architect would bring in a full-fledged application server in the deployment cycle just to use JNDI?
Some points which I can come up with:
- JNDI not a feasible option unless you are using some kind of full-fledged application server.
- JNDI a wise choice if security really becomes a concern (plain text configuration not a possibility)
Suggestions/opinions/experiences appreciated. TIA,