Package org.kawanfw.sql.api.server.firewall

Class CsvRulesManager

java.lang.Object
org.kawanfw.sql.api.server.firewall.DefaultSqlFirewallManager
org.kawanfw.sql.api.server.firewall.CsvRulesManager
All Implemented Interfaces:
SqlFirewallManager
Direct Known Subclasses:
CsvRulesManagerNoReload
public class CsvRulesManager
extends DefaultSqlFirewallManager
implements SqlFirewallManager
Firewall manager that checks each SQL request against the content of a CSV File. The CSV file is loaded in memory at AceQL server startup.

The name of the CSV file that will be used by a database is:  <database>_rules_manager.csv, where database is the name of the database declared in the aceql.properties files.
The file must be located in the same directory as the aceql.properties file used when starting the AceQL server.

The CSV file contains the rules for accessing the tables, with semicolon for separator:
  • First line contains the element names: username;table;delete;insert;select;update;optional comments
  • Subsequent lines contain the rules, with the values for each element:
    • username: AceQL username of the connected client.
    • table: the table name to access. Name must not include dots and prefixes.
    • delete: true if the username has the right to delete rows of the table, else false.
    • insert: true if the username has the right to insert rows in the table, else false.
    • select: true if the username has the right to select rows of the table, else false.
    • update: true if the username has the right to update rows of the table, else false.
    • Optional comments for the rule.

Note that:
  • public value may be used for the username column and means any username. At execution time: if a rule with public returns true for a CSV column, the rule supersedes other declared rules declared for specific users for the same CSV column.
  • all value is allowed for table column and means any table. At execution time: If a rule with all returns true for a CSV column, the rule supersedes other specific rules declared for specific tables for the same CSV column.

Note that updating the CSV file will reload the rules. If you prefer to disallow dynamic reloading, use a CsvRulesManagerNoReload implementation.

See an example of CSV file: sampledb_rules_manager.csv

Since:
4.1
Author:
Nicolas de Pomereu

  • Constructor Details

    • CsvRulesManager

      public CsvRulesManager()

  • Method Details

    • allowSqlRunAfterAnalysis

      public boolean allowSqlRunAfterAnalysis​(SqlEvent sqlEvent, Connection connection) throws IOException, SQLException
      Allows the execution of the statement if an allowing rules exists in the:  <database>_rules_manager.csv file.
      Specified by:
      allowSqlRunAfterAnalysis in interface SqlFirewallManager
      Overrides:
      allowSqlRunAfterAnalysis in class DefaultSqlFirewallManager
      Parameters:
      sqlEvent - the SQL event asked by the client side. Contains all info about the SQL call (client username, database name, IP Address of the client, and SQL statement details)
      connection - The current SQL/JDBC Connection
      Returns:
      true. No analysis is done so all SQL statements are authorized.
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs