Class CsvRulesManager

java.lang.Object
org.kawanfw.sql.api.server.firewall.CsvRulesManager
All Implemented Interfaces:
SqlFirewallManager
Direct Known Subclasses:
CsvRulesManagerNoReload

public class CsvRulesManager
extends Object
implements SqlFirewallManager
Firewall manager that checks each SQL request against the content of a CSV file. The CSV file is loaded in memory at AceQL server startup.

The name of the CSV file used by a database is <database>_rules_manager.csv, where database is the name of the database declared in the aceql-server.properties file.
The file must be located in the same directory as the aceql-server.properties file used when starting the AceQL server.

The CSV file contains the rules for accessing the tables, with a semicolon as separator:
  • The first line contains the column names: username;table;delete;insert;select;update;optional comments
  • Each subsequent line contains one rule, with a value for each column:
    • username: AceQL username of the connected client.
    • table: the table name to access. Name must not include dots and prefixes.
    • delete: true if the username has the right to delete rows of the table, else false.
    • insert: true if the username has the right to insert rows in the table, else false.
    • select: true if the username has the right to select rows of the table, else false.
    • update: true if the username has the right to update rows of the table, else false.
    • Optional comments for the rule.

Note that:
  • The public value may be used for the username column and means any username. At execution time, if a rule with public returns true for a CSV column, that rule supersedes the rules declared for specific users for the same CSV column.
  • The all value is allowed for the table column and means any table. At execution time, if a rule with all returns true for a CSV column, that rule supersedes the rules declared for specific tables for the same CSV column.

Note that updating the CSV file will reload the rules. If you prefer to disallow dynamic reloading, use a CsvRulesManagerNoReload implementation.

See an example of CSV file: sampledb_rules_manager.csv
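The following is an added example (not the project's own code nor its sampledb_rules_manager.csv): a small Python reader for the rules file layout described above, plus the precedence check the notes describe, where a public or all rule that says true wins over a specific rule that says false. The rules text is constructed for the example; the single-table statement recogniser in check_sql is an assumption of this example and stands in for the SQL analysis that allowSqlRunAfterAnalysis performs on an SqlEvent. Matching of usernames and table names is exact (case-sensitive) here, which is also an assumption, since this page does not state how the real manager compares them.

```python
import csv
import io
import re

# Constructed sample in the <database>_rules_manager.csv layout described above
# (an assumption about the file's shape; not the project's sampledb_rules_manager.csv).
SAMPLE_RULES_CSV = """username;table;delete;insert;select;update;optional comments
public;all;false;false;true;false;everyone may read every table
public;orders;false;true;true;false;everyone may insert orders
alice;customers;true;true;true;true;alice fully manages customers
bob;customers;false;false;true;false;bob is read-only on customers
"""

RIGHTS = ("delete", "insert", "select", "update")
HEADER = ("username", "table") + RIGHTS


def parse_rules(text):
    """Parse semicolon-separated rules into a list of dicts, validating every value."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = [h.strip().lower() for h in next(reader)]
    if tuple(header[:6]) != HEADER:
        raise ValueError("unexpected header: %r" % header)
    rules = []
    for lineno, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) < 6:
            raise ValueError("line %d: expected at least 6 columns" % lineno)
        username, table = row[0].strip(), row[1].strip()
        if not username or not table or "." in table:
            raise ValueError("line %d: bad username/table (no dots or prefixes)" % lineno)
        rule = {"username": username, "table": table,
                "comment": row[6].strip() if len(row) > 6 else ""}
        for right, cell in zip(RIGHTS, row[2:6]):
            value = cell.strip().lower()
            if value not in ("true", "false"):
                raise ValueError("line %d: %s must be true or false" % (lineno, right))
            rule[right] = value == "true"
        rules.append(rule)
    return rules


def is_allowed(rules, username, table, right):
    """True iff at least one applicable rule grants `right` on `table` to `username`.

    A rule applies when its username equals the client's username or is 'public',
    and its table equals the requested table or is 'all'. Because a 'public' or
    'all' rule that says true supersedes the specific rules, the evaluation
    collapses to "any applicable rule granting the right". Exact matching is an
    assumption of this example.
    """
    if right not in RIGHTS:
        raise ValueError("unknown right: %s" % right)
    for rule in rules:
        user_ok = rule["username"] in ("public", username)
        table_ok = rule["table"] in ("all", table)
        if user_ok and table_ok and rule[right]:
            return True
    return False


# Toy recogniser for single-table DML (an assumption of this example, not
# AceQL's SQL analysis): maps a statement to (right, table).
_SHAPES = (
    ("select", re.compile(r"^\s*select\b.*?\bfrom\s+([A-Za-z_]\w*)", re.I | re.S)),
    ("insert", re.compile(r"^\s*insert\s+into\s+([A-Za-z_]\w*)", re.I)),
    ("update", re.compile(r"^\s*update\s+([A-Za-z_]\w*)", re.I)),
    ("delete", re.compile(r"^\s*delete\s+from\s+([A-Za-z_]\w*)", re.I)),
)


def check_sql(rules, username, sql):
    """Return (allowed, right, table); unrecognised statements are denied by default."""
    for right, pattern in _SHAPES:
        m = pattern.match(sql)
        if m:
            table = m.group(1)
            return is_allowed(rules, username, table, right), right, table
    return False, None, None


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_CSV)
    for user, sql in (("bob", "DELETE FROM customers WHERE id = 1"),
                      ("carol", "INSERT INTO orders (id) VALUES (1)"),
                      ("carol", "SELECT * FROM customers")):
        print(user, "->", sql, "->", check_sql(rules, user, sql))
```

Note the effect of the precedence rule in the sample: bob's own row denies select on customers only implicitly (it grants it), but even a row saying false for bob would be overridden by the public;all row that grants select to everyone, so a restrictive per-user rule cannot narrow what a public or all rule already allows.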

Since:
4.1
Author:
Nicolas de Pomereu
  • Constructor Details

    • CsvRulesManager

      public CsvRulesManager()
  • Method Details

    • allowSqlRunAfterAnalysis

      public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection) throws IOException, SQLException
      Allows the execution of the statement if an allowing rule exists in the <database>_rules_manager.csv file.
      Specified by:
      allowSqlRunAfterAnalysis in interface SqlFirewallManager
      Parameters:
      sqlEvent - the SQL event asked by the client side. Contains all info about the SQL call (client username, database name, IP Address of the client, and SQL statement details)
      connection - The current SQL/JDBC Connection
      Returns:
      true if the analyzed statement or prepared statement is validated and authorized to run, else false

      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs
    • allowStatementClass

      public boolean allowStatementClass(String username, String database, Connection connection) throws IOException, SQLException
      Description copied from interface: SqlFirewallManager
      Defines whether the passed username is allowed to create and use a Statement instance that is not a PreparedStatement.
      Specified by:
      allowStatementClass in interface SqlFirewallManager
      Parameters:
      username - the client username to check the rule for
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      Returns:
      true. (Client programs will be allowed to create raw Statement instances, i.e. to call statements without parameters.)
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs
    • allowMetadataQuery

      public boolean allowMetadataQuery(String username, String database, Connection connection) throws IOException, SQLException
      Description copied from interface: SqlFirewallManager
      Says whether the username is allowed to call the Metadata Query API for the passed database.
      Specified by:
      allowMetadataQuery in interface SqlFirewallManager
      Parameters:
      username - the client username to check the rule for
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      Returns:
      true. (Client programs will be allowed to call the Metadata Query API).
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs