Class DenyExceptOnWhitelistManager
java.lang.Object
org.kawanfw.sql.api.server.firewall.DenyExceptOnWhitelistManager
- All Implemented Interfaces:
SqlFirewallManager
public class DenyExceptOnWhitelistManager extends Object implements SqlFirewallManager
This SQL Firewall Manager only allows incoming SQL statements that match a
list of SQL statements stored in the following text file sequentially, one
per line.
The name of the text file that will be used by a database is:
The file must be located in the same directory as the
Each line of the text file must contain one statement, without quotes (") or ending semicolon (;).
Note that all statements will be "normalized" using
<database>_deny_except_whitelist.txt
, where
database
is the name of the database declared in the
aceql-server.properties
files.The file must be located in the same directory as the
aceql-server.properties
file used when starting the AceQL server.Each line of the text file must contain one statement, without quotes (") or ending semicolon (;).
Note that all statements will be "normalized" using
StatementNormalizer
before comparison between the statement in the
text file and the incoming one from client side.- Since:
- 11.0
- Author:
- Nicolas de Pomereu
-
Constructor Summary
Constructors Constructor Description DenyExceptOnWhitelistManager()
-
Method Summary
Modifier and Type Method Description boolean
allowMetadataQuery(String username, String database, Connection connection)
Says if the username is allowed call the Metadata Query API for the passed database.boolean
allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection)
Allows the execution of the statement if it does *not* exist in the:<database>_deny_except_whitelist.txt
file.boolean
allowStatementClass(String username, String database, Connection connection)
Allows to define if the passed username is allowed to create and use aStatement
instance that is not aPreparedStatement
.
-
Constructor Details
-
DenyExceptOnWhitelistManager
public DenyExceptOnWhitelistManager()
-
-
Method Details
-
allowSqlRunAfterAnalysis
public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection) throws IOException, SQLExceptionAllows the execution of the statement if it does *not* exist in the:<database>_deny_except_whitelist.txt
file.
Thedatabase
prefix is the value ofSqlEvent.getDatabase()
.- Specified by:
allowSqlRunAfterAnalysis
in interfaceSqlFirewallManager
- Parameters:
sqlEvent
- the SQL event asked by the client side. Contains all info about the SQL call (client username, database name, IP Address of the client, and SQL statement details)connection
- The current SQL/JDBCConnection
- Returns:
true
if the analyzed statement or prepared statement is validated and authorized to run, elsefalse
- Throws:
IOException
- if an IOException occursSQLException
- if a SQLException occurs
-
allowStatementClass
public boolean allowStatementClass(String username, String database, Connection connection) throws IOException, SQLExceptionDescription copied from interface:SqlFirewallManager
Allows to define if the passed username is allowed to create and use aStatement
instance that is not aPreparedStatement
.- Specified by:
allowStatementClass
in interfaceSqlFirewallManager
- Parameters:
username
- the client username to check the rule fordatabase
- the database name as defined in the JDBC URL fieldconnection
- The current SQL/JDBCConnection
- Returns:
true
. (Client programs will be allowed to create rawStatement
, i.e. call statements without parameters.)- Throws:
IOException
- if an IOException occursSQLException
- if a SQLException occurs
-
allowMetadataQuery
public boolean allowMetadataQuery(String username, String database, Connection connection) throws IOException, SQLExceptionDescription copied from interface:SqlFirewallManager
Says if the username is allowed call the Metadata Query API for the passed database.- Specified by:
allowMetadataQuery
in interfaceSqlFirewallManager
- Parameters:
username
- the client username to check the rule fordatabase
- the database name as defined in the JDBC URL fieldconnection
- The current SQL/JDBCConnection
- Returns:
true
. (Client programs will be allowed to call the Metadata Query API).- Throws:
IOException
- if an IOException occursSQLException
- if a SQLException occurs
-