Class DenyExceptOnWhitelistManager

java.lang.Object
org.kawanfw.sql.api.server.firewall.DenyExceptOnWhitelistManager
All Implemented Interfaces:
SqlFirewallManager

public class DenyExceptOnWhitelistManager
extends Object
implements SqlFirewallManager
This SQL Firewall Manager only allows incoming SQL statements that match one of the SQL statements listed, one per line, in a text file. The name of the text file used for a database is: <database>_deny_except_whitelist.txt, where database is the name of the database declared in the aceql-server.properties file.
The file must be located in the same directory as the aceql-server.properties file used when starting the AceQL server.

Each line of the text file must contain one statement, without quotes (") or ending semicolon (;).

Note that both the statements in the text file and the incoming statement from the client side are "normalized" using StatementNormalizer before they are compared.
Since:
11.0
Author:
Nicolas de Pomereu
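
The file format and default-deny matching described above, as an added illustration that is not AceQL code. The class, the `normalize` stand-in (the real StatementNormalizer rules are not described on this page) and the sample statements are assumptions.

```java
import java.util.*;

// Added illustration; not AceQL code.
public class WhitelistFileCheck {

    // Stand-in for StatementNormalizer (assumption): trim, collapse whitespace, lower-case.
    static String normalize(String sql) {
        return sql.trim().replaceAll("\\s+", " ").toLowerCase(Locale.ROOT);
    }

    // Reports lines that break the documented format: ending ';' or wrapped in quotes.
    static List<String> lint(List<String> lines) {
        List<String> problems = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i).trim();
            if (line.isEmpty()) continue;
            if (line.endsWith(";")) problems.add("line " + (i + 1) + ": ending semicolon");
            if (line.length() > 1 && line.startsWith("\"") && line.endsWith("\""))
                problems.add("line " + (i + 1) + ": wrapped in quotes");
        }
        return problems;
    }

    // Default deny: a statement runs only if its normalized form is on the list.
    static boolean isAllowed(Set<String> whitelist, String incomingSql) {
        return whitelist.contains(normalize(incomingSql));
    }

    public static void main(String[] args) {
        // Constructed sample content for a hypothetical sampledb_deny_except_whitelist.txt
        List<String> lines = List.of(
            "select id, name from customer where id = ?",
            "update customer set name = ? where id = ?;",   // format error
            "\"delete from orders where id = ?\"");          // format error
        lint(lines).forEach(System.out::println);

        Set<String> whitelist = new HashSet<>();
        for (String l : lines) if (!l.isBlank()) whitelist.add(normalize(l));

        String[] incoming = {
            "SELECT id, name   FROM customer WHERE id = ?",  // on the list after normalization
            "update customer set name = ? where id = ?",     // list entry is malformed
            "select * from customer" };                      // not on the list
        for (String sql : incoming)
            System.out.println((isAllowed(whitelist, sql) ? "ALLOW " : "DENY  ") + sql);
    }
}
```

Under this stand-in normalization the malformed entries never match, so the statements they were meant to permit are denied; linting the file before deployment surfaces that early.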
  • Constructor Details

    • DenyExceptOnWhitelistManager

      public DenyExceptOnWhitelistManager()
  • Method Details

    • allowSqlRunAfterAnalysis

      public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection) throws IOException, SQLException
      Allows the execution of the statement only if it exists in the <database>_deny_except_whitelist.txt file, in line with the class description above.
      The database prefix is the value of SqlEvent.getDatabase().
      Specified by:
      allowSqlRunAfterAnalysis in interface SqlFirewallManager
      Parameters:
      sqlEvent - the SQL event asked by the client side. Contains all info about the SQL call (client username, database name, IP Address of the client, and SQL statement details)
      connection - The current SQL/JDBC Connection
      Returns:
      true if the analyzed statement or prepared statement is validated and authorized to run, else false

      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs
    • allowStatementClass

      public boolean allowStatementClass(String username, String database, Connection connection) throws IOException, SQLException
      Description copied from interface: SqlFirewallManager
      Defines whether the passed username is allowed to create and use a Statement instance that is not a PreparedStatement.
      Specified by:
      allowStatementClass in interface SqlFirewallManager
      Parameters:
      username - the client username to check the rule for
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      Returns:
      true. (Client programs will be allowed to create raw Statement, i.e. call statements without parameters.)
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs
    • allowMetadataQuery

      public boolean allowMetadataQuery(String username, String database, Connection connection) throws IOException, SQLException
      Description copied from interface: SqlFirewallManager
      Says whether the username is allowed to call the Metadata Query API for the passed database.
      Specified by:
      allowMetadataQuery in interface SqlFirewallManager
      Parameters:
      username - the client username to check the rule for
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      Returns:
      true. (Client programs will be allowed to call the Metadata Query API).
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs