Package org.kawanfw.sql.api.server.firewall

Class DenySqlInjectionManagerAsync

java.lang.Object
org.kawanfw.sql.api.server.firewall.DenySqlInjectionManagerAsync
All Implemented Interfaces:
SqlFirewallManager
public class DenySqlInjectionManagerAsync
extends Object
implements SqlFirewallManager
A firewall manager that allows detecting SQL asynchronously injection attacks, using the third-party Cloudmersive API:
Usage requires getting a Cloudmersive API key through a free or paying account creation at www.cloudmersive.com/pricing.

The Cloudmersive parameters (API key, detection level, ...) are stored in the cloudmersive.properties file that is loaded at the AceQL server startup.
The file must be located in the same directory as the aceql-server.properties file used when starting the AceQL server.

The SQL injection detection is asynchronous: this means that allowSqlRunAfterAnalysis will always immediately return true and that the result of the analysis will trigger later all SqlFirewallTrigger defined in the aceql-server.properties file.

Note that because of the asynchronous behavior, a new Connection will be extracted from the pool in order to process the SqlFirewallTrigger.runIfStatementRefused(SqlEvent, SqlFirewallManager, Connection) methods.
The Connection will be cleanly released after all calls.
Since:
11.0
Author:
Nicolas de Pomereu
See Also:
DenySqlInjectionManager

  • Constructor Details

    • DenySqlInjectionManagerAsync

      public DenySqlInjectionManagerAsync()

  • Method Details

    • allowSqlRunAfterAnalysis

      public boolean allowSqlRunAfterAnalysis​(SqlEvent sqlEvent, Connection connection) throws IOException, SQLException
      Allows detecting in background / asynchronously if Cloudmersive SQL injection detector accepts the SQL statement. (The allowSqlRunAfterAnalysis call thus always returns immediately true).
      Specified by:
      allowSqlRunAfterAnalysis in interface SqlFirewallManager
      Parameters:
      sqlEvent - the SQL event asked by the client side. Contains all info about the SQL call (client username, database name, IP Address of the client, and SQL statement details)
      connection - The current SQL/JDBC Connection
      Returns:
      true if the analyzed statement or prepared statement is validated and authorized to run, else false

      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs

    • allowStatementClass

      public boolean allowStatementClass​(String username, String database, Connection connection) throws IOException, SQLException
      Description copied from interface: SqlFirewallManager
      Allows to define if the passed username is allowed to create and use a Statement instance that is not a PreparedStatement.
      Specified by:
      allowStatementClass in interface SqlFirewallManager
      Parameters:
      username - the client username to check the rule for
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      Returns:
      true. (Client programs will be allowed to create raw Statement, i.e. call statements without parameters.)
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs

    • allowMetadataQuery

      public boolean allowMetadataQuery​(String username, String database, Connection connection) throws IOException, SQLException
      Description copied from interface: SqlFirewallManager
      Says if the username is allowed call the Metadata Query API for the passed database.
      Specified by:
      allowMetadataQuery in interface SqlFirewallManager
      Parameters:
      username - the client username to check the rule for
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      Returns:
      true. (Client programs will be allowed to call the Metadata Query API).
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs