Class DenySqlInjectionManager

java.lang.Object
org.kawanfw.sql.api.server.firewall.DenySqlInjectionManager
All Implemented Interfaces:
SqlFirewallManager

public class DenySqlInjectionManager
extends Object
implements SqlFirewallManager
A firewall manager that detects SQL injection attacks using the third-party Cloudmersive API.
Usage requires a Cloudmersive API key, obtained by creating a free or paid account at www.cloudmersive.com/pricing.

The Cloudmersive parameters (API key, detection level, ...) are stored in the cloudmersive.properties file that is loaded at the AceQL server startup.
The file must be located in the same directory as the aceql-server.properties file used when starting the AceQL server.

Note that SQL injections are detected synchronously, which slows down the SQL calls. The DenySqlInjectionManagerAsync SqlFirewallManager is provided for asynchronous detection.
Since:
11.0
Author:
Nicolas de Pomereu
See Also:
DenySqlInjectionManagerAsync
  • Constructor Details

    • DenySqlInjectionManager

      public DenySqlInjectionManager()
  • Method Details

    • allowSqlRunAfterAnalysis

      public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection) throws IOException, SQLException
      Says whether the Cloudmersive SQL injection detector accepts the SQL statement.
      Specified by:
      allowSqlRunAfterAnalysis in interface SqlFirewallManager
      Parameters:
      sqlEvent - the SQL event asked by the client side. Contains all info about the SQL call (client username, database name, IP Address of the client, and SQL statement details)
      connection - The current SQL/JDBC Connection
      Returns:
      true if the analyzed statement or prepared statement is validated and authorized to run, else false

      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs
    • allowStatementClass

      public boolean allowStatementClass(String username, String database, Connection connection) throws IOException, SQLException
      Description copied from interface: SqlFirewallManager
      Defines whether the passed username is allowed to create and use a Statement instance that is not a PreparedStatement.
      Specified by:
      allowStatementClass in interface SqlFirewallManager
      Parameters:
      username - the client username to check the rule for
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      Returns:
      true. (Client programs will be allowed to create raw Statement instances, i.e. to run statements without parameters.)
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs
    • allowMetadataQuery

      public boolean allowMetadataQuery(String username, String database, Connection connection) throws IOException, SQLException
      Description copied from interface: SqlFirewallManager
      Says whether the username is allowed to call the Metadata Query API for the passed database.
      Specified by:
      allowMetadataQuery in interface SqlFirewallManager
      Parameters:
      username - the client username to check the rule for
      database - the database name as defined in the JDBC URL field
      connection - The current SQL/JDBC Connection
      Returns:
      true. (Client programs will be allowed to call the Metadata Query API.)
      Throws:
      IOException - if an IOException occurs
      SQLException - if a SQLException occurs
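An added example, not part of the AceQL project's own code, of a stricter SqlFirewallManager built on top of this class: it keeps the Cloudmersive analysis of allowSqlRunAfterAnalysis but overrides allowStatementClass to refuse raw Statement use, so clients must go through PreparedStatement. The class name StrictSqlInjectionManager, its package, and the package of SqlEvent are assumptions; it relies only on the constructor and method signatures shown on this page.

```java
package com.example.firewall; // hypothetical package for this added example

import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.logging.Logger;

import org.kawanfw.sql.api.server.SqlEvent; // assumed location of SqlEvent
import org.kawanfw.sql.api.server.firewall.DenySqlInjectionManager;
import org.kawanfw.sql.api.server.firewall.SqlFirewallManager;

/**
 * Hardening wrapper around DenySqlInjectionManager: SQL text is still
 * analyzed by the Cloudmersive detector, but raw Statement usage is
 * refused so that every query must be a PreparedStatement. Denials
 * are logged so that they can be picked up by monitoring.
 */
public class StrictSqlInjectionManager implements SqlFirewallManager {

    private static final Logger LOG = Logger.getLogger(StrictSqlInjectionManager.class.getName());

    // The manager documented on this page, built with its public no-arg constructor.
    private final SqlFirewallManager delegate = new DenySqlInjectionManager();

    @Override
    public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection)
            throws IOException, SQLException {
        // Synchronous Cloudmersive check; as the class description notes, this adds latency.
        boolean allowed = delegate.allowSqlRunAfterAnalysis(sqlEvent, connection);
        if (!allowed) {
            // Log the denial only; the SQL text itself is not copied into the log.
            LOG.warning("SQL statement denied by injection analysis (event " + sqlEvent + ")");
        }
        return allowed;
    }

    @Override
    public boolean allowStatementClass(String username, String database, Connection connection)
            throws IOException, SQLException {
        // Stricter than DenySqlInjectionManager, which returns true here: refuse raw
        // Statement so that client values can only reach SQL as bound parameters.
        LOG.warning("Raw Statement refused for user " + username + " on database " + database);
        return false;
    }

    @Override
    public boolean allowMetadataQuery(String username, String database, Connection connection)
            throws IOException, SQLException {
        // Keep the delegate's policy for the Metadata Query API (allowed).
        return delegate.allowMetadataQuery(username, database, connection);
    }
}
```

The wrapper is registered in aceql-server.properties in place of DenySqlInjectionManager; it still needs the same cloudmersive.properties file next to it, since the delegate loads that file at server startup.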