Class CsvRulesManager
java.lang.Object
org.kawanfw.sql.api.server.firewall.DefaultSqlFirewallManager
org.kawanfw.sql.api.server.firewall.CsvRulesManager
- All Implemented Interfaces:
SqlFirewallManager
public class CsvRulesManager extends DefaultSqlFirewallManager implements SqlFirewallManager
Firewall manager that checks each SQL request against the content of a CSV file. The CSV file is loaded in memory at AceQL server startup.
The name of the CSV file that will be used by a database is <database>_rules_manager.csv, where database is the name of the database declared in the aceql.properties file. The file must be located in the same directory as the aceql.properties file used when starting the AceQL server.

The CSV file contains the rules for accessing the tables, with semicolon for separator:
- First line contains the element names:
  username;table;delete;insert;select;update;optional comments
- Subsequent lines contain the rules, with the values for each element:
  - username: AceQL username of the connected client.
  - table: the table name to access. Name must not include dots and prefixes.
  - delete: true if the username has the right to delete rows of the table, else false.
  - insert: true if the username has the right to insert rows in the table, else false.
  - select: true if the username has the right to select rows of the table, else false.
  - update: true if the username has the right to update rows of the table, else false.
  - Optional comments for the rule.

Note that:
- The public value may be used for the username column and means any username. At execution time: if a rule with public returns true for a CSV column, the rule supersedes other rules declared for specific users for the same CSV column.
- The all value is allowed for the table column and means any table. At execution time: if a rule with all returns true for a CSV column, the rule supersedes other rules declared for specific tables for the same CSV column.

See an example of CSV file: sampledb_rules_manager.csv
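As an added, stand-alone illustration (not code from the AceQL project), the following Python script loads a rules file in the format described above and answers the allow/refuse question that allowSqlRunAfterAnalysis asks for a given username, table and operation. It encodes the public/all precedence as "any matching rule whose column is true allows the operation", which is this editor's reading of the note above. The sample rules and the mapping from a statement's leading keyword to a CSV column are constructed for the example and are simplifications, not the server's own SQL analysis.

```python
"""Stand-alone model of the <database>_rules_manager.csv semantics (added example)."""
import csv
import io
from dataclasses import dataclass

# Header as documented for the rules file; the CSV separator is a semicolon.
HEADER = ["username", "table", "delete", "insert", "select", "update", "optional comments"]
OPERATIONS = ("delete", "insert", "select", "update")

# Constructed sample rules for this example; not the project's sampledb_rules_manager.csv.
SAMPLE_RULES = """\
username;table;delete;insert;select;update;optional comments
public;customer;false;false;true;false;everyone may read customers
alice;customer;true;true;true;true;alice owns the customer table
bob;orders;false;true;false;false;bob may only insert orders
dave;customer;false;false;false;false;specific deny, but public select still applies
public;all;false;false;false;false;explicit deny on everything else
"""


@dataclass
class Rule:
    username: str        # AceQL username, or "public" for any user
    table: str           # table name, or "all" for any table
    rights: dict         # operation -> bool
    comment: str


def parse_bool(value, line_no):
    """Accepts only true/false, as the documented columns require."""
    v = value.strip().lower()
    if v not in ("true", "false"):
        raise ValueError(f"line {line_no}: expected true/false, got {value!r}")
    return v == "true"


def load_rules(text):
    """Parses the CSV text and validates header, booleans and table names."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";"))
    if not rows or [c.strip() for c in rows[0]] != HEADER:
        raise ValueError("first line must be: " + ";".join(HEADER))
    rules = []
    for line_no, row in enumerate(rows[1:], start=2):
        if not row or all(not c.strip() for c in row):
            continue  # ignore blank lines
        if len(row) < 6:
            raise ValueError(f"line {line_no}: expected at least 6 fields, got {len(row)}")
        username, table = row[0].strip(), row[1].strip()
        if "." in table:
            raise ValueError(f"line {line_no}: table name must not include dots or prefixes: {table!r}")
        rights = {op: parse_bool(row[i], line_no) for i, op in enumerate(OPERATIONS, start=2)}
        comment = row[6].strip() if len(row) > 6 else ""
        rules.append(Rule(username, table, rights, comment))
    return rules


def is_allowed(rules, username, table, operation):
    """True if any rule matching the user (or public) and table (or all) grants the operation.

    A true value in a public/all rule therefore supersedes a specific false,
    while a specific true still grants access when the public rule says false.
    """
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    return any(
        rule.rights[operation]
        for rule in rules
        if rule.username in (username, "public") and rule.table in (table, "all")
    )


def statement_operation(sql):
    """Maps the statement's leading keyword to a CSV column (simplification, assumption)."""
    stripped = sql.strip()
    if not stripped:
        return None
    first = stripped.split(None, 1)[0].lower()
    return first if first in OPERATIONS else None


def allow_sql(rules, username, table, sql):
    """Deny by default: a statement runs only when an allowing rule exists for its operation."""
    operation = statement_operation(sql)
    if operation is None:
        return False
    return is_allowed(rules, username, table, operation)


if __name__ == "__main__":
    loaded = load_rules(SAMPLE_RULES)
    for user, tbl, stmt in [("bob", "customer", "SELECT * FROM customer"),
                            ("bob", "customer", "DELETE FROM customer"),
                            ("dave", "customer", "SELECT id FROM customer"),
                            ("carol", "orders", "INSERT INTO orders VALUES (1)")]:
        print(user, tbl, stmt, "->", "allowed" if allow_sql(loaded, user, tbl, stmt) else "refused")
```

Running the script prints one allow/refuse decision per sample request; loading a file whose first line differs from the documented header, or whose table column contains a dotted name, raises a ValueError, which is the kind of check worth running on a rules file before the server loads it.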
- Since:
- 4.1
- Author:
- Nicolas de Pomereu
Constructor Summary
- CsvRulesManager()

Method Summary
- boolean allowSqlRunAfterAnalysis(String username, String database, Connection connection, String ipAddress, String sql, boolean isPreparedStatement, List<Object> parameterValues)
  Allows the execution of the statement if an allowing rule exists in the <database>_rules_manager.csv file.
- void runIfStatementRefused(String username, String database, Connection connection, String ipAddress, boolean isMetadataQuery, String sql, List<Object> parameterValues)
  Logs the info using the DefaultDatabaseConfigurator.getLogger() Logger.

Methods inherited from class org.kawanfw.sql.api.server.firewall.DefaultSqlFirewallManager:
allowExecute, allowExecuteUpdate, allowMetadataQuery, allowStatementClass

Methods inherited from class java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.kawanfw.sql.api.server.firewall.SqlFirewallManager:
allowExecute, allowExecuteUpdate, allowMetadataQuery, allowStatementClass
Constructor Details

CsvRulesManager
public CsvRulesManager()

Method Details

allowSqlRunAfterAnalysis
public boolean allowSqlRunAfterAnalysis(String username, String database, Connection connection, String ipAddress, String sql, boolean isPreparedStatement, List<Object> parameterValues) throws IOException, SQLException
Allows the execution of the statement if an allowing rule exists in the <database>_rules_manager.csv file.
- Specified by: allowSqlRunAfterAnalysis in interface SqlFirewallManager
- Overrides: allowSqlRunAfterAnalysis in class DefaultSqlFirewallManager
- Parameters:
  - username - the client username to check the rule for.
  - database - the database name as defined in the JDBC URL field
  - connection - the current SQL/JDBC Connection
  - ipAddress - the IP address of the client user
  - sql - the SQL statement
  - isPreparedStatement - says if the statement is a prepared statement
  - parameterValues - the parameter values of a prepared statement in the natural order, empty list for a (non prepared) statement
- Returns: true. No analysis is done so all SQL statements are authorized.
- Throws:
  - IOException - if an IOException occurs
  - SQLException - if a SQLException occurs
runIfStatementRefused
public void runIfStatementRefused(String username, String database, Connection connection, String ipAddress, boolean isMetadataQuery, String sql, List<Object> parameterValues) throws IOException, SQLException
Logs the info using the DefaultDatabaseConfigurator.getLogger() Logger.
- Specified by: runIfStatementRefused in interface SqlFirewallManager
- Overrides: runIfStatementRefused in class DefaultSqlFirewallManager
- Parameters:
  - username - the discarded client username
  - database - the database name as defined in the JDBC URL field
  - connection - the current SQL/JDBC Connection
  - ipAddress - the IP address of the client user
  - isMetadataQuery - says if the client request was an AceQL specific Metadata Query API
  - sql - the SQL statement
  - parameterValues - the parameter values of a prepared statement in the natural order, empty list for a (non prepared) statement
- Throws:
  - IOException - if an IOException occurs
  - SQLException - if a SQLException occurs