Package org.kawanfw.sql.api.server.firewall

Class CsvRulesManager

java.lang.Object

org.kawanfw.sql.api.server.firewall.DefaultSqlFirewallManager

org.kawanfw.sql.api.server.firewall.CsvRulesManager

All Implemented Interfaces:

SqlFirewallManager

public class CsvRulesManager
extends DefaultSqlFirewallManager
implements SqlFirewallManager

Firewall manager that checks each SQL request against the content of a CSV File. The CSV file is loaded in memory at AceQL server startup.

The name of the CSV file that will be used by a database is: <database>_rules_manager.csv, where database is the name of the database declared in the aceql.properties files.
The file must be located in the same directory as the aceql.properties file used when starting the AceQL server.

The CSV file contains the rules for accessing the tables, with semicolon for separator:

• First line contains the element names: username;table;delete;insert;select;update;optional comments
• Subsequent lines contain the rules, with the values for each element:
  • username: AceQL username of the connected client.
  • table: the table name to access. Name must not include dots and prefixes.
  • delete: true if the username has the right to delete rows of the table, else false.
  • insert: true if the username has the right to insert rows in the table, else false.
  • select: true if the username has the right to select rows of the table, else false.
  • update: true if the username has the right to update rows of the table, else false.
  • Optional comments for the rule.

Note that:

• public value may be used for the username column and means any username. At execution time: if a rule with public returns true for a CSV column, the rule supersedes other declared rules declared for specific users for the same CSV column.
• all value is allowed for table column and means any table. At execution time: If a rule with all returns true for a CSV column, the rule supersedes other specific rules declared for specific tables for the same CSV column.

See an example of CSV file: sampledb_rules_manager.csv

Since:

4.1

Author:

Nicolas de Pomereu

Constructor Summary

Constructors

Constructor	Description
CsvRulesManager()

Method Summary

Modifier and Type	Method	Description
boolean	allowSqlRunAfterAnalysis(String username, String database, Connection connection, String ipAddress, String sql, boolean isPreparedStatement, List<Object> parameterValues)	Allows the execution of the statement if an allowing rules exists in the: <database>_rules_manager.csv file.
void	runIfStatementRefused(String username, String database, Connection connection, String ipAddress, boolean isMetadataQuery, String sql, List<Object> parameterValues)	Logs the info using DefaultDatabaseConfigurator.getLogger() Logger.

Methods inherited from class org.kawanfw.sql.api.server.firewall.DefaultSqlFirewallManager

allowExecute, allowExecuteUpdate, allowMetadataQuery, allowStatementClass

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.kawanfw.sql.api.server.firewall.SqlFirewallManager

allowExecute, allowExecuteUpdate, allowMetadataQuery, allowStatementClass

Constructor Details

CsvRulesManager

public CsvRulesManager()

Method Details

allowSqlRunAfterAnalysis

public boolean allowSqlRunAfterAnalysis(String username,
String database,
Connection connection,
String ipAddress,
String sql,
boolean isPreparedStatement,
List<Object> parameterValues)
                                 throws IOException,
SQLException

Allows the execution of the statement if an allowing rules exists in the: <database>_rules_manager.csv file.

Specified by:

allowSqlRunAfterAnalysis in interface SqlFirewallManager

Overrides:

allowSqlRunAfterAnalysis in class DefaultSqlFirewallManager

Parameters:

username - the client username to check the rule for.

database - the database name as defined in the JDBC URL field

connection - The current SQL/JDBC Connection

ipAddress - the IP address of the client user

sql - the SQL statement

isPreparedStatement - Says if the statement is a prepared statement

parameterValues - the parameter values of a prepared statement in the natural order, empty list for a (non prepared) statement

Returns:

true. No analysis is done so all SQL statements are authorized.

Throws:

IOException - if an IOException occurs

SQLException - if a SQLException occurs

runIfStatementRefused

public void runIfStatementRefused(String username,
String database,
Connection connection,
String ipAddress,
boolean isMetadataQuery,
String sql,
List<Object> parameterValues)
                           throws IOException,
SQLException

Logs the info using DefaultDatabaseConfigurator.getLogger() Logger.

Specified by:

runIfStatementRefused in interface SqlFirewallManager

Overrides:

runIfStatementRefused in class DefaultSqlFirewallManager

Parameters:

username - the discarded client username

database - the database name as defined in the JDBC URL field

connection - The current SQL/JDBC Connection

ipAddress - the IP address of the client user

isMetadataQuery - Says if the client request was an AceQL specific Metadata Query API

sql - the SQL statement

parameterValues - the parameter values of a prepared statement in the natural order, empty list for a (non prepared) statement

Throws:

IOException - if an IOException occurs

SQLException - if a SQLException occurs