Class DefaultSqlFirewallManager
java.lang.Object
org.kawanfw.sql.api.server.firewall.DefaultSqlFirewallManager
- All Implemented Interfaces:
SqlFirewallManager
- Direct Known Subclasses:
CsvRulesManager,DenyDclManager,DenyDdlManager,DenyExecuteUpdateManager,DenyMetadataQueryManager,DenyStatementClassManager,DenyTclManager
public class DefaultSqlFirewallManager extends Object implements SqlFirewallManager
Default firewall manager for all SQL databases.
WARNING: This default implementation will allow to start immediate remote SQL calls but is *not* at all secured.
It is highly recommended to override this class with a secured implementation for all methods.
WARNING: This default implementation will allow to start immediate remote SQL calls but is *not* at all secured.
It is highly recommended to override this class with a secured implementation for all methods.
- Since:
- 4.0
- Author:
- Nicolas de Pomereu
-
Constructor Summary
Constructors Constructor Description DefaultSqlFirewallManager() -
Method Summary
Modifier and Type Method Description booleanallowExecute(String username, String database, Connection connection)Allows to define if the passed username is allowed to call a raw JDBCStatement.execute.booleanallowExecuteUpdate(String username, String database, Connection connection)Allows to define if the passed username is allowed to call a statement that updates the database.booleanallowMetadataQuery(String username, String database, Connection connection)Says if the username is allowed call the Metadata Query API for the passed database.booleanallowSqlRunAfterAnalysis(String username, String database, Connection connection, String ipAddress, String sql, boolean isPreparedStatement, List<Object> parameterValues)Allows, for the passed client username and its IP address, to know if statement is a prepared statement an to analyze the string representation of the SQL statement that is received on the server.booleanallowStatementClass(String username, String database, Connection connection)Allows to define if the passed username is allowed to create and use aStatementinstance that is not aPreparedStatementvoidrunIfStatementRefused(String username, String database, Connection connection, String ipAddress, boolean isMetadataQuery, String sql, List<Object> parameterValues)Logs the info usingDefaultDatabaseConfigurator.getLogger()Logger.
-
Constructor Details
-
DefaultSqlFirewallManager
public DefaultSqlFirewallManager()
-
-
Method Details
-
allowStatementClass
public boolean allowStatementClass(String username, String database, Connection connection) throws IOException, SQLExceptionDescription copied from interface:SqlFirewallManagerAllows to define if the passed username is allowed to create and use aStatementinstance that is not aPreparedStatement- Specified by:
allowStatementClassin interfaceSqlFirewallManager- Parameters:
username- the client username to check the rule for.database- the database name as defined in the JDBC URL fieldconnection- The current SQL/JDBCConnection- Returns:
true. (Client programs will be allowed to create rawStatement, i.e. call statements without parameters.)- Throws:
IOException- if an IOException occursSQLException- if a SQLException occurs
-
allowSqlRunAfterAnalysis
public boolean allowSqlRunAfterAnalysis(String username, String database, Connection connection, String ipAddress, String sql, boolean isPreparedStatement, List<Object> parameterValues) throws IOException, SQLExceptionDescription copied from interface:SqlFirewallManagerAllows, for the passed client username and its IP address, to know if statement is a prepared statement an to analyze the string representation of the SQL statement that is received on the server.
If the analysis defined by the method returns false, the SQL statement won't be executed.- Specified by:
allowSqlRunAfterAnalysisin interfaceSqlFirewallManager- Parameters:
username- the client username to check the rule for.database- the database name as defined in the JDBC URL fieldconnection- The current SQL/JDBCConnectionipAddress- the IP address of the client usersql- the SQL statementisPreparedStatement- Says if the statement is a prepared statementparameterValues- the parameter values of a prepared statement in the natural order, empty list for a (non prepared) statement- Returns:
true. No analysis is done so all SQL statements are authorized.- Throws:
IOException- if an IOException occursSQLException- if a SQLException occurs
-
allowExecute
public boolean allowExecute(String username, String database, Connection connection) throws IOException, SQLExceptionDescription copied from interface:SqlFirewallManagerAllows to define if the passed username is allowed to call a raw JDBCStatement.execute.- Specified by:
allowExecutein interfaceSqlFirewallManager- Parameters:
username- the client username to check the rule for.database- the database name as defined in the JDBC URL fieldconnection- The current SQL/JDBCConnection- Returns:
true. (Client programs will be allowed to call a JDBC rawStatement.execute.)- Throws:
IOException- if an IOException occursSQLException- if a SQLException occurs
-
allowExecuteUpdate
public boolean allowExecuteUpdate(String username, String database, Connection connection) throws IOException, SQLExceptionDescription copied from interface:SqlFirewallManagerAllows to define if the passed username is allowed to call a statement that updates the database.- Specified by:
allowExecuteUpdatein interfaceSqlFirewallManager- Parameters:
username- the client username to check the rule for.database- the database name as defined in the JDBC URL fieldconnection- The current SQL/JDBCConnection- Returns:
true. (Client programs will be allowed to call a database update statement.)- Throws:
IOException- if an IOException occursSQLException- if a SQLException occurs
-
allowMetadataQuery
public boolean allowMetadataQuery(String username, String database, Connection connection) throws IOException, SQLExceptionDescription copied from interface:SqlFirewallManagerSays if the username is allowed call the Metadata Query API for the passed database.- Specified by:
allowMetadataQueryin interfaceSqlFirewallManager- Parameters:
username- the client username to check the rule for.database- the database name as defined in the JDBC URL fieldconnection- The current SQL/JDBCConnection- Returns:
true. (Client programs will be allowed to call the Metadata Query API).- Throws:
IOException- if an IOException occursSQLException- if a SQLException occurs
-
runIfStatementRefused
public void runIfStatementRefused(String username, String database, Connection connection, String ipAddress, boolean isMetadataQuery, String sql, List<Object> parameterValues) throws IOException, SQLExceptionLogs the info usingDefaultDatabaseConfigurator.getLogger()Logger.- Specified by:
runIfStatementRefusedin interfaceSqlFirewallManager- Parameters:
username- the discarded client usernamedatabase- the database name as defined in the JDBC URL fieldconnection- The current SQL/JDBCConnectionipAddress- the IP address of the client userisMetadataQuery- Says if the client request was an AceQL specific Metadata Query APIsql- the SQL statementparameterValues- the parameter values of a prepared statement in the natural order, empty list for a (non prepared) statement- Throws:
IOException- if an IOException occursSQLException- if a SQLException occurs
-