org.kawanfw.sql.api.server.firewall.DenyDatabaseWriteManager Maven / Gradle / Ivy
AceQL HTTP is a framework of REST-like HTTP APIs that allow access to remote SQL databases over HTTP from any device that supports HTTP.
AceQL HTTP is provided with four client SDKs:
- The AceQL C# Client SDK lets developers wrap the HTTP APIs using Microsoft SQL Server-like calls in their code, just as they would for a local database.
- The AceQL Java Client SDK lets developers wrap the HTTP APIs using JDBC calls in their code, just as they would for a local database.
- The AceQL Python Client SDK allows SQL calls to be encoded with standard unmodified DB-API 2.0 syntax.
/*
 * Copyright (c)2022 KawanSoft S.A.S. All rights reserved.
 *
 * Use of this software is governed by the Business Source License included
 * in the LICENSE.TXT file in the project's root directory.
 *
 * Change Date: 2026-11-01
 *
 * On the date above, in accordance with the Business Source License, use
 * of this software will be governed by version 2.0 of the Apache License.
 */
package org.kawanfw.sql.api.server.firewall;

import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;

import org.kawanfw.sql.api.server.SqlEvent;
import org.kawanfw.sql.api.server.StatementAnalyzer;

/**
 * Firewall manager that denies any update of the database for the passed user.
 * The database is thus guaranteed to be accessed in read only from client side.
 *
 * {@code DenyDatabaseWriteManager} should be used only in order to monitor
 * users who try to force writes on database.
 * If you don't need to monitor users and detect hackers, it's better to set the
 * property {@code database.defaultReadOnly=true} in the
 * {@code aceql-server.properties} file: it will launch a
 * {@link Connection#setReadOnly(boolean)} JDBC call at server startup that will
 * write-protect efficiently the SQL database.
 *
 * @author Nicolas de Pomereu
 * @since 11.0
 */
public class DenyDatabaseWriteManager implements SqlFirewallManager {

    /**
     * @return {@code false} if the passed SQL statement tries to update the
     *         database, else {@code true}
     */
    @Override
    public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection) throws IOException, SQLException {
        StatementAnalyzer analyzer = new StatementAnalyzer(sqlEvent.getSql(), sqlEvent.getParameterValues());
        // Deny DELETE, INSERT and UPDATE as well as any DCL, DDL or TCL statement.
        return !(analyzer.isDelete() || analyzer.isInsert() || analyzer.isUpdate() || analyzer.isDcl()
                || analyzer.isDdl() || analyzer.isTcl());
    }

    /**
     * @return {@code true}. (Client programs will be allowed to create
     *         raw {@code Statement}, i.e. call statements without parameters.)
     */
    @Override
    public boolean allowStatementClass(String username, String database, Connection connection)
            throws IOException, SQLException {
        return true;
    }

    /**
     * @return {@code true}. (Client programs will be allowed to call
     *         the Metadata Query API).
     */
    @Override
    public boolean allowMetadataQuery(String username, String database, Connection connection)
            throws IOException, SQLException {
        return true;
    }
}
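
The monitoring use that the class Javadoc describes, as an added example that is not part of the AceQL source: a hypothetical subclass, `AuditingDenyDatabaseWriteManager`, keeps the deny decision of `DenyDatabaseWriteManager` and logs each denied statement. It assumes the aceql-http jar is on the classpath and uses only the `SqlEvent.getSql()` accessor shown on this page; the class name, the 200-character cap and the `java.util.logging` logger are choices made for the example.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Logger;

import org.kawanfw.sql.api.server.SqlEvent;
import org.kawanfw.sql.api.server.firewall.DenyDatabaseWriteManager;

/**
 * Hypothetical subclass (added example): keeps the deny decision of
 * DenyDatabaseWriteManager and records each denied statement for review.
 */
public class AuditingDenyDatabaseWriteManager extends DenyDatabaseWriteManager {

    private static final Logger LOG =
            Logger.getLogger(AuditingDenyDatabaseWriteManager.class.getName());
    private static final int MAX_LOGGED_SQL = 200; // assumed cap on logged SQL text
    private final AtomicLong deniedCount = new AtomicLong();

    @Override
    public boolean allowSqlRunAfterAnalysis(SqlEvent sqlEvent, Connection connection)
            throws IOException, SQLException {
        boolean allowed = super.allowSqlRunAfterAnalysis(sqlEvent, connection);
        if (!allowed) {
            // Log the statement text only: parameter values may hold personal data.
            LOG.warning("Denied write attempt #" + deniedCount.incrementAndGet()
                    + ": " + sanitize(sqlEvent.getSql()));
        }
        return allowed;
    }

    /** Number of statements denied since this instance was created. */
    public long getDeniedCount() {
        return deniedCount.get();
    }

    /** Replaces control characters (no forged log lines) and caps the length. */
    static String sanitize(String sql) {
        if (sql == null) {
            return "<null>";
        }
        String oneLine = sql.replaceAll("\\p{Cntrl}", " ").trim();
        return oneLine.length() <= MAX_LOGGED_SQL
                ? oneLine
                : oneLine.substring(0, MAX_LOGGED_SQL) + "...";
    }
}
```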