1 Atributo secure
The attribute secure serves to check if if there is permission to execute the SQL statement and to inherit the security of the BD connection group to which belows the used, if the value true is explicitly indicated. By default is false. Check the permission for the execution of the SQL instruction. For the following tags, the permission to perform the operation is checked:
|Tag||Connection group permission.|
The setting of this permissions is performed is the wic_conf. In the following image, indicated with a 1, we can see the form with which the permissions are configured.
For now, only in the SQL sentences (SELECTS) are added the SQL restrictions of the SQL security role assigned to the DB connection group for which the user belongs on the connection DB. The configuration of the restrictions of the role of SQL security is performed opening the following window.
This flag is always true if the select is being executed from dbconmgr or soap call with embebed xsql code. The embebed code in a dictionary is considered secure to be executed by an user because the "cataloger" is responsible for what programs and has permissions to perform applications on a determined database. If you make an insert in a table in a catalogued program, the system does not analize if the database connection group can make the insert or not. However, the the non-catalog code is insecure and therefore the runner script increases the security level automatically.
When the query operations are used (select), it is checked if there is a cross-access database and in that case it is prohibited.
2 Execution from dbconmgr
The following shows the operation of this attribute from the BD connection desktop tool. From this tool, an un-catalog XSQL-Script is executed and the security will be always applied, it meants that the implied value in this case is always true no possibility of change . The following code is executed directly from the tool.
<call> <![CDATA[ <xsql-script> <body> <update table='cdiary'> <column name='nomdia'>test</column> </update> </body> </xsql-script> ] ]> </call>
If the BD connection group to which belows the users can not perform the update transactions to the connection database, the system will return the corresponding error:
0 deister.webstudio.core.xsql.script. XSQLScriptException: Operation 'update' not allowed for user 'jab' in secure mode (remote=false)
error.....: deister.webstudio.core.xsql.script.XSQLScriptException: Operation 'update' not allowed for user 'jab' in secure mode (remote=false) tag.......: update line......: 3 code......: <update table="cdiarios"> <column name="nomdia">test</column> </update> root cause: deister.webstudio.core.xsql.script.XSQLScriptException: deister.webstudio.core.xsql.script.XSQLScriptException: Operation 'update' not allowed for user 'jab' in secure mode (remote=false) at deister.webstudio.core.xsql.script.XSQLScriptRunner.getTransformedSQL(XSQLScriptRunner.java:4263) at deister.webstudio.core.xsql.script.functions.f_sql.function_update.a(function_update.java:105) at deister.webstudio.core.xsql.script.XSQLScriptRunner.a(XSQLScriptRunner.java:6056) at deister.webstudio.core.xsql.script.XSQLScriptRunner.__exec_xsql_command(XSQLScriptRunner.java:5952) at deister.webstudio.core.xsql.script.XSQLScriptRunner.a(XSQLScriptRunner.java:3593) at deister.webstudio.core.xsql.script.XSQLScriptRunner.run(XSQLScriptRunner.java:3502) at java.lang.Thread.run(Thread.java:595)
The execution from dbconmgr actives always the security when it is about non-catalog code, it meants that it always applies the security of the BD connection group to which belows the user. It also applies the conditions of SQL restrictions of the role asigned to the BD connection group (if there is).
3 Execution of the catalogued code
A XSQL-Script catalogued allows to check which exist permission for the execution of the SQL sentences (select, insert, delete, update, execute-procedure ...) and to inheret the SQL restrictions of the BD connection group for the select sentences. The following XSQL-Script is a catalogued program in a database dictionary. The value true is indicated for the attribute secure. First, it is checked if there is permission to perform the sentence. If there is permission, the conditions of the SQL restrictions of the BD connection group are added (if any).
<xsql-script> <body> <return> <select secure='true'> <columns>*</columns> <from table='cdiarios' /> </select> </return> </body> </xsql-script>
If it exist permission of SELECT and the SQL security role is:
code LIKE 'C%'
The sentence which will be executed would be:
SELECT * FROM cdiarys WHERE -- ================================================================================= -- getSecurityFilter (table) user: jab dbms: demo_formacion table: cdiary -- ================================================================================= -- wic_user_role_jsql_obj ROLE: COMBCN OBJECT: cdiary codigo LIKE 'C%'