Stop Query
A three-tier enterprise architecture consists of a client layer, a middle tier, and a data tier. In many Java™ 2 Platform, Enterprise Edition (Java EE) environments, IBM WebSphere Application Server provides the middle tier. WebSphere Application Server processes requests from the client layer and accesses the data tier (for example, IBM DB2®) to retrieve or update data based on client requests and inputs. In many cases, database interaction on behalf of a client request uses an authentication data alias, so the database does not see the identity of the caller, which can lead to accountability failure. Accountability is important not only for identifying who is doing what (from a tracking point of view), but also for helping WebSphere Application Server and database administrators respond to unexpected situations, such as the need to identify and remove unauthorized and malicious database queries.
Figure 1. Three-tier architecture
This article explains how to use the attributes in WebSphere Application Server to mark database connections with client information, and how you can apply this marking to useful solutions, such as identifying and canceling malicious queries.
Marking a database connection with client information
This feature, introduced in WebSphere Application Server V6.0, enables you to mark database connections with certain information. The application server then passes the information to the database layer (if the database supports transmission of this information), where it can be used to identify who is working on the connection. The information you can set on a database connection includes:
CLIENT_ACCOUNTING_INFO: Specifies the accounting information for the connection. This information is used for client accountability purposes and is used primarily with DB2 for z/OS®.
CLIENT_LOCATION: Specifies the address of the client that drives this request.
CLIENT_ID: Specifies the current client user name for the connection. This user name is used for client accountability purposes only; it is not the JDBC connection user, that is, it is not the authentication data alias.
CLIENT_APPLICATION_NAME: Specifies the name of the application that is using the database connection.
In a WebSphere Application Server V6.0 application, you can use the com.ibm.websphere.rsadapter.WSConnection API to set this information on a connection, as shown in Figure 2.
Figure 2. WSConnection API
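Figure 2 is not reproduced on this page. The following is an added example, not the article's own code, of a helper that tags each connection with the container-authenticated caller through WSConnection.setClientInformation. The class name, the JNDI name, and the application and accounting labels are assumptions.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Properties;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletRequest;
import javax.sql.DataSource;

import com.ibm.websphere.rsadapter.WSConnection;

/** Hypothetical helper: hands out connections tagged with the caller's identity. */
public class TaggedConnectionFactory {

    // Assumed values for illustration; replace with your own resource reference and labels.
    private static final String DS_JNDI = "java:comp/env/jdbc/SampleDS";
    private static final String APP_NAME = "SampleOrderApp";
    private static final String ACCOUNTING = "SAMPLE-COSTCENTER";

    private final DataSource ds;

    public TaggedConnectionFactory() throws NamingException {
        ds = (DataSource) new InitialContext().lookup(DS_JNDI);
    }

    public Connection getConnection(HttpServletRequest req) throws SQLException {
        // Take the identity from the container's authentication result,
        // never from a request parameter or header the client controls.
        String user = req.getRemoteUser();
        if (user == null) {
            user = "UNAUTHENTICATED";
        }

        Properties info = new Properties();
        info.setProperty(WSConnection.CLIENT_ID, user);
        info.setProperty(WSConnection.CLIENT_LOCATION, req.getRemoteAddr());
        info.setProperty(WSConnection.CLIENT_APPLICATION_NAME, APP_NAME);
        info.setProperty(WSConnection.CLIENT_ACCOUNTING_INFO, ACCOUNTING);

        Connection conn = ds.getConnection();
        try {
            // The handle returned by a WebSphere data source implements WSConnection.
            ((WSConnection) conn).setClientInformation(info);
        } catch (SQLException e) {
            conn.close(); // do not leak an untagged connection to the caller
            throw e;
        }
        return conn;
    }
}
```

The database still authenticates the connection with the authentication data alias; the values set here are labels supplied by the application, so they are only as trustworthy as the code that sets them.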