FAQ: Can Sentry Proxy ODBC or JDBC Database Calls?


Sentry can not directly act as a proxy for database connections using ODBC or JDBC. However Sentry can be used as a secure abstraction layer to connect to databases using API calls instead of direct ODBC and JDBC calls.  Sentry supports MySQL, SQL Server, Oracle, and DB2.

Client applications can make HTTPS / REST calls into Sentry which will then make the database query (via JDBC) on behalf of the client.  This creates a secure standards-based API layer in front of your databases and allows for more security and identity capabilities, access control, and logging.

HTTPS Client --> Sentry --> Database via JDBC call

The API parameters provided in the call to Sentry can be located in the payload, URL, or headers and these can be collected by Sentry to use in the SQL query.  Once the query executes, Sentry can return a customizable response back to the client via HTTPS (or any of the other protocols Sentry supports).  If the query returns data from the database, the HTTP response can simply include that data, or provide a success of fail response based on the result of the query executed.  This behavior is customizable through policy workflows.

In addition to the HTTPS --> JDBC brokering, all of the security and identity processing features in Sentry can be used to control access to the HTTPS endpoint and ultimately the database.  This includes - TLS, user authentication / authorization, IP access restrictions, request content inspection, response content inspection, rate throttling, etc. In addition to controlling access Sentry can inspect the queries and results to ensure they conform to expected data policy formats.

The Forum Sentry Data Source Policies are used to connect to databases.  There are schemas for each database type available in the WebAdmin which can be used for the both runtime features (i.e. cookie persistence) and admin features (i.e. Sentry configuration storage).


To call a database directly from Sentry you can use the Query Database task.  The task uses the Data Source policy to connect to the server to run a customizable user-defined query.  The Query Database task does not use a defined schema, it provides you with a customizable means to run your choice of query commands.  The associated Data Source policy is used only for the connection properties to access the database.

The Query Database task also supports variables in the SQL.  Variables are defined by using the “?” character where you can dynamically generate the queries using variables from sources such as user attributes, query parameters from the request, header values, etc.   With variables, you set the Source Type and Source Name for the variables (e.g. if you were using the dynamic value from a URL query parameter named "lastName" you'd select Query Parameter as the Source Type and use "lastName" (without the quotes) for the Source Name).

The database query response can be converted to XML or JSON or simply mapped to user attributes for further task list processing.


Please contact Forum Systems Support if you'd like to discuss these options further.

For more information see: Best Practices: Using Databases with Sentry


Article is closed for comments.