in gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java [115:171]
/**
 * Decides whether the current request passes the configured ACLs.
 *
 * <p>Three independent clauses are evaluated and logged: the effective
 * principal against the user ACL, the subject's {@code GroupPrincipal}s
 * against the group ACL, and the request's remote address against the IP
 * ACL. How the three results are combined depends on
 * {@code aclProcessingMode}: {@code "OR"} grants access if any clause
 * matches (wildcard clauses are discounted so a lone {@code *} cannot open
 * access to everyone), {@code "AND"} requires all three, and any other mode
 * value fails closed.
 *
 * <p>The IP clause uses {@link HttpServletRequest#getRemoteAddr()}, i.e. the
 * peer address of the connection as seen by this container; when the gateway
 * sits behind a proxy or load balancer this is the proxy's address, not the
 * original client's.
 *
 * @param request  the current request; must be an {@link HttpServletRequest}
 * @param response unused by this check
 * @param chain    unused by this check
 * @return {@code true} when no ACLs are configured at all, or when the
 *         configured ACLs grant access under the active processing mode;
 *         {@code false} otherwise
 * @throws ClassCastException if {@code request} is not an
 *         {@link HttpServletRequest}
 */
protected boolean enforceAclAuthorizationPolicy(ServletRequest request, ServletResponse response, FilterChain chain) {
  // An empty ACL configuration (no users, no groups, no IP rules) means
  // nothing is restricted, so there is nothing to enforce.
  final boolean noAclsConfigured = parser.users.isEmpty()
      && parser.groups.isEmpty()
      && parser.ipv.getIPAddresses().isEmpty();
  if (noAclsConfigured) {
    return true;
  }

  // Snapshot the mode so every decision below is made against one value.
  final String mode = aclProcessingMode;

  // --- user clause -------------------------------------------------------
  // NOTE(review): assumes SubjectUtils.getCurrentSubject() never returns null
  // on this path; the group lookup below would NPE otherwise — confirm.
  final Subject subject = SubjectUtils.getCurrentSubject();
  final String principalName = SubjectUtils.getEffectivePrincipalName(subject);
  log.effectivePrincipal(principalName);
  boolean userAllowed = checkUserAcls(principalName);
  log.effectivePrincipalHasAccess(userAllowed);

  // --- group clause ------------------------------------------------------
  final Object[] groupPrincipals = subject.getPrincipals(GroupPrincipal.class).toArray();
  final boolean groupAllowed;
  if (groupPrincipals.length == 0) {
    // A subject carrying no group principals can only satisfy the group
    // clause in AND mode via an any-group ('*') rule; this keeps ACLs such
    // as "*;*;127.0.0.*" working for group-less users. (Not logged, as in
    // the original behaviour.)
    groupAllowed = parser.anyGroup && "AND".equals(mode);
  } else {
    groupAllowed = checkGroupAcls(groupPrincipals);
    log.groupPrincipalHasAccess(groupAllowed);
  }

  // --- IP clause ---------------------------------------------------------
  final String remoteAddr = ((HttpServletRequest) request).getRemoteAddr();
  log.remoteIPAddress(remoteAddr);
  final boolean ipAllowed = checkRemoteIpAcls(remoteAddr);
  log.remoteIPAddressHasAccess(ipAllowed);

  // --- combine -----------------------------------------------------------
  if ("OR".equals(mode)) {
    // Under OR semantics a wildcard clause must not count as a match,
    // otherwise a single '*' would grant access to everyone. A wildcard is
    // therefore treated as "this clause contributes nothing" (i.e. false).
    final boolean anyIpRule = parser.ipv.allowsAnyIP();
    final boolean userVote = userAllowed && !parser.anyUser;
    final boolean groupVote = groupAllowed && !parser.anyGroup;
    final boolean ipVote = ipAllowed && !anyIpRule;
    return userVote || groupVote || ipVote;
  }
  if ("AND".equals(mode)) {
    return userAllowed && groupAllowed && ipAllowed;
  }
  // Unknown or unset processing mode: fail closed.
  return false;
}