From 936301838e68ffb8d5d12de2f53c4b6a3b3f8d68 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 21 Jul 2022 17:08:44 +0200
Subject: Force caller to handle failed capability verification check
---
 jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'jrt/src')
diff --git a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
index 8b7fc3c1a46..9bb497e96ed 100644
--- a/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
+++ b/jrt/src/com/yahoo/jrt/RequireCapabilitiesFilter.java
@@ -3,6 +3,7 @@ package com.yahoo.jrt;
 
 import com.yahoo.security.tls.Capability;
 import com.yahoo.security.tls.CapabilitySet;
+import com.yahoo.security.tls.MissingCapabilitiesException;
 
 /**
 * @author bjorncs
@@ -21,8 +22,13 @@ public class RequireCapabilitiesFilter implements RequestAccessFilter {
 
 @Override
 public boolean allow(Request r) {
- return r.target().connectionAuthContext()
- .hasCapabilities(requiredCapabilities, "RPC", r.methodName(), r.target().peerSpec().toString());
+ try {
+ r.target().connectionAuthContext()
+ .verifyCapabilities(requiredCapabilities, "RPC", r.methodName(), r.target().peerSpec().toString());
+ return true;
+ } catch (MissingCapabilitiesException e) {
+ return false;
+ }
 }
 
 }
-- 
cgit v1.2.3
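Review bot: The new catch block in `allow()` drops the `MissingCapabilitiesException` without a trace, so the details of a denied RPC (missing capabilities, method, peer) are lost here unless `verifyCapabilities` has already logged them. That method is outside this hunk, so this needs confirming. If it does log, say so in the block, e.g. `// verifyCapabilities has already logged the denial; only the boolean is needed here`. If it does not, log `e.getMessage()` before returning false so that access denials stay auditable. Only `MissingCapabilitiesException` is mapped to a deny; any other runtime failure from `connectionAuthContext()` or `peerSpec()` propagates out of the filter, so check that the caller of `allow()` treats a thrown exception as a rejection, not as a pass.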