dsmiley commented on code in PR #4474:
URL: https://github.com/apache/solr/pull/4474#discussion_r3609068443


##########
solr/core/src/java/org/apache/solr/security/CertAuthPlugin.java:
##########
@@ -102,7 +109,10 @@ public boolean doAuthenticate(
       HttpServletRequest request, HttpServletResponse response, FilterChain 
filterChain)
       throws Exception {
     X509Certificate[] certs =
-        (X509Certificate[]) 
request.getAttribute("javax.servlet.request.X509Certificate");

Review Comment:
   ugh... so this was broken and we didn't notice.  Several of us did a broad 
look for "javax" including @iamsanjay , @gus-asf , and me.  Yet we didn't act 
here.  Speaking for myself... probably thought to myself -- well if tests pass 
then, probably fine?  Hmm.  I wonder we we had copilot review, maybe it would 
have flagged the concern.  The upgrade PR was massive & tiring to review for us 
humans.



##########
solr/core/src/java/org/apache/solr/security/CertAuthPlugin.java:
##########
@@ -102,7 +106,10 @@ public boolean doAuthenticate(
       HttpServletRequest request, HttpServletResponse response, FilterChain 
filterChain)
       throws Exception {
     X509Certificate[] certs =
-        (X509Certificate[]) 
request.getAttribute("javax.servlet.request.X509Certificate");
+        (X509Certificate[]) 
request.getAttribute(JAKARTA_REQUEST_ATTRIBUTE_NAME);

Review Comment:
   I don't see the point of a fallback.



##########
changelog/unreleased/SOLR-18270-easy-fix-without-parametrization.yml:
##########
@@ -0,0 +1,8 @@
+title: Update looked up attribute for SSL authentication

Review Comment:
   Should this mention SSL?  the lack of mention of SSL might cause folks to 
overlook the context.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to