dsmiley commented on code in PR #4474:
URL: https://github.com/apache/solr/pull/4474#discussion_r3609068443
##########
solr/core/src/java/org/apache/solr/security/CertAuthPlugin.java:
##########
@@ -102,7 +109,10 @@ public boolean doAuthenticate(
HttpServletRequest request, HttpServletResponse response, FilterChain
filterChain)
throws Exception {
X509Certificate[] certs =
- (X509Certificate[])
request.getAttribute("javax.servlet.request.X509Certificate");
Review Comment:
ugh... so this was broken and we didn't notice. Several of us did a broad
look for "javax" including @iamsanjay , @gus-asf , and me. Yet we didn't act
here. Speaking for myself... probably thought to myself -- well if tests pass
then, probably fine? Hmm. I wonder we we had copilot review, maybe it would
have flagged the concern. The upgrade PR was massive & tiring to review for us
humans.
##########
solr/core/src/java/org/apache/solr/security/CertAuthPlugin.java:
##########
@@ -102,7 +106,10 @@ public boolean doAuthenticate(
HttpServletRequest request, HttpServletResponse response, FilterChain
filterChain)
throws Exception {
X509Certificate[] certs =
- (X509Certificate[])
request.getAttribute("javax.servlet.request.X509Certificate");
+ (X509Certificate[])
request.getAttribute(JAKARTA_REQUEST_ATTRIBUTE_NAME);
Review Comment:
I don't see the point of a fallback.
##########
changelog/unreleased/SOLR-18270-easy-fix-without-parametrization.yml:
##########
@@ -0,0 +1,8 @@
+title: Update looked up attribute for SSL authentication
Review Comment:
Should this mention SSL? the lack of mention of SSL might cause folks to
overlook the context.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]