That sounds like a bug. Creating a JIRA and a PR would be helpful if you
are able.

On Thu, May 28, 2026 at 5:43 AM Jean-Marie HEITZ <[email protected]> wrote:

> Good morning,
>
> While trying to migrate from SOLR 9 to 10 using the official Docker images,
> I noticed that authentication using SSL certificates did not work anymore.
> I found out that, as I was using SOLR_SSL_NEED_CLIENT_AUTH, and that the
> SSL connection level does work and is established, the request attribute
> that carries the client cert is not
> "javax.servlet.request.X509Certificate" anymore in jetty-12, which is used
> in the Official SOLR Docker image: it
> became "jakarta.servlet.request.X509Certificate". I tested the attribute
> change by building SOLR and the Docker Image from source: it worked. So I
> guess it might be good to change, or add a parameter to be able to
> configure the lookup attribute in security.json.
> Can someone have a look?
>
> Besides that, I also tried the CertAuthPlugin User Principal Extraction,
> and noticed something strange with the "subject.dn" path : the order of the
> components in the Distinguished Name was not the same as the default
> method. In detail:
> - openssl x509 -text outputs O, OU and then CN for the SSL certificate
> - CertAuthPlugin.DEFAULT_PRINCIPAL_RESOLVER gives CN, OU, O
> - Extraction with "subject.dn" gives CN, O, OU
> I assume the Role Based Authorization Plugin uses the principal extraction
> as a string, so the order of the elements does matter. However, I haven't
> investigated this behavior further yet.
>
> Thanks
>
> Jean-Marie Heitz
>


-- 
http://www.needhamsoftware.com (work)
https://a.co/d/b2sZLD9 (my fantasy fiction book)
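
Added example, not part of the thread and not Solr's own code: a lookup that tries both request attribute names quoted above, plus the string forms one subject DN can take, which matters when authorization rules match the principal as a string. The class name, the `attrs` function standing in for the servlet request's `getAttribute`, and the sample subject are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class ClientCertLookupDemo {
    // Attribute names quoted in the thread: Jakarta name first, older name as fallback.
    static final String[] CERT_ATTRS = {
        "jakarta.servlet.request.X509Certificate",
        "javax.servlet.request.X509Certificate"
    };

    // 'attrs' stands in for the request's getAttribute so the demo needs no servlet jar.
    static X509Certificate[] findClientCerts(Function<String, Object> attrs) {
        for (String name : CERT_ATTRS) {
            Object value = attrs.apply(name);
            if (value instanceof X509Certificate[]) {
                X509Certificate[] chain = (X509Certificate[]) value;
                if (chain.length > 0) return chain;
            }
        }
        return null; // no client certificate found: the caller must fail closed
    }

    // RDN types in certificate encoding order, least specific first.
    static List<String> encodedOrder(X500Principal subject) throws InvalidNameException {
        List<String> types = new ArrayList<>();
        // LdapName index 0 is the right-most RDN of the RFC 2253 string.
        for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns()) {
            types.add(rdn.getType());
        }
        return types;
    }

    public static void main(String[] args) throws Exception {
        // Constructed subject, not taken from any real certificate.
        X500Principal subject = new X500Principal("CN=solr-client,OU=Search,O=Example");
        System.out.println("RFC2253:   " + subject.getName(X500Principal.RFC2253));
        System.out.println("RFC1779:   " + subject.getName(X500Principal.RFC1779));
        System.out.println("CANONICAL: " + subject.getName(X500Principal.CANONICAL));
        System.out.println("Encoded order of RDN types: " + encodedOrder(subject));
        // A request carrying neither attribute yields no chain.
        System.out.println("No cert attribute -> " + findClientCerts(name -> null));
    }
}
```

Principal strings in authorization rules should be written against the exact rendering the server produces, since the same subject prints with different ordering, spacing and case across these forms.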
