Published Release Notes

Addition of Servlet Management

Pega Platform™ now has Servlet Management in Pega Cloud® Services, which provides a simple and secure way to make changes to Pega Platform servlet definitions.

Servlet Management provides Pega Cloud Service clients with solutions to manage servlet configurations with self-service options. This reduces the cycle time for delivering configuration changes in Pega Cloud Service installations while also improving upgrade reliability. 

For more information, see Servlet management.

Upgrade impact

Clients with no application servlet customizations will not experience an impact. If you upgrade from Pega Platform version 8.5 or earlier and, prior to the upgrade, the Pega Cloud team provided your application servlet customizations, then following the upgrade, you must manually add, remove, or modify your servlet customizations in your upgraded application using this servlet management landing page in Pega Platform.

What steps are required to update the application to be compatible with this change?

To manually move your pre-upgrade servlet customizations as appropriate or add new ones to your upgraded application using the new servlet management landing page, follow the steps in Adding a servlet.

Monitor standard and custom security events

From the new Security Event Configuration landing page, you can select the standard and custom security events that you want the Pega 7 Platform to log automatically for every user session. The security events are grouped into the following types:

• Authentication
• Data access
• Security administration
• Custom

The API logCustomEvent() is provided so that you can create custom security events that are specific to your applications and that can be monitored by the Pega 7 Platform. For more information, see Security Event Configuration.

Expanded checks for Java injection vulnerabilities (8.4)

The Java injection vulnerability check feature has been enhanced in Pega Platform™ to further prevent Java injection, including Edit validate, Edit input, and JSP rules. Pega Platform reports errors at design time and run time, and does not run any rule that includes any of the following Java code:

• JavaCompiler
• new ProcessBuilder()
• org.dita.dost.invoker
• Runtime.getRuntime()

For more information, see Configuring the Java injection check.

Add custom HTTP response headers in your application

The Pega 7 Platform supports the addition of custom security HTTP headers that are supported by your browser. For example, you can now create custom X-Frame-Options, X-XSS-Protection, and Strict-Transport-Security headers. These headers improve the security of your application against client-based attacks.

For more information, see Creating a custom application header. 

Protect against insecure deserialization

Deserialization is the process of rebuilding a data stream into a Java object. The Open Web Application Security Project (OWASP) has identified insecure deserialization as one of the top 10 security vulnerabilities for web applications. Pega Platform™ protects against this vulnerability by using filters that prevent deserialization of suspect data streams. You can configure these filters from the Deserialization Blacklist landing page.

For more information, see Configuring the deserialization filter.

Token credentials authentication service

You can create a new type of authentication service for token credentials authentication, which is useful for offline mobile applications. With token credentials authentication, users need to enter their credentials only once in a session. Subsequent access to the server is authenticated with a token. The token can be generated by the Pega Platform™ authorization layer (OAuth 2.0) or issued by an external identity provider.

For more information, see Configuring a token credentials authentication service.

Authentication service for basic credentials

A new type of authentication service is available for authenticating operators by using basic credentials (user ID and password). The default Pega Platform™ login is now an instance of this type of authentication service. All basic credentials authentication services include mobile authentication with the OAuth 2.0 protocol and Proof Key for Code Exchange (PKCE). You no longer have to create a custom authentication service to support mobile applications.

For more information, see Configuring a basic authentication service.

Cosmos React-UI supports custom authentication

Pega Platform™ now supports custom authentication in applications that use Cosmos React-UI. Depending on the needs of your users and the functionality of your application, you might need to write custom authentication schemes to meet specific requirements. 

Clients that use custom authentication in their applications can now take advantage of the Cosmos React-UI.

For more information, see Securing Cosmos React-UI applications.

Enhancements to token lifetime limits

Pega Platform™ uses OAuth 2.0 authorization codes, access tokens, and refresh tokens to provide flexible token-based security for applications. Expiration settings for these codes and tokens now adhere to certain strict value range based on industry leading practices. For example, the lifetime specified for the authorization code must be in the range 1-600 seconds.

These can be configured in the OAuth2 Client registration rule form.

For more information, see OAuth 2.0 Management Services.

Guided tours and online help added to application guides

You can now create application guides that display content from a Pega^® Platform help topic or a sequence of tour stops in a guided tour. By providing supporting information in an interactive format, you can help users complete tasks more quickly.

For more information about displaying help topics, tour stops, and other types of information in a task, see Interactive tasks in an application guide.