INC-173725 · Issue 656480
Logic updated for DX API retrieving View/Action ID using embedded property
Resolved in Pega Version 8.7
While calling the DX API using Assignment ID and action ID, a 500 error response was logged indicating that the server encountered an unexpected condition that prevented it from fulfilling the request. Investigation traced this to the logic used for resolving an embedded property referenced in a control/field to identify the correct page class. In a non-work object context for flow actions the new assign page doesn't exist, but the system was checking for it and clearing off errors from the named page. This has been corrected.
SR-C74047 · Issue 416352
Automatic Cloud Terminations updated with retry logic and exception handling for nodes being disconnected while in use
Resolved in Pega Version 8.2
Agents were being disabled when a node was about to be shut down and the lock operation timed out. This was traced to an issue where the Hazelcast operation timed out trying to communicate with a node that had not yet dropped out of the cluster but did shortly after, and was due to the refactored code around delegating to a cluster component missing a lock method. In order to ensure the cluster component handles such exceptions gracefully, the lock operation now contains retry logic along with exception handling that will return 'false' instead of raising an exception.
SR-C53056 · Issue 398514
Bulk delete updated and NPE handling improved to resolve deadlock when loading data flow landing page
Resolved in Pega Version 8.2
A large number of data flow objects on the data flow landing page were making the system unresponsive, and bulk delete activity would sometimes fail on a null pointer exception when progress could not be retrieved. To resolve this, the bulk delete activity provided in [Data-Decision-Service] pyDeleteByStatusAndTime has been modified to be more flexible by allowing deletions based only a date or a status, and the documentation for the activity itself has been improved. Additional handling was added for a potential null pointer exception, and the activity will continue trying to delete other runs if a null pointer exception does occur. The system will not load a data flow run object anymore (which can cause issues when rules do not exist), and will instead load the run progress directly from the database.
SR-D2296 · Issue 436876
Enhancement added to support multiple security certificates
Resolved in Pega Version 8.3
When importing IDP metadata, the only the last verification certificate was imported if there were multiple certificates. This caused SAML SSO signing failures in some cases. Support has now been added for importing multiple certificates to enhance encryption security.
INC-176274 · Issue 666390
Timeout check added to authorization to preserve portal context
Resolved in Pega Version 8.7
When using SAML SSO Authentication Service with "Use access group timeout" and "Redirect to IDP login after logout" selected and "Force authentication" not selected, manually logging out correctly returned the view to the custom SSO login page but the timeout logout returned the default Pega login page as if SSO was not in use. Analysis showed there was a "Failed to open portal" error after doing some action post timeout, and this was traced to pyPortal page not having a value. Investigation showed this was blank due to the creation of new thread while the requestor state was perceived as unauthenticated because of the timeout. To resolve this, a timeout check has been added to the following: Authorization#setActiveAccessGroup(java.lang.String, boolean, boolean, java.util.Map) BasicApplicationContextImmutableImpl#applyApplicationProperties
SR-D28460 · Issue 509365
Added timeout handling for non-PRAuth servlets
Resolved in Pega Version 8.2.4
After logging in via external authentication service (SAML Single Sign On) and setting up a timeout in the access group RuleForm, when the user performed any action and the server identified the request to be timed-out, it was expected that a SAML request would be sent from the browser to the external Authentication Server (referred as IDP) and the flow would proceed from there. This worked as expected for a non-AJAX request. To resolve this, handling has been added for timeout when using non-PRAuth authentication services.
SR-D3556 · Issue 445684
Requestor.OperatorID page updated to stay in sync with current OperatorID to enable post-Auth activity mapping
Resolved in Pega Version 8.3
The systems pages were not getting updated to the right operator's context when a post-Auth activity was used for mapping. To support this use, the UpdateOperatorID trigger has been updated to keep the pxRequestor.OperatorID page in sync with the current operatorID page during SAML. The operator will also be saved during provisioning.
SR-D33491 · Issue 511727
Code fragment removed to resolve CookieDisabledException
Resolved in Pega Version 8.2.4
After upgrade, a CookieDisabledException occurred after a post activity was invoked in the single sign-on (SSO) authentication service. This was traced to the site using the deprecated flag "redirectguests" as part of SSO-based login for mashup usecases. This flag was used to check if a cookiedisabled exception was thrown or not, and if there was no cookie, if a requestor was authenticated in first request. However, the flag has been removed as part of work done to omit the Cookie support check on Mobile App UAs. Code that supported the use of this flag remained after that work and led to the exception being generated, but has now been removed as well.
SR-D43811 · Issue 511921
Code fragment removed to resolve CookieDisabledException
Resolved in Pega Version 8.2.4
After upgrade, a CookieDisabledException occurred after a post activity was invoked in the single sign-on (SSO) authentication service. This was traced to the site using the deprecated flag "redirectguests" as part of SSO-based login for mashup usecases. This flag was used to check if a cookiedisabled exception was thrown or not, and if there was no cookie, if a requestor was authenticated in first request. However, the flag has been removed as part of work done to omit the Cookie support check on Mobile App UAs. Code that supported the use of this flag remained after that work and led to the exception being generated, but has now been removed as well.
SR-C50324 · Issue 393499
Synchronized block method added to load keystore set with RUF
Resolved in Pega Version 8.2
A recent enhancement allows for the SAML auth service to use a reference to an external file for the signing certificate keystore. When the keystore had the password set using a Rule-Utility-Function, rather than being static, there were intermittent login fails with the error "unable to process SAML WebSSO request1" on the screen, and the RULES logs contained thousands of entries of an error indicating "Password is wrong". It was sometimes possible to log in by starting a new browser sessions and trying again. This was an issue with the PasswordHash property being changed from a static to a non-static field: it was not thread safe, though each object got its own copy of the instance, because if two or more threads call the setPasswordHash() method on the same object, all of these threads tried to simultaneously update the passwordHash instance variable and incorrect results were seen. To correct this, the system will use a synchronized block when loading the entries into cache in the getKey() method - Caller function of KeystoreCacheImpl.java.