INC-161260 · Issue 634051
Enhanced logging for CBAC policies
Resolved in Pega Version 8.5.4
Additional logs have been added to assist in easier debugging of any configuration issues with CBAC policies.
INC-161660 · Issue 633030
Authorization token handling and cleanup improved
Resolved in Pega Version 8.5.4
When using a mobile app configured with default authentication, clicking on the "Trouble logging in?" link opened a new window and displayed the message "please contact your system administrator" along with the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY CODE-SECURITY PZGETAUTHORIZATIONCODE". This has been resolved. In addition, the OAuth token generation and handling has been improved, and the purge agent has been updated to accept a DSS setting for the max number of expired records to purge each time it is run. The default value is 5000.
INC-162434 · Issue 640052
LookUpList correctly executes during SSO login with model operator
Resolved in Pega Version 8.5.4
After configuring SSO to create operators on fly using a model operator, a new user logging in for the very first time had their operator ID created using the model operator, but after upgrade new users logging in to the system received the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY @BASECLASS LOOKUPLIST". This was due to the methods used for additional security on the activity @baseclass LookUpList which allows it to only be run by authenticated users, and has been resolved.
INC-163201 · Issue 646911
BrowserFingerprint updated
Resolved in Pega Version 8.5.4
Security improvements have been added to the browser fingerprint process.
INC-168837 · Issue 646973
CSRF token updated for use with OKTA login
Resolved in Pega Version 8.5.4
An issue seen while connecting via OKTA has been resolved by updating the CSRF token validation for use with IDP initiated SSO login.
INC-169310 · Issue 649713
Cache check added for SQL queries
Resolved in Pega Version 8.5.4
When performing load testing, a high number of gets were seen for some SQL Queries. In order to improve performance, a check has been added in GlobalTrustStoreCacheImpl.java to assess whether the cache has been initialized or not.
INC-169332 · Issue 648298
Added check for blank username in password reset form
Resolved in Pega Version 8.5.4
The "Forgot password?" screen was allowing the form to be submitted with an empty username so it proceeded to the next screen (verification code). This has been resolved by adding a check for a blank username with the appropriate related error message.
INC-170423 · Issue 648984
Added catch for SAML WebSSO duplicate key exception
Resolved in Pega Version 8.5.4
After logging in from SSO, closing the Pega window and opening it again resulted in the error "Unable to process the SAML WebSSO request : Violation of PRIMARY KEY constraint. Cannot insert duplicate key in object." This has been resolved by updating the session index handling and adding a catch for the duplicate key exception.
INC-173294 · Issue 650236
Mobile "Forgot Password" supports circumstanced rule
Resolved in Pega Version 8.5.4
An enhancement has been added to support a circumstanced rule for the "Forgot Password" flow on mobile.
INC-173466 · Issue 651456
Operator security enhancements
Resolved in Pega Version 8.5.4
It was possible to enable an operator from the operator access landing page even when write access was denied in the data admin operator class. This has been corrected.