INC-155276 · Issue 622816
Null check added for step page
Resolved in Pega Version 8.3.6
After creating and adding new Access Roles and application 'Access When' to the privileges instead of Production level, during run time the error "runtime.IndeterminateConditionalException: Trying to evaluate Rule-Access-When conditions L:IsProdAccess when there is no page to evaluate them against" appeared for the specific privileges. This was traced to a missed use case where the system falls back to the step page if the page for evaluating the 'when' condition is null, which did not account for scenarios where the step page can be null. To resolve this, a null check has been added which will fetch the primary page if the step page for the access 'when' condition is null.
INC-156647 · Issue 626293
Improved disconnected requestor cleanup for FieldService
Resolved in Pega Version 8.3.6
A large number of requestors from FieldService with the status as 'Disconnected' were accumulating and causing performance issues. This was traced to the requestors not getting passivated due to users not logging out and new requestors being created for the same users next time, and was caused by the value of the DSS Initialization/PersistRequestor being set as "OnTimeout". When the DSS prconfig/timeout/browser/default is not configured, the default browser requestor timeout is 60 minutes. In this scenario, requestors were not passivating as the requestor passivation timeout was set to the refresh token lifetime for mobile users, which was very large and overwrote the DSS value. This has been resolved by removing the code which set the passivation timeout to the OAuth2 refresh token lifetime.
INC-167311 · Issue 646477
Updated upgrade handling for migrating work objects
Resolved in Pega Version 8.3.6
After upgrading from Pega 6.2 to 8.3, the work migrated work objects were missing SLAs due to missed entries in the assignment tables (PC_ASSIGN_WORKLIST/ PC_ASSIGN_WORKBASKET) . The SLA was firing, but the processing failed due to the fact the runtime could not resolve a 'AddHistoryPage' library function. In this case, multiple upgrades of the application dating back to Pega 4 resulted in the runtime context containing older ruleset versions in higher ruleset versions, hiding the underlying Pega 8 version of the rule. For releases prior to Pega 7.3, Rule-Application was stored in pr4_rule and will be migrated to pr4_rule_application during upgrades. However, since Context Upgrade is run before Optimize Newly Exposed Columns, the pyDependsOnName won't always be populated. To resolve this, the system will filter based on the value in the blob rather than the exposed column so there will be a value regardless of the upgrade-from version.
INC-172675 · Issue 649451
Configuration added for extending queue processor timeout
Resolved in Pega Version 8.3.6
Alerts for queue processor (QP) items which took more than 15 minutes to run could result in the system marking the node as 'unhealthy'. In environments with Pega Health Check enabled, this would shut down the node gracefully. It was not possible to change this default as it was hardcoded. In order to support systems that may have custom processes that run beyond 15 minutes, a a new setting has been exposed that allows configuration of the interval after which a node with long-running queue processor is marked as unhealthy and is restarted. By default this remains 900000 milliseconds / 900 seconds / 15 minutes, but it may be adjusted up to 24 hours to avoid premature node shutdown. The stale thread detection mechanism will take that setting into account and use the provided value or default to 15 minutes if the value was not provided. In addition, the threshold's units in the UI have been changed from ms to seconds.
INC-166995 · Issue 642440
DeleteDocumentPg added to allow list
Resolved in Pega Version 8.7
During performance testing with CSRF settings enabled, a '403 Forbidden' error was seen in the network trace when FinishAssignment called pyActivity=pyDeleteDocument on close action. This has been resolved by adding pyDeleteDocumentPg to the list of allowed activities.
SR-D28060 · Issue 505637
Cross-site scripting protection added to Pega App Studio Spaces
Resolved in Pega Version 8.2.4
Ajax Request's callback success method has a mechanism to process the response object's HTML responseText, initiate and modify the changeTracker changes, and eventually call renderUI to render the DOM. However, the response object sometimes may return a different type (JSON) that may expose cross-site scripting vulnerabilities. To improve security for the Pega App Studio, the system will process the Ajax request's response text only if the response date type is not JSON by accepting a flag in the callback object passed by the caller.
SR-D26244 · Issue 504223
Label control cross-site scripting protection added
Resolved in Pega Version 8.2.4
cross-site scripting protection has been added to label control.
SR-D30215 · Issue 503682
cross-site scripting protection added to ClientDynamicData
Resolved in Pega Version 8.2.4
Cross-site scripting protection has been added to the "DesignViewIframe" & "pzHarnessID" parameters in the pzClientDynamicData HTML rule.
SR-D25972 · Issue 501482
Handling added for custom error message in post-authentication activity
Resolved in Pega Version 8.2.4
The error message in post authentication activity was always appearing as 'Login terminated because a post-authentication activity or policy failed' irrespective of the actual message being conditionally set in the activity based on post authentication logic. Investigation showed that the parameter page in the SSO post-authentication activity was not being passed to the 'pzShowAuthPolicyError' activity due to the post-authentication activity executing in authenticated context whereas the HTML fragment executed in the un-authenticated context. In order to support this use, post-authentication activity will set the error message on a predefined property and propagate that to the HTML fragment by appending the error message as a query parameter in the redirect exception URL post-authentication failure.
SR-D23862 · Issue 503896
Corrected test connection for LDAP AuthService using keystore
Resolved in Pega Version 8.2.4
When using a AuthService rule defined for LDAP using ldaps:// and a KeyStore rule that was defined to reference a local file in the server, the Test Connection button on the AuthService rule did not work and generated the following exception: "com.pega.apache.commons.httpclient.contrib.ssl.AuthSSLInitializationError: I/O error reading keystore/truststore file: null". Investigation showed that file reference keystore did not work with an LDAPS test connection because while run time used the LDAPVerifyCredentials activity, the design time validation used the activity “ValidateInfrastructure” which did not have the required code to support file reference keystore. This has been corrected.