SR-D31734 · Issue 515656
Cross-site scripting protection added for parameter page properties
Resolved in Pega Version 8.2.6
An Cross-site scripting vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.
SR-D23239 · Issue 499595
Support added for multi-operator SAML logins
Resolved in Pega Version 8.3.1
When a SAML user is logged in by Single Sign-On (SAML), the system processes the login to portal as a different operator if there was a function on the Attribute field under Operator identification in the SAML authentication service. In this scenario, using an expression for operator provisioning did not work because all SAML login sessions resolved to the same first operator due to parseAndEvaluateExpression() in ExpressionHelper.java ignoring new expression arguments if the expression page already existed. To support the use of multiple operator logins in this format, the system has been updated to clone a new expression page for every session and update it with the correct expression arguments.
SR-D47611 · Issue 513113
HTTPS login path issue resolved
Resolved in Pega Version 8.3.1
When using iOS, entering wrong credentials for a login with an https endpoint converted the URL to http. This was traced to a case where the resourcePath was coming as http in SSL enabled system, but the reqURI was still https. To correct this, the system has been updated so that if the reqContextURI starts with https and the requestURL starts with http, then the requestURL will be converted to https.
INC-173596 · Issue 673104
Apache Commons HttpClient dependency removed
Resolved in Pega Version 8.8
As part of moving from the Apache Commons HttpClient project (which is at end of life and no longer being developed) to the Apache HttpComponents project, openws dependencies on the commons-httpclient jar have been removed.
INC-188127 · Issue 678350
Updated cache key generation for ROPC
Resolved in Pega Version 8.8
After configuring outbound email functionality using MSGraph with OAuth 2.0, sending the emails failed consistently following passivation. Running "Test connectivity" in the Email Account data instance then seemed to restart the functionality and the automation "Create And Send Email" subsequently worked. This was traced to a missing username in the cache key generation for the Resource Owner Password Credentials (ROPC), which caused the same token to be fetched when attempting to dynamically generate different usernames, and has been resolved.
INC-194865 · Issue 695620
Corrected report definition save-as-image option
Resolved in Pega Version 8.8
Attempting to save a report definition as an image resulted in an access denied error stating "Browser fingerprint validation failed : A request was received with an invalid or missing browser fingerprint. The request was denied", and the user session was closed. The security SECU0017 alert is generated when a request is sent to a Pega application and the browser fingerprint is either missing or does not match the expected value. The system tries to check the type of request for every requestor ID and fetch the CSRF token, but in this case it was not matching with the token present on the requestor thread. This has been resolved by adding scripts to send the hidden input value needed.
INC-198571 · Issue 708634
SSO update
Resolved in Pega Version 8.8
In order to ensure shared SSO direct links are used as intended, an update has been made which will explicitly require re-authentication for each use of a direct link.
INC-202702 · Issue 713725
Ruleset creation process updated to maintain thread scope
Resolved in Pega Version 8.8
On creating a ruleset, the system generated the error "There has been an issue. Please consult your system administrator." If browser cookies and site settings were cleared and the browser was relaunched before logging in and creating a ruleset, the issue did not occur. Investigation showed that the Application page was at the Requestor scope for some of the threads due to handling in the ruleset creation process that removed the Application page and recreated it in the default scope of the thread with the latest state. To resolve this, the process for deleting the Application page and recreating it on the Requestor page has been removed.
INC-210168 · Issue 732069
Added handling for Node Level Data Pages not loading automatically
Resolved in Pega Version 8.8
After update, the MQ listeners were not starting. This was traced to the Global Resource Setting references in the listener rules that utilize data page lookups; MQ listeners started as expected when they were hard-coded with the values present on the data page. Investigation showed this was caused by the activity running in an unauthenticated context, and has been resolved by allowing the app requestor to skip authentication.
INC-211426 · Issue 706059
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.8
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.