SR-131072 · Issue 203709
Requestor token creation added for PRExternal authentication
Resolved in Pega Version 7.1.9
When using a PRExternal authentication scheme, the csrfsession requestor token was not created. This caused a heavy volume of INFO logging messages in production due to the null token. This authentication path has now been added and the token will be correctly created for use.
SR-131691 · Issue 202207
Improved performance for incorrect password handling
Resolved in Pega Version 7.1.9
When the operator entered the wrong password in the login screen, numerous "Stream Overwritten" alerts appeared the Alert log. There was no workflow problem involved, but the logging indicated that there was an additional unnecessary call being made to Stream Web-Login, and that unneeded call has been removed to improve system performance and remove the error being logged.
SR-A4056 · Issue 211550
Corrected validation error for Extract rule field length
Resolved in Pega Version 7.1.9
A validation error noting that the field length of the table was limited to 30 characters was occurring when trying to check in an Extract rule even if the field value had been shortened. While checking in the extract rule, a block of code in the Rule-Utility-Function validateTreeProperties was recomputing the pagelist's table name instead of using the one provided by the user. The Rule-Utility-Function validateTreeProperties function has been modified to fix the issue.
SR-D23239 · Issue 499595
Support added for multi-operator SAML logins
Resolved in Pega Version 8.3.1
When a SAML user is logged in by Single Sign-On (SAML), the system processes the login to portal as a different operator if there was a function on the Attribute field under Operator identification in the SAML authentication service. In this scenario, using an expression for operator provisioning did not work because all SAML login sessions resolved to the same first operator due to parseAndEvaluateExpression() in ExpressionHelper.java ignoring new expression arguments if the expression page already existed. To support the use of multiple operator logins in this format, the system has been updated to clone a new expression page for every session and update it with the correct expression arguments.
SR-D47611 · Issue 513113
HTTPS login path issue resolved
Resolved in Pega Version 8.3.1
When using iOS, entering wrong credentials for a login with an https endpoint converted the URL to http. This was traced to a case where the resourcePath was coming as http in SSL enabled system, but the reqURI was still https. To correct this, the system has been updated so that if the reqContextURI starts with https and the requestURL starts with http, then the requestURL will be converted to https.
INC-163914 · Issue 668845
Improved Agile Studio passivation recovery
Resolved in Pega Version 8.6.2
When an Agile Studio session was passivated, the error "SECU0008 : CSRF Detected and Blocked" was seen. Reactivating the session resulted in a blank page. This was traced to the clearing of requestor level registrations added for that particular thread, and has been resolved by adding a new flag to identify if a thread is passivated along with the necessary structure for the conditionalized clearing of requestor level registrations based on this flag.
INC-179360 · Issue 662177
Check added for allowed editing with CSRF
Resolved in Pega Version 8.6.2
After enabling CSRF, it was not possible to edit a data table used to define ACL rules due to security preventing the adding/editing of rows and user group entitlements. This has been resolved by using browser FingerPrint validation to check whether an activity is in a secured list and skipping validation for allowed activities.
INC-180275 · Issue 666455
Collaboration control hidden if data type is delegated
Resolved in Pega Version 8.6.2
When collaborating using a customized CaseManager portal with some delegated data types, the admin user refreshing the Data Type view changed the collaborator's view from the portal to show the Data Type tabs, allowing the second person to open rules (properties, Data Pages, etc) and see the configuration even though they could not make any changes. This has been resolved by updating pzDataTypeDelegated to display the collaboration control only if pzDelegation is false.
INC-180594 · Issue 670955
Filtering added for DisableDormantOperators
Resolved in Pega Version 8.6.2
When running the Disable Dormant Operators agent, many operators were seen which were dormant but not disabled. Investigation showed the activity was fetching all of the operators without filtering the deactivation state. This has been resolved by adding a filter condition in pzDisableDormantOperators to fetch only deactivate state users.
INC-184804 · Issue 669638
Password security enhanced
Resolved in Pega Version 8.6.2
Security and authentication have been enhanced for password handling.