SR-131072 · Issue 203709
Requestor token creation added for PRExternal authentication
Resolved in Pega Version 7.1.9
When using a PRExternal authentication scheme, the csrfsession requestor token was not created. This caused a heavy volume of INFO logging messages in production due to the null token. This authentication path has now been added and the token will be correctly created for use.
SR-131691 · Issue 202207
Improved performance for incorrect password handling
Resolved in Pega Version 7.1.9
When the operator entered the wrong password in the login screen, numerous "Stream Overwritten" alerts appeared the Alert log. There was no workflow problem involved, but the logging indicated that there was an additional unnecessary call being made to Stream Web-Login, and that unneeded call has been removed to improve system performance and remove the error being logged.
SR-A4056 · Issue 211550
Corrected validation error for Extract rule field length
Resolved in Pega Version 7.1.9
A validation error noting that the field length of the table was limited to 30 characters was occurring when trying to check in an Extract rule even if the field value had been shortened. While checking in the extract rule, a block of code in the Rule-Utility-Function validateTreeProperties was recomputing the pagelist's table name instead of using the one provided by the user. The Rule-Utility-Function validateTreeProperties function has been modified to fix the issue.
INC-118838 · Issue 560691
OKTA receives parameters on logout
Resolved in Pega Version 8.2.7
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the DB, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
SR-D95148 · Issue 557483
Port validation updated for redirect URI
Resolved in Pega Version 8.2.7
When an offline app for windows client was generated, trying to login via SSO resulted in the error "invalid redirect_uri". This was traced to the system validating the whole loopback redirection URL, e.g. "http://127.0.0.1:1234/redirection", including the port number. To enhance flexibility, an update has been made so that the port number will not be validated, allowing the client to establish it based on availability at the moment of the request to the authorization service. NOTE: As a best practice, a loopback URL should not be configured as a redirect URI. If a loopback URL is configured, then at run time the port number will not be validated, and the client application can use any available port on the system including ports that may not be intended for use.
INC-227878 · Issue 727855
UPDATE IMPACT FOR PEGA CALL
Resolved in Pega Version 8.7.3
Log4j-1.2.14.jar and Log4j-1.2.17.jar have been removed to address the security concerns with these versions, and logger jars have been upgraded to 12.7.2 version (from 12.7.1 version) to make Pega Call compatible. This change will impact Pega Call customer environments due to Avaya or Genesys, which are part of Pega Call, having an internal dependency on Log4j1.x version jars. As a result, the SDK logging for Avaya or Genesys will not be available in the 8.7.3 release unless the Log4j-1.x jar files are reimported locally.
INC-173596 · Issue 673089
Apache Commons HttpClient dependency removed
Resolved in Pega Version 8.7.3
As part of moving from the Apache Commons HttpClient project (which is at end of life and no longer being developed) to the Apache HttpComponents project, openws dependencies on the commons-httpclient jar have been removed.
INC-228169 · Issue 729187
Login error messages updated
Resolved in Pega Version 8.7.3
Exception response messages have been updated in order to improve security around attempts to bypass operator authentication.