SR-131072 · Issue 203709
Requestor token creation added for PRExternal authentication
Resolved in Pega Version 7.1.9
When using a PRExternal authentication scheme, the csrfsession requestor token was not created. This caused a heavy volume of INFO logging messages in production due to the null token. This authentication path has now been added and the token will be correctly created for use.
SR-131691 · Issue 202207
Improved performance for incorrect password handling
Resolved in Pega Version 7.1.9
When the operator entered the wrong password in the login screen, numerous "Stream Overwritten" alerts appeared the Alert log. There was no workflow problem involved, but the logging indicated that there was an additional unnecessary call being made to Stream Web-Login, and that unneeded call has been removed to improve system performance and remove the error being logged.
SR-A4056 · Issue 211550
Corrected validation error for Extract rule field length
Resolved in Pega Version 7.1.9
A validation error noting that the field length of the table was limited to 30 characters was occurring when trying to check in an Extract rule even if the field value had been shortened. While checking in the extract rule, a block of code in the Rule-Utility-Function validateTreeProperties was recomputing the pagelist's table name instead of using the one provided by the user. The Rule-Utility-Function validateTreeProperties function has been modified to fix the issue.
INC-173596 · Issue 673104
Apache Commons HttpClient dependency removed
Resolved in Pega Version 8.8
As part of moving from the Apache Commons HttpClient project (which is at end of life and no longer being developed) to the Apache HttpComponents project, openws dependencies on the commons-httpclient jar have been removed.
INC-188127 · Issue 678350
Updated cache key generation for ROPC
Resolved in Pega Version 8.8
After configuring outbound email functionality using MSGraph with OAuth 2.0, sending the emails failed consistently following passivation. Running "Test connectivity" in the Email Account data instance then seemed to restart the functionality and the automation "Create And Send Email" subsequently worked. This was traced to a missing username in the cache key generation for the Resource Owner Password Credentials (ROPC), which caused the same token to be fetched when attempting to dynamically generate different usernames, and has been resolved.
INC-194865 · Issue 695620
Corrected report definition save-as-image option
Resolved in Pega Version 8.8
Attempting to save a report definition as an image resulted in an access denied error stating "Browser fingerprint validation failed : A request was received with an invalid or missing browser fingerprint. The request was denied", and the user session was closed. The security SECU0017 alert is generated when a request is sent to a Pega application and the browser fingerprint is either missing or does not match the expected value. The system tries to check the type of request for every requestor ID and fetch the CSRF token, but in this case it was not matching with the token present on the requestor thread. This has been resolved by adding scripts to send the hidden input value needed.
INC-198571 · Issue 708634
SSO update
Resolved in Pega Version 8.8
In order to ensure shared SSO direct links are used as intended, an update has been made which will explicitly require re-authentication for each use of a direct link.
INC-202702 · Issue 713725
Ruleset creation process updated to maintain thread scope
Resolved in Pega Version 8.8
On creating a ruleset, the system generated the error "There has been an issue. Please consult your system administrator." If browser cookies and site settings were cleared and the browser was relaunched before logging in and creating a ruleset, the issue did not occur. Investigation showed that the Application page was at the Requestor scope for some of the threads due to handling in the ruleset creation process that removed the Application page and recreated it in the default scope of the thread with the latest state. To resolve this, the process for deleting the Application page and recreating it on the Requestor page has been removed.
INC-210168 · Issue 732069
Added handling for Node Level Data Pages not loading automatically
Resolved in Pega Version 8.8
After update, the MQ listeners were not starting. This was traced to the Global Resource Setting references in the listener rules that utilize data page lookups; MQ listeners started as expected when they were hard-coded with the values present on the data page. Investigation showed this was caused by the activity running in an unauthenticated context, and has been resolved by allowing the app requestor to skip authentication.
INC-211426 · Issue 706059
UI and code changes to support Client Assertion in Open ID Connect
Resolved in Pega Version 8.8
In order to support private_key_jwt, an enhancement has been added which will pass the “Client ID” and “Client assertion” (in the form of a signed JWT) as part of the authorization code grant flow for an IDP-initiated SSO. The Authorization Server will then authenticate Pega (the client) to verify the signature and payload of assertion by retrieving the public key via Pega’s JWKS endpoint.