SR-D51324 · Issue 523435
Authentication state refreshed after failure in mobile
Resolved in Pega Version 8.4
When using the mobile app, if login was started and incorrect credentials or empty fields were submitted, and the credentials screen was then closed or canceled, attempting to log in again with the correct information still returned the "Authentication failed" error; a subsequent attempt with the correct credentials would then succeed. This was traced to the server persisting the failed authentication state from the first request for the browser session, and has been resolved.
SR-D52037 · Issue 519479
Added compatibility for generated SQL to be imported to MSSQL from DB2 Z/OS
Resolved in Pega Version 8.4
After creating an application jar containing schema changes on DB2 z/OS, attempting to import the jar into a different environment that used an MSSQL database failed to execute the schema changes (SQL statements) and reported syntax errors. Investigation showed that MSSQL expects usernames in GRANT statements to be wrapped in [square brackets], and the GRANT statements generated by import now support this.
SR-D52142 · Issue 517586
pzinskey LIKE clause removed and agent added to clean stale pr_data_token data
Resolved in Pega Version 8.4
To improve performance, an agent has been added to clean up expired accessToken data in pr_data_token, and the 'where' clause using pzinskey LIKE has been removed and replaced with native SQL so that the query is supported on all databases.
SR-D52969 · Issue 514704
Column population honors thread count of 1
Resolved in Pega Version 8.4
The thread count parameter in the column population activity was not being honored, causing repeated deadlocks when populating columns. Investigation showed that the ExposeCols process ignored a thread count of 1 (the default is 4). This has been fixed by adding the necessary code so that when the thread count is 1, column population does not run in multithreaded mode.
SR-D53838 · Issue 521479
Run Ruleset Cleanup defaults to true
Resolved in Pega Version 8.4
After upgrade, the rule categories and rules were not showing correctly in the App view of the Dev Portal, and many warning messages related to the Decisioning DM Sample application were logged. This was traced to the ruleset cleanup script not running properly. A workaround existed (applying the ruleset cleanup scripts manually after removing the queries that reference the pr_engineclasses table), but the cleanup will now run by default (run.ruleset.cleanup=true). In addition, the logic that determines which RuleSets to include has been simplified, and most of the pr4_rule_vw deletions have been combined.
SR-D55508 · Issue 521862
CSRF and Fingerprint token handling added to custom URL generation
Resolved in Pega Version 8.4
An error screen appeared with the message "Server response error, no update data returned" while checking out and checking in an offer rule. This was traced to CSRF token validation: in this scenario a custom URL was being constructed, and the corresponding request did not carry a valid CSRF/fingerprint token. This can occur when custom AJAX or non-AJAX URLs are built manually in non-autogenerated HTML streams, because the tokens that autogenerated URLs receive are never attached. To address this, handling has been added for CSRF and fingerprint tokens as part of custom URL generation.
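The pattern behind this fix, as an added example that is not Pega's code: a hand-built URL is missing the per-session CSRF token and the client-bound fingerprint token, so the server rejects it; a URL generator that appends both tokens produces a request that validates. The secret, the parameter names (csrfToken, fingerprintToken) and the HMAC construction are assumptions for illustration; the page does not name Pega's actual parameters.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Hypothetical per-deployment secret; a real server keeps this in its session store or keystore.
SERVER_SECRET = secrets.token_bytes(32)

# Hypothetical parameter names; the real names are not given on this page.
CSRF_PARAM = "csrfToken"
FINGERPRINT_PARAM = "fingerprintToken"


def csrf_token(session_id: str) -> str:
    """CSRF token bound to the server-side session (HMAC, so no per-token storage is needed)."""
    return hmac.new(SERVER_SECRET, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def fingerprint_token(session_id: str, client_fingerprint: str) -> str:
    """Fingerprint token bound to the session and to a client attribute (for example a hash of
    the User-Agent), so a token replayed from a different client does not validate."""
    msg = b"fp:" + session_id.encode() + b"|" + client_fingerprint.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def with_tokens(url: str, session_id: str, client_fingerprint: str) -> str:
    """Append both tokens to a hand-built URL; this is the step a custom URL generator must add."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[CSRF_PARAM] = [csrf_token(session_id)]
    query[FINGERPRINT_PARAM] = [fingerprint_token(session_id, client_fingerprint)]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def validate(url: str, session_id: str, client_fingerprint: str) -> bool:
    """Server-side check: both tokens must be present and match, compared in constant time."""
    query = parse_qs(urlparse(url).query)
    supplied_csrf = query.get(CSRF_PARAM, [""])[0].encode()
    supplied_fp = query.get(FINGERPRINT_PARAM, [""])[0].encode()
    csrf_ok = hmac.compare_digest(supplied_csrf, csrf_token(session_id).encode())
    fp_ok = hmac.compare_digest(supplied_fp, fingerprint_token(session_id, client_fingerprint).encode())
    return csrf_ok and fp_ok


if __name__ == "__main__":
    # Constructed sample: a custom check-in URL built by hand in an HTML stream.
    session, fp = "sess-1234", "ua-sha256-abcd"
    bare = "https://pega.example/prweb/custom?pyActivity=CheckIn&rule=Offer1"
    print(validate(bare, session, fp))                            # False: tokens missing
    print(validate(with_tokens(bare, session, fp), session, fp))  # True
```

The bare URL is exactly the failing case in the note: the request reaches the server with no token, validation fails, and the client sees a generic "no update data returned" error rather than a CSRF-specific one.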
SR-D56409 · Issue 520743
URL Encryption and Obfuscation made compatible with site-minder
Resolved in Pega Version 8.4
Attempting to install a DL using Hfix Manager worked when not going through SSO but failed when using SSO. Investigation showed that this was due to URLEncryption: by default it uses a Pega-supplied base64 encoder that applies MIME-style encoding to the cipher text, which inserts a newline character after every 72 characters. This is not compatible with site-minder, which has policies that reject newline characters in the URL; as a result, none of the encrypted requests were processed. To resolve this, post-processing logic has been added to remove newline characters from the encoded text. The same change has also been applied to URLObfuscation.
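The failure mode and the fix, as an added example that is not Pega's code. Python's standard MIME encoder (base64.encodebytes) wraps at 76 columns per RFC 2045, while the encoder described above wraps at 72; the effect on a URL is the same. The example strips the line breaks as the fix does and additionally percent-encodes the result, since '+', '/' and '=' are also unsafe in a query string. The cipher text is a constructed byte string standing in for real encrypted output.

```python
import base64
from urllib.parse import quote, unquote


def mime_base64(cipher_text: bytes) -> str:
    """MIME-style base64 as the pre-fix encoder produced it: a newline after every full line."""
    return base64.encodebytes(cipher_text).decode("ascii")


def strip_line_breaks(encoded: str) -> str:
    """The post-processing the fix adds: remove CR/LF so no newline reaches the URL."""
    return encoded.replace("\r", "").replace("\n", "")


def to_url_param(cipher_text: bytes) -> str:
    """Encode for a URL: strip line breaks, then percent-encode '+', '/' and '=' too (safe=""),
    which a proxy or servlet container would otherwise decode as space or path characters."""
    return quote(strip_line_breaks(mime_base64(cipher_text)), safe="")


def from_url_param(param: str) -> bytes:
    """Server side: undo the percent-encoding and decode strictly (no stray characters tolerated)."""
    return base64.b64decode(unquote(param), validate=True)


def has_line_breaks(s: str) -> bool:
    return "\n" in s or "\r" in s


if __name__ == "__main__":
    sample = bytes(range(120))  # constructed stand-in for 120 bytes of cipher text
    wrapped = mime_base64(sample)
    print(repr(wrapped))                      # contains '\n' at column 76 and at the end
    print(has_line_breaks(to_url_param(sample)))  # False
    print(from_url_param(to_url_param(sample)) == sample)  # True
```

A quick check for this class of problem in any deployment is to search encoded URL parameters for %0A or a literal newline; a WAF or proxy that rejects control characters in the request line will otherwise drop the request silently, which is what made the SSO path fail here.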
SR-D62949 · Issue 527502
XSS protection added
Resolved in Pega Version 8.4
The CrossScriptingFilter API has been applied to address a potential XSS issue involving stream rule parameters used in the request header.
SR-D63232 · Issue 524295
Support added for Authentication service rule attributes in embedded pages
Resolved in Pega Version 8.4
SSO login was not working, giving the error "Unable to process the SAML WebSSO request : No value specified for Attribute in SAML assertion". Investigation showed that the Authentication Service rule could only map attributes whose properties are on the top-level page and did not consider values on embedded pages. To resolve this, tools.getProperty is now used to fetch the property reference value instead of findPage and getString.
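The difference between a top-level-only lookup and a reference walk, as an added example that is not Pega's code. Pages are modelled as dicts, page lists as Python lists addressed with Pega-style 1-based "(n)" indexes, and the attribute mapping direction (SAML attribute name to a property reference on a clipboard page) and sample page contents are assumptions for illustration. The old resolver reproduces the note's error for any embedded-page reference; the new one resolves it.

```python
import re

# One step of a property reference: "Name" or "PageList(n)", where n is 1-based as in Pega.
_STEP = re.compile(r"^(\w+)(?:\((\d+)\))?$")


def get_top_level(page: dict, ref: str):
    """Behaviour before the fix: the whole reference is looked up as one name on the top-level
    page, so 'pyAttributes.Department' is never found."""
    return page.get(ref)


def get_property(page: dict, ref: str):
    """Behaviour after the fix (an analogue of tools.getProperty): walk the dotted reference
    through embedded pages and page lists. Returns None when any step is missing."""
    current = page
    for step in ref.split("."):
        m = _STEP.match(step)
        if m is None or not isinstance(current, dict):
            return None
        name, index = m.group(1), m.group(2)
        current = current.get(name)
        if index is not None:
            if not isinstance(current, list) or not (1 <= int(index) <= len(current)):
                return None
            current = current[int(index) - 1]
        if current is None:
            return None
    return current


def map_saml_attributes(mapping: dict, page: dict, resolver) -> dict:
    """Resolve each attribute's configured property reference against the page; a missing value
    raises the same condition the note reports."""
    values = {}
    for attribute, ref in mapping.items():
        value = resolver(page, ref)
        if value is None:
            raise ValueError(f"No value specified for Attribute {attribute} in SAML assertion")
        values[attribute] = value
    return values


# Constructed sample page and mapping (hypothetical property names).
SAMPLE_PAGE = {
    "pyUserIdentifier": "jdoe",
    "pyAttributes": {"Department": "Security", "Manager": {"Email": "lead@example.com"}},
    "pxResults": [{"Name": "admins"}, {"Name": "auditors"}],
}
MAPPING = {"uid": "pyUserIdentifier", "dept": "pyAttributes.Department", "group": "pxResults(2).Name"}

if __name__ == "__main__":
    print(map_saml_attributes(MAPPING, SAMPLE_PAGE, get_property))
    try:
        map_saml_attributes(MAPPING, SAMPLE_PAGE, get_top_level)
    except ValueError as exc:
        print(exc)  # No value specified for Attribute dept in SAML assertion
```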
SR-D63727 · Issue 531726
Authorization header base64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization header format was invalid when the header carried the credential pair " : " (base64 "Og=="). As this is the default behavior for a particular class of proxy servers, the error has been downgraded to a debug-level log statement and will be visible only when that logging is enabled.
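A Basic Authorization parser that separates the three cases this note conflates, as an added example that is not Pega's code: genuinely malformed base64 (still worth an error-level log), the empty pair ":" that base64-encodes to "Og==" (logged at debug level, as the fix does), and real credentials. The status labels and logger name are assumptions; the sample headers are constructed.

```python
import base64
import binascii
import logging
from typing import Optional, Tuple

log = logging.getLogger("auth.basic")  # hypothetical logger name


def encode_basic(user: str, password: str) -> str:
    """Build a Basic header value; encode_basic("", "") yields 'Basic Og=='."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_authorization(header: Optional[str]) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify an Authorization header as (status, user, password), with status one of
    'absent', 'not-basic', 'invalid', 'empty' or 'ok'. Only malformed input is logged at error
    level; the ':' pair some proxies forward by default is logged at debug level only."""
    if not header:
        return ("absent", None, None)
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return ("not-basic", None, None)
    try:
        # validate=True rejects characters outside the base64 alphabet and bad padding.
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        log.error("Authorization header is not valid base64: %s", exc)
        return ("invalid", None, None)
    user, sep, password = decoded.partition(":")
    if not sep:
        log.error("Authorization header payload lacks the ':' separator")
        return ("invalid", None, None)
    if user == "" and password == "":
        # base64(':') == 'Og=='; an empty pair forwarded by a proxy, not an attack or a defect.
        log.debug("Empty Basic credentials (':' / Og==) received; ignoring")
        return ("empty", None, None)
    return ("ok", user, password)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for h in ("Basic Og==", encode_basic("alice", "s3cret"), "Basic not*base64", "Bearer abc", None):
        print(h, "->", parse_basic_authorization(h))
```

Keeping the "empty" case distinct from "invalid" also helps detection engineering: a burst of truly invalid base64 in Authorization headers is a signal worth alerting on, while "Og==" from a known proxy is expected noise and should not drown it out.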