INC-155276 · Issue 626618
Null check added for step page
Resolved in Pega Version 8.6
After creating and adding new Access Roles and application 'Access When' to the privileges instead of Production level, during run time the error "runtime.IndeterminateConditionalException: Trying to evaluate Rule-Access-When conditions L:IsProdAccess when there is no page to evaluate them against" appeared for the specific privileges. This was traced to a missed use case where the system falls back to the step page if the page for evaluating the 'when' condition is null, which did not account for scenarios where the step page can be null. To resolve this, a null check has been added which will fetch the primary page if the step page for the access 'when' condition is null.
INC-155813 · Issue 629505
SAML SSO redirects to correct URL when application and authentication aliases match
Resolved in Pega Version 8.6
Whenever there was a match in the authentication service alias and the application alias, the application alias was replaced with empty after logoff instead of making the authentication service alias empty. For example, given an authentication service with the alias XYZ ("login with XYZ" alias option) and an application name XYZMyOps, the application alias was being changed from XYZMyOps to appMyOps after logoff. As a result, a blue screen error resulted when clicking on button "login with XYZ" again because it redirected to appMyOps, which didn't exist. This has been resolved by removing authservicealias and modifying AuthServiceAliasHelper.adjustPathIfAuthServiceAliasPresent() to change the method for calculating the pathinfo to string tokenizing.
INC-155954 · Issue 622606
HTTP Strict Transport Security update
Resolved in Pega Version 8.6
An update has been made to add HTTP Strict Transport Security (HSTS) headers to the DSS http/responseHeaders by enabling X-Content-Type-Options Header and X-XSS-Protection Header. In addition, the max age of the HSTS header parameter has been increased from 7 days to 1 year.
INC-156128 · Issue 620485
Added mail/telephone link to allowed CSP child frame
Resolved in Pega Version 8.6
After upgrade from v8.3 to v8.5, clicking on the mail / telephone link in the out of the box case participants gadget generated the Content Security Policy error "This content is blocked. Contact the site owner to fix the issue." Examination of the browser dev-tools console indicated the object refused to frame because it violated the Content Security Policy directive: "frame-src *". This behavior was specific to the Google Chrome browser, and has been resolved by adding code so the mailto: and tel: will be added to the frame-src when Data is selected under Child Frame-Source option. Unchecking the Data checkbox for Child Frame-Source on the policy landing page will remove these from allowed actions under CSP.
INC-156647 · Issue 626294
Improved disconnected requestor cleanup for FieldService
Resolved in Pega Version 8.6
A large number of requestors from FieldService with the status as 'Disconnected' were accumulating and causing performance issues. This was traced to the requestors not getting passivated due to users not logging out and new requestors being created for the same users next time, and was caused by the value of the DSS Initialization/PersistRequestor being set as "OnTimeout". When the DSS prconfig/timeout/browser/default is not configured, the default browser requestor timeout is 60 minutes. In this scenario, requestors were not passivating as the requestor passivation timeout was set to the refresh token lifetime for mobile users, which was very large and overwrote the DSS value. This has been resolved by removing the code which set the passivation timeout to the OAuth2 refresh token lifetime.
INC-156797 · Issue 618991
Property check handling updated for Ajax requestor
Resolved in Pega Version 8.6
SECU0001 alerts were seen when submitting a case in the interaction portal. Logging indicated the errors were related to the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties which are included in an Ajax request when they exist in the DOM and the 'pyGeolocationTrackingIsEnabled' when rule is true. The error was traced to a condition where a new thread request results in an unexpected property check that encounters a clipboard which doesn't have any pages created for that thread. To resolve this, the 'pxRequestor.pyLatitude' and 'pxRequestor.pyLongitude' properties have been added to an allow list to handle the unexpected properties check.
INC-158489 · Issue 623452
Captcha control updated to support ClientValidation
Resolved in Pega Version 8.6
The required checkbox for the pzCaptcha control was not working when using a custom configuration, allowing a case to be submitted with a blank captcha even when the required parameter was selected on control. This was traced to a required parameter not being correctly populated to the pzCaptcha control, and has been resolved by adding ClientValidation into the pzCaptcha control so that if a required parameter is selected on the control it will be applied during case execution.
INC-160024 · Issue 625831
Deprecated authentication methods removed
Resolved in Pega Version 8.6
After upgrade, attempting to trigger the Pega hosted API externally through Post Man resulted in the exception "The method getAuthenticationService() is undefined for the type OAuth2AccessTokenValidation". This was traced to the use of references to the methods getAuthenticationService() and getAuthenticationServiceType(), which are not in use from v8.5 onwards in pzOAuth2AuthenticationActivity and have now been removed. For OAuth2 authentication, the service package should use authentication type as OAuth2; the system will then take care of validating the token and establishing the operator context.
INC-161660 · Issue 633032
Authorization token handling and cleanup improved
Resolved in Pega Version 8.6
When using a mobile app configured with default authentication, clicking on the "Trouble logging in?" link opened a new window and displayed the message "please contact your system administrator" along with the error "Only authenticated client may start this activity: RULE-OBJ-ACTIVITY CODE-SECURITY PZGETAUTHORIZATIONCODE". This has been resolved. In addition, the OAuth token generation and handling has been improved, and the purge agent has been updated to accept a DSS setting for the max number of expired records to purge each time it is run. The default value is 5000.
SR-SR-D79737 · Issue 602304
Improvements for Report Definition OperatorID filtering
Resolved in Pega Version 8.6
Report Definition filters were not working as expected when data from the OperatorID page was used and authentication was enabled. This was traced to the OperatorID page not being correctly populated. To resolve this, the authentication logic has been modified to always create the OperatorID page at requestor level, and the HTTP API layer has been updated to remove the thread level OperatorID page if exists. In addition, an enhancement has been added for improved debugging on log appenders provided by log4j which allows log filtering based on the requestor and thread for a given appender at a specific log level.