Release Notes 4.15

This version introduces two properties to make it easier protecting the security.manager single sign-on cookie (SSO cookie) from security threats: security.sso.cookie.secure and security.sso.cookie.samesite. Both properties are available (but deactivated) in the application.properties of new installations. If you are upgrading security.manager and keeping your application.properties file, add those properties and check if they need to be activated in your environment.

For detailed descriptions of those properties, see Security settings.

Server certificate trustworthiness checking for outgoing HTTPS connections is not enabled by default in security.manager. As of this version, the configuration option security.ssl.trustAny is available in the application.properties. With this option the verification of server certificates can be activated.

You find a more detailed description of this configuration property in the documentation about Installation.

A new section Security Aspects > Outgoing HTTPS Connections is added to the Installation Guide. This chapter contains detailed information about checking the trustworthiness of server certificates in this product.

It is now possible to let security.manager communicate with ArcGIS Server and Portal by using a technical user. This might be necessary to secure services that are not public on ArcGIS Server.

Credentials of the technical user have to be added when configuring a Protected Service in the Administration Web App.

security.manager does no longer accept requests from any origin via CORS.

If, for example, a map.apps application hosted on http://mapapps.example.com:8080 tries to use a service secured by security.manager hosted on http://secman.example.com:8080, any requests from map.apps are blocked by the browser. To allow such requests by the browser, you have to add http://mapapps.example.com:8080 to the new configuration property cors.allowed.origins.