Release Notes 4.19

What’s New

ArcGIS Enterprise 10.9.x Support

This release introduces compatibility with ArcGIS Enterprise 10.9.x. At the same time, support for ArcGIS Enterprise up to 10.7.1 is dropped.

PostgreSQL 13 Support

From this release on, PostgreSQL 13 is officially supported.

Java 17 Support

In addition to Java 11, Java 17 is now also supported.

Logging Improvements

This release contains logging improvements. The log level is now configurable via the application.properties. Furthermore, it is now possible to log into the Graylog Extended Log Format (GELF). It is now also possible to provide log information to con terra’s service.monitor product for further analysis.

Printing Improvements

Printing of maps does no longer rely on a predefined name for the printing task. Furthermore, asynchronous printing is now supported.

Update Notes

If you skip several versions during the update, please also follow all update notes of the intervening versions.

Remove the Access Logging configuration

Access logging was an optional feature and is not part of the product anymore. If you know that access logging is not activated you can skip the following note.

Check if the feature is active by opening the module files in the [INSTALL_FOLDER]/webapp/wss/WEB-INF/classes/enforcementpoint-modules. If the following entry is not present, nothing has to be done.

  • <Interceptor class="de.conterra.suite.security.interceptor.logging.LoggingInterceptor">…​</Interceptor>

In case you found this entry please remove the element from all module files. Delete the file [INSTALL_FOLDER]/webapp/wss/WEB-INF/classes/log4j.xml if present.

Changed Rollout Folder Structure

Please note that the folder structure of the product delivery has changed.

Deprecated Features

The following features are regarded as deprecated and might be removed in future:

  • Native WSS authentication protocol of the Web Security Service (WSS) component

  • (Json) Token authentication protocol of the Web Security Service (WSS) component. It is recommended to use the - currently named - "agstoken" authentication protocol instead.

  • Protection of Web Coverage Service (WCS)

  • Protection of transactional WFS (WFS-T)

  • INSPIRE View and Download Services as separate service types are maintained within the service types WMS and WFS

  • Access to protected services via Gateway application (tab "Gates" in the security.manager administration)

Known Limitations

The following list contains all limitation known at the time of the release of version 4.20.

Delayed visibility of parallel changes of users and rights by different users or external systems (eg LDAP clients) in the security.manager Administrator

To visualize changes from other users / systems in the tree displayed on the left side of the Administrator interface, simply select the root node of the tree and the reload tree button.

Evaluation of two rights

When two rights are defined that are applicable to a user, it is important to determine the correct sequence in the Security Manager administrator (in the dialog "Policy Set"). For example: It is a legal definition that all users are granted access to a WMS, but with copyright restrictions. A user might be a member of a user group "registered" where another piece of legislation for this WMS defines that the access granted WITHOUT Copyright constraint. Both of these rights are valid if the user group "registered" accesses the WMS. In this case, the first policy in the list is used. To prevent the users of the group "registered" from seeing the same copyright notice as unregistered users, this right must be uppermost in the administration set.

WFS feature types are required to have unique names

The security.manager does not distinguish feature types which have the same name but different namespaces, for example x:city is recognized as equal to y:city. Therefore It is required that feature types have unique names.

Use of variable feature IDs in WFS services as a source of spatial conditions

Care must be taken of the accuracy and stability of the displayed feature IDs when using them to create spatial obligations. Feature IDs of the form fid-4d0f905b_126c17decf6_-7d52 indicate internal auto-generated feature-IDs, which change with each new request and thus can not be used for referencing features. If feature IDs change with each request to the WFS, this is due to a lack of feature IDs in the WFS response. The configuration of the WFS service needs to be reviewed so that stable feature identifiers are delivered correctly.

If installed in an instance of Tomcat which does not yet contain the directory [TOMCAT_HOME]/conf/Catalina/localhost, some configuration files are not created correctly

Alternative 1: Create the folder prior to installation.

Alternative 2: During an installation, the context.xml files are stored in the [SECMAN_INSTALL]/postinstall directory. They can be simply copied into the directory [TOMCAT_HOME]/conf/Catalina/localhost. In the installation type container-managed database, the xml files with the suffix -jndi.xml need to be copied.

The following files must be copied:

  • administration.xml

  • gateway.xml

  • wss.xml

Use of unofficial EPSG codes by ArcGIS Server services

Depending on their configuration, ArcGIS Server services sometimes use unofficial EPSG codes for Gauß-Krüger reference systems. These are internally mapped to the corresponding official EPSG codes, The following mappings are used:

  • EPSG:31492 → EPSG:31466

  • EPSG:31493 → EPSG:31467

  • EPSG:31494 → EPSG:31468

  • EPSG:31495 → EPSG:31469

This mapping is only applied to protected services. For the definition of spatial restrictions via a WFS, only official EPSG codes are supported.

Problem with spatial restrictions for ArcGIS Server WFS

ArcGIS Server WFS do not support multipolygons or more than one polygon within a spatial filter. Thus, spatial restrictions cannot be applied if more than one geometry are selected for this restriction or if the incoming request already contains a spatial filter.

When using a Safari browser, repeated logins might be required. To avoid this, change the security settings to always accept cookies.

Limitation regarding Spatial Obligations for "tiled" ArcGIS Server MapServer

Support for spatial obligations with ArcGIS Server cached MapServer instances requires to use the cache storage format "Compact". If any other storage format is used spatial obligations are ignored.

WMS GetMap requests with SLD parameter blocked if layerDefs parameter would be applied

As described in "Filtering features using the layerDefs parameter in WMS requests" , layerDefs has a lower priority when SLD or SLD-BODY parameter is present and is ignored.

Printing of secured services only possible with ags-relay URLs

URLs of secured MapServer services have to be used with ags-relay URL schema:

http://[HOST]/wss/service/ags-relay/
  [EndpointID]/[AUTH_SCHEME]/arcgis/rest/services/
  [SERVICENAME]/MapService

HTTP chunked transfer encoding must be disabled in security.manager when securing ArcGIS geocoder

The ArcGIS Geocoding Server does not support HTTP chunked transfer encoding. If you want to secure that service, chunked encoding must be manually disabled in the settings file of security.manager. To do that, make sure that the property http.client.chunking in the application.properties file is set to false (SECMAN-658).

Spatial Obligations are not supported for INSPIRE Feature Download Services based on ArcGIS for INSPIRE

ArcGIS for INSPIRE Feature Download Services do not support Polygons in queries with spatial filters. Hence for a spatial restriction is not possible.

Invalid responses from INSPIRE Feature Download Services based on ArcGIS for INSPIRE with stored queries

ArcGIS for INSPIRE Feature Download Services might create invalid responses if a GetFeature request references multiple stored queries or contains multiple query elements.

ArcGIS Server WFS and spatial restrictions as well as OGC Filter Expressions

Access to protected ArcGIS Server-based WFS might fail when spatial obligations or OGC Filter Expression obligations are in play. Affected are ArcGIS Server versions 10.3 and higher, which don’t properly support the OGC specifications. Depending on the WFS versions requested by the client (1.0.0, 1.1.0, 2.0.0) you might encounter different error messages.

UMN MapServer WFS and spatial obligations as well as OGC Filter Expressions

The WFS 1.0.0 and 1.1.0 implementations of UMN MapServer do not support the GML versions as stated in the specifications. Because of this spatial obligations and obligations with OGC Filter Expressions are not supported.

ArcGIS Server WFS and DescribeFeatureType requests

For ArcGIS Server WFS services, DescribeFeatureType requests without listing actual FeatureTypes might lead to exceptions, if this WFS provides many FeatureTypes, or the FeatureTypes have long names.

Performance and protected services with huge number of resources

If a protected service (for example a map service) contains a huge number (> 60) of resources (for example layers) performance of service requests decreases noticeably. Consider splitting up such mapping services into several services.

HTTP Basic Authentication in ArcMap and ArcGIS Pro

When trying to load a protected service into ArcMap or ArcGIS Pro via httpauth login fails although correct credentials were specified if username or password contain non-ASCII characters like german umlauts.

ArcGIS Webadaptor with name "rest" or "services"

When the webadaptor for ArcGIS Server is named "rest" or "services" like http://[HOST]/rest/rest/services or http://[HOST]/services/rest/services, the ArcGIS Server cannot be protected by security.manager. When named "rest", no policies can be created, when named "services" policies cannot be enforced.

ArcGIS Server MapServer /find operation with large result sets and spatial obligations

In combination with spatial obligations, the MapServer /find operation may not return all expected features. Large result sets of the /find operation will be capped if they exceed the server side limit of features to return. Spatial obligations will only be applied to the capped result set.

Changelog

4.19.2

Fixed Security Issues

SECMAN-2184

Potentially unprivileged editing of ArcGIS feature layers

Fixed Issues

SECMAN-2156

Don’t enforce field restriction on "subtypeField" and "typeIdField"

SECMAN-2165

[CORS Filter] Ensure 'Vary: Origin' is added to CORS requests, to ensure caching in browsers or proxy servers is correct

SECMAN-2182

ApplyEdits does not support array syntax in deletes parameter

4.19.1

Fixed Security Issues

SECMAN-2159

Potentially unprivileged access to map image

Fixed Issues

SECMAN-2154

SAML 2.0 Federation forwarding to Identity Provider fails

SECMAN-2155

Metadata stays invalid for a long time when initial request failed

4.19.0

Fixed Security Issues

SECMAN-2132

Update jackson-databind to 2.13.2.1 (CVE-2020-36518)

New Features and Improvements

SECMAN-1175

Secured printing should work with "Webkarte exportieren" instead of "Export Web Map" as well

SECMAN-2088

Remove opensaml 1 dependency

SECMAN-2090

Use default values for LDAP properties 'java.naming.security.authentication' and 'java.naming.factory.initial'

SECMAN-2111

Allow to execute print task asynchronously

SECMAN-2112

Enable access to GetLegendGraphic without SERVICE parameter

SECMAN-2115

Provide logging info to service.monitor

SECMAN-2129

Implement basic support for ArcGIS 10.9.x

SECMAN-2146

Allow to configure log level in application.properties

SECMAN-2148

Support GELF logging

Fixed Issues

SECMAN-1444

supportTrueCurve flag in JSON response is always true

SECMAN-2086

LDAP query for implicit groups using "hasSubordinates=true" causes long query times on LDAP server

SECMAN-2087

CSP header prevents redirect back to login initiator

SECMAN-2100

Resource infos of MapServer layers are not cleaned if layer structure is changed

SECMAN-2113

Query to ArcGIS server map service with spatial obligation fails

SECMAN-2131

URL replacement for attribute xsi:schemaLocation fails if attribute value contains multiple empty characters

SECMAN-2134

[Spatial Obligation] Supported Image Types not reduced to png if 'overwriteServiceExtentsWithObligationExtents' is not enabled

SECMAN-2140

Query with spatial filter fails if filter is completely covered by spatial obligation

SECMAN-2144

ApplyEdits does not work with attribute obligations

SECMAN-2149

Unexpected policy set duplication by adding new policy