Release Notes 4.16

What’s New

ArcGIS 10.7 and 10.7.1 Support

This version implements support for ArcGIS Enterprise 10.7 and 10.7.1.

Java 11 Support

You can now use Java 11 in addition to Java 8 to run the security.manager web applications.

Update Notes

Configuration Changes

The set of allowed values for the existing property policymgr.default.wfs.geometryclasses has changed due to an update of third-party libraries. The property controls which feature types are available when selecting the geometries used for spatial obligations. If you added this property to your application.properties file, you need to change the package prefix of its values to org.locationtech.jts.geom. A valid value is, for example, org.locationtech.jts.geom.MultiPolygon, org.locationtech.jts.geom.Polygon.

Other Changes

  • WFS 1.0.0 is no longer supported as a data source for spatial obligation geometries. WFS 1.1.0 is now required.

  • Some misspelled message keys have been corrected in the internationalization files of the security.manager. If you added language files alongside the existing "en" (default) or "_de" files, you might need to update the message keys accordingly. The following keys were changed in the respective files:

    • [SECMAN_INSTALL]/webapp/administration/WEB-INF/lib/ct-security-administrator-base-4.16.0.jar/securityAdminResources[_de].properties
      error.common.exceute.cmd → error.common.execute.cmd

    • [SECMAN_INSTALL]/webapp/administration/WEB-INF/lib/ct-security-administrator-base-4.16.0.jar/wmtsAdminResources[_de].properties
      wmts.error.update.decription → This property was removed

    • [SECMAN_INSTALL]/webapp/administration/WEB-INF/lib/ct-security-administrator-base-4.16.0.jar/genericLicenseAdminResources[_de].properties
      license.generic.error.update.decription → license.generic.error.update.description
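The two configuration changes above (the new class prefix in application.properties and the three changed message keys) are mechanical enough to script. The following migration helper is an added example, not part of security.manager or its installer; it assumes standard Java .properties syntax (key=value or key:value, "#"/"!" comments), takes the property name, the new prefix and the key renames from the notes above, and uses a constructed old package prefix (com.example.oldjts) in its sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# Values taken from the update notes: the affected property and the new prefix.
GEOMETRY_PROPERTY = "policymgr.default.wfs.geometryclasses"
NEW_GEOMETRY_PREFIX = "org.locationtech.jts.geom."

# old key -> new key; None marks the key that was removed in 4.16
RENAMED_MESSAGE_KEYS: Dict[str, Optional[str]] = {
    "error.common.exceute.cmd": "error.common.execute.cmd",
    "wmts.error.update.decription": None,
    "license.generic.error.update.decription": "license.generic.error.update.description",
}

# indent, key, value of a .properties line (assumed syntax: key=value or key:value)
_KEY_VALUE = re.compile(r"^(\s*)([^=:\s]+)\s*[=:]\s*(.*)$")


def migrate_geometry_classes(value: str) -> str:
    """Rewrite every class in the comma-separated value to the new JTS package,
    keeping only the simple class name (MultiPolygon, Polygon, ...). The
    separator ", " follows the example value given in the notes."""
    classes = [c.strip() for c in value.split(",") if c.strip()]
    return ", ".join(NEW_GEOMETRY_PREFIX + c.rsplit(".", 1)[-1] for c in classes)


def migrate_application_properties(text: str) -> Tuple[str, List[str]]:
    """Return the rewritten application.properties text and a change report.
    Only the geometryclasses property is touched; all other lines pass through."""
    out, report = [], []
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        is_comment = line.lstrip().startswith(("#", "!"))
        if m and not is_comment and m.group(2) == GEOMETRY_PROPERTY:
            indent, _, old_value = m.groups()
            new_value = migrate_geometry_classes(old_value)
            if new_value != old_value:
                report.append(f"{GEOMETRY_PROPERTY}: {old_value} -> {new_value}")
            out.append(f"{indent}{GEOMETRY_PROPERTY}={new_value}")
        else:
            out.append(line)
    return "\n".join(out), report


def migrate_message_keys(text: str) -> Tuple[str, List[str]]:
    """Rename the changed keys in a custom *Resources_xx.properties file and drop
    the removed one. Returns the new text and a change report."""
    out, report = [], []
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        if not m or line.lstrip().startswith(("#", "!")):
            out.append(line)
            continue
        indent, key, value = m.groups()
        if key not in RENAMED_MESSAGE_KEYS:
            out.append(line)
            continue
        new_key = RENAMED_MESSAGE_KEYS[key]
        if new_key is None:
            report.append(f"removed {key}")   # wmts.error.update.decription has no successor
            continue
        report.append(f"renamed {key} -> {new_key}")
        out.append(f"{indent}{new_key}={value}")
    return "\n".join(out), report


if __name__ == "__main__":
    # Constructed sample input; com.example.oldjts is a placeholder for the old prefix.
    sample_props = (
        "policymgr.default.wfs.geometryclasses=com.example.oldjts.geom.MultiPolygon, "
        "com.example.oldjts.geom.Polygon\n"
        "http.client.chunking=false"
    )
    new_props, props_report = migrate_application_properties(sample_props)
    print(new_props)
    print(props_report)
```

Run both functions over a copy of your files, review the reports, and only then replace the originals; the helper is idempotent, so running it again on already migrated files reports no changes.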

Deprecated Features

The following features are regarded as deprecated and might be removed in the future:

  • Native WSS authentication protocol of the Web Security Service (WSS) component

  • (Json) Token authentication protocol of the Web Security Service (WSS) component. It is recommended to use the - currently named - "agstoken" authentication protocol instead.

  • Protection of Web Coverage Service (WCS)

  • Protection of transactional WFS (WFS-T)

  • INSPIRE View and Download Services as separate service types (they are maintained within the service types WMS and WFS)

  • Access to protected services via Gateway application (tab "Gates" in the security.manager administration)

Known Limitations

Delayed visibility of parallel changes of users and rights by different users or external systems (e.g. LDAP clients) in the security.manager Administrator

To visualize changes made by other users or systems in the tree displayed on the left side of the Administrator interface, select the root node of the tree and click the reload tree button.

Evaluation of two rights

When two rights are defined that both apply to a user, the correct sequence must be determined in the security.manager Administrator (in the dialog "Policy Set"). For example: a legal definition grants all users access to a WMS, but with copyright restrictions. A user might also be a member of the user group "registered", for which another piece of legislation for this WMS defines that access is granted WITHOUT the copyright constraint. Both rights are valid when a member of the group "registered" accesses the WMS. In this case, the first policy in the list is used. To prevent users of the group "registered" from seeing the same copyright notice as unregistered users, their right must be uppermost in the policy set.
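The first-match rule above is easy to get wrong in a long policy set, because a broad right placed first silently shadows every more specific right below it. The following is an added example that models that rule, not the product's own policy engine: Policy, its group set and the "*" marker for "all users" are assumed names, and the two sample rights are constructed after the copyright example in the notes. shadowed_policies is the check a practitioner would run over an ordered set before saving it.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Policy:
    """One right in a policy set (hypothetical model). 'groups' lists the user
    groups the right applies to; the marker "*" means it applies to every user."""
    name: str
    groups: Set[str]
    obligations: List[str] = field(default_factory=list)   # e.g. ["copyright"]


def applies(policy: Policy, user_groups: Set[str]) -> bool:
    return "*" in policy.groups or bool(policy.groups & user_groups)


def select_policy(policy_set: List[Policy], user_groups: Set[str]) -> Optional[Policy]:
    """First-match semantics as stated in the notes: the first policy in list
    order that applies to the user wins; later applicable policies are ignored."""
    for policy in policy_set:
        if applies(policy, user_groups):
            return policy
    return None


def obligations_for(policy_set: List[Policy], user_groups: Set[str]) -> Optional[List[str]]:
    chosen = select_policy(policy_set, user_groups)
    return None if chosen is None else chosen.obligations


def shadowed_policies(policy_set: List[Policy]) -> List[str]:
    """Ordering lint: a policy can never be selected when an earlier policy
    already applies to every group it covers (or to everyone)."""
    shadowed = []
    for i, later in enumerate(policy_set):
        for earlier in policy_set[:i]:
            if "*" in earlier.groups or later.groups <= earlier.groups:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample modelled on the copyright example in the notes.
EVERYONE = Policy("WMS for all users (copyright notice)", {"*"}, ["copyright"])
REGISTERED = Policy("WMS for group 'registered' (no copyright notice)", {"registered"}, [])

WRONG_ORDER = [EVERYONE, REGISTERED]   # the registered right is never reached
RIGHT_ORDER = [REGISTERED, EVERYONE]   # specific right first, general right second

if __name__ == "__main__":
    print(obligations_for(WRONG_ORDER, {"registered"}))   # ['copyright']
    print(obligations_for(RIGHT_ORDER, {"registered"}))   # []
    print(obligations_for(RIGHT_ORDER, {"anonymous"}))    # ['copyright']
    print(shadowed_policies(WRONG_ORDER))                  # the registered right
```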

WFS feature types are required to have unique names

The security.manager does not distinguish feature types that have the same name but different namespaces; for example, x:city is recognized as equal to y:city. Therefore, feature types are required to have unique names.

Use of variable feature IDs in WFS services as a source of spatial conditions

Care must be taken regarding the accuracy and stability of the displayed feature IDs when using them to create spatial obligations. Feature IDs of the form fid-4d0f905b_126c17decf6_-7d52 indicate internal, auto-generated feature IDs, which change with each new request and thus cannot be used for referencing features. If feature IDs change with each request to the WFS, this is due to a lack of stable feature IDs in the WFS response. The configuration of the WFS service needs to be reviewed so that stable feature identifiers are delivered correctly.
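Before referencing feature IDs in a spatial obligation, it is worth checking a GetFeature response twice: once for IDs that look auto-generated, and once for whether the ID set survives a second request. The following is an added example, not code from security.manager; the regular expression is an assumption derived from the single example ID in the notes, and the GetFeature responses are constructed inline (GML 2 fid attributes for the unstable case, GML 3 gml:id attributes for the stable one).

```python
import re
import xml.etree.ElementTree as ET

GML_NS = "http://www.opengis.net/gml"

# Assumed pattern for auto-generated IDs, derived from the example
# fid-4d0f905b_126c17decf6_-7d52 in the notes: three hex groups after "fid-".
AUTO_FID = re.compile(r"^fid-[0-9a-f]+_[0-9a-f]+_-?[0-9a-f]+$", re.IGNORECASE)


def is_autogenerated_fid(fid: str) -> bool:
    return AUTO_FID.match(fid) is not None


def feature_ids(gml_text: str) -> list:
    """Collect feature identifiers from a GetFeature response: GML 2 'fid'
    attributes and GML 3 'gml:id' attributes, in document order."""
    root = ET.fromstring(gml_text)
    ids = []
    for element in root.iter():
        fid = element.get(f"{{{GML_NS}}}id") or element.get("fid")
        if fid:
            ids.append(fid)
    return ids


def assess_feature_ids(first_response: str, second_response: str) -> dict:
    """Flag auto-generated IDs and test whether two requests for the same
    features returned the same ID set (the stability the notes require)."""
    first = feature_ids(first_response)
    second = feature_ids(second_response)
    return {
        "autogenerated": [f for f in first if is_autogenerated_fid(f)],
        "stable": bool(first) and set(first) == set(second),
    }


def _collection(members: str) -> str:
    """Wrap constructed featureMember elements in a minimal WFS 1.x FeatureCollection."""
    return (
        '<wfs:FeatureCollection xmlns:wfs="http://www.opengis.net/wfs" '
        'xmlns:gml="http://www.opengis.net/gml" xmlns:x="http://example.invalid/x">'
        + members + "</wfs:FeatureCollection>"
    )


# Constructed sample responses: the same two features fetched twice with
# auto-generated IDs (which differ between requests), and once with stable IDs.
UNSTABLE_1 = _collection(
    '<gml:featureMember><x:city fid="fid-4d0f905b_126c17decf6_-7d52"/></gml:featureMember>'
    '<gml:featureMember><x:city fid="fid-4d0f905b_126c17decf6_-7d51"/></gml:featureMember>'
)
UNSTABLE_2 = _collection(
    '<gml:featureMember><x:city fid="fid-4d0f905b_126c17decf6_-7d50"/></gml:featureMember>'
    '<gml:featureMember><x:city fid="fid-4d0f905b_126c17decf6_-7d4f"/></gml:featureMember>'
)
STABLE = _collection(
    '<gml:featureMember><x:city gml:id="city.1"/></gml:featureMember>'
    '<gml:featureMember><x:city gml:id="city.2"/></gml:featureMember>'
)

if __name__ == "__main__":
    print(assess_feature_ids(UNSTABLE_1, UNSTABLE_2))   # two auto-generated IDs, stable False
    print(assess_feature_ids(STABLE, STABLE))           # no auto-generated IDs, stable True
```

With a live WFS, replace the constructed strings with the bodies of two identical GetFeature requests; a result with a non-empty "autogenerated" list or "stable" equal to False means the service configuration has to be fixed before its IDs can be used in spatial obligations.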

If installed in an instance of Tomcat which does not yet contain the directory [TOMCAT_HOME]/conf/Catalina/localhost, some configuration files are not created correctly

Alternative 1: Create the folder prior to installation.

Alternative 2: During an installation, the context.xml files are stored in the [SECMAN_INSTALL]/postinstall directory. They can simply be copied into the directory [TOMCAT_HOME]/conf/Catalina/localhost. For the installation type "container-managed database", the XML files with the suffix -jndi.xml need to be copied.

The following files must be copied:

  • administration.xml

  • gateway.xml

  • wss.xml

Use of unofficial EPSG codes by ArcGIS Server services

Depending on their configuration, ArcGIS Server services sometimes use unofficial EPSG codes for Gauß-Krüger reference systems. These are internally mapped to the corresponding official EPSG codes. The following mappings are used:

  • EPSG:31492 → EPSG:31466

  • EPSG:31493 → EPSG:31467

  • EPSG:31494 → EPSG:31468

  • EPSG:31495 → EPSG:31469

This mapping is only applied to protected services. For the definition of spatial restrictions via a WFS, only official EPSG codes are supported.

Problem with spatial restrictions for ArcGIS Server WFS

ArcGIS Server WFS does not support multipolygons or more than one polygon within a spatial filter. Thus, spatial restrictions cannot be applied if more than one geometry is selected for the restriction or if the incoming request already contains a spatial filter.

When using a Safari browser, repeated logins might be required. To avoid this, change the security settings to always accept cookies.

Limitation regarding Spatial Obligations for "tiled" ArcGIS Server MapServer

Support for spatial obligations with ArcGIS Server cached MapServer instances requires the cache storage format "Compact". If any other storage format is used, spatial obligations are ignored.

WMS GetMap requests with SLD parameter blocked if layerDefs parameter would be applied

As described in "Filtering features using the layerDefs parameter in WMS requests", layerDefs has a lower priority than the SLD or SLD_BODY parameter: when either is present, layerDefs is ignored.

Spaces in definition queries are not supported by ArcGIS Server WMS

Spaces are not supported in the layerDefs parameter. Do not provide definition queries containing spaces.

Printing of secured services only possible with ags-relay URLs

URLs of secured MapServer services have to be used with the ags-relay URL schema:

http://[HOST]/wss/service/ags-relay/[EndpointID]/[AUTH_SCHEME]/arcgis/rest/services/[SERVICENAME]/MapService

HTTP chunked transfer encoding must be disabled in security.manager when securing ArcGIS geocoder

The ArcGIS Geocoding Server does not support HTTP chunked transfer encoding. If you want to secure that service, chunked encoding must be manually disabled in the settings file of security.manager. To do that, make sure that the property http.client.chunking in the application.properties file is set to false (SECMAN-658).

Spatial Obligations are not supported for INSPIRE Feature Download Services based on ArcGIS for INSPIRE

ArcGIS for INSPIRE Feature Download Services do not support polygons in queries with spatial filters. Hence a spatial restriction is not possible.

Invalid responses from INSPIRE Feature Download Services based on ArcGIS for INSPIRE with stored queries

ArcGIS for INSPIRE Feature Download Services might create invalid responses if a GetFeature request references multiple stored queries or contains multiple query elements.

ArcGIS Server WFS and spatial restrictions as well as OGC Filter Expressions

Access to protected ArcGIS Server-based WFS might fail when spatial obligations or OGC Filter Expression obligations are in play. Affected are ArcGIS Server versions 10.3 and higher, which don’t properly support the OGC specifications. Depending on the WFS versions requested by the client (1.0.0, 1.1.0, 2.0.0) you might encounter different error messages.

UMN MapServer WFS and spatial obligations as well as OGC Filter Expressions

The WFS 1.0.0 and 1.1.0 implementations of UMN MapServer do not support the GML versions stated in the specifications. Because of this, spatial obligations and obligations with OGC Filter Expressions are not supported.

ArcGIS Server WFS and DescribeFeatureType requests

For ArcGIS Server WFS services, DescribeFeatureType requests that do not list specific FeatureTypes might lead to exceptions if the WFS provides many FeatureTypes or the FeatureTypes have long names.

Performance and protected services with huge number of resources

If a protected service (for example a map service) contains a huge number (> 60) of resources (for example layers), the performance of service requests decreases noticeably. Consider splitting such map services into several services.

HTTP Basic Authentication in ArcMap and ArcGIS Pro

When loading a protected service into ArcMap or ArcGIS Pro via httpauth, login fails even though correct credentials were specified if the username or password contains non-ASCII characters such as German umlauts.

ArcGIS Webadaptor with name "rest" or "services"

When the web adaptor for ArcGIS Server is named "rest" or "services", as in http://[HOST]/rest/rest/services or http://[HOST]/services/rest/services, the ArcGIS Server cannot be protected by security.manager. When it is named "rest", no policies can be created; when it is named "services", policies cannot be enforced.

log4j 1.2.17 vulnerable to remote code execution (CVE-2019-17571)

Some vulnerability scanning tools may flag the log4j library. According to CVE-2019-17571, the library contains a component that is vulnerable to deserialization of untrusted data. This component is not used at all by security.manager, so the vulnerability cannot be exploited.

ArcGIS Server MapServer /find operation with large result sets and spatial obligations

In combination with spatial obligations, the MapServer /find operation may not return all expected features. Large result sets of the /find operation will be capped if they exceed the server side limit of features to return. Spatial obligations will only be applied to the capped result set.

Changelog

4.16.6

New Features and Improvements

SECMAN-2025

Block WFS request if no service parameter with value 'WFS' is provided

Fixed Issues

SECMAN-1093

SOAP QueryRelatedRecords request is not authorized correctly when SourceTableID points to layer

SECMAN-1122

Export Web Map Task fails if JSON contains null values

SECMAN-1332

Allow creating spatial obligations for protected services that require basic authentication

SECMAN-1545

GetFeatureInfo on WMS returns exception for disallowed areas

SECMAN-1762

Wrong WMS ServiceException code when requesting non-existing layers

SECMAN-1798

Installer option "Drop old database tables" does not work correctly on Oracle 18.4 XE

SECMAN-2001

Required database grant not documented

SECMAN-2005

Error when querying metadata from AGS Map Service

SECMAN-2007

Improve XSS protection means

SECMAN-2009

Prevent NPE if protected server does not provide a response body

SECMAN-2011

WMS should pass on mandatory parameters

4.16.5

New Features and Improvements

SECMAN-543

Allow for configurations of IP ranges in addition to hostnames

Fixed Issues

SECMAN-1714

INSPIRE Feature Download Service: GetFeature does not return features

SECMAN-1885

WFS GetFeature XML request fails when defining custom namespace prefix

SECMAN-1928

Logging interceptor logs wrong timestamps

SECMAN-1956

WFS DescribeFeatureType request fails if no namespace is defined within TYPENAME parameter

SECMAN-1961

Multiple users locked after failed logins by a single user

SECMAN-1971

Web app might fail to start because of API incompatibility

4.16.4

Fixed Issues

SECMAN-765

Printing via protected printing service from ArcGIS Desktop fails

SECMAN-1325

WMTS REST endpoint cannot be secured

SECMAN-1407

Installation folder is missing postinstall\sql\ssosession-db and postinstall\sql\upgrade folders

SECMAN-1903

Wrong SRS URN used if spatial filter added to WFS requests

SECMAN-1914

Cannot create policy for REST-only WMTS

4.16.3

New Features and Improvements

SECMAN-1896

Improve caching of spatial restriction geometries defined for WFS

Fixed Issues

SECMAN-979

WFS GetFeature request with BBOX fails when spatial obligation exists in different SRS

SECMAN-1538

Spatial obligation for WFS fails with XtraServer WFS 2.0

SECMAN-1895

Spatial obligation may not get enforced on WFS

4.16.2

New Features and Improvements

SECMAN-1470

Trim whitespaces when saving LDAP attribute value mappings

SECMAN-1875

Describe configuration for LDAP-S

Fixed Issues

SECMAN-1624

AGS feature services layer metadata may get wiped out on update

SECMAN-1802

Secured UMN Mapserver WFS 2.0.0 does not return feature types for version 1.x.0

SECMAN-1836

Installation fails on Linux if installation path contains spaces

SECMAN-1848

Printing doesn’t work with SSO-secured services when using subfolder in context path for WSS

SECMAN-1849

Attribute fields with "/" get replaced by URLs in ArcGIS Server query response

SECMAN-1851

WFS GetFeature request via HTTP POST fails

SECMAN-1860

Cannot create protected service for WMS when service URL contains query parameters

SECMAN-1870

No attribute values displayed when querying service with joined tables

SECMAN-1871

Map preview not displayed if HTTPS with untrusted certificate is used

SECMAN-1876

Error message when opening a newly added layer

SECMAN-1880

FeatureServer may expose forbidden features

SECMAN-1881

ArcGIS user account locked when using wrong password in enforcement point configuration

SECMAN-1884

User matching a role defined by dn value not displayed

4.16.1

New Features and Improvements

SECMAN-1830

Redirect to profile page if /register or /pwrecovery is accessed by authenticated user

Fixed Issues

SECMAN-823

ImageServer based WMS cannot be requested

SECMAN-1083

Policy Administration does not allow fetching resources from AGS Token secured WMS, WFS, and WCS services

SECMAN-1368

Logout does not clear IdP cookies

SECMAN-1801

Wrong URL used when displaying queryRelatedRecords results on MapServer request

SECMAN-1803

Broken umlauts in installer

SECMAN-1808

WFS request fails when filter expression obligation is defined

SECMAN-1809

MapServer may allow access to restricted features

SECMAN-1810

Failure when parsing error response from ArcGIS Server >= 10.5

SECMAN-1812

Login with old password is possible after password change for a short time

SECMAN-1831

Spatial obligation not enforced on WFS point or line feature types

4.16.0

New Features and Improvements

SECMAN-1723

Compliance with ArcGIS Enterprise 10.7

SECMAN-1760

Compliance with ArcGIS Enterprise 10.7.1

SECMAN-1779

Ensure that ArcGIS Server SOAP URL is used when creating a protected service

SECMAN-1791

Remove servlet container selection dialog from installer

SECMAN-1795

Render URLs to ArcGIS Server services in policy and resource as clickable HTML links

SECMAN-1796

Support Java 11

Fixed Issues

SECMAN-954

URL replacement in HTML REST browsing output fails if ArcGIS Server resides on the same host as sec.man

SECMAN-1153

"Content-Disposition" header is not forwarded

SECMAN-1358

'resultRecordCount' parameter not respected for MapServer queries

SECMAN-1509

Improve salutation when sending email when user’s gender is not set

SECMAN-1696

URL replacement in ArcGIS Server HTML REST browsing output fails

SECMAN-1701

XtraServer authorization header is missing when accessing external resources

SECMAN-1703

security.manager can’t handle AGS labelExpression in some cases

SECMAN-1739

Accessing secured JSON file via URL protection increases CPU load dramatically

SECMAN-1740

Protected Feature Service returns "Access denied to some of the requested features" on /applyEdits

SECMAN-1742

Cannot navigate from a role to a user having that role

SECMAN-1754

Use '…' instead of <…> in sec.man logs to avoid incorrect HTML rendering in the AGS logger

SECMAN-1755

Features are shown outside of spatial restriction

SECMAN-1756

Button "Show Users" does not show up in role administration UI

SECMAN-1757

StoredQuery request fails

SECMAN-1761

WFS GET request fails when DEBUG log enabled

SECMAN-1764

Fix typo in properties name error.common.exceute.cmd

SECMAN-1776

Cannot create policy sets for AGS services containing umlauts in service name

SECMAN-1777

Fix typos in property names license.generic.error.update.decription and wmts.error.update.decription

SECMAN-1778

Special chars not encoded in AGS HTML browsing

SECMAN-1788

HTML product link points to an invalid location

SECMAN-1794

/query fails in HTML browsing