Release Notes 4.22
What’s New
Support of Tomcat 10 and Java 21
You can now run security.manager on Tomcat 10 and Java 21. Therefore, support for Tomcat 9 and Java 11 is dropped. Please refer to the system requirements for further details.
Update Notes
If you skip several versions during the update, please also follow all update notes of the intervening versions. |
Update Tomcat and Java
Please update you Tomcat instance to version 10. In case you have been using Java 11 so far, please update to version 17 or 21.
Breaking change for queries used in definition query obligations (since 4.22.1)
Policies allow to define definition query obligations to limit access to features of a layer. Definition query obligations require you to define a query that may contain references to attributes of the requesting user like this:
LEVEL <= ${user.customattribute0}
security.manager now checks that user attributes only resolve to SQL literal values when they are replaced in query expressions. By default, non-literal values are rejected and will cause a request failure.
If you have to accept user attribute values resolving to anything else than SQL literals, you must now explicitly mark them as insecure
inside the query.
Otherwise user requests will fail with errors.
The following example demonstrates how to flag a user attribute that should be replaced with the provided value without any checks.
LEVEL <= ${user.customattribute0;insecure}
Deprecated Features
The following features are regarded as deprecated and might be removed in future:
-
Native WSS authentication protocol of the Web Security Service (WSS) component
-
(Json) Token authentication protocol of the Web Security Service (WSS) component. It is recommended to use the - currently named - "agstoken" authentication protocol instead.
-
Protection of Web Coverage Service (WCS)
-
Protection of transactional WFS (WFS-T)
-
INSPIRE View and Download Services as separate service types are maintained within the service types WMS and WFS
-
Access to protected services via Gateway application (tab "Gates" in the security.manager administration)
-
Protection of ArcGIS Server services
Known Limitations
The following list contains all limitation known at the time of the release of version 4.22.
Phasing out support for 'Third-Party Cookies' in Google Chrome
Google has announced that support for 'Third-Party Cookies' in Google Chrome will be phased out by the end of 2024.
This can be read at Update on the plan for phase out of third party cookies on chrome .
The security.manager uses 'Third-Party Cookies' for user authentication when integrating protected services into external websites via the /sso
endpoint.
An example of this is the integration of security.manager protected services into ArcGIS Online via the /sso
endpoint.
In this case, communication takes place via the browser from an external website (www.arcgis.com) to the security.manager (e.g. security.example.com).
We recommend switching to the agstoken
authentication method, as it does not rely on Third-Party Cookies
.
Additionally, we recommend disabling the use of Third-Party Cookies
by setting the option security.sso.cookie.samesite=true
.
Delayed visibility of parallel changes of users and rights by different users or external systems (eg LDAP clients) in the security.manager Administrator
To visualize changes from other users / systems in the tree displayed on the left side of the Administrator interface, simply select the root node of the tree and the reload tree button.
Evaluation of two rights
When two rights are defined that are applicable to a user, it is important to determine the correct sequence in the Security Manager administrator (in the dialog "Policy Set"). For example: It is a legal definition that all users are granted access to a WMS, but with copyright restrictions. A user might be a member of a user group "registered" where another piece of legislation for this WMS defines that the access granted WITHOUT Copyright constraint. Both of these rights are valid if the user group "registered" accesses the WMS. In this case, the first policy in the list is used. To prevent the users of the group "registered" from seeing the same copyright notice as unregistered users, this right must be uppermost in the administration set.
WFS feature types are required to have unique names
The security.manager does not distinguish feature types which have the same name but different namespaces, for example x:city
is recognized as equal to y:city
.
Therefore It is required that feature types have unique names.
Use of variable feature IDs in WFS services as a source of spatial conditions
Care must be taken of the accuracy and stability of the displayed feature IDs when using them to create spatial obligations.
Feature IDs of the form fid-4d0f905b_126c17decf6_-7d52
indicate internal auto-generated feature-IDs, which change with each new request and thus can not be used for referencing features.
If feature IDs change with each request to the WFS, this is due to a lack of feature IDs in the WFS response.
The configuration of the WFS service needs to be reviewed so that stable feature identifiers are delivered correctly.
If installed in an instance of Tomcat which does not yet contain the directory [TOMCAT_HOME]/conf/Catalina/localhost
, some configuration files are not created correctly
Alternative 1: Create the folder prior to installation.
Alternative 2: During an installation, the context.xml
files are stored in the [SECMAN_INSTALL]/postinstall
directory.
They can be simply copied into the directory [TOMCAT_HOME]/conf/Catalina/localhost
.
In the installation type container-managed database, the xml files with the suffix -jndi.xml
need to be copied.
The following files must be copied:
-
administration.xml
-
gateway.xml
-
wss.xml
Use of unofficial EPSG codes by ArcGIS Server services
Depending on their configuration, ArcGIS Server services sometimes use unofficial EPSG codes for Gauß-Krüger reference systems. These are internally mapped to the corresponding official EPSG codes, The following mappings are used:
-
EPSG:31492 → EPSG:31466
-
EPSG:31493 → EPSG:31467
-
EPSG:31494 → EPSG:31468
-
EPSG:31495 → EPSG:31469
This mapping is only applied to protected services. For the definition of spatial restrictions via a WFS, only official EPSG codes are supported.
Problem with spatial restrictions for ArcGIS Server WFS
ArcGIS Server WFS do not support multipolygons or more than one polygon within a spatial filter. Thus, spatial restrictions cannot be applied if more than one geometry are selected for this restriction or if the incoming request already contains a spatial filter.
Cookie handling with Safari browser
When using a Safari browser, repeated logins might be required. To avoid this, change the security settings to always accept cookies.
Limitation regarding Spatial Obligations for "tiled" ArcGIS Server MapServer
Support for spatial obligations with ArcGIS Server cached MapServer instances requires to use the cache storage format "Compact". If any other storage format is used spatial obligations are ignored.
WMS GetMap requests with SLD parameter blocked if layerDefs parameter would be applied
As described in "Filtering features using the layerDefs parameter in WMS requests" , layerDefs has a lower priority when SLD or SLD-BODY parameter is present and is ignored.
Printing of secured services only possible with ags-relay URLs
URLs of secured MapServer services have to be used with ags-relay URL schema:
http://[HOST]/wss/service/ags-relay/ [EndpointID]/[AUTH_SCHEME]/arcgis/rest/services/ [SERVICENAME]/MapService
HTTP chunked transfer encoding must be disabled in security.manager when securing ArcGIS geocoder
The ArcGIS Geocoding Server does not support HTTP chunked transfer encoding.
If you want to secure that service, chunked encoding must be manually disabled in the settings file of security.manager.
To do that, make sure that the property http.client.chunking
in the application.properties
file is set to false (SECMAN-658).
Spatial Obligations are not supported for INSPIRE Feature Download Services based on ArcGIS for INSPIRE
ArcGIS for INSPIRE Feature Download Services do not support Polygons in queries with spatial filters. Hence for a spatial restriction is not possible.
Invalid responses from INSPIRE Feature Download Services based on ArcGIS for INSPIRE with stored queries
ArcGIS for INSPIRE Feature Download Services might create invalid responses if a GetFeature request references multiple stored queries or contains multiple query elements.
ArcGIS Server WFS and spatial restrictions as well as OGC Filter Expressions
Access to protected ArcGIS Server-based WFS might fail when spatial obligations or OGC Filter Expression obligations are in play. Affected are ArcGIS Server versions 10.3 and higher, which don’t properly support the OGC specifications. Depending on the WFS versions requested by the client (1.0.0, 1.1.0, 2.0.0) you might encounter different error messages.
UMN MapServer WFS and spatial obligations as well as OGC Filter Expressions
The WFS 1.0.0 and 1.1.0 implementations of UMN MapServer do not support the GML versions as stated in the specifications. Because of this spatial obligations and obligations with OGC Filter Expressions are not supported.
ArcGIS Server WFS and DescribeFeatureType requests
For ArcGIS Server WFS services, DescribeFeatureType requests without listing actual FeatureTypes might lead to exceptions, if this WFS provides many FeatureTypes, or the FeatureTypes have long names.
Performance and protected services with huge number of resources
If a protected service (for example a map service) contains a huge number (> 60) of resources (for example layers) performance of service requests decreases noticeably. Consider splitting up such mapping services into several services.
HTTP Basic Authentication in ArcMap and ArcGIS Pro
When trying to load a protected service into ArcMap or ArcGIS Pro via httpauth login fails although correct credentials were specified if username or password contain non-ASCII characters like german umlauts.
ArcGIS Webadaptor with name "rest" or "services"
When the webadaptor for ArcGIS Server is named "rest" or "services" like http://[HOST]/rest/rest/services
or http://[HOST]/services/rest/services
, the ArcGIS Server cannot be protected by security.manager.
When named "rest", no policies can be created, when named "services" policies cannot be enforced.
ArcGIS Server MapServer /find
operation with large result sets and spatial obligations
In combination with spatial obligations, the MapServer /find
operation may not return all expected features.
Large result sets of the /find
operation will be capped if they exceed the server side limit of features to return.
Spatial obligations will only be applied to the capped result set.
Changelog
4.22.3
New Features and Improvements
|
Support newer signing algorithms for SAML workflow |
|
Don’t pollute Administrator web app logs with warning about missing attribute URN |
|
Drop hostname check from IPAndHostnameVerifier |
|
[service.monitor integration] Integrate support for ingest pipelines of service.monitor 4.10 |
Fixed Issues
|
Redirection to ADFS IdP fails with message "MSIS7903: The message is not signed with expected signature algorithm" |
|
CVE-2024-47554 reported for commons-io depedency |
|
Password recovery does not send e-mails |
|
Inconsistent database state on failed policy set upload |
|
Log file reports error "Invalid column name 'STATE'" on login |
|
Parsing of layer parameter during a /dynamiclayer/query request with null renderer leads to error |
|
Login with LDAP fails when using "scope = onelevel" |
4.22.2
New Features and Improvements
|
Document known issue regarding use of SSO cookie handling with upcoming change in Google Chrome browser |
|
Don’t log stacktrace when XSLT class lookup fails |
Fixed Issues
|
Orphaned entries in POLICY_OBL |
|
Accessing protected WFS that does not support WFS 2.0.0 fails |
|
Raise log level of certificate error messages, such as "time part […] was out of range" |
|
Creating groups with leading blanks prevents assigned users from signing in |
|
[Gateway] header X-Content-Type-Options:nosniff wrongly added to /gateto endpoint. |
|
WAS creates invalid SAML 1 assertion IDs |
|
GPServer service description not displayed |