---
title: PingAccess 8.1 (June 2024)
description: Security PA-15610
component: pingaccess
version: 8.3
page_id: pingaccess:release_notes:pa_81_rn
canonical_url: https://docs.pingidentity.com/pingaccess/8.3/release_notes/pa_81_rn.html
revdate: June 14, 2024
section_ids:
  improved-request-header-security: Improved request header security
  pingaccess-9-0-will-remove-java-11-support-in-december-2025: PingAccess 9.0 will remove Java 11 support in December 2025
  cache-multiple-token-types-for-web-api-applications: Cache multiple token-types for Web + API applications
  cef-logging: CEF logging
  skip-the-request-or-response-payload-in-a-pingauthorize-call: Skip the request or response payload in a PingAuthorize call
  map-static-header-values-to-a-pingauthorize-call: Map static header values to a PingAuthorize call
  use-pingauthorize-access-control-rules-on-agent-applications-and-resources: Use PingAuthorize access control rules on agent applications and resources
  set-pingaccess-cookies-with-the-partitioned-attribute: Set PingAccess cookies with the partitioned attribute
  encrypt-pingaccess-cookies-using-aes-gcm-encryption-algorithms: Encrypt PingAccess cookies using AES-GCM encryption algorithms
  configure-the-samesitestrict-attribute-on-web-session-cookies: Configure the SameSite=Strict attribute on web session cookies
  temporarily-promote-a-replica-admin-node-to-the-primary-admin-node: Temporarily promote a replica admin node to the primary admin node
  opt-out-of-automatic-url-encoding: Opt out of automatic URL encoding
  fixed-nullpointerexception-with-the-rewrite-content-rule: Fixed NullPointerException with the rewrite content rule
  fixed-an-issue-with-the-agent-response-returning-a-non-default-token-ttl-for-unprotected-api-resources: Fixed an issue with the agent response returning a non-default token TTL for unprotected API resources
  fixed-an-issue-with-accessing-global-unprotected-resources: Fixed an issue with accessing global unprotected resources
  fixed-issues-with-query-parameter-behavior-due-to-automatic-url-encoding: Fixed issues with query parameter behavior due to automatic URL encoding
  fixed-admin-jwks-endpoint-returning-a-401-or-500-response-instead-of-the-oauth-key-set: Fixed admin JWKS endpoint returning a 401 or 500 response instead of the OAuth key set
  fixed-engine-self-registration-failure: Fixed engine self-registration failure
---

# PingAccess 8.1 (June 2024)

## Improved request header security

Security PA-15610

Fixed an issue with connection request header handling. Learn more in [SECADV045](https://support.pingidentity.com/s/article/SECADV045-PA-HTTP-Smuggling).

## PingAccess 9.0 will remove Java 11 support in December 2025

Info

Ping Identity intends to remove Java 11 support from PingAccess in December 2025. For more information, including Java 17 support, see [Installation requirements](../installing_and_uninstalling_pingaccess/pa_installation_requirements.html).

## Cache multiple token-types for **Web + API** applications

New PA-15516

If you use a **Web + API** application, the `vnd-pi-resource-cache` PingAccess agent protocol (PAAP) header now contains an additional path so **Web + API** applications can cache both cookie and authorization header token-types. A new PAAP header, `vnd-pi-token-cache-oauth-ttl`, helps the agent distinguish between cookie and authorization header cache TTLs.

When the application type is **Web + API**, PingAccess only returns the TTL header corresponding with the token-type that it used to make the access decision, `vnd-pi-token-cache-ttl` or `vnd-pi-token-cache-oauth-ttl`. For more information, see [PAAP agent response](../agents_and_integrations/pa_ap_agent_response.html), and, after upcoming agent releases, the `agent.cache.defaultTokenType` property in one of the following agent configuration pages:

* [RHEL agent configuration](../agents_and_integrations/pa_apache_rhel_configuration.html)

* [SLES agent configuration](../agents_and_integrations/pa_apache_sles_configuration.html)

* [Windows agent configuration](../agents_and_integrations/pa_apache_windows_configuration.html)

* [IIS agent configuration](../agents_and_integrations/pa_iis_configuration.html)

Previously, cache definitions were only maintained for the cookie token-type. Accordingly, the ability to cache cookie and authorization header token-types simultaneously improves system performance because an agent doesn't have to call the PingAccess server every time it receives a request with an authorization header.

|   |                                                                                                                                                                                                                                                                                                                                                                |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Existing agent environments ignore the new `vnd-pi-token-cache-oauth-ttl` header and additional paths in the `vnd-pi-resource-cache` header. To see the performance boost, upgrade to PingAccess 8.1 and, after upcoming agent releases, upgrade to the latest version of the desired Apache or IIS agent. Otherwise, continue to use an earlier agent version. |

## CEF logging

New PA-15579

Enable PingAccess to write any of its five audit logs in Common Event Format (CEF). Learn more in [Writing audit logs in Common Event Format](../configuring_and_customizing_pingaccess/pa_writing_audit_logs_in_common_event_format.html).

## Skip the request or response payload in a PingAuthorize call

New PA-15585

You can now control whether to include the request body in a call to PingAuthorize or a response body in the modified response. Excluding request and response bodies improves performance if the request or response body isn't required to make an access decision or to modify the response.

Learn more in [Adding PingAuthorize access control rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauth_access_control_rules.html) and [Adding PingAuthorize response filtering rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauthz_response_filtering_rules.html).

## Map static header values to a PingAuthorize call

New PA-15586

Declare headers that should be added to the PingAuthorize request or to the modified response. PingAuthorize uses the additional headers to determine the policy set that's most relevant to the request or response context.

Learn more in [Adding PingAuthorize access control rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauth_access_control_rules.html) and [Adding PingAuthorize response filtering rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauthz_response_filtering_rules.html).

## Use PingAuthorize access control rules on agent applications and resources

New PA-15587

You can now use PingAuthorize access control rules in PingAccess agent deployments. Learn more in [Adding PingAuthorize access control rules](../pingaccess_user_interface_reference_guide/pa_adding_pingauth_access_control_rules.html).

## Set PingAccess cookies with the `partitioned` attribute

New PA-15588 and PA-15690

Added the ability to set PingAccess cookies with the `Partitioned` attribute to align with the Cookies Having Independent Partitioned State (CHIPS) specification. This helps maintain support for applications that use an iframe or other third-party embedded context to interact with web resources that PingAccess protects as browsers phase out third-party cookies that don't support CHIPS.

CHIPS enables third-party sites to continue to set cross-site cookies as long as they have the `Partitioned` attribute. To limit cross-site tracking, partitioned cookies can only be read within the same context of the top-level site where they were initially set. Learn more about CHIPS in <https://developer.mozilla.org/en-US/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies> and <https://developers.google.com/privacy-sandbox/3pcd/chips>.

In the PingAccess administrative console or API, use the **Partitioned Cookie** setting to control whether to add the `Partitioned` attribute to all cookies that PingAccess sets for a specific [web session](../pingaccess_user_interface_reference_guide/pa_advanced_web_session_settings.html) or the [admin web session](../pingaccess_user_interface_reference_guide/pa_configuring_session_properties.html).

In the `run.properties` file, use the `pa.default.cookie.attributes.partitioned.excludedUserAgentPatterns` property to omit the `Partitioned` attribute only for browsers that don't support it. Learn more in the **Engine properties** section of the [Configuration file reference](../reference_guides/pa_config_file_ref.html).

|   |                                                                                                                                                                                                                                                                                                                                                                                                                       |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The `pa.default.session.cookie.attributes.partitioned` property is also new in PingAccess 8.1, but this property is intended mainly for potential future backports. In PingAccess 8.1 and later, the **Partitioned Cookie** setting is the preferred way to set the `Partitioned` attribute. The **Partitioned Cookie** value overrides the value of the `pa.default.session.cookie.attributes.partitioned` property. |

## Encrypt PingAccess cookies using AES-GCM encryption algorithms

New PA-15605

Added support for Advanced Encryption Standard Galois/Counter Mode (AES-GCM) encryption algorithms. Three AES-GCM encryption algorithms are now available in the **Encryption Algorithm** list on the **Web Session Management** page:

1. AES 128 with GCM

2. AES 192 with GCM

3. AES 256 with GCM

Learn more about configuring encryption algorithms in [Configuring web session management settings](../pingaccess_user_interface_reference_guide/pa_configuring_web_session_management_settings.html).

## Configure the `SameSite=Strict` attribute on web session cookies

New PA-15706

Added a new level of restriction to the **SameSite Cookie** list in advanced web session settings, `SameSite=Strict`. The `SameSite=Strict` attribute provides the strongest level of cross-site request forgery (CSRF) protection, but should not be configured as the sole means of defense against CSRF.

Learn more in [Configuring advanced web session settings](../pingaccess_user_interface_reference_guide/pa_advanced_web_session_settings.html) and <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-8.8>.
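A check for the cookie attributes covered in the `Partitioned` and `SameSite=Strict` sections above, as an added example that is not PingAccess code. The cookie names and values are constructed, and the `embedded` flag (the protected application is rendered in a cross-site iframe) is an assumption supplied by the caller.

```python
# Added example, not PingAccess code. Cookie names and values are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs


def audit_cookie(header, embedded=False):
    """Return findings for one Set-Cookie header.

    embedded=True (an assumption supplied by the caller) means the protected
    application is rendered inside a cross-site iframe.
    """
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    findings = []
    # CHIPS: browsers reject a Partitioned cookie that is not also Secure.
    if "partitioned" in attrs and "secure" not in attrs:
        findings.append(f"{name}: Partitioned requires Secure")
    if samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure")
    # Strict and Lax cookies are not attached to requests from a cross-site frame.
    if embedded and samesite in ("strict", "lax"):
        findings.append(f"{name}: SameSite={samesite} is withheld in a cross-site frame")
    if embedded and samesite == "none" and "partitioned" not in attrs:
        findings.append(f"{name}: cross-site cookie without Partitioned")
    return findings


# Constructed sample headers.
SAMPLES = {
    "embedded_ok": "PA.demo=constructed; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",
    "no_secure": "PA.demo=constructed; Path=/; HttpOnly; SameSite=None; Partitioned",
    "strict": "PA.demo=constructed; Path=/; Secure; HttpOnly; SameSite=Strict",
    "unpartitioned": "PA.demo=constructed; Path=/; Secure; HttpOnly; SameSite=None",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, audit_cookie(header, embedded=True) or "ok")
```

Run it against the `Set-Cookie` headers captured from a test login after changing the **Partitioned Cookie** or **SameSite Cookie** setting.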

## Temporarily promote a replica admin node to the primary admin node

New PA-15707

Added two new endpoints to the replica admin console server:

* **GET /adminConfig/replicaAdmin/status**

* **POST /adminConfig/replicaAdmin/promote**

Made the following endpoints available from the replica admin console server:

* **GET /adminConfig/replicaAdmins/**

* **GET /adminConfig/replicaAdmins/{id}**

In DevOps environments, you can now temporarily promote the replica admin node through the replica admin API if the primary node is unavailable, but you must complete the [Manually promoting the replica administrative node](../reference_guides/pa_manually_promoting_the_replica_admin_node.html) procedure to make this change permanent. This change provides greater availability for the PingAccess admin console by decreasing the amount of time it takes to promote the replica admin node. Learn more in [Using the admin API to temporarily promote the replica admin node](../reference_guides/pa_using_the_admin_api_to_promote_the_replica_admin_node.html).

## Opt out of automatic URL encoding

Improved PA-15697

By default, redirect rules and rejection handlers automatically URL encode the redirect URL that the administrator enters. This could cause unexpected behavior if an application targeted by a redirect requires the URL to follow a specific format.

You can now opt out of automatic URL encoding by deselecting the **Encode URL** check box on a specific application resource logout or redirect response generator, redirect rule, redirect authentication challenge response generator, or redirect rejection handler. Learn more in:

* [Adding application resources](../pingaccess_user_interface_reference_guide/pa_adding_application_resources.html)

* [Adding redirect rules](../pingaccess_user_interface_reference_guide/pa_adding_redirect_rules.html)

* [Authentication challenge response generator descriptions](../pingaccess_user_interface_reference_guide/pa_acr_generator_descriptions.html)

* [Creating rejection handlers](../pingaccess_user_interface_reference_guide/pa_creating_rejection_handlers.html)

## Fixed `NullPointerException` with the rewrite content rule

Fixed PA-15612

Fixed an issue that caused a `NullPointerException` error when the [rewrite content rule](../pingaccess_user_interface_reference_guide/pa_adding_rewrite_content_rules.html) was used on a resource that returned an empty chunked response body.

## Fixed an issue with the agent response returning a non-default token TTL for unprotected API resources

Fixed PA-15622

Fixed an issue that caused unprotected agent API resources to have unexpected OAuth TTL values.

## Fixed an issue with accessing global unprotected resources

Fixed PA-15692

Fixed a regression issue that caused a `500` error response when accessing a global unprotected resource on a **Web + API** application.

## Fixed issues with query parameter behavior due to automatic URL encoding

Fixed PA-15696

Fixed an issue with automatically URL encoding target redirect URLs that sometimes disrupted query parameter sort order or added a trailing `=` to the end of single value query parameters. This issue affected redirect rules, redirect rejection handlers, redirect virtual resources, logout virtual resources, and redirect authentication challenge policy response generators.
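A regression check for the two symptoms described above, as an added example that is not PingAccess code: it compares the query string of a configured redirect URL with the one observed in a `Location` header. The URLs are constructed, and `roundtrip` is a generic parse-and-reserialize illustration of how a trailing `=` can appear, not a statement about the PingAccess implementation.

```python
# Added example, not PingAccess code. All URLs below are constructed.
from urllib.parse import parse_qsl, urlencode, urlsplit


def roundtrip(query):
    """Generic parse/re-serialize: turns a bare 'flag' token into 'flag='."""
    return urlencode(parse_qsl(query, keep_blank_values=True))


def raw_params(url):
    """Return the query as raw 'key' or 'key=value' tokens, order preserved.

    parse_qsl cannot be used here: it reports 'flag' and 'flag=' identically.
    """
    return [token for token in urlsplit(url).query.split("&") if token]


def query_drift(configured, observed):
    """List the differences between the configured and observed query strings."""
    before, after = raw_params(configured), raw_params(observed)
    findings = []
    # A single-value token that comes back with '=' appended.
    bare = {token for token in before if "=" not in token}
    for token in after:
        if token.endswith("=") and token[:-1] in bare:
            findings.append(f"trailing '=' added to '{token[:-1]}'")
    # Keys are compared as written; percent-encoding differences are not normalized.
    keys_before = [token.split("=", 1)[0] for token in before]
    keys_after = [token.split("=", 1)[0] for token in after]
    if sorted(keys_before) != sorted(keys_after):
        findings.append("query parameters added or dropped")
    elif keys_before != keys_after:
        findings.append("query parameter order changed")
    return findings


CONFIGURED = "https://app.example.com/cb?z=1&flag&a=2"    # constructed
OBSERVED_BAD = "https://app.example.com/cb?a=2&flag=&z=1"  # constructed
OBSERVED_OK = "https://app.example.com/cb?z=1&flag&a=2"    # constructed

if __name__ == "__main__":
    print(roundtrip("flag&a=2"))
    print(query_drift(CONFIGURED, OBSERVED_BAD))
    print(query_drift(CONFIGURED, OBSERVED_OK))
```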

## Fixed admin JWKS endpoint returning a `401` or `500` response instead of the OAuth key set

Fixed PA-15723

Fixed an issue that caused PingAccess to override existing handling for the `/pa/oauth/JWKS` endpoint for the admin listener with the engine self-registration handler, prompting requests made to the endpoint to result in `401` unauthorized responses or `500` internal server errors.

## Fixed engine self-registration failure

Fixed PA-15725

Fixed an engine self-registration failure caused by an inability to determine whether the engine self-registration token should be a Bearer or DPoP-bound token.
