--- title: PingAuthorize 10.0.0.0 (December 2023) description: New component: pingauthorize version: 10.1 page_id: pingauthorize:release_notes:paz_rn_100 canonical_url: https://docs.pingidentity.com/pingauthorize/10.1/release_notes/paz_rn_100.html revdate: February 5, 2025 section_ids: send-more-flexible-decision-requests-with-policy-queries: Send more flexible decision requests with policy queries cache-dynamic-service-responses: Cache dynamic service responses copy-trust-framework-attribute-resolvers: Copy Trust Framework attribute resolvers disable-rules-in-the-policy-tree: Disable rules in the policy tree added-support-for-apache-camel-3-21-2: Added support for Apache Camel 3.21.2 added-support-for-java-17-and-removed-support-for-java-8: Added support for Java 17 and removed support for Java 8 disabled-sni-hostname-checks-by-default: Disabled SNI hostname checks by default disabled-oidc-implicit-grant-flow: Disabled OIDC Implicit grant flow added-indexes-to-improve-database-query-performance: Added indexes to improve database query performance fixed-scim-case-sensitivity-issue: Fixed SCIM case-sensitivity issue fixed-attribute-caching-memory-error: Fixed attribute caching memory error fixed-missing-statements-array-in-policy-testing: Fixed missing statements array in policy testing fixed-error-response-handling-in-app-warn: Fixed error response handling in APP WARN removed-serverroot-requirement-from-the-check-replication-domains-tool: Removed --serverRoot requirement from the check-replication-domains tool fixed-duplication-issue-when-running-dsjavaproperties-initialize: Fixed duplication issue when running dsjavaproperties --initialize replaced-nullpointerexception-error-for-alert-handlers-lacking-configuration: Replaced NullPointerException error for alert handlers lacking configuration addressed-inability-of-ldap-request-handlers-to-respond-to-incoming-client-requests: Addressed inability of LDAP Request Handlers to respond to incoming client requests --- # PingAuthorize 10.0.0.0 (December 2023) ## Send more flexible decision requests with policy queries New With the new Policy Query API, you can now issue decision requests containing valueless and multivalued attributes to receive decisions more complex than `Permit` or `Deny`, enabling you to dynamically drive user interfaces. For more information, see [Policy queries](../pingauthorize_policy_administration_guide/paz_policy_queries.html). ## Cache dynamic service responses New To improve decision evaluation performance and reduce latency, you can cache dynamic service response values for faster retrieval on subsequent requests. When enabling caching for HTTP services, you can exclude certain headers from the service response. This prevents invalidation of the cache when values of those headers change. For more information, see [Service caching](../pingauthorize_policy_administration_guide/paz_service_caching.html). ## Copy Trust Framework attribute resolvers New To build your authorization logic more efficiently, you can make editable copies of attribute resolvers. For more information, see [Copying elements](../pingauthorize_policy_administration_guide/paz_entity_copy.html). ## Disable rules in the policy tree New To control the granularity of policy evaluation, you can disable rules in policies. This causes the decision engine to skip disabled rules during policy evaluation and allows you more flexibility in testing and deployment of policy logic. For more information, see [Creating policies and policy sets](../pingauthorize_policy_administration_guide/paz_create_policy_sets.html). ## Added support for Apache Camel 3.21.2 Info Although Camel services have been removed from the default PingAuthorize configuration, you can now enable Camel version 3.21.2 if your policies depend on such services. For more information, see [Apache Camel availability](../_orphan_files/paz_camel_availability.html). ## Added support for Java 17 and removed support for Java 8 Info We have added support for Java 17 and removed support for Java 8. For more information, see [System requirements](../installing_and_uninstalling_pingauthorize/paz_system_requirements.html). For information on upgrading from a PingAuthorize instance installed with Java 8, see [Upgrade considerations introduced in PingAuthorize 10.0](../upgrading_pingauthorize/paz_upgrade_consids_100.html). ## Disabled SNI hostname checks by default Info PAZ-10754 To avoid `HTTP 400` responses when SNI hostname checks fail, these checks are now disabled by default for the PingAuthorize server and Policy Editor. We added a new `setup` option, `--disableSniHostnameChecks`, to control whether PingAuthorize performs this check. For important considerations when upgrading from a previous version and attempting to reuse your configuration, see [Upgrade considerations introduced in PingAuthorize 10.0](../upgrading_pingauthorize/paz_upgrade_consids_100.html). ## Disabled OIDC Implicit grant flow Info PAZ-1795 We have disabled the OIDC Implicit flow implementation in the Policy Editor because the OAuth Working Group no longer recommends its use. In its place, you should use the Authorization Code with PKCE flow. For more information, see [Configuring an OIDC provider for single sign-on requests from PingAuthorize](../installing_and_uninstalling_pingauthorize/paz_config_authn_server_openid_connect.html). ## Added indexes to improve database query performance Improved We added two database indexes to the `db-cli` module to improve performance when querying the `CurrentEntityVersion` and `EntityRelationship` tables. ## Fixed SCIM case-sensitivity issue Fixed PAZ-8473 We fixed an issue where requests to create SCIM entries were not always observing the `case-exact=false` property, leading to incorrect case-sensitivity errors. ## Fixed attribute caching memory error Fixed PAZ-10643 We fixed an issue where the decision engine only checked if an attribute cache entry had expired when accessing that entry, leading to `Out of Memory` errors. Now, attribute caching uses the Redis library directly, allowing a unique Time to Live (TTL) for each cache entry. Redis instances invalidate cache entries once the TTL has elapsed, rather than when the entries are accessed. For more information, see [Attribute caching](../pingauthorize_policy_administration_guide/paz_attr_caching.html). ## Fixed missing statements array in policy testing Fixed PAZ-6335 We fixed an issue, where, in the Response tab of policy testing, the root-level `statements` array was not appearing if left empty in the testing scenario. ## Fixed error response handling in `APP WARN` Fixed PAZ-10350 We fixed an issue where the HTTP Service Executor was not properly capturing error messages in the `APP WARN` logs from the policy information provider (PIP) endpoint. ## Removed `--serverRoot` requirement from the `check-replication-domains` tool Fixed DS-47655 We fixed the `check-replication-domains` tool so that the `--serverRoot` argument is no longer required. This argument now defaults to the server's root directory. ## Fixed duplication issue when running `dsjavaproperties --initialize` Fixed DS-45206 We fixed an issue where running `dsjavaproperties --initialize` would append duplicate arguments to the `common.java-args` in the `java.properties` file. ## Replaced `NullPointerException` error for alert handlers lacking configuration Fixed DS-47455 We fixed an issue where a `NullPointerException` error occurred when an alert or alarm was raised, and one more of the alert handlers was not configured. An alert notification is now recorded in `logs/errors` instead. ## Addressed inability of LDAP Request Handlers to respond to incoming client requests Fixed DS-46312 We fixed an issue where TLS timeouts prevented LDAP Request Handlers from responding to client requests. The `request-handler-per-connection` configuration property is now available for LDAP and LDAPS Connection Handlers.