Send more flexible decision requests with policy queries
With the new Policy Query API, you can now issue decision
requests containing valueless and multivalued attributes to receive decisions
more complex than
Permit
or Deny
, enabling you
to dynamically drive user interfaces. For more information, see Policy queries.Cache dynamic service responses
To improve decision evaluation performance and reduce latency, you
can cache dynamic service response values for faster retrieval on subsequent
requests. When enabling caching for HTTP services, you can exclude certain
headers from the service response. This prevents invalidation of the cache when
values of those headers change. For more information, see Service caching.
Copy Trust Framework attribute resolvers
To build your authorization logic more efficiently, you can make
editable copies of attribute resolvers. For more information, see Copying elements.
Disable rules in the policy tree
To control the granularity of policy evaluation, you can disable
rules in policies. This causes the decision engine to skip disabled rules during
policy evaluation and allows you more flexibility in testing and deployment of
policy logic. For more information, see Creating policies and policy sets.
Added support for Apache Camel 3.21.2
Although Camel services have been removed from the default
PingAuthorize configuration, you can
now enable Camel version 3.21.2 if your policies depend on such services. For
more information, see Apache Camel availability.
Added support for Java 17 and removed support for Java 8
We have added support for Java 17 and removed support for Java 8.
For more information, see System requirements. For information on
upgrading from a PingAuthorize instance
installed with Java 8, see Upgrade considerations introduced in PingAuthorize 10.0.
Disabled SNI hostname checks by default
To avoid
HTTP 400
responses when SNI hostname
checks fail, these checks are now disabled by default for the PingAuthorize server and Policy Editor. We added
a new setup
option,
--disableSniHostnameChecks
, to control whether PingAuthorize performs this check. For important
considerations when upgrading from a previous version and attempting to reuse
your configuration, see Upgrade considerations introduced in PingAuthorize 10.0.Disabled OIDC Implicit grant flow
We have disabled the OIDC Implicit flow implementation in the
Policy Editor because the OAuth Working Group no longer recommends its use. In
its place, you should use the Authorization Code with PKCE flow. For more
information, see Configuring an OIDC provider for single sign-on requests from PingAuthorize.
Added indexes to improve database query performance
We added two database indexes to the
db-cli
module to improve performance when querying the
CurrentEntityVersion
and
EnetityRelationship
tables.Fixed SCIM case-sensitivity issue
We fixed an issue where requests to create SCIM entries were not
always observing the
case-exact=false
property, leading to
incorrect case-sensitivity errors.Fixed attribute caching memory error
We fixed an issue where the decision engine only checked if an
attribute cache entry had expired when accessing that entry, leading to
Out of Memory
errors. Now, attribute caching uses the Redis
library directly, allowing a unique Time to Live (TTL)
for each cache entry. Redis instances invalidate cache entries once the TTL has
elapsed, rather than when the entries are accessed. For more information, see
Attribute caching.Fixed missing statements array in policy testing
We fixed an issue, where, in the Response
tab of policy testing, the root-level
statements
array was not
appearing if left empty in the testing scenario.Fixed error response
handling in APP WARN
We fixed an issue where the HTTP Service Executor was not properly
capturing error messages in the
APP WARN
logs from the policy
information provider (PIP) endpoint.Removed
--serverRoot
requirement from the
check-replication-domains
tool
We fixed the
check-replication-domains
tool so
that the --serverRoot
argument is no longer required. This
argument now defaults to the server's root directory.Fixed duplication issue
when running dsjavaproperties --initialize
We fixed an issue where running
dsjavaproperties
--initialize
would append duplicate arguments to the
common.java-args
in the
java.properties file.Replaced
NullPointerException
error for alert handlers lacking
configuration
We fixed an issue where a
NullPointerException
error occurred when an alert or alarm was raised, and one more of the alert
handlers was not configured. An alert notification is now recorded in
logs/errors instead.Addressed inability of LDAP Request Handlers to respond to incoming client requests
We fixed an issue where TLS timeouts prevented LDAP Request
Handlers from responding to client requests. The
request-handler-per-connection
configuration property is
now available for LDAP and LDAPS Connection Handlers.