Security enhancement in JDBC datastore queries - PingFederate - 10.2

PingFederate Server


A security enhancement has been made in PingFederate 9.0 to safeguard JDBC datastore queries against back-end SQL injection attacks. This protection is enabled for all new installations.

For upgrades, you can enable this protection by modifying the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.SqlFilterManager.xml file.

To enable this security enhancement:

  1. Edit the org.sourceid.common.SqlFilterManager.xml file.
  2. Set the <item name="enableSqlFilters"> element value to true; for example:
    <?xml version="1.0" encoding="UTF-8"?>
    <config xmlns="http://www.sourceid.org/2004/05/config">
        <item name="enableSqlFilters">true</item>
    </config>
  3. Save the file.
  4. Restart PingFederate.
    If you have a clustered PingFederate environment:
    1. Perform the previous steps on the console node.
    2. Sign on to the PingFederate administrative console.
    3. Go to the System > Server > Cluster Management window.
    4. Click Replicate Configuration to push this change to all engine nodes.
  5. Verify your use cases to make sure your search filters return the expected results.
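The file edit in steps 1 to 3, as an added example that is not part of this page or of PingFederate's own tooling: a small Python script that reads org.sourceid.common.SqlFilterManager.xml, reports whether enableSqlFilters is set to true, and sets it (adding the item if an upgraded install lacks it). It assumes only the file layout shown above, a config root element in the http://www.sourceid.org/2004/05/config namespace holding an item named enableSqlFilters; the sample file contents below are constructed. Restarting PingFederate and replicating the configuration to engine nodes (step 4 and the clustered sub-steps) are still done as described above.

```python
"""Audit or enable the enableSqlFilters setting in PingFederate's SqlFilterManager.xml.

Added example, not PingFederate's own code. Assumes the file layout shown on the
page: a <config> root in the http://www.sourceid.org/2004/05/config namespace
containing <item name="enableSqlFilters">. The path below is the one given on the
page with <pf_install> left as a placeholder to fill in.
"""
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "http://www.sourceid.org/2004/05/config"
ITEM = "enableSqlFilters"
CONFIG_PATH = Path("<pf_install>/pingfederate/server/default/data/config-store/"
                   "org.sourceid.common.SqlFilterManager.xml")  # placeholder

# Constructed sample: an upgraded install where the protection is still off.
SAMPLE_DISABLED = """<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.sourceid.org/2004/05/config">
    <item name="enableSqlFilters">false</item>
</config>
"""


def _find_item(root: ET.Element):
    """Return the <item name="enableSqlFilters"> child of <config>, or None."""
    for item in root.findall(f"{{{NS}}}item"):
        if item.get("name") == ITEM:
            return item
    return None


def sql_filters_enabled(xml_text: str) -> bool:
    """True only if the item exists and its value is literally 'true'.

    A missing or empty item counts as disabled: on an upgraded install the
    protection is off unless the value has been set explicitly.
    """
    item = _find_item(ET.fromstring(xml_text))
    if item is None:
        return False
    return (item.text or "").strip().lower() == "true"


def enable_sql_filters(xml_text: str) -> str:
    """Return the config with enableSqlFilters set to true, adding the item if absent."""
    ET.register_namespace("", NS)  # keep the default xmlns instead of an ns0: prefix
    root = ET.fromstring(xml_text)
    item = _find_item(root)
    if item is None:
        item = ET.SubElement(root, f"{{{NS}}}item", name=ITEM)
    item.text = "true"
    if hasattr(ET, "indent"):  # Python 3.9+: keep the file readable
        ET.indent(root, space="    ")
    body = ET.tostring(root, encoding="unicode")
    # Emit the same declaration the page shows rather than relying on ET's locale-based one.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n"


def ensure_enabled(path: Path) -> bool:
    """Enable the flag in the file on disk; return True if the file was changed."""
    text = path.read_text(encoding="utf-8")
    if sql_filters_enabled(text):
        return False
    path.write_text(enable_sql_filters(text), encoding="utf-8")
    return True


if __name__ == "__main__":
    # Demonstrate on a constructed temp copy; pass a real path as argv[1] to audit a node.
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
    else:
        target = Path(tempfile.mkdtemp()) / "org.sourceid.common.SqlFilterManager.xml"
        target.write_text(SAMPLE_DISABLED, encoding="utf-8")
    changed = ensure_enabled(target)
    print(f"{target}: {'enabled now (restart PingFederate)' if changed else 'already enabled'}")
```

Run it with the real file path on the console node, then restart PingFederate and, in a cluster, replicate the configuration from System > Server > Cluster Management so the engine nodes pick up the change.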