Security enhancement in JDBC datastore queries - PingFederate

Page created: 16 Jul 2021 |

Page updated: 19 Jan 2022

| 1 min read

Product PingFederate 11.0 Upgrading User task Product documentation Content Type Administrator Audience Software Deployment Method

A security enhancement was made in PingFederate 9.0 to safeguard JDBC datastore queries against back-end SQL injection attacks. This protection is enabled for all new installations.

If you are upgrading from PingFederate 8.4.4 or an earlier version, you can enable this protection by modifying the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.SqlFilterManager.xml file.

Edit the org.sourceid.common.SqlFilterManager.xml file.

Set the <item name="enableSqlFilters"/> element value to true.

In the following example, the true value has been bolded for visibility.

<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.sourceid.org/2004/05/config">
    <item name="enableSqlFilters">true</item>
</config>

Save the file.
Restart PingFederate.

If you have a clustered PingFederate environment:
1. Perform the previous steps on the console node.
2. Sign on to the PingFederate administrative console.
3. Go to System > Server > Cluster Management.
4. Click Replicate Configuration to push this change to all engine nodes.
Verify your use cases to make sure your search filters return the expected results.

Security enhancement in JDBC datastore queries - PingFederate - 11.0

PingFederate Server