Security enhancement in JDBC datastore queries - PingFederate - 11.0

A security enhancement was made in PingFederate 9.0 to safeguard JDBC datastore queries against back-end SQL injection attacks. This protection is enabled for all new installations.

If you are upgrading from PingFederate 8.4.4 or an earlier version, you can enable this protection by modifying the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.SqlFilterManager.xml file.

  1. Edit the org.sourceid.common.SqlFilterManager.xml file.
  2. Set the <item name="enableSqlFilters"/> element value to true:
    <?xml version="1.0" encoding="UTF-8"?>
    <config xmlns="http://www.sourceid.org/2004/05/config">
        <item name="enableSqlFilters">true</item>
    </config>
  3. Save the file.
  4. Restart PingFederate.
  5. If you have a clustered PingFederate environment, push this change to all engine nodes:
    1. On the administrative console, go to System > Server > Cluster Management.
    2. Click Replicate.
  6. Verify your use cases to make sure your search filters return the expected results.
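
To confirm the setting after the restart and replication steps above, the following added example (not part of the PingFederate documentation or product) parses copies of org.sourceid.common.SqlFilterManager.xml and reports the state of enableSqlFilters in each. The function names and sample inputs are constructed for illustration, and treating only the literal value `true` as enabled is an assumption.

```python
import sys
import xml.etree.ElementTree as ET

# Namespace and item name exactly as they appear in the file shown above.
CONFIG_NS = "http://www.sourceid.org/2004/05/config"
ITEM_NAME = "enableSqlFilters"

# Constructed sample inputs (not taken from a real installation).
SAMPLE_ENABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.sourceid.org/2004/05/config">
    <item name="enableSqlFilters">true</item>
</config>"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace(b">true<", b">false<")
SAMPLE_MISSING = b'<config xmlns="http://www.sourceid.org/2004/05/config"/>'

def sql_filter_state(xml_bytes):
    """Return 'enabled', 'disabled', 'missing' or 'invalid' for one file."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return "invalid"
    if root.tag != f"{{{CONFIG_NS}}}config":
        return "invalid"  # wrong root element or namespace
    items = [i for i in root.findall(f"{{{CONFIG_NS}}}item")
             if i.get("name") == ITEM_NAME]
    if not items:
        return "missing"
    # Assumption: only the literal value "true" counts as enabled; any other
    # value, or a conflicting duplicate item, is reported as disabled.
    values = [(i.text or "").strip() for i in items]
    return "enabled" if all(v == "true" for v in values) else "disabled"

def audit(paths):
    """Map each path to its state; files that cannot be read are 'unreadable'."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results[path] = sql_filter_state(fh.read())
        except OSError:
            results[path] = "unreadable"
    return results

if __name__ == "__main__":
    results = audit(sys.argv[1:])
    for path, state in results.items():
        print(f"{state:10} {path}")
    sys.exit(0 if results and all(s == "enabled" for s in results.values()) else 1)
```

Pass the script one path per copy of the file, for example copies collected from each engine node; it exits non-zero if any copy is not reported as enabled.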