Security and authentication improvements
The following improvements regarding security and authentication have been made.
SMTP authentication using OAuth 2.0 (#657041)
OAuth 2.0 is now supported for authentication with the outgoing email server. The Settings tab of the Email configuration page of the Web Admin Suite has been extended for this purpose. The new Authentication method setting allows you to choose whether Basic authentication (previous behavior) or OAuth 2.0 authentication (new) should be used for the SMTP server. If OAuth 2.0 is selected, the following fields need to be filled out:
- User name: Enter the name of the principal.
- Client ID: Enter the application ID from the registration of the ConSol CM application.
- Client secret: Enter the secret value from the registration of the ConSol CM application.
- Client authority: Enter the login URL with the tenant ID from the registration of the ConSol CM application, e.g. https://login.microsoftonline.com/1234567890
- Scope: Enter the scope, e.g. https://outlook.office365.com/.default
The following system properties have been added to the module cmas-core-server to save the settings:
- mail.smtp.email.authentication.method
- mail.smtp.email.client.id
- mail.smtp.email.client.secret
- mail.smtp.email.client.authority
- mail.smtp.email.scope
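To show how the five settings above end up on the wire, here is an added example (not ConSol CM code) that builds the token request from the client ID, secret, authority and scope, and encodes the resulting access token into the SASL XOAUTH2 response that the SMTP server receives. It assumes the client-credentials grant and the Microsoft identity platform v2.0 token endpoint path; all identifiers are placeholders.

```python
import base64
from urllib.parse import urlencode

# Constructed sample of the SMTP OAuth 2.0 settings described above; the tenant,
# client ID and secret are placeholders, not values from a real registration.
SMTP_OAUTH_SETTINGS = {
    "mail.smtp.email.client.id": "<application-id-placeholder>",
    "mail.smtp.email.client.secret": "<client-secret-placeholder>",
    "mail.smtp.email.client.authority": "https://login.microsoftonline.com/<tenant-id>",
    "mail.smtp.email.scope": "https://outlook.office365.com/.default",
}

def token_request(settings):
    """Return (url, form) for an OAuth 2.0 client-credentials token request.

    Assumptions: the grant is client_credentials (RFC 6749 section 4.4) and the
    token endpoint is the Microsoft identity platform v2.0 path below the authority.
    The secret travels only in the POST body, never in the URL or in logs.
    """
    url = settings["mail.smtp.email.client.authority"].rstrip("/") + "/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": settings["mail.smtp.email.client.id"],
        "client_secret": settings["mail.smtp.email.client.secret"],
        "scope": settings["mail.smtp.email.scope"],
    }
    return url, form

def xoauth2_initial_response(user, access_token):
    """Encode the SASL XOAUTH2 initial client response sent after AUTH XOAUTH2.

    Wire form is "user=<principal>^Aauth=Bearer <token>^A^A", base64-encoded
    (^A is the 0x01 control byte); the principal is the User name setting.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def xoauth2_decode(initial_response):
    """Inverse of xoauth2_initial_response: what the server sees after decoding."""
    return base64.b64decode(initial_response).decode("utf-8")

if __name__ == "__main__":
    url, form = token_request(SMTP_OAUTH_SETTINGS)
    # Mask the secret before printing the request; it must never reach a log line.
    print("POST", url, urlencode(form).replace(form["client_secret"], "***"))
    print(xoauth2_initial_response("mailer@example.com", "<access-token-placeholder>"))
```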
Maximum number of items returned by REST requests (#658055)
The maximum number of items returned by a single REST request can now be configured. The following system properties were added to the module cmas-restapi-core for this purpose:
- max.pageSize.ticket: Defines the maximum number of cases that can be returned by a single REST request, default: 250.
- max.pageSize.unit: Defines the maximum number of contacts that can be returned by a single REST request, default: 250.
- max.pageSize.resource: Defines the maximum number of resources that can be returned by a single REST request, default: 250.
- max.pageSize.other: Defines the maximum number of other items, e.g. comments or attachments, that can be returned by a single REST request, default: 1000.
A warning is logged when there is a request which exceeds the configured threshold. A debug message is logged when there is a request without page size.
Behavior of the password reset in CM/Track changed (#658066)
When trying to reset the password of a user in CM/Track, the confirmation window that an email has been sent to the user’s email address is now shown for both existing and non-existing users. The status code returned via REST API is also the same for both cases.
Validity of password reset link changed (#658068)
When a user has forgotten their password for the Web Client or CM/Track, they can request an email with a reset link on the login page of these applications. The default validity of the link to reset the password has been changed to 1 hour. It can be adapted in the system property resetCode.expirationPeriod from the module cmas-core-security.
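The two password reset changes above (#658066, uniform response for existing and non-existing users; #658068, 1 hour link validity) are illustrated by this added in-memory model. It is example code, not ConSol CM's implementation, and the service class, the outbox and the clock hook are assumptions made so it runs stand-alone.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Default validity of the reset link: 1 hour (resetCode.expirationPeriod).
RESET_CODE_EXPIRATION_SECONDS = 3600

@dataclass
class PasswordResetService:
    """Constructed in-memory model of the reset flow; not ConSol CM's implementation."""
    known_logins: set
    now: Callable[[], float] = time.time
    codes: dict = field(default_factory=dict)   # login -> (code, expires_at)
    outbox: list = field(default_factory=list)  # (login, code) pairs "sent" by email

    def request_reset(self, login):
        """Return the same status and message whether or not the login exists."""
        if login in self.known_logins:
            code = secrets.token_urlsafe(32)          # unguessable, 256 bits of entropy
            self.codes[login] = (code, self.now() + RESET_CODE_EXPIRATION_SECONDS)
            self.outbox.append((login, code))         # stands in for sending the email
        # Identical body and status for both branches, so the reply itself does not
        # reveal whether the login exists; the extra work in the branch above can still
        # show up as a timing difference on an unthrottled endpoint.
        return 200, "If an account exists for this login, a password reset email has been sent."

    def consume(self, login, code):
        """Accept a code once, only while it is still valid; always False otherwise."""
        entry = self.codes.get(login)
        if entry is None:
            return False
        stored, expires_at = entry
        if self.now() > expires_at:
            del self.codes[login]                      # expired codes are purged
            return False
        if not hmac.compare_digest(stored, code):      # constant-time comparison
            return False
        del self.codes[login]                          # single use
        return True
```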
SSO support for the Web Admin Suite added (#659200)
SSO can now be used for authenticating users in the Web Admin Suite. The authentication mechanism is based on OpenID Connect, which can be set up using Microsoft Active Directory Federation Services or Azure AD.
The SSO configuration on the ConSol CM side is done using the following system properties, which are created automatically during setup or update:
- oidc.was.enabled.default: Indicates whether user authentication using SSO via OIDC is enabled.
- oidc.was.authority.default: Indicates the URL of the authenticating authority, e.g. ADFS. Example: https://localhost/adfs
- oidc.was.clientId.default: Indicates the client ID (application ID) of the application, as registered in ADFS or Azure AD.
- oidc.was.clientSecret.default: Indicates the secret of the client, generated using ADFS or Azure AD.
- oidc.was.redirectUri.default: Indicates the redirect URI where authentication responses can be received. This is either the OIDC endpoint on the ConSol CM server or on the load balancer. Example: https://localhost/was/oidc/
- oidc.was.usernameClaim.default: Indicates the name of the claim in the ID token which is used to map the user to a login in ConSol CM. The value depends on the ADFS settings; the default values are "upn" and "unique_name".
- oidc.was.usernameRegexp.default: Defines the regular expression used for mapping the user name claim values to CM logins. Examples:
  - "upn" as claim: (.*)@.* will transform the claim value "user1@sso.yourdomain.com" to "user1" and look up "user1" in the ConSol CM database.
  - "unique_name" as claim: .*\\(.*) will transform the claim value "SSO\user1" to "user1" and look up "user1" in the ConSol CM database.
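The claim-to-login mapping described for oidc.was.usernameClaim.default and oidc.was.usernameRegexp.default, as an added example (not ConSol CM code) that runs both documented expressions and rejects anything that does not match the whole claim value. Whole-value matching and the None result for disabled SSO, missing claim or missing capture group are assumptions of this example; the token is taken to be already signature-validated.

```python
import re

# Constructed sample of the OIDC system properties described above; the client ID
# and secret are placeholders, not values from a real ADFS or Azure AD registration.
OIDC_SETTINGS = {
    "oidc.was.enabled.default": "true",
    "oidc.was.authority.default": "https://localhost/adfs",
    "oidc.was.clientId.default": "<application-id-placeholder>",
    "oidc.was.clientSecret.default": "<client-secret-placeholder>",
    "oidc.was.redirectUri.default": "https://localhost/was/oidc/",
    "oidc.was.usernameClaim.default": "upn",
    "oidc.was.usernameRegexp.default": r"(.*)@.*",   # the value is used as-is as a regex
}

def map_claim_to_login(id_token_claims, settings):
    """Derive the ConSol CM login from the claims of an already validated ID token.

    Returns None when SSO is disabled, the configured claim is absent or not a
    string, the expression does not match the whole claim value, or it has no
    capture group. Whole-value matching (Java matches() semantics) is assumed so
    that no text before or after the expected shape is silently ignored.
    """
    if settings.get("oidc.was.enabled.default") != "true":
        return None
    value = id_token_claims.get(settings["oidc.was.usernameClaim.default"])
    if not isinstance(value, str):
        return None
    # Note: with "(.*)@.*" the greedy group runs up to the last "@", so a value
    # containing two "@" yields everything before the second one.
    match = re.fullmatch(settings["oidc.was.usernameRegexp.default"], value)
    if match is None or match.lastindex is None:
        return None
    return match.group(1)

if __name__ == "__main__":
    print(map_claim_to_login({"upn": "user1@sso.yourdomain.com"}, OIDC_SETTINGS))
    nt_settings = {**OIDC_SETTINGS,
                   "oidc.was.usernameClaim.default": "unique_name",
                   "oidc.was.usernameRegexp.default": r".*\\(.*)"}
    print(map_claim_to_login({"unique_name": "SSO\\user1"}, nt_settings))
```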
Missing password reset template added (#659599)
The templates which are used for the emails that allow users to reset their passwords are now added automatically when setting up a new ConSol CM system. The following templates are created on the Templates page of the Web Admin Suite with the type Email:
- password-reset-template for resetting the password in the Web Client
- track-password-reset-template for resetting the password in CM/Track V2
- track-auth-password-reset-template for resetting the password in CM/Track V3
You can adapt the template content as needed.
Permission for accessing only contacts of my cases hidden (#659658)
The permissions which allowed users to access only the contacts of their cases have been hidden because of their performance impact when searching for contacts on large systems. The row contacts of my cases has been removed from the Customer groups tab of the Roles page of the Web Admin Suite.
If this kind of permission is needed, the previous behavior can be restored by setting the system property my.customer.enabled from the module cmas-core-server to "true". This will display the permissions again and enable the corresponding behavior.
When updating to ConSol CM version 6.17.0.0, the property is automatically set to its default value false. Therefore, users whose role only contained permissions to contacts of my cases will not be able to access contacts anymore. You either need to grant them regular customer group permissions or enable the previous behavior.
Third-party library changes
The following third-party libraries have been updated or replaced in this ConSol CM version:
- castor (#658150): Replaced by jackson in the scene export mechanism.
This change affects the structure of the exported XML files. For backwards compatibility purposes, in 6.17.0 it will still be possible to import scenes created in a version prior to 6.17.0. This support will be removed in future versions.
- common-compress (#660588): Updated from version 1.21 to 1.26
- express (#660844): Updated to version 4.19.2
- follow-redirects (#660700): Updated from version 1.15.4 to 1.15.6
- formio (#659315): Updated from version 4.13.7 to 4.15.1.
- froala (#660804): Updated from version 4.0.19 to 4.1.4 in CM/Track
- jackson (#660588): Updated from version 2.13.4 to 2.13.5
- java-uuid-generator (#660352): Updated from version 3.1.3 to 4.1.0.
- jose (#660628): Updated from version 4.15.1 to 4.15.5
- msal4j (#658148, #660585, #660884): Replaced by spring-security-oauth2-client and spring-security-oauth2-jose and updated from version 1.13.0 to 1.14.1 / 1.14.3.
- netty (#660857): Updated from version 4.1.101 to 4.1.108 in CM/Doc
The users need to update CM/Doc for this change to become effective.
- sanitize-html (#660590): Updated from version 2.7.3 to 2.12.1
- spring-security (#660884): Updated from version 5.6.12 to 5.8.11