Release Notes

Release notes, distributed with each release, contain all corrections, changes, and enhancements made.

 

BUILD_20240214_1, February 27, 2024

  • SAML upgrade. New SPRING security
  • Fixing beagle-w080-1 issue with the csrf modify AccessDeniedHandler to forward requests to the error page.
  • Adding IdP certificate drop-down to SP page.
  • Adding new uid scope and fixing redirectUris list on the RP page.
  • Fixing brand banner page to allow update brand banner.
  • Fix large header issue when expose brand banner model attribute in redirect view.
  • Switching consent toggle button default value on the RP page and PKCE Refresh token rotation check box.

 

BUILD_20231201_2, December 12, 2023

  • Fixing brand banner CSRF issue for multipart file upload.

 

BUILD_20231031_1, November 28, 2023

  • Enabled TFA.
  • Enabled Dynatrace.

 

BUILD_20231011_1, October 12, 2023

  • NYC.ID now supports OpenID Connect. NYC.ID console allows creating Relying Parties.
  • Brand banner update. Only one brand banner per Relying Party. Google Chrome and other browsers restrict the "referrer" because of the strict-origin-when-cross-origin. Host name must match fully not only top level domain https://hra.nyc.gov/mickey to https://nyc.gov/account will not preserve the query part anymore.
  • Therefore we've removed the discriminator and Target Context Path from the brand banner page.
  • Registration page work with the client_id and target same way as spName and target for SAML.
  • Login page can be customized same way as SAML login page under Relying party in the console.
  • Forgot password, Validate email, Feedback also using client_id for brand banner logic.
  • Pre-enrollment with oidc client_id
  • AWS Monitoring tools such as RUM and Open telemetry added.
  • When disableUsername is selected in SP console, label on the login page changes to "Email Address".
  • Adding ui_locales parameter to change language for OpenID Connect.
  • TFA has been disabled.
  • Delete user is ready but disabled.

 

BUILD_20230307_1, March 7, 2023

  • Fixing NYCID console error issue by adding missing SSL cert.
  • Removed GET method from authenticate webservice (only POST is allowed).
  • Added a new error message "Query String not supported. Send request in the body." when calling authenticate webservice.
  • Spring security logging only ERRORS config change.
  • Removed deprecated HmacSHA1 signatures used for Web Service authentication.
  • Accessing any NYC.ID URL with the /cpui context path will return a HTTP Not Found (404) error.
  • Security - The Authenticate Web Service no longer supports the HTTP GET method.

 

BUILD_20230225_2, February 25, 2023

  • Moving application to AWS deploying to Fargate with Springboot and Docker
  • Accessing any NYC.ID URL with the /cpui context path will return a HTTP Not Found (404) error.
  • The Search Web Service always performs lower case searches of email addresses but now with support of case insensitive searches.
  • Removed facebook social button
  • POSTPONED! Two-factor authentication. POSTPONED!! Users are sent to NYC.ID to enable TFA if an application requires TFA. SAML assertion, api/user.htm, api/getUsers.htm and /api/oauth/user.htm WS calls include new tfa parameter.
  • Added "Two-factor authentication" feedback topic.
  • arcgis.com, hatsandladders.com, olr.nyc, identity-staged.nowpow.com and unqork.io was added as a valid domain in NON-PRD.
  • Within the NYC.ID Console, a Service Provider may be configured to use the user's email address as the Name ID.
  • Updated downloadable licensed ComponentSpace libraries to the NYC.ID Console.
  • Defect - NYC.ID Console Service Providers tab Disable Usernames check box fixed.
  • Upgraded to Gigya Java SDK 3.2.3 (https://developers.gigya.com/display/GD/Java+Change+Log).
  • Fixed create account page to show CAPTCHA after 3 bad attempts.
  • Added IPv6 Client IP validation to be used for DoITT CAPTCHA service.(Already in production with a hot fix)
  • Externalizing maxBrandBanners property.
  • Adding search feature to the console.
  • Adding overloaded method, to ignore User object validation when SAML success is returned.
  • Modal with forgot password instructions were added on the feedback page, when user select forgot password option.
  • Disclaimer was added on the login screen.
  • Defect - API /account/api/oauth/user.htm webservice call. When Prevent Reply attack check-box was selected and dateTime parameter was set WS call incorrectly returned signature validation error due to typo in datetime parameter.
  • Delete enrollment link from the list in the profile page has been removed. Reference release notes from 2.3.0. #4
  • Adding nychhc.org to the list of invalid email address domains.
  • Fixing missing link to download Component Space core 3.1.0

 

2.4.0, February 4, 2020

  • The Authenticate V3 Web Service returns a reason of wrongCaptcha after five failed authentication attempts. Previously, it returned a reason of locked.
  • Passwords may now contain the user's first name, last name or email address.
  • Within the NYC.ID Console, a Service Provider may be configured to prevent users from creating an account with a username.
  • salesforce.com and submittable.com were added to the list of valid domains.
  • Removed the deprecated termsOfUse and userType fields from JSON-formatted Users.
  • Defect – Users are notified when the SAML X.509 Encryption Certificate is expired or about to expire.
  • SAML Service Providers are disabled when the X.509 Certificate or X.509 Encryption Certificate is expired.
  • On the NYC.ID Feedback page, when a user's comments are not written in English, they are translated and included with the user's original comments.
  • Social identity providers can be disabled when using OAuth.
  • Within the NYC.ID Console, a Service Account can contain a list of email addresses that should be notified of important updates to NYC.ID.
  • Security – Within the Get OAuth User Web Service and Delete OAuth User Web Service, the "accessToken" must be provided in the Authorization header (i.e., Authorization: Bearer ). Providing the "accessToken" in the query string is no longer supported.
  • The NYC.ID NON-PRD UI will display a maintenance page when the site is unavailable for maintenance.
  • The NYC.ID NON-PRD Web Services will return a HTTP Status Code of 503 when the site is unavailable for maintenance.
  • Sign in With Apple has been added as a Social Identity Provider.
  • Social identity provider buttons are now colorized.

 

2.3.0, October 15, 2019

  • hra.nycnet was added to the list of valid domains.
  • In the NON-PRD environment, user accounts that have not logged in and have not been updated in the last six months will be deleted.
  • Defect – A user's last name may contain commas.
  • Removed the deprecated Enrollment Web Services.
  • Removed the deprecated Terms of Use Web Service.
  • Added CAPTCHA to Account Profile forms that ask for the user's current password.
  • On the Account Profile pages, a user's account will no longer be locked by entering an incorrect current password.
  • Defect – Validation links in some translated emails are no longer malformed. This is a regression introduced in Release 2.1.0.
  • Internationalization – Replaced quotation marks and apostrophes in error messages with italics to improve translation formatting.
  • Internationalization – Some content styling was modified to improve the quality of translations.

 

2.2.1, August 19, 2019

  • Defect – When invoking IdP Logout from within an iframe, the parent windows is notified, via Window​.post​Message(), that the user has been logged out.
  • The "userType" parameter is optional within the Create Enrollment Web Service and the Delete Enrollment Web Service. The "userType" parameter defaults to EDIRSSO.
  • On the Login page, added a period to the end of the error message, "To login, confirm you are not a robot."
  • On the Login page, added missing translations for Urdu, Haitian Creole, and Bengali.
  • Defect – A user is now able to validate his email address when an unlinked account exists for the same email address. Previously, the user was unable to validate his email address and therefore unable to login.
  • The NON-PRD environment will throttle SAML Logins.
  • The Profile link no longer displays in header when logout is in progress.
  • The LinkedIn identity provider has been re-enabled.

 

2.2.0, June 20, 2019

  • Defect – Dynamically adding all valid domains to the Content-Security-Policy header, frame-ancestors section, to allow IdP Logout to be performed via iframe.
  • Defect – JSON Web Tokens (JWTs) are no longer updated when a user updates his account profile.
  • Defect – When invoked with a JWT, the Get OAuth User Web Service now returns the latest user information.
  • The LinkedIn identity provider has been temporarily disabled.
  • Defect – HTML entities in translations are now properly formatted.
  • azurewebsites.net was added to the list of valid domains.

 

2.1.0, May 14, 2019

  • Added downloadable licensed ComponentSpace libraries to the NYC.ID Console.
  • Added downloadable ComponentSpace saml.config and appsettings.json to the NYC.ID Console.
  • Defect – The Google Translate widget is now enabled on the Login page.
  • On the Account Profile - Deactivate page, removed superfluous "via email", since user accounts with email addresses can't be unlocked via security questions.
  • Upgraded to Gigya Java SDK 3.2.2.
  • Defect – Fixed content appearing in random locales.
  • Defect – When logged in via the NYC Employees IdP, logging out of Account Profile logs the user out of the NYC Employees IdP.
  • Added description above applications listed on the Logout page.
  • Updated the maximum number of service accounts and service providers on NON-PRD from 30 to 100.
  • The Authenticate V2 Web Service returns a reason of pending when authentication succeeds and the user does not have security questions or has not accepted the latest terms of use.
  • The NYC Employees identity provider can be hidden on the Login page, configurable within the NYC.ID Console.
  • Defect – An unregistered user with an un-validated email address is now able to validate it.
  • The NYC.ID Console now displays the users that have access to edit each Service Account.

 

2.0.1, May 14, 2019

  • On the Login page, if a user does not login within 5 minutes, the user is redirected to the SP's home page.
  • planninglabs.nyc was added as a valid domain in NON-PRD.
  • If the user arrives on the Login page via bookmark (i.e., the request has a null HTTP referer), the user is redirected the SP's home page.
  • On the NYC.ID Feedback page, the Which application are you using? field is no longer required.
  • Defect – The Authenticate Web Service will enroll a user when authentication succeeds.
  • Defect – Fixed a NPE that occurred when sending the email notification of an expired SAML SP certificate.
  • Added and expanded date formats in the NYC.ID Console.
  • A user's first name may contain parenthesis.
  • Added an additional error message when a NYC email address is used on the Create Account, Email Confirmation Required, and Forgot Password pages.
  • The OAuth Web Services can be configured to return JSON Web Tokens (JWTs), configured via the NYC.ID Console.
  • Defect – OAuth 2.0 access tokens are now created with the correct username, and are correctly destroyed during logout.
  • Defect – Invoking an IdP Logout via /account/idpLogout.htm will revoke all existing access tokens for the logged in user.
  • NYC.ID documentation on NYC4D was moved to NYC.gov

 

2.0.0, March 15, 2019

  • Unusued Email Validation links are expired.
  • Unusued Deactivation links are expired.
  • Security – The Get Enrollments Web Service has been removed.
  • Deactivated users are returned via the Search Web Service.
  • A JSON-formatted user will contain the user's activation status.
  • The Get Users Web Service "startDate" and "endDate" parameters are now inclusive.
  • On the Create Account page, the Security section can be hidden using the "hideSecurityQuestionFields" query string parameter. Note: if the user attemps to create an account with a username, he or she must select and answer one security question.
  • Newly registered users will have a 32 character GUID. Federated identity provider GUIDs are no longer valid when invoking most APIs.
  • On the Login page, the "lang" parameter is use to set the language. Previously, the parameter was called "localeLanguage". A HTTP cookie must be used instead. Learn about Internationalization and Localization.
  • Applications are required to display all federated identity provider on the Login page. An exception will be granted for applications accessed from kiosks that do not have access to the Internet.
  • A user may link his or her accounts such that any federated identity providers can be used to log into the same NYC.ID account.
  • The Authenticate Web Service returns a reason of notFound if the email address does not exist.
  • The Authenticate Web Service returns a reason of pending if the userName does not have an associated security question and answer.
  • The Authenticate Web Service no longer returns HTTP Status 420 – Precondition Required.
  • Added static Terms of Use page, which is accessible from the Registration Completion page.
  • Security question answers are allowed to contain double quote and less-than symbols.
  • On the Account Profile page, a user with a federated identity may change his or her name.
  • Removed 1.10.0-HOTFIX, March 27, 2018.
  • Security – Added support for HTTP Strict Transport Security (HSTS).
  • All Enrollment Web Services are deprecated. The system will now enroll users automatically when the user logs in to Service Provider (SP).
  • Security – Removed clickjacking protection previously configured using the X-Frame-Options header.
  • After a user validates his or her email address, the deactivate your account link will not deactivate the user's account.
  • On the Create Account, Email Confirmation Required, Forgot Password, Terms of Use, and Account Profile pages, an Application Brand Banner can be specified using the "spName" query string parameter.
  • Users who login with the NYC Employees button will be required to accept the NYC.ID Terms of Use on the Registration Completion page.
  • The following changes have been made to the SAML Assertion:
    • GUID – Always 8 or 32 characters
    • middleName – This attribute will always be provided
    • sn – A value of N_A no longer indicates that the surname is empty
    • nycExtEmailValidationFlag – Returned values will be True instead of TRUE and False instead of FALSE
    • nycExtTOUVersion (deprecated) – Always 0.0 or 1.0, but should be ignored
    • userType (deprecated) – Always EDIRSSO, but should be ignored
  • The user's GUID alone is sufficient to determine uniqueness. Previously, the user's GUID and userType determined uniqueness.
  • Valid domains can be added or removed without restarting the Web application.
  • Users are required to select and answer one security question, instead of three.
  • A user with an email address can no longer reset his or her password using security questions.
  • After logging in, migrated users without an email address will be prompted to select and answer one security question.
  • The Authenticate Web Service returns a reason of pending if the userName does not have a security question and answer.
  • Windows 8.1 is no longer supported.
  • The Authenticate Web Service can be used to authenticate NYC employees.
  • Accessibility – Hyperlinks are underlined on hover.
  • When logging in via Facebook, the user's email address may not be provided in the SAML Assertion.
  • When invoking the OAuth2 authorize end-point, the redirect_uri query string parameter is validated against registered redirect URIs of the NYC.ID Service Account.
  • Added the NYC.ID Console.
  • The Search Web Service may be used to determine if a user is a NYC Employee.
  • Added support for the SAML 2.0 Single Logout Service HTTP-Redirect binding.
  • The "fromKiosk" parameter is deprecated. The "spName" parameter should be used instead.
  • Defect – The Search Web Service no longer returns and error message when searching for a user via email address.
  • Defect – Left aligned the list of items within the help dialog on the Account Profile: Password page.
  • The "returnOnSave" parameter functions on the Account Profile: Password page.
  • A user will receive a notification when changing his or her password on the Account Profile: Password page.
  • A user must enter his or her current password on the Account Profile: Email Address page and Account Profile: Email Address with Username page.
  • SAML Single Logout is optional, however IdP Logout is required if SAML Single Logout is not supported by the SP.
  • Security – Added rel="noopener noreferrer" to all hyperlinks with attribute target equal to "blank".
  • Security – Added X-Content-Type-Options header to all responses.
  • Security – Added X-XSS-Protection header to all responses.
  • Security – Preventing session fixation by updating the session identifier after login.
  • Removed the ability for applications to invoke a SAML Logout via /account/saml/logout and the "RelayState" parameter.
  • Security – Added the ability for users to delete enrollments on the Account Profile page.
  • On the Account Profile page, a user's first name and last name cannot be saved when empty.
  • The "showNameFields" parameter is deprecated. The "spName" parameter should be used instead.
  • Security – Added an authentication delay when Web Service authentication fails.
  • Web Service authentication will fail if /cpui is used (instead of /account) or /api is not included in the request.
  • On the Create Account page, the First Name and Last Name fields are required when shown.
  • samaratin.com was added to the list of valid domains.
  • Security – Added Content-Security-Policy header to all responses.
  • Security – Added the X-Frame-Options header, which was previously removed.
  • Accessibility – Associated Terms of Use label with checkbox.
  • Accessibility – Fixed broken ARIA references for help dialogs.
  • Accessibility – On the Create Account page, added text that all fields are required.
  • QC1602 – A user that has changed his username to an email address may now deactivate his account.
  • Security – Updated CityShare LDAP DNS name.
  • The Text Size link now opens a new Web browser tab.
  • Security – When a SP is configured for Kiosk Mode, a SP's Session Lifetime is equal to 5 minutes instead of 4 hours.
  • Defect – A user is now enrolled during Single Sign-On. Previously, a user was only enrolled when directly logging into an application.
  • Defect – The Email Address Required page, the Continue to Profile button's "target" parameter is now Base64-encoded.
  • Defect – Added the Show Name Fields checkbox when configuring a SAML Service Provider. When checked, it shows the First Name, Last Name and Middle Initial fields when clicking on the Create Account link on the Login page.
  • Performance – Improved Web page response times by removing several unused JavaScript and CSS files.
  • Performance – Improved Logout response time by removing superfluous steps.
  • Defect – Fixed the broken Report and Issue link on the Account Profile page.
  • Defect – On the Create SAML Service Provider page, removed the Name and Issuer field validations.
  • Defect – The Application Brand Banner no longer ignores its text color.
  • Defect – The correct Application Brand Banner displays on Login page when using a discriminator.
  • Within the NYC.ID Console, Service Accounts, SAML Service Providers and Application Brand Banners are now orderd by name.
  • Defect – Fixed a NPE when CAPTCHA is disabled via the DoITT CAPTCHA Service.
  • Defect – Fixed discriminator logic when more than one Application Brand Banner is configured for a SP.
  • Performance – Improved logout performance by removing NYC Employees Logout.
  • Defect – Fixed missing NYC.gov logo in header.
  • Defect – Fixed incorrect URL encoding of Profile hyperlink in the header.
  • Defect – Fixed a NPE when updating additional information within OAuth tokens.
  • Security – Added X-Frame-Options header configuration when invoking idpLogout.htm. All other URLs cannot be embedded in an iFrame.
  • Defect – Fixed SAML Single Logout caused by incompatbilities between the Spring Security SAML2 Framework and Gigya's SAML Login and Logout responses.
  • Defect – The Email Validation Web Service no longer returns a HttpStatus of 500 when attempting to validate a GUID that does not have an email address.
  • Regression – The Email Address Required page now appears when logging into Facebook without providing an email address.
  • Defect – On the Account Profile page, the user's last login date is no longer missing after submitting a form that fails validation.
  • The maximum number of NYC.ID Console Service Accounts and Service Providers has increased from 20 to 30.
  • Defect – Fixed incorrect Application Brand Banner locale due to incorrect storage of locale cookie.
  • Defect – On the Email Address Required page, the Continue to Profile button now includes the "spName" query string parameter.
  • Defect – On the Email Address Required page, the Continue to Profile button link the user to the The Account Profile: Email Address page.
  • Defect – The Authenticate Web Service now succeeds when invoked via HTTP POST.
  • Defect – Fixed alignment of Create Account, Forgot Password, and Report and Issue hyperlinks.
  • Defect – When using the Search Web Service to find a user that is pending registration, that user's ToU is set to false. Previously, this user failed validation and an exception occurred.
  • Certificate validation succeeds when -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are included in the Base64-encoded certificate.
  • Defect – The Search Web Service always performs lower case searches of email addresses since Gigya does not support case insensitive searches.
  • Defect – The Search Web Service returns the correct error message when an email address is not found.
  • Defect – Fixed a URL encoding error that caused enrollments to fail after login.
  • Version 2 of the Authenticate Web Service no longer returns the status of pending. This change is immediately deprecated and will be reverted in Release 2.1.0.
  • A user is prevented from using the Web browser Back button to replay a successful login.
  • Defect – The Get Users Web Service no longer returns an exception when searching for a user that does not have a valid profile.
  • Defect – On the Email Confirmation Required page, the "emailAddress" parameter will correctly detect usernames appended with a non-lowercase @noemail.nyc.gov.
  • Security – On the Log Out Success page, added the text, "We recommend closing your Web browser."
  • Defect – Dynamically adding all valid domains to the Content-Security-Policy header to allow SAML Single Logout to be performed via iframe.
  • Defect – Valid domains are refreshed from the database every 5 minutes and no longer requires a restart of the application.
  • The Name and Display Name of a NYC.ID Service Account cannot be less than 5 characters.
  • Security – When invoking any Web Service, the length of the NYC.ID Service Account userName must be between 5 and 50 characters.
  • When invoking any Web Service, if the userName is not provided, the error message returned is "invalid" instead of "required".
  • Security – Within the Get OAuth User Web Service and Delete OAuth User Web Service, the access token can be provided within the Authorization header (i.e., Authorization: Bearer <accessToken>). Providing the access token in the query string is deprecated.
  • Defect – On the Account Profile page, the Email Address tab is active, instead of the Name tab, after a user changes his or her email address.
  • Social identity providers can be hidden on the Login page. This is configurable within the NYC.ID Console.
  • Usernames must have a minimum length of 3 characters.
  • Removed the ability to set the locale via HTTP cookie as it's no longer needed to set the language on the Login page.
  • communityneeds.nyc was added as a valid domain.
  • Defect – A migrated user that has not accepted the ToU is now able to reset his or her password.
  • The NON-PRD environment will throttle API requests that invoke Gigya APIs to prevent unit, integration, security, and performance testing from negatively impacting the NYC.ID production environment.
  • Security – Removed X-Frame-Option header because SAML IdP-initiated logout uses iFrames.
  • Defect – Fixed a NPE in DefaultAuthenticationKeyGenerator within Spring's OAuth 2.0 API.
  • Defect – Preserving the "target" parameter on the Reset Password: Security Question page.
  • Defect – Preventing duplicate NYC.ID Service Account names and display names, differentiated only by white space characters, from being saved via the NYC.ID Console.
  • appgeo.com and ukrosoft.com.ua were added to the list of valid domains.
  • Defect – On the Login page, the Create Account and Forgot Password links contained an invalid base64-encoded "target" parameter.
  • Defect – The Authenticate v2 Web Service now correctly returns a reason of notFound when a NYC Employee account has not yet logged into the IdP.

 

1.10.1-HOTFIX, November 13, 2018

  • redcapcloud.com was added as a valid domain.
  •  

1.10.1-HOTFIX, September 26, 2018

  • Defect – Fixed Email Address or Username label on the Login page.

 

1.10.1, June 12, 2018

  • QC1601 – The user no longer sees the Error page when loading the Create Account page in the Arabic locale.
  • Defect – Preventing double form submissions on Internet Explorer.

 

1.10.0-HOTFIX, May 22, 2018

  • Added redirect from www.nyc.gov/account to www1.nyc.gov/account.

 

1.10.0-HOTFIX, April 19, 2018

  • Defect – When attempting to login to the Welcome page without a password, a blank page is no longer displayed.

 

1.10.0-HOTFIX, April 4, 2018

  • NYC employee email addresses can no longer login.

 

1.10.0-HOTFIX, April 3, 2018

  • microsoftonline.com was added to list of valid domains.

 

1.10.0-HOTFIX, March 29, 2018

 

1.10.0-HOTFIX, March 27, 2018

  • Reverted modifications to the Get Enrollment Web Service for several NYC.ID Service Accounts.

 

1.10.0, March 1, 2018

 

1.9.10-HOTFIX, January 23, 2018

 

1.9.10-HOTFIX, January 12, 2018

 

1.9.10-HOTFIX, January 11, 2018

 

1.9.10, December 19, 2017

  • Hosting the NetIQ production IdP metadata on NYC.gov without the signature element.

 

1.9.9, December 8, 2017

 

1.9.8, December 1, 2017

  • On the Create Account page, the Create Account button can only be clicked once.
  • Security – Removed security question answers from application logs.

 

1.9.7-HOTFIX, November 29, 2017

  • Defect – A user, logged in with a federated identity with a GUID greater than 30 characters, no longer receives an error after clicking the Submit button on the Terms of Use page.
  • Security – Disabled WebLogic access logs to prevent logging of the user's password in the query string of the Authenticate Web Service.
  • Security – Disable OHS access logs from logging the query string of the Authenticate Web Service.

 

1.9.7, November 21, 2017

  • Added the ability for an application using the OAuth to invoke a SAML logout (i.e., /account/saml/logout) and redirect the user to an arbitrary URL via the "RelayState" query string parameter.
  • fdnycloud.org was added to the list of valid domains.

 

1.9.6, November 15, 2017

  • Defect – The Create Account button on the Create Account page no longer double submits the form on Internet Explorer.

 

1.9.5, November 8, 2017

  • Defect – Fixed java.lang.NoClassDefFoundError: com/fasterxml/jackson/databind/Module.
  • Defect – Correctly handling timeout-or-duplicate error code return from the Google reCAPTCHA API.
  • Defect – Temporarily removed the activity indicator on the Create Account page, which is causing a double form submission.

 

1.9.4, October 24, 2017

  • Defect – The CAPTCHA challenge will no longer be displayed to the user after it has been solved.
  • Supports NYC.gov over https.

 

1.9.3, September 28, 2017

  • Defect – A user without security questions no longer receives an error when clicking on the Save Password button on the Reset Password: Security Questions page.
  • Added the ability to hide an application from displaying on the Log Out Success page.
  • getinfo.nyc was added to the list of valid domains.

 

1.9.2, September 7, 2017

  • Replay attacks can be prevented by including the "dateTime" parameter with any Web service request.
  • A NYC.ID Service Account can be required to prevent against replay attacks. Once enabled, all Web Service requests must include the "dateTime" parameter. This feature will be enabled for all NYC.ID Service Accounts created for NYC.ID version 2.0.0.
  • Fixed java.lang.LinkageError when enabling DEBUG log level for OpenSAML.
  • CSS versions of Application Brand Banners are no longer supported.
  • HTML versions of Application Brand Banners support internationalization. NYC.ID Cloud Access does not support Application Brand Banners with internationalization.
  • QC1596 – The "showNameFields" parameter is preserved when a page is reloaded due to Cross-Site Request Forgery (CSRF) prevention.
  • The HRA Provider Portal Brand Banner will display when the target context path is siteminderagent and the target URI contains providerredirect.
  • Security – The Search Web Service returns only those users that are enrolled with the NYC.ID Service Account which made the request.
  • On the Account Profile page, "Your email address was changed. You cannot log in with the new email address until it is confirmed. To confirm your new email address, click on the link in the email that was sent to the new email address. If you have not received the email, check your spam/junk folder." was changed to "Your new email address is pending confirmation. To confirm your new email address, click on the link in the email that was sent to your new email address. If you are prompted to login, enter your current email address or username and password. If you have not received the email, check your spam/junk folder." (requires translation)
  • Security – Added clickjacking protection using the X-Frame-Options header.
  • Defect – On the Login page, fixed encoding of "Report an Issue" translations.
  • dynamics.com and dynamics365portals.us were added to the list of valid domains.

 

1.9.1, August 21, 2017

  • Defect – Fixed a typo in the cpui.oauth.invalidOauthAccessTokenScope error code.
  • The "target" and "fromKiosk" parameters are preserved when a page is reloaded due to Cross-Site Request Forgery (CSRF) prevention.
  • NYC.ID Service Accounts names can only contain the characters a through z, A through Z, 0 through 9, @, -, (, ), and space.
  • Security – Fixed reflected XSS vulnerability through the "target" parameter.
  • Defect – Attempting to validate an unknown email address results in an error message instead of an error page.
  • Security – On the Create Account page, fixed multiple XSS vulnerabilities.
  • Defect – A user will no longer be prompted to validate an already validated email address when visiting his or her Account Profile.

 

1.9.0, CANCELLED

  • Adding additional logging to help troubleshoot timeout exceptions.
  • When a "target" parameter domain name is cityofnewyork.us, the subdomain is used to determine the location of the Application Brand Banner.
  • Defect – When a "target" parameter is an invalid URI, an error message is display instead of a partially blank page.
  • Extended the session timeout from 15 minutes to 30 minutes.

 

1.8.1-HOTFIX, July 25, 2017

  • cityofnewyork.us was added to the list of valid domains.

 

1.8.0, July 11, 2017

  • Created version three of the Authenticate Web Service, which requires a user to have a validated email address for authentication to succeed.
  • A user may deactivate his or her account by clicking on a deactivate link included in body of the create account email.
  • A logout from Account Profile, including SAML Single Logout, will revoke the user's OAuth 2.0 Access Token.
  • dcas.nycnet was added to the list of valid domains.
  • dhs.nycnet was added to the list of valid domains.
  • On the Create Account page, added a Back link.
  • On the Create Account page, removed the Username Warning Dialog.
  • On the Create Account page, added an activity indicator, which appears during account creation.
  • Security – All password fields have the autocomplete attribute set to off.
  • Security – On the NYC.ID Feedback page, fixed multiple XSS vulnerabilities.
  • Defect – On the NYC.ID Feedback page, when an error occurs, the value of Which application are you using? field is preserved.
  • Defect – On the Account Profile page, fixed a defect where the Security Questions and Deactivate tabs were both active.
  • On the Account Profile page, added a Back link when a user is logged in with a social identity provider.
  • Security – Fixed a path traversal vulnerability with the lang parameter.

 

1.7.1, May 25, 2017

  • Fixed a memory leak when a user does not complete the Forgot Password flow.

 

1.7.0-HOTFIX, April 14, 2017

  • QC1595 – Translated "Report an Issue" on the Login page.
  • Removed the NetIQ logo from the NYC Employees Login page that appears momentarily during login.

 

1.7.0, February 28, 2017

  • Defect – Fixed a NPE when invoking the Create Enrollment Web Service with an unknown GUID.
  • Enabled OAuth 2.0 support for easier native mobile application integration.
  • NYC.ID-integrated applications will appear on the Log Out Success page.
  • Defect – If a user attempted to create an account on a kiosk, and the email address is in use, but un-validated, the user will remain on the Create Account page. Previously, the user was taken to the Email Confirmation Required page.
  • When a "target" parameter is an invalid URI, the Error page will be displayed, instead of a blank page.
  • A JSON-formatted user will contain the user's userType.
  • When SAML authentication fails, the Error page will be displayed, instead of an error message. The error message will be logged.
  • ivalua.us was added to the list of valid domains.
  • sbs.nycnet was added to the list of valid domains.
  • Application Brand Banners can be ADA Section 508-compliant. Internationalization is not supported.
  • QC1588 – On the Account Profile page, New Email Address and Confirm New Email Address fields are trimmed before validation.
  • QC1461 – On the Create Account page, Email Address or Username and Confirm Email Address or Username fields are trimmed before validation.
  • gcomsoft.com was added to the list of valid domains.
  • Added French (fr) translations.
  • records.nycnet was added to the list of valid domains.
  • dohmh.nycnet was added to the list of valid domains.
  • QC1590 – Decreased modal dialog width to 320px.
  • Translated text used for the password strength meter.
  • QC1589 – Aligned Show and Hide radio buttons on mobile devices.
  • Increased the size of the Terms of Use checkbox.

 

1.6.1-HOTIFX, December 23, 2016

  • cs.nycnet was added to the list of valid domains.

 

1.6.1, December 6, 2016

  • Defect – "target" parameters containing a plus symbol no longer produce errors.

 

1.6.0, November 22, 2016

  • WR853 – A user with an email address may deactivate his or her account via Account Profile.
  • When the user has reached the CAPTCHA throttler threshold of three failed attempts, reCAPTCHA will continue to display until the CAPTCHA is solved.
  • QC1560 – When a user attempts to validate his or her new email address, but is logged in as a user that did not initiate the change email address, the user will be shown an error message instead of the Error page.
  • QC1561 – Added favicon.
  • Defect – Enrollments will appear for federated identity providers.
  • Defect – Fixed Tab key order of the NYC.gov link in Application Header.
  • Defect – On the Create Account page, the HTML alt text for the help link will be translated.
  • Content - Added "Password" to the password strength indicator.
  • Accessibility – Added ARIA Live Region to the div holding the password strength indicator to notify screen readers of the appearance and updating of the password strength indicator.
  • QC1565 – On the Create Account page, semantically tied each text box to corresponding label for first name, last name, and middle initial fields.
  • QC1567 – Replaced HTML span with label element for terms of use checkbox.
  • QC1564 – Improved color contrast of password strength indicators.
  • Defect – The Authenticate Web Service will automatically append "@noemail.nyc.gov" to usernames.
  • Created a new version of the Authenticate Web Service, which always returns the authenticate attribute, and if authentication was successful, the user that authenticated.
  • The Search Web Service returns the user's terms of use and email validation statuses.
  • The "target" parameter will support URIs (e.g., todolist://ww1.nyc.gov?aParam=true#anchor).
  • QC1571 – "CLOSE ALL BROWSER WINDOWS" change to "Log out and log in to use your new email address" (English locale only)
  • Email notification subjects begin with "NYC.gov - NYC.ID" (English locale only)
  • Defect – Hide/Show security question answers configured to use appropriate HTML elements for accessibility.
  • Defect – Improved accessibility of help icons.
  • Accessibility – Added alt text attribute to the NYC.gov logo.
  • The Get Enrollment Web Service and Get Enrollments Web Service will return an empty JSON array instead of an exception when the specified guid is not found.

 

1.5.3-HOTFIX, July 15, 2016

  • Defect – When signed in via the NYC Employees button, a SAML Single Logout will log the user out of NYC.ID.
  • QC1575, QC1576 – After a user logs in to a NYC.ID-integrated application via a social identity provider (e.g., Facebook), when prompted, a user will be able to log into a NYC.ID-integrated application that does not support federated identity providers.

 

1.5.3-HOTFIX, June 21, 2016

  • hpdnyc.org was added to the list of valid domains.

 

1.5.3, May 16, 2016

  • QC1570 – A user will be able to change his or her email address. Currently, a user sees the Error page during change email address confirmation.

 

1.5.2-HOTFIX, May 3, 2016

  • QC1558 – All federated identity buttons will appear on the Login page when a user's browser (or operating system, if configured via the registry) is configured to display NYC.gov in compatibility mode.

 

1.5.2, April 12, 2016

  • Content – NYC Identity Management was changed to NYC.ID.
  • Removed the "newEmailAddress" parameter from the change email address validation link.
  • On the NYC.ID Feedback page, removed the Other option from the Which application are you using? field.
  • Defect – The high resolution NYC Employees button will display on mobile devices.
  • Defect – Federated identity provider logos will scale appropriately on mobile devices.
  • Defect – Users that login via social identity providers will be able to accept the TOU.
  • Content – The Citywide Performance Reporting (CPR) NYC.ID dashboard displays the application name instead of the service account name.
  • finance.nycnet was added to the list of valid domains.

 

1.5.1, February 2, 2016

  • On the NYC.ID Feedback page, the Which application are you using? field is required.
  • Upgraded to Apache Log4j 2, which adds the ability to dynamically change the logging configuration without restarting NYC.ID.
  • Content – On the Login page, updated the copyright date to 2016.
  • Defect – On the Create Account page, some invalid email addresses (e.g., test@gmail) displayed the Error page instead of an error message.
  • Defect – An invalid "target" parameter will display the Error page instead of a blank page.
  • On the Account Profile page, when changing an email address, some invalid email addresses (e.g., "test 2"@gmail.com) displayed the Error page instead of an error message.
  • Email addresses containing spaces are considered invalid, even when they are conform to RFC822.
  • The "lang" parameter is no longer appended to email validation links in the English locale. In some email clients, the text, &lang, is treated as an HTML entity. This caused email validation to fail because the email address was invalid. The email address appeared as though it contains the character (e.g., monarch888@startmail.com〈=en).
  • nycgovparks.org was added to the list of valid domains.
  • Defect – A user was able to change his or her email address to an arbitrary email address, provided that email address did not exist in NYC.ID.

 

1.5.0, December 14, 2015

  • On the Create Account page, a user is required to input his or her email address or username twice.
  • Defect – The signature parameter for Web Service authentication is now case insensitive.
  • The "signature" parameter for all Web Services must have a length of 40 characters.
  • The NYC.ID Web Services return "invalid" if the signature parameter does not have a length of 40 characters.
  • The Web Services return "invalid" instead of "required" when the "signature" parameter is not provided or is empty.
  • On the NYC.ID Feedback page, the user's selection of the Topic field has been added to subject line of the feedback email.
  • Security – Updated Apache Commons Collections library to mitigate de-serialization vulnerability.

 

1.4.0, November 12, 2015

  • Content – On the Login page, the text "SOCIAL MEDIA LOGIN" was changed to "OTHER LOGINS".
  • Content – On the Login page, the text "Or login using one of these social media sites:" was changed to "Or login using one of these options:"
  • Defect – On the Login page, the high-resolution version of the Microsoft image appears in place of the Yahoo! image.
  • Content – On the Create Account page and Terms of Use page the text "I understand and agree..." has been changed to "Check the box to indicate that you understand and agree...".
  • On the Reset Password page, the tabs have been replaced with radio buttons.
  • Defect – The error code, unknown-error, returned from the DoITT CAPTCHA Service no longer produces an exception.
  • The Account Profile page and Welcome page display a list of applications the logged-in user has enrolled with.
  • Defect – On the Forgot Password Success page, the Continue button has an incorrect URL when a user does not have security questions.
  • Defect – On the Login page, incorrect text appears en_US locale after deploying LoginPages.zip to the IdP.
  • Report an Issue links to a new NYC.ID Feedback page.
  • The Authenticate Web Service returns the error code cpui.duplicateUser when more than one user is found containing the email address specified.
  • Defect – The Error page will display a Session Timeout Warning Dialog.
  • Added support for the new the NYC Employee button on the Login page.
  • Added the Get Enrollment Web Service.
  • Defect – On the NYC.ID Feedback page, values in the Which application are you using? field are sorted alphabetically.
  • Defect – On the Welcome page, the Session Timeout Warning Dialog now displays.
  • Added hpd.nycnet as a valid domain.

 

1.3.4, September 2015

  • Defect – Email addresses with new top-level domains (e.g., .uno and .nyc) are now considered valid.

 

1.3.3, August 20, 2015

  • The NYC.ID context path was renamed from cpui to account. Rewrite rules have been added for backwards compatibility.
  • Content – On the NYC.ID Application Header, "Log In" was renamed to "Profile".
  • Defect (PKE000000003600) – Passwords containing a user's username are considered invalid.
  • Defect – On the Forgot Password page, the Create Account link was moved outside of the gray box.
  • Defect – Attempting to perform email validation with a username causes a partially blank page to be displayed.
  • On the Account Created page, the text now reads, "Welcome! Your account was created. Click "Continue" to log in."
  • Content – The word "Choose" was replaced with "Click" when referring to buttons to be consistent with internet nomenclature. This change was only made to the English locale.
  • The password strength meter background colors were removed and replaced with color text.
  • The password strength meter detects invalid passwords – passwords that match email address, username, first name, or last name.
  • The password strength meter handles passwords that are too short.
  • On the Create Account page, added a help bubble to the Email Address or Username field.
  • Content – On the Create Account page, added the following text to the security question information: "This information can be used to reset your password if you forget it."
  • Defect (INC000000132885) – Removed the JSP.56 property from LoginPages.zip resource bundle.
  • Defect – Fixed formatting of emails that contain validation links.
  • Defect – The "fromKiosk" parameter used by Access NYC is now sent from the Login page to the Forgot Password page.
  • Defect – The Profile link in the Application Header now contains the "target" parameter.
  • Defect - The "target" parameter is lost when the Forgot Password page is submitted with an error.
  • Defect – Some Look and Feel elements are lost during Forgot Password and Change Username/Email Address.
  • Added NYC Employee authentication option to Login page.
  • The Authenticate Web Service responds with  {"authenticated":"locked"} if the user's account is locked.
  • Defect – Decreased width and increased height of Username Warning Dialog so that the entire dialog is visible on mobile browsers.
  • On the Email Confirmation Required page, added a Create Account link.
  • Content – When a user does not respond to the Google reCAPTCHA v2 challenge, the error message displayed to the user was changed from "Enter matching security text." to "Check the box."

 

1.3.2-HOTFIX, July 22, 2015

  • Increased the default maximum wait time for LDAP synchronization, max_wait_ldap_sync, from 15 to 30 seconds.
  • Content – On the Login page, the login failed message reads: "The combination of email address or username and password was not found. Try again, reset your password, or create a new account."

1.3.2, April 29, 2015

  • Defect – On the Error page, the text "report this incident" is not linked in the Korean locale.
  • Defect – On the Login page, the Terms of Use and Privacy Policy links open in browser tabs for non-English locales.
  • Defect – Fixed an exception that occurs if a user attempts to create an account with security question answers that are duplicated in case only.
  • Defect – Users with a username can now accept an updated version of the Terms of Use.
  • The session timeout was changed from 15 to 30 minutes.
  • On the Create Account page, the Create Account button is disabled when clicked to prevent duplicate submissions.
  • Defect – On the Create Account page, removed HTML escape characters from Spanish version of password error message.
  • Defect – Increased height and width of Username Warning Dialog to prevent the vertical scroll bar from appearing in the Russian locale.
  • The Log In link in the Application Header now contains "target" parameter.
  • Defect – Some users are unable to login immediately after creating an account with a username. NYC.ID now waits for synchronization of a newly created account to the LDAP authentication tree before prompting the user that his or her user account was created.
  • Enhancement – The middle initial field on Account Profile page now only allows one character.

 

1.3.1

 

1.3.0, March 31, 2015

  • A user may create an account with a username.
  • A username can be changed to an email address, but not to another username.
  • Performance – Disabled polling of the file system every 5 seconds for updated SAML metadata.
  • Content:
    • EXTWS1106 changed from "This email is already in use." to "Enter a different email for your account or log in."
    • Defect – On the Account Profile page, changed "addresses" to "address".
    • Defect – On the Create Account page, changed "Agree to the Terms Of Use." to "Agree to the Terms of Use."
    • Defect – Shortened text on Username Warning Dialog so that it is readable on mobile browsers.
    • On the Create Account page and Account Profile page, removed "(optional)" text. The name fields remain optional.
    • All occurrences of the word "Register" and "Registration" have been replaced with "Create Account" or similar language.
    • "Back to Application" changed to "Back".
    • Password error messages were modified to specify that a letter in the English alphabet is required.
  • Defect – Fixed report this incident link (found in email content) when an invalid "target" parameter is specified.
  • Added Webtrends on Demand reporting capability.
  • Security – Encrypting passwords stored in database.
  • Defect – On the Login page, when a user clicks cancel authorization via a federated social media provider, removed the message: "An authentication error occurred during OAuth2 client protocol execution."
  • Defect – On the Login page, when a user clicks cancel authorization via a federated social media provider, removed the message: "An authentication error occurred during OAuth1 client protocol execution."
  • Defect – Fixed broken image path in header.jsp.
  • Replaced Google reCAPTCHA v1 with reCAPTCHA v2 via the DoITT CAPTCHA Service.
  • QC1461 – Removed leading and trailing spaces from usernames on various forms.
  • The Text Size link now opens a modal dialog.
  • Added language translations: Arabic (ar), Chinese (zh), English (en), Haitian Creole (ht), Korean (ko), Russian (ru), and Spanish (es)
  • Defect – Increased width and height of Username Warning Dialog  to remove vertical scroll bar.
  • Defect – On the Create Account page, fixed an exception occurring when with passwords containing Unicode characters (e.g., тест12345678).
  • Defect – On the Account Profile page, when changing a password, fixed an exception with passwords containing Unicode characters (e.g., тест12345678).
  • Defect – On the Account Profile page, fixed an IllegalArgumentException when an invalid "tab" parameter is specified.
  • Defect – Locale from the account management pages (e.g., Registration) is sent to the Login page.
  • Content – On the Login page, updated copyright date to 2015.
  • On the Account Created page, added a Continue button.
  • Added a new optional parameter, "fromKiosk". Learn about Registration.
  • Google Translate can be disabled as needed by Portal Support through the external configuration parameter, google_translate_disabled.
  • Added Report an Issue link to all pages.
  • The percent symbol is an invalid symbol in email addresses. The DoITT SMTP server rejects email addresses with the percent symbol.
  • On the Login page, the Create Account and Forgot Password links have been moved outside the gray box.
  • Defect – When a user clicks on an email token validation link, and that user's email address is already validated, the user is prompted with the Email Address Confirmed page instead of the Email Confirmation Required page.

 

1.2.0, August 12, 2014

  • Added internationalization configuration. Learn about Internationalization and Localization.
  • Applications can now add branding to NYC.ID. Learn about Look and Feel.
  • Character encoding set to UTF-8.
  • Content – On the Login page, and Welcome page, the Application Name in the Application Header now reads "NYC Identity Management".
  • Content – On the Welcome page, the title was changed from "Login" to "Welcome".
  • Removed the property nycAssetsUrl from operation.properties in LoginPages.zip.
  • Added the Authenticate Web Service.
  • On the Create Account page, the Privacy Policy and Terms of Use are now linked.
  • Defect – On the Create Account page, fixed the TKTK URL link in the Terms of Use.
  • Added the Cache Flush Web Service. Caches are flushed every 5 minutes.
  • Added additional logging when the user is directed to an error page.
  • Content – On the Login page, updated copyright date to 2014.
  • Defect – On the Login page, corrected the path of html5shiv.js, selectivizr.js and respond.min.js, which may have caused formatting issues with IE7 and IE8.
  • Disabled caching of pages by CDNs (e.g., Limelight) through the use of HTTP headers.
  • On the Login page, removed the email address and password JavaScript alerts.
  • Moved some log messages that were previously set to the DEBUG level to the INFO level.
  • Modified log4j.properties to log all DEBUG messages for Java classes within the cpui package. Previously, this was set to ERROR.
  • On the Create Account page, added five new parameters: "emailAddress", "firstName", "lastName", "middleInitial", and "disableEmail". Learn about Registration.
  • A user with a username can now authenticate.
  • On the Forgot Password page, fixed a MalformedUrlException when the "target" parameter is used in conjunction with an email address that has not been validated.
  • Defect – On the Email Address Confirmed page, added a missing error message when a duplicate email is found. This appears to only be reproducible using test@test.com in the development environment. A new error message was added, EXTWS1106, with the content: "This email is already in use."
  • CAPTCHA now appears after a user submits three forms within a one minute timeframe. This feature can be disabled via a configurable property, CPUI.CAPTCHA.THROTTLER_ENABLED.
  • On the Forgot Password page, a user's email address is trimmed of leading and trailing spaces.
  • On the Email Confirmation Required page will display a Session Timeout Warning Dialog.

 

1.1.0, May 1, 2014

  • Added user Search Web Services.
  • The Create Enrollment Web Service "enrollmentDate" parameter defaults to the current date and time when not specified.
  • Security – A user's security question answers are no longer serializable in the ForgotPasswordForm Java class.
  • All Web Services that accept a "guid" parameter return "invalid" instead of "required".
  • Removed duplicate logging of checked exceptions.
  • The official NYC logo in the Application Header is now linked to NYC.gov.
  • Defect – Fixed multiple concurrency defects.
  • Defect – Fixed improperly formatted HTML p tag in changeEmailNewAddress.body.
  • When a user updates his or her name, with a non-default "target" parameter, NYC.ID waits for the update to complete before returning a response to the user.
  • On the Account Profile page, added the "tab" parameter. Learn about Account Profile.
  • A NYC.ID Service Account requires a "branded" name or abbreviation of the application.
  • The Error page returns an HTTP Status code of Internal Server Error (500) instead of OK (200).
  • The Web Services return JSON instead of HTML when a status code of Internal Server Error (500) is returned.
  • Defect – Fixed JavaScript error due to incorrect order of JavaScript includes.
  • On the Create Account page, added a new error message, GM002, which reads: "Re-enter your password and correct the errors below."
  • On the Account Profile page, added new parameter called "returnOnSave", which allows an application to control the behavior of the Save Changes button on the Name tab. Learn about Account Profile.

 

1.0.0, October 18, 2013

  • QC3 – Improved the password strength meter.
  • QC81 – Email addresses can no longer be larger than 254 characters.
  • QC19, QC127 – Added the ability to close help overlays.
  • QC70 – Special characters in password fields now comply with the City's Password Policy.
  • QC83 – On the Reset Password page, the text "Click Continue" was changed to "Click Continue below to receive an email with instructions on how to reset your password."
  • QC115 – Fixed typo in change email confirmation message body.
  • QC124 – Updated text in change email confirmation message body.
  • QC122 – Changed text from "The email address is already registered." to "This email address is already registered."
  • QC125 – Changed text from "An email has been sent to email address provided. Follow the instructions in the email to reset the password." to "An email has been sent to the email address provided. Follow the instructions in the email to reset your password."
  • Security – The Java Key Store (JKS) password can be different from the certificate password.
  • Content – The Application Name in the Application Header now reads "NYC Identity Management".
  • Security – On the Create Account page, disabled autocomplete on the password and confirm password form fields.
  • Disabled Ehcache update check.
  • On the Login page and Welcome page, set the favicon to the favicon used on NYC.gov.
  • Added iOS icons for bookmarked websites.
  • QC620 – The Welcome page displays the user's email address instead of guid.
  • QC804 – Change error message from "Email matching email addresses" to "Enter matching email address".
  • Defect – Password validation rejects passwords that contain the user's first name, last name, or email address. Previously, it rejected the user's password if it was equal to the user's first name, last name, or email address.
  • Defect – On the Create Account page, leading and trailing spaces are trimmed from a user's first name and last name.
  • Defect – On the Account Profile page, leading and trailing spaces are trimmed from a user's first and last name.
  • Defect – Hibernates query cache by setting explicit regions in ehcache.xml.
  • All Web Services now contain /api in their request mapping. Rewrite rules were added for backward compatibility.
  • Defect – The email sent to the user after creating an account now contains the correct link to report an incident.
  • Defect – The Error page now contains the correct link to report an incident.
  • Performance – The Login page and Welcome page no longer open a connection to NYC.gov to get header and footer. The header and footer are now embedded in those pages.
  • Performance – The global header and footer are now cached.
  • Added transactionId to log to improve troubleshooting.
  • Improved logging of IOExceptions within the CaptchaValidator Java class.
  • Defect – On the Forgot Password page and Account Profile page, fixed XSS vulnerability with Back to Application link.