New features, improvements and bug fixes done for version 3.3.0.

Table of Contents

HOPA calls showing attachments 

Issue [HDC-2551] - HOPA call to optionally return object attachment 

HOPA calls that ends up with attachment (not composite drawing) will now work correctly and attachment will be shown in browser viewer (if it's of accepted format like) or it will be send to browser for download.
If the attachment file is of .docx format for instance then in browser tab, converted PDF form will be shown. If user want to download original file, then Download=1 param should be used.

AD FS / SAML Single Sign On

• [HDC-370] - As a user I can access HyperDoc (with oAuth token?) from another trusted application, so that I don't have to re-login (SSO)
• [HDC-2062] - HDC and Symetri SSO - Auth0

Description on new authentication methods are added here.

Security audit changes and improvements

Epic Issue  [HDC-1968] - consists of:

Issue [HDC-2932] - Eliminate possibility to enumerate users via login request by looking at the response size
Issue [HDC-2933] - Users listing for non administrative purposes should not include login name
Issue [HDC-2934] - Review cookie settings: token, rememberMe and hdcsession 
Issue [HDC-2935] - Prevent Script injections
Issue [HDC-2929] - Remove Server Version Visible in HTTP Response
Issue [HDC-2930] - Missing Security Headers
Issue [HDC-2931] - Vulnerable Version of Nginx in Operation

1. Removed detail Error message from response on login page, however the part of response is the input username (so that it persists in html form), the content length may vary a bit.
   
2. Added new Administrator only WebService /api/admin/user/json that returns username. Non admin users (without Admin role) will use /api/user/json that do not return username at all.
3. Secure cookies/tokens 

Anonymous access to HDC

Issue [HDC-2679] - Anonymous access to HDC

New type of anonymous access to HDC have been added. 

By default this mode is Disabled. To allow this mode, go to:
Administrative Panel → System → System Settings → Other → Anonymous Access

Data availability for Anonymous Users

For ease of management, anonymous sessions have the same privileges as a user selected in configuration.

Even though a basic privileges are the same as for this user, there are some important limitations that cannot be changed.

Anonymous user has only access to several services that allow for viewing of Documents:

• basic system configuration and parameters

• drawing structure

• macro resolver

• icons

• basic object properties (metadata)

Anonymous access is always read-only. No changes in data are allowed regardless of security settings for selected user.

Even taking that into account, it is advised to use minimum required privileges for a user that will be used fro anonymous access. 

Anonymous user should have appropriate Security Settings applied, that include specific object class access and only selected fields available (Field Level Security (FLS)) 

Creating anonymous sessions

When this configuration is enabled, accessing a dedicated URL will create an anonymous session and allow access to application and data.

Accessing this URL will at the same time create a new session and return client application code. 

Bugs fixed and other improvements for this version

• [HDC-2937] - User name inconsistent handling in the database
• [HDC-2947] - objectid field is not allowed
• [HDC-2970] - Proper raster's zip format handling when tiles are in .JGP format
• [HDC-2968] - FM Access to handle linked groups through LDAP

API Changes

• Issue [HDC-2933] - Users listing for non administrative purposes should not include login name

  New Webservice:

  METHOD /api/admin/user/json

  Returns same response as /api/user/json before 3.3.0 release which is now limited due to security and will be used by non-admin users.

  Old Webservice: 

  GET /api/admin/user/json/{username}

  Will now not work with username but only with userId only:

  GET /api/admin/user/{User_ID}