Kinetic Request CE - Version 2.2.0

Release Overview

The Kinetic Request CE v2.2.0 release is primarily focused on improved security within the application. There were a number of improvements made to help secure the system against Cross-Site Request Forgery (CSRF), Unrestricted Cross-Origin Requests and Clickjacking attacks.

This release also contains improvements that now support the use of subdomains for tenants of the Kinetic Request CE application. For example, you can now configure your load balancer / proxy to handle https://my-space.acme.com instead of https://acme.com/my-space, which was the only path previously supported. This configuration also prevents inter-space request forgery (CSRF) attacks for Service Providers that have configured the Kinetic Request CE application to be multi-tenanted.

Detailed information about the release can be found in the Release Notes section below.

New Installation Instructions

Install Links & Guides

The following installation files are needed for setting up your Kinetic Request CE System:
Kinetic Request CE Application (MD5 | SHA1 | SHA256)
Kinetic Request CE Cassandra Schema (MD5 | SHA1 | SHA256)

Detailed installation instructions for setting up Kinetic Request CE can be found here: Kinetic Request CE Install Guide

Related Product Installation Guides

Typically, customers will extend Kinetic Request CE's functionality by installing the following components as well:

Kinetic Task: The workflow automation and integration hub for Kinetic Request. Kinetic Task helps businesses deliver approvals, fulfillment, notifications and other integrations to nearly any application. (Install Guide)

Kinetic Bridgehub: The front-end integration hub used to store and run various Bridge Adapters that will be used to access data from different systems and convert it into a single, standardized bridging interface. (Install Guide)

Kinetic Filehub: The file storage and retrieval hub containing various Filestore Adapters that can be used to access files from different systems using a single, standardized interface. (Install Guide)

Upgrade Instructions

Preparation

  1. You must have a download of the new Kinetic Request CE 2.1.1 web archive (.war)

Upgrade

  • If you are upgrading from a version before v1.0.4, please see the Upgrade Instructions from v1.0.3 to v1.0.4+ guide.
  • If you are upgrading from a version before v1.1.0, any custom bundles that leverage the built-in password reset will need to update their passwordReset.jsp to match changes in request-ce-bundle-base.
  • If you are upgrading from a version before v2.1.0, please see the 2.1.0 Upgrade Instructions before proceeding as that version included Database Schema Changes which need to be made.
  1. Back up the existing web application directory (%TOMCAT%/webapps/kinetic).
  2. Deploy the Kinetic Request CE web archive (.war) file.
  3. Copy the following directories:
    1. %BACKUP%/kinetic/app/bundles to %TOMCAT%/webapps/kinetic/app
    2. %BACKUP%/kinetic/app/root-bundle to %TOMCAT%/webapps/kinetic/app
    3. %BACKUP%/kinetic/app/shared-bundles to %TOMCAT%/webapps/kinetic/app
    4. %BACKUP%/kinetic/WEB-INF/config to %TOMCAT%/webapps/kinetic/WEB-INF
  4. Copy any non-standard .jar files to the tomcat shared lib (this is not typical, and only needs to be done if you've added custom .jar files to the application):
    1. %BACKUP%/kinetic/WEB-INF/lib/... to %TOMCAT%/lib
  5. If SAML is being used (and if upgrading from a version lower than 2.0.0):
    1. Find the name of the IDP file by looking for the security.saml.idp.filebased.url value in the %BACKUP%/kinetic/WEB-INF/classes/security.%SPACE_SLUG%.properties file(s).
    2. Copy the IDP files from %BACKUP%/kinetic/WEB-INF/classes/... to %TOMCAT%/webapps/kinetic/WEB-INF/config
  6. Restart Tomcat.

Post Upgrade Instructions

Setting Trusted Domains

The default behavior for previous versions of Request CE was to allow pages to be displayed in iFrames on any website, and to allow AJAX calls from JavaScript on any website. Starting in v2.2, the default is to prevent websites that don’t share the same domain from embedding iFrames or sending AJAX calls.

If your implementation relies on embedding iFrames of Request CE from a different domain (i.e., https://www.acme.com has an iFrame that displays https://acme.com/kinetic/acme/catalog/ipad-request), you will need to add a Trusted Frame Domain for each of the trusted domains (i.e., https://www.acme.com).

If your implementation relies on making AJAX calls to Request CE from a different domain (i.e., https://www.acme.com has a custom HTML form that POSTs data to the Request CE API at https://acme.com/kinetic/acme/app/api/v1/kapps/catalog/forms/ipad-request), you will need to add a Trusted Resource Domain for each of the trusted domains (i.e., https://www.acme.com).

An example configuration is shown below. In this case, the “Kinetic Data” space wants to allow https://kineticdata.com to make JavaScript AJAX calls to the Request CE instance, and to allow any subdomain of kineticdata.com or kinops.io to embed iFrames of the Request CE instance.

Kinetic Request CE Trusted Resource Domains
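To make the two policies concrete, the following is an added JavaScript illustration of how a trusted-domain decision of the kind configured above can be evaluated and turned into the browser-enforced response headers for clickjacking (Content-Security-Policy frame-ancestors) and cross-origin AJAX (Access-Control-Allow-Origin). It is not Kinetic Request CE code: the page does not state which headers the product emits, what wildcard syntax the consoles accept, or how matching is performed, so the `*.example.com` notation, the functions `isTrustedOrigin`, `corsHeaders` and `frameAncestorsHeader`, and the exact matching rules are assumptions made for this example. The configuration object reproduces the “Kinetic Data” space from the text.

```javascript
// Added illustration of the trusted-domain policies described above.
// Not Kinetic Request CE code: header names, wildcard syntax ("*.example.com"
// meaning any HTTPS subdomain of example.com) and matching rules are assumed.

const exampleConfig = {
  // the "Kinetic Data" space from the text: AJAX allowed from one exact origin
  trustedResourceDomains: ['https://kineticdata.com'],
  // iFrame embedding allowed from any subdomain of these two domains
  trustedFrameDomains: ['*.kineticdata.com', '*.kinops.io'],
};

// Accept only well-formed scheme://host[:port] origins; anything with a path,
// userinfo or odd characters is rejected rather than partially matched.
function parseOrigin(origin) {
  const m = /^(https?):\/\/([a-z0-9.-]+)(?::(\d+))?$/i.exec(origin || '');
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || '' };
}

// True when the request origin matches one configured entry exactly, or is a
// real subdomain of a wildcard entry (never the bare domain, never a host that
// merely ends in the same characters such as evilkinops.io).
function isTrustedOrigin(origin, trustedList) {
  const o = parseOrigin(origin);
  if (!o) return false;
  return trustedList.some((entry) => {
    if (entry.startsWith('*.')) {
      const suffix = entry.slice(1).toLowerCase(); // "*.kinops.io" -> ".kinops.io"
      return o.scheme === 'https' && o.host.endsWith(suffix) && o.host.length > suffix.length;
    }
    const t = parseOrigin(entry);
    return t !== null && t.scheme === o.scheme && t.host === o.host && t.port === o.port;
  });
}

// CORS: only echo an origin that is on the trusted resource list. Leaving the
// header out is what makes the browser refuse to hand the response to the
// calling script; never answer with "*" for an API that relies on cookies.
function corsHeaders(requestOrigin, config) {
  if (!isTrustedOrigin(requestOrigin, config.trustedResourceDomains)) return {};
  return { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' };
}

// Clickjacking: frame-ancestors is a static allow-list sent with every page,
// so every permitted embedder is listed up front; 'self' keeps same-origin framing.
function frameAncestorsHeader(config) {
  const sources = config.trustedFrameDomains.map((e) => (e.startsWith('*.') ? `https://${e}` : e));
  return `frame-ancestors 'self' ${sources.join(' ')}`;
}

module.exports = { exampleConfig, parseOrigin, isTrustedOrigin, corsHeaders, frameAncestorsHeader };
```

Running `corsHeaders('https://www.kineticdata.com', exampleConfig)` returns an empty object: the www subdomain is trusted for framing in this configuration but not for AJAX, which is exactly the distinction between the two consoles that the text draws.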

Adding CSRF token fields to Legacy JSP-based Bundles

If you are using a legacy bundle (i.e., one that defines pages in JSP instead of React) that has an HTML form that makes a non-AJAX PUT, POST, or DELETE, you will need to add a CSRF token field. Most of the bundles provided by Kinetic Data will already have the CSRF token included (such as login.jsp or resetPassword.jsp).

The CSRF token can be easily added as a field to the form with the following JSP snippet:

   <!-- CSRF field -->
   <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

If a form that requires CSRF protection does not have this field set, the request will result in a 403 Forbidden response with the following message:

 "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'."

Release Notes

Features

Summary: Implemented Frame Policy Management
Details: In order to address clickjacking attacks, a management interface that allows administrators to configure trusted frame domains was implemented within the Administration Consoles.
Issue Number(s): KCORE-14

Summary: Addressed CSRF Vulnerabilities
Details: In order to address Cross-Site Request Forgery (CSRF) attacks, the application implemented the synchronizer token pattern. Previously, CSRF attacks were expected to be mitigated by the web proxy / load balancer verifying standard headers.
Issue Number(s): KCORE-1932

Summary: Implemented CORS Management
Details: In order to address cross-origin attacks, a management interface that allows administrators to configure trusted resource domains was implemented within the Administration Consoles.
Issue Number(s): KCORE-1983

Summary: Implemented Subdomain Support
Details: In order to address request forgery attacks between spaces on a single instance of Kinetic Request CE, the application now supports the ability to use separate subdomains for each space. This is configured on your load balancer or web proxy by adding the “X-Kinetic-Subdomain” header.
Issue Number(s): KCORE-2221

Enhancements

Summary: Implemented the ability to specify that an HTTP request should return a 401 if the requester is not authenticated.
Details: Kinetic Request CE bundles often retrieve lists of Forms or Submissions on behalf of the user. If the user’s session times out, those calls would return only the records available to a “public” user (which are typically different from the records available to an authenticated user). By passing an “X-Kinetic-AuthAssumed” header with the AJAX request, the developer can instruct the application to return a 401 response (which can then be handled by displaying a login modal) rather than the incomplete results.
Issue Number(s): KCORE-1759
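The following added JavaScript example shows how a bundle's AJAX layer can use that header: every request is sent with “X-Kinetic-AuthAssumed” so a timed-out session surfaces as a 401 that opens the login modal instead of silently returning the public subset, and state-changing calls carry the CSRF token in the X-XSRF-TOKEN header named elsewhere on this page. It is not Kinetic Request CE bundle code; the page does not give the header's value, so `'true'` is assumed, and the API path, the `fetchAsAuthenticated`, `buildRequest` and `classifyStatus` helpers and the injectable `fetchImpl` are assumptions for the example.

```javascript
// Added illustration of the X-Kinetic-AuthAssumed enhancement. Not Kinetic
// Request CE bundle code; the header value 'true', the API path and the helper
// names are assumed. X-XSRF-TOKEN is the CSRF header named on this page.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Build the fetch() arguments: always assert that the caller expects to be
// authenticated, and attach the CSRF token to state-changing methods only.
function buildRequest(url, options = {}, csrfToken = null) {
  const method = (options.method || 'GET').toUpperCase();
  const headers = {
    ...(options.headers || {}),
    'X-Kinetic-AuthAssumed': 'true', // assumed value; the page names only the header
    Accept: 'application/json',
  };
  if (csrfToken && !SAFE_METHODS.has(method)) headers['X-XSRF-TOKEN'] = csrfToken;
  return { url, init: { ...options, method, headers, credentials: 'same-origin' } };
}

// Map a status to the outcome the bundle must handle: 401 is now the explicit
// "session gone" signal, 403 is the CSRF rejection shown earlier on this page.
function classifyStatus(status) {
  if (status === 401) return 'login-required';
  if (status === 403) return 'forbidden';
  if (status >= 200 && status < 300) return 'ok';
  return 'error';
}

// fetchImpl is injectable so the flow can be exercised without a server;
// in a browser bundle it defaults to the global fetch.
async function fetchAsAuthenticated(url, options = {}, deps = {}) {
  const { fetchImpl = globalThis.fetch, onLoginRequired = () => {}, csrfToken = null } = deps;
  const { init } = buildRequest(url, options, csrfToken);
  const response = await fetchImpl(url, init);
  const outcome = classifyStatus(response.status);
  if (outcome === 'login-required') {
    onLoginRequired(); // e.g. open the bundle's login modal, then retry
    return { outcome, data: null };
  }
  if (outcome === 'ok') return { outcome, data: await response.json() };
  return { outcome, data: await response.text() };
}

// Example call (path assumed): list a kapp's forms, showing the modal on 401.
// fetchAsAuthenticated('/kinetic/acme/app/api/v1/kapps/catalog/forms', {},
//   { onLoginRequired: () => showLoginModal() });

module.exports = { buildRequest, classifyStatus, fetchAsAuthenticated };
```

Because the outcome is derived from the status rather than from the shape of the payload, a truncated “public” result can no longer be mistaken for a complete one: the bundle either gets the authenticated data or an explicit prompt to re-authenticate.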

Bug Fixes

Summary: Default Bundle contained a hard coded reference to the 'kinetic' web application context.
Details: The bundle that ships with the Kinetic Request CE application (commonly referred to as the “Base” bundle) included a hard coded reference to the “kinetic” web application context. This would have caused an error for customers leveraging subdomains for tenant spaces.
Issue Number(s): KCORE-2228

Summary: Incorrect results being returned for some Datastore Submission searches.
Details: Datastore submission searches were incorrectly omitting results when a compound index specified a greater than (or equal to) expression without a less than (or equal to) expression. Also, Datastore Submission indexes that included a checkbox question as part of the index definition were not properly being updated when the checkbox value changed.
Issue Number(s): KCORE-2269, KCORE-2279

Summary: The ‘?debugjs’ URL parameter was not being respected in SPA mode.
Details: The ‘?debugjs’ URL parameter is used during development to prevent the Kinetic Request CE application from minifying the JS/CSS code returned from the server (for easier debugging). This URL parameter was not being respected when a space was configured with the “Single Page App” display type.
Issue Number(s): KCORE-2275