Breaking changes in DPE 2.5.199.0 - READ CAREFULLY!

Overview

Secure DPE tokens

  • DPE 2.5 uses secure authentication tokens
  • DPE Service clients cannot construct secure DPE tokens on their own but have to request them from an API endpoint /api/token (see API description).
  • Tokens forwarded from DPE web app to other applications (or received from other apps) should be secure tokens.
  • Secure DPE tokens cannot be deconstructed into user and password

DPE Service Access More Restrictive

  • More service calls are only allowed with valid authentication

web.config

See https://learn.davidsystems.com/dpe2v5/dpe-server/learn-and-explore-dpe-server/configuring-web-config-files#Configuringweb.configFiles-AutomaticLogoutfunction

Forms authentication has to be removed from web.config. The DPE Setup does this automatically for newly installed web.config.

If you are copying a previous web.config to your new installation, you have to do this manually: comment out or remove the authentication section:

<!--
<authentication mode="Forms">
  <forms name="MyFormsAuthCookie" timeout="1440" slidingExpiration="true" loginUrl="Logon.aspx" ticketCompatibilityMode="Framework40" />
</authentication>
-->    

Content Manager Details Templates

See https://learn.davidsystems.com/dpe2v5/content-manager/learn-and-explore-cm/details-pane-configuration/introduction-to-details-pane-templates/configuration-options-for-single-selection-of-entry/audio-download-links

If you are using download links in your ContentManager details template you have to replace them in the following way:

Old
DownloadMedium.ashx?{{model.FullEntryId}}
New
DownloadMedium.ashx?{{model.FullEntryIdAuth}}

Workflow System

Workflows

AccessToken
  • The workflow argument AccessToken has to be used (= forwarded) in all DPE activities offering an AccessToken property.
  • We have adapted all standard workflows; make sure you use the newest version.
Calling DPE Services Directly
  • If your workflow calls DPE Services directly via .Net proxy classes you have to instantiate the ProxyContainer differently:
Old
New ProxyContainer(User, Password, Environment.MachineName, TimeSpan.FromSeconds(120))
New
MixedAuthHeader auth = If (AccessToken Is Nothing, new MixedAuthHeader(User, Password, Environment.MachineName), MixedAuthHeader.FromAnyToken(AccessToken))
New ProxyContainer(auth, TimeSpan.FromSeconds(120))

Workflow Compatibility

Please use only Workflow Templates released with this release.

Please request project-specific Workflow Template updates from the DAVID Support Team before updating your system.

Product compatibility list for DPE 2.5.199.0 and later

Minimum required versions of other DAVID products compatible with Secure DPE tokens:

| Application | Version | Comment |
| --- | --- | --- |
| DBM | 5.8.8220.0 | Older versions work as long as DpeTokenAcceptMode is not set to "Secure" |
| MTE | 7.10.1783.0 | |
| CAE | 0.7.12 | |
| WDA | - | Not implemented/supported yet in WDA. WDA will not understand secure token in URL, so forwarding logon will not work. Nevertheless you can logon in WDA as long as DpeTokenAcceptMode is not set to "Secure" |
| ROAD Backend | 1.3.567.1 | Older versions work as long as DpeTokenAcceptMode is not set to "Secure" |
| ROAD InstaRecorder | 1.1.73 | |
| ROAD Admin | ? | ? |
| ROAD Scheduling | ? | ? |

DPE Server Config Options

web.config

Description

DpeTokenCreateMode

Specifies which kind of token is returned from /api/token REST endpoint

  • Secure (default): returns signed, secure DPE token 
  • Unsecure: returns unsecure DPE v1.0 token containing password
  • Disabled: returns status code 500 on GET /api/token

It is also possible to set a comma-separated list for various clients, e.g.

  • Secure,dpe:Unsecure

Clients have to use the query parameter "client" when requesting the token to support this.

DpeTokenAcceptMode

Specifies the behavior when DPE tokens are validated

  • Secure: only secure DPE tokens are accepted
  • WarningOnNotSecure: accepts secure and unsecure DPE tokens but logs a warning for unsecure
  • Disabled: returns status code 500 on POST /api/token
  • Any: accepts any request (= turns off validation)
  • Any other value (default): accepts secure and unsecure DPE tokens

Currently the default is to still accept unsecure tokens. This will change in the future.

ParameterServiceSecurity 
  • High (default): all Parameter Service calls require authentication
  • Low: some Parameter Service calls are allowed without authentication; needed to run older SAF Servers (e.g. 2.4) with DPE Server 2.5
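
A check for the web.config end state that these options and the migration steps aim at, as an added example (not DAVID Systems code). It assumes the three options are stored as appSettings `<add key="…" value="…" />` entries and that an unprefixed DpeTokenCreateMode entry is the fallback for all other clients; neither is stated on this page, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

def create_modes(value):
    """Split a DpeTokenCreateMode value such as 'Secure,dpe:Unsecure' into
    (fallback mode, {client: mode}). Treating the unprefixed entry as the
    fallback for all other clients is an assumption."""
    fallback, per_client = "Secure", {}   # Secure is the documented default
    for item in filter(None, (p.strip() for p in value.split(","))):
        client, sep, mode = item.partition(":")
        if sep:
            per_client[client.strip()] = mode.strip()
        else:
            fallback = item
    return fallback, per_client

def audit_web_config(xml_text):
    """Return (setting, reason) findings for settings that weaken token security."""
    root = ET.fromstring(xml_text)        # XML comments are dropped by the parser
    # Assumption: options live in <add key="..." value="..." /> entries.
    cfg = {a.get("key"): a.get("value", "") for a in root.iter("add")}
    findings = []
    if any(e.get("mode", "").lower() == "forms" for e in root.iter("authentication")):
        findings.append(("authentication", "forms authentication is still active"))
    accept = cfg.get("DpeTokenAcceptMode", "")
    if accept == "Any":
        findings.append(("DpeTokenAcceptMode", "token validation is turned off"))
    elif accept not in ("Secure", "Disabled"):
        findings.append(("DpeTokenAcceptMode", "unsecure tokens are still accepted"))
    fallback, per_client = create_modes(cfg.get("DpeTokenCreateMode", "Secure"))
    for client, mode in [("(all other clients)", fallback), *sorted(per_client.items())]:
        if mode == "Unsecure":
            findings.append(("DpeTokenCreateMode",
                             f"{client} gets v1.0 tokens containing the password"))
    if cfg.get("ParameterServiceSecurity", "High") == "Low":
        findings.append(("ParameterServiceSecurity", "some calls need no authentication"))
    return findings

# Constructed sample: a web.config in the middle of the migration.
MIGRATING = """<configuration>
  <appSettings>
    <add key="DpeTokenCreateMode" value="Secure,dpe:Unsecure" />
    <add key="ParameterServiceSecurity" value="Low" />
  </appSettings>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="Logon.aspx" /></authentication>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for setting, reason in audit_web_config(MIGRATING):
        print(f"{setting}: {reason}")
```

An empty result means forms authentication is gone, only secure tokens are issued and accepted, and ParameterServiceSecurity is back at its default.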

Proposed Migration Order

| Step | Component | Comments |
| --- | --- | --- |
| 1 | Update to DPE Server 2.5 | In web.config: temporarily set ParameterServiceSecurity = Low (needed for older SAF Servers); make sure forms authentication mode is commented out or removed |
| 2 | Update DPE Processors | But NOT WorkflowServer |
| 3 | Backup all installed workflows | By checking them in Workflow Templates page and exporting them |
| 4 | Stop WorkflowServer | Ensure that Workflow queue is empty before doing this |
| 5 | Update all workflows | To newest version, also see workflow version list above |
| 6 | Start WorkflowServer | |
| 7 | DPE web.config | Remove ParameterServiceSecurity = Low from web.config |



DPE WebServices & WebApplications

Please check breaking changes outlined above

| Components | Version |
| --- | --- |
| DPE | 2.5.199.0 |
| Bugfix branch | 2.4.301.5 |

Dependencies
  • Required for BrowserBridge version 2.5.15.0
  • Required for Workflow Server version 2.5.36.0
  • Required for Utility Processor version 2.5.15.0
  • Required for Audio Processor version 2.5.19.0
  • Required for Loudness Processor version 2.5.14.0
  • Required for Video Processor version 2.5.14.0
  • Required for Active Directory Sync version 2.5.12.0
  • Requires a DpeCoreDb version 1.12 or 1.13 or 1.14 (DpeCoreDb Wizard supports upgrading an older version) running on (Details see Supported Databases)
  • Requires Microsoft Windows Server 2012 R2, 2016 or 2019 operating system
  • Requires Microsoft .Net 4.8
  • Using on-the-fly conversion requires Workflow Templates AudioLoResOnTheFly.wft in version 2.0.0.0 and AudioWaveformOnTheFly.wft in version 2.0.0.0 (details see below) and an AudioConverter license for AudioProcessor.
  • For accessing all web applications, the client must have a standards-compliant web browser. Supported are the latest versions of Firefox, Chrome and Edge.

Setup

New Features
  • None
Fixed Issues
  • OIA-1219 - Text color in all setups is gray instead of black after Advanced Installer Update

WebServices

Vulnerabilities
  • All service calls must be authorized
  • Support secure DPE Token - see Breaking changes above
  • Content Service
    • OIA-638 - Auth caching has a security bug
  • Workflow Service
    • Password is exposed in WorkflowService API
New Features
  • Enhanced Security
    • Access-Control-Allow-Origin headers added to almost any HTTP response of DPE
    • Brute force protection for token validation system
  • Content Service 
    • UploadMedium.ashx: should return 403 (Forbidden) instead of 500 when auth is not sufficient
    • Extending XmlFilter-functionality
    • CCD-42914 - Option to create missing master data when creating an entry
  • Workflow Service
    • workflowStates and jobStates resource
    • REST Status Calls for Workflow, Jobs
    • CCD-41241 - Extend JobService by "offset" parameter as base for paging
  • Logging Service
    • logLevels resource
    • REST Status Calls for Logs
Fixed Issues
  • Content Service 
    • OIA-513 - CM staying open over night "breaks" facet search
    • OIA-957 - Label not created without NAMERELATIONTABLE
    • OIA-1391 - Waveform.ashx is called and fails from EAO player for virtual entry without any media
    • OIA-1497 - Custom field with minus sign in name does not work in XmlFilter
    • OIA-1518 - REST PUT /api/media/id fails
  • Workflow Service
    • OIA-1527 - Monitoring Workflow progress leads to many deadlocks under heavy load

General UI

New Features
  • "Clear all" button inside all faceted searches
  • Support for changing Labels in GenericDateTimeFacet
  • Show RIGHTS.PAR problem in logon screen (instead of DpeDiagnostics)
Fixed Issues
  • OIA-968 - Drop down out of window if option longer than screen width

Video Player

This component is used within Content Manager and RoughCut Edit for viewing LoRes videos.

Dependencies
  • This component is an integral part of the DPE solution and therefore fits the same Content Manager and RoughCut Edit versions
  • VideoPlayer requires a dedicated MPD (MPEG-DASH) Lo-Res file beside each video entry in the DigaSystem database. These LoRes files can be generated via a project-specific Video Conversion Workflow.
  • VideoPlayer requires the latest Firefox, the latest Chrome or the latest Edge (Chromium based) as client.
New Features
  • None

Content Manager

see Content Manager

Subclip Editor

see Subclip Editor

RoughCut Edit

see Roughcut Edit

Management Services

see Management Services

Admin

New features
  • None

Workflow Admin

see Workflow System

SAF Monitor

see Workflow System

Licenses

New features
  • None

Logs

New Features
  • None

System Monitor

New Features
  • None

Further Workflow Templates

The following standard Workflow Templates are part of the DPE base package.

DigErase

| Workflow Template | Version | Changes |
| --- | --- | --- |
| DigEraseSoftDelete.wft | 2.0.9.0 | Vulnerabilities: Support for secure DPE token |
| DigEraseHardDelete.wft | 2.0.9.0 | Vulnerabilities: Support for secure DPE token |

AudioTranscoding

| Workflow Template | Version | Changes |
| --- | --- | --- |
| AudioRenderingJobFolderToFolder.wft | 2.0.3.0 | Initial Release |
| AudioTranscodingFolderToFolder.wft | 2.0.2.0 | Initial Release |
Dependencies

Loudness Analysis Package

| Workflow Template | Version | Changes |
| --- | --- | --- |
| LoudnessAnalyzeEntry.wft | 2.0.0.0 | No changes, identical to Release 2019.2.0. AnalyzeEntry workflow should also update main medium duration; WorkflowActivities: LoudnessAnalyzeJob + LoudnessNormalizeJob is exposing password in job description |
| LoudnessAnalyzeNextBlock.wft | 2.0.0.0 | No changes, identical to Release 2019.2.0 |

Dependencies

Loudness Gain Adjust

| Workflow Template | Version | Changes |
| --- | --- | --- |
| LoudnessGainAdjust.wft | 2.0.2.0 | No changes, identical to Release 2020.1.0 |

Dependencies