ThingWorx - Version 6.0 Release Notes

    The following feature enhancements and bug fixes have been made in ThingWorx 6.0.

     

    Feature Enhancements

    Platform

    • New Persistence Provider entity allows for choosing the data store for Stream, Value Stream, and Data Table runtime data. The ability to use DataStax Enterprise (DSE) as a persistence provider is possible via extension import.
    • Help Center integrated, includes searchable Platform API documentation.
    • While Entity names must be unique within the same entity type, they can be the same across entity types. For example, you can have a Thing and a Thing Shape with the same name, but you cannot have a Data Table and a Thing with the same name.
    • New Infotable snippet functions added. See below for additional details.
    • Tomcat 8 supported.
    • Java 8 supported.

    Mashups

    • Added the ability to change the colors in the Pie Chart widget.
    • Added default OnFocus style to the Checkbox widget.

     

    Bug Fixes

    Platform

    • Improved cross-site scripting (XSS) and cross-site request forgery (CSRF) protection. If your application uses a custom UI that accesses ThingWorx via the REST API, action may be required. See the CSRF section below for more information.
    • Various tooltip improvements.
    • Fixed an issue with the Data Export widget that caused the HTTP GET method to be blocked by the default security settings.
    • Fixed an issue with the Alert Subsystem that didn't allow the "Apply Visibility Checks on Alert Queries" option to work correctly.
    • Changed the error message that is displayed when a user cancels their login into ThingWorx.
    • Fixed the SetAllowMethodSwitch and SetFilterContentType methods in the Platform Subsystem to not allow properties to be dynamically added.
    • Fixed the filter for Query Location Property via a Value Stream.

    Composer

    • Fixed a possible issue with the dashboardID that could lead the groups in a Dashboard widget to get duplicated.
    • Fixed an issue that was not allowing the export of all entities with multiple tags.
    • Fixed an issue that didn't allow LocalizationTables to be searched from the "All" category of Composer.

    Mashup

    • Fixed runtime Tag Picker widget to display the selected tag correctly.
    • Fixed an issue in the Property Display and Property Table Widgets that was causing them not to render at runtime.
    • Fixed all the chart widgets to allow custom style definitions on the ChartIndicatorStyle.
    • Fixed an issue with the Entity Picker widget so that you can bind a UserGroup EntityType.

     

    Infotable Snippet Functions Update

     

    The following Infotable snippets have been added in this release:

     

    Snippet

    Description

    ToJSON()
    • Returns your InfoTable as a JSON object.
    • Does not work with Infotables that are already JSONObjects (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)
    RemoveField(fieldName)
    • The RemoveField function allows you to remove a column from an infotable by passing in the FieldDefinition name.
    • For example, if you had an infotable variable called 'myInfoTable' and wanted to remove the 'Description' FieldDefinition:
      • myInfoTable.RemoveField('Description');
    • Does not work with JSONObject Infotables (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)
    RemoveAllRows()
    • The RemoveAllRows function allows you to remove all rows from an infotable.
    • Does not work with JSONObject Infotables (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)
    Sort
    • The Sort function allows you to sort your infotable by a specific column, either ascending or descending. Sorts the Infotable in place.
    • Does not work with JSONObject Infotables (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)
    Filter
    • The Filter function allows you to filter your infotable so that it matches your value collection. The function requires that the value collection object be passed into the function as a parameter. The value collection object's values should be aligned with the datashape of the infotable. Filters the Infotable in place. For example:
      • var valueCollection = new Object();
      • valueCollection.name = 'Alert1';
      • valueCollection.duration = 10;
      • valueCollection.priority = 1;
      • // etc....
      • myInfoTable.Filter(valueCollection);
    • Only the rows that match your value collection will be returned as your InfoTable.
    • Does not work with JSONObject Infotables (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)
    Find
    • The Find function allows you to find a row of an infotable that matches your value collection. The function requires that the value collection object be passed into the function as a parameter. The value collection object's values should be aligned with the datashape of the infotable. Returns the first row matching your criteria. For example:
      • var valueCollection = new Object();
      • valueCollection.name = 'Alert1';
      • valueCollection.duration = 10;
      • valueCollection.priority = 1;
      • // etc....
      • myInfoTable.Find(valueCollection);
    • The first row that matches your value collection will be returned as a row.
    • Does not work with JSONObject Infotables (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)
    Delete rows by filter
    • The Delete function allows you to delete multiple rows of an infotable that match your value collection. The function requires that the value collection object be passed into the function as a parameter. The value collection object's values should be aligned with the datashape of the infotable. Returns a NUMBER representing the rows deleted. For example:
      • var valueCollection = new Object();
      • valueCollection.name = 'Alert1';
      • valueCollection.duration = 10;
      • valueCollection.priority = 1;
      • // etc....
      • myInfoTable.Delete(valueCollection);
    • Only rows whose values match the above will be deleted.
    • Does not work with JSONObject Infotables (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)
    Add Row[]
    • The Add Row [] function allows you to add a row to a JSONObject Infotable. The row object's values should be aligned with the datashape of the infotable. For example:
      • var newRow = new Object();
      • newRow.name = 'Alert1';
      • newRow.duration = 10;
      • newRow.priority = 1;
      • newRow.description = 'This is the value that will be saved for the description field';
      • // etc...
      • yourInfoTableHere.rows[x] = newRow;
    • Only works with JSONObject Infotables (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)
    AddField
    • The AddField() function allows you to add a new field definition to your InfoTable datashape on the fly. For example:
      • var newField = new Object();
      • newField.name = 'Field1';
      • newField.baseType = 'STRING';
      • myInfoTable.AddField(newField);
    • Does not work with JSONObject Infotables (i.e. var myTable = { dataShape: { fieldDefinitions : {} }, rows: [] };)

     

    CSRF Vulnerability Fix and Actions

     

    A CSRF (Cross-Site Request Forgery) vulnerability was detected in ThingWorx, and current users may need to take action to prevent attacks. In a CSRF attack, the attacker exploits how the target web application manages authentication. For CSRF to be exploited, the victim must be logged in to the target site. While this vulnerability has been fixed in ThingWorx 6.0, current users with custom applications may be affected.

     

    Which ThingWorx Users Does This Affect?

     

    • If your application only uses mashups built in Composer, then your application should not be affected.
    • If your application uses a custom UI accessing ThingWorx via the REST API, then action may be required.

     

    Action Required

     

    By default, the request method can no longer be changed by request parameters. If your application relies on changing the request method this way, you can:

     

    • Remove any code that will change a GET method to a POST method via request parameters. This is the recommended best practice approach.
    • Set the Allow Request Method Switch value found in the Platform Subsystem configuration to true.
      • Caution: This is not the recommended best practice, and in doing so you acknowledge you are exposing your implementation/application to the possibility of Cross Site Request Forgery.
    • The ContentTypeFilter has been implemented to verify that the content type in the request header is either application/json, application/xml, or text/xml for all POST, PUT, and DELETE methods. If the request is multipart/form-data, it will check for an X-XSRF-TOKEN header with a value of TWX-XSRF-TOKEN-VALUE. These multipart/form-data requests are used for file upload.
      • If performing file uploads, your browser must implement the FormData object.
      • Note: FormData is not available in older browsers (Internet Explorer 9 and below), so file upload will not work in these browsers (including entity and extension imports) when the ContentTypeFilter is included.
      • Caution: The ContentTypeFilter can be turned off in the Platform Subsystem, but in doing so, you acknowledge you are exposing your implementation/application to the possibility of Cross Site Request Forgery.
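
The rules above can be checked against a custom UI's REST calls before upgrading. The following is an added example, not ThingWorx code: it models the documented default 6.0 behaviour and reports which requests would need to change. The parameter name `method`, the URLs, and the Thing name `Pump1` are assumptions or constructed placeholders that do not come from these release notes.

```javascript
// Added example: a model of the documented 6.0 rules, not ThingWorx source code.
const ALLOWED_TYPES = ['application/json', 'application/xml', 'text/xml'];
const FILTERED_METHODS = ['POST', 'PUT', 'DELETE'];
const XSRF_VALUE = 'TWX-XSRF-TOKEN-VALUE';
// Assumption: the method-switching request parameter is named "method".
const METHOD_SWITCH_PARAM = 'method';

// "application/json; charset=utf-8" -> "application/json"
function mediaType(value) {
  return String(value || '').split(';')[0].trim().toLowerCase();
}

// Header names are case-insensitive, so normalise them before lookup.
function lowerCaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Returns the reasons a request would be refused under default 6.0 settings.
function auditRequest(req) {
  const findings = [];
  const method = req.method.toUpperCase();
  const headers = lowerCaseKeys(req.headers);
  const url = new URL(req.url, 'https://thingworx.example.invalid');
  if (url.searchParams.has(METHOD_SWITCH_PARAM)) {
    findings.push('method switch via request parameter');
  }
  if (FILTERED_METHODS.includes(method)) {
    const type = mediaType(headers['content-type']);
    if (type === 'multipart/form-data') {
      if (headers['x-xsrf-token'] !== XSRF_VALUE) {
        findings.push('multipart/form-data without X-XSRF-TOKEN header');
      }
    } else if (!ALLOWED_TYPES.includes(type)) {
      findings.push('content type not accepted: ' + (type || '(none)'));
    }
  }
  return findings;
}

// Constructed sample calls from a hypothetical custom UI (not captured traffic).
const SAMPLE_REQUESTS = [
  { method: 'POST', url: '/Thingworx/Things/Pump1/Services/Reset', headers: { 'Content-Type': 'application/json; charset=utf-8' } },
  { method: 'POST', url: '/Thingworx/Things/Pump1/Services/Reset', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  { method: 'GET', url: '/Thingworx/Things/Pump1/Services/Reset?method=POST', headers: {} },
  { method: 'POST', url: '/Thingworx/upload-placeholder', headers: { 'Content-Type': 'multipart/form-data; boundary=x' } },
  { method: 'POST', url: '/Thingworx/upload-placeholder', headers: { 'Content-Type': 'multipart/form-data; boundary=x', 'X-XSRF-TOKEN': XSRF_VALUE } },
];
for (const r of SAMPLE_REQUESTS) console.log(r.method, r.url, '->', auditRequest(r).join('; ') || 'ok');
```

The content types the filter accepts, and the custom X-XSRF-TOKEN header, cannot be produced by a plain cross-site HTML form, which is why a forged request from another site fails these checks while the application's own script-issued requests pass.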