Preparing for Crowd 7.0


This documentation is intended for Crowd developers who want to ensure that their existing apps are compatible with Crowd 7.0.


Quick info

Here you can find information about the latest EAP.

Date | EAP number | Downloads
     | 7.0.0-EAP03 (EAP 03) | Download EAP

Summary of changes

In this section we provide an overview of the changes we intend to make, so you can start thinking about how they might impact your apps. Once a change is ready, we'll indicate that it has been implemented.

In Crowd 7.0.0, we introduce new functionalities and features without any expected breaking changes.

Upgrade to Struts 7.0

Status: IMPLEMENTED (EAP 02)

We’re upgrading to Struts 7.0 which comes with new features and significantly enhances security. This update addresses critical vulnerabilities and incorporates the latest security measures, providing you with a safer and more reliable experience.

In addition to the Servlet API changes mentioned earlier, the primary change is the renaming of the com.opensymphony.xwork2 package to org.apache.struts2. Take care to replace all such imports.

In EAP01, we released an intermediate version with Struts 6.6; with EAP02 we completed the migration to Struts 7.0.

Removed support for Freemarker templates

Status: IMPLEMENTED (EAP 01)

We’re removing support for Freemarker templates to ensure a safer environment. We encourage you to update your apps to use alternative templating technologies, such as Soy or Apache Velocity templates, which will be supported in the new release.

Added support for Apache Velocity and Soy templates

Status: IMPLEMENTED (EAP 01)

We’re introducing support for Apache Velocity and Soy templates, offering you new server-side templating options with enhanced security for rendering dynamic content.

New plugin modules

Status: IMPLEMENTED (EAP 01)

The Struts module

The Struts plugin module replaces the xwork module which is deprecated starting from Crowd 7.0 and will be removed in Crowd 8.0. Learn more about the new Struts module

The Velocity Allowlist module

The Velocity Allowlist module allows app developers to allowlist their plugin class methods for invocation from Velocity templates. Learn more about the Velocity Allowlist module
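As an added example (not code from the page or from Atlassian), a small Python helper for the changes above: it rewrites the com.opensymphony.xwork2 imports to org.apache.struts2 and lists the other Crowd 7.0 compatibility findings in an app's source tree, namely leftover Freemarker templates and xwork plugin-module descriptors. The `<xwork` descriptor element name and the file layout are assumptions.

```python
import re

# Package rename described on the page; the descriptor element name is an assumption.
OLD_PKG, NEW_PKG = "com.opensymphony.xwork2", "org.apache.struts2"
IMPORT_RE = re.compile(
    r"^(\s*import\s+(?:static\s+)?)" + re.escape(OLD_PKG) + r"(\.[\w.*]+;)", re.M)

def rewrite_struts_imports(source):
    """Return (rewritten text, number of import statements renamed) for one Java file."""
    return IMPORT_RE.subn(r"\g<1>" + NEW_PKG + r"\2", source)

def find_compat_issues(files):
    """files maps a path to its text; returns (path, finding) pairs to review before 7.0."""
    issues = []
    for path, text in sorted(files.items()):
        if path.endswith(".ftl"):
            issues.append((path, "Freemarker template: support removed, port to Soy or Velocity"))
        if path.endswith(".java") and OLD_PKG in text:
            imports = len(IMPORT_RE.findall(text))
            other = text.count(OLD_PKG) - imports   # fully qualified uses outside import lines
            issues.append((path, f"{imports} xwork2 import(s) to rename, {other} other reference(s)"))
        if path.endswith("atlassian-plugin.xml") and "<xwork" in text:
            issues.append((path, "xwork module: deprecated in 7.0, removed in 8.0, use the struts module"))
    return issues
```

Run `find_compat_issues` over the app's files first, then apply `rewrite_struts_imports` to each flagged Java file and review the non-import references by hand.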

Migration of insecure password encoders

Status: IN PROGRESS (EAP 01)

Internal directories in Crowd can be configured to apply a one-way hash function to user passwords before processing them, so the stored value cannot be reversed to recover the password:

  • When a user is created or their password is updated, the password is hashed before it is stored in the database.
  • When a user enters their credentials on login, the entered password is hashed before it is compared with the stored value.

Crowd still supports the following password encoders, which are deemed insecure:

  • PLAINTEXT
  • MD5
  • SHA
  • SSHA

In Crowd 7.0, we're introducing tools to facilitate the migration of directories using insecure password encoders to secure alternatives. Upon their next login, each user's password will be re-hashed with a secure encoder.

This transition means that, for a period, the directory will contain user passwords hashed with two different encoders. Our goal is to provide a seamless experience for the end user; however, some manual intervention may be necessary from the Crowd administrator, such as removing inactive accounts that will never log in again and therefore never get re-hashed.
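To make the re-hash-on-next-login scheme described above concrete, here is an added Python sketch; it is not Crowd's implementation. The legacy storage formats, the PBKDF2-based stand-in for the "secure encoder", and the user record layout are assumptions made for the demo, and the report at the end is the kind of list an administrator needs to find accounts that will never migrate on their own.

```python
import base64, hashlib, hmac, os
INSECURE = {"PLAINTEXT", "MD5", "SHA", "SSHA"}   # encoders the page lists as insecure
SECURE = "PBKDF2-SHA256"                          # stand-in secure encoder (assumption, not Crowd's)

def encode_legacy(encoder, password, salt=None):
    """Stored value in one of the legacy formats (constructed for this demo)."""
    pw = password.encode()
    if encoder == "PLAINTEXT":
        return password
    if encoder == "MD5":
        return hashlib.md5(pw).hexdigest()
    if encoder == "SHA":
        return hashlib.sha1(pw).hexdigest()
    if encoder == "SSHA":                          # LDAP-style: base64(sha1(pw + salt) + salt)
        salt = salt or os.urandom(8)
        return base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()
    raise ValueError(f"unknown encoder {encoder}")

def verify_legacy(encoder, password, stored):
    if encoder == "SSHA":
        raw = base64.b64decode(stored)
        expected = hashlib.sha1(password.encode() + raw[20:]).digest()
        return hmac.compare_digest(expected, raw[:20])
    return hmac.compare_digest(encode_legacy(encoder, password).encode(), stored.encode())

def encode_secure(password, salt=None, rounds=100_000):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${base64.b64encode(salt).decode()}${base64.b64encode(dk).decode()}"

def verify_secure(password, stored):
    rounds, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def login(user, password):
    """Verify against whichever encoder the record uses; on success, re-hash an insecure record."""
    if user["encoder"] == SECURE:
        return verify_secure(password, user["hash"])
    if not verify_legacy(user["encoder"], password, user["hash"]):
        return False
    user["encoder"], user["hash"] = SECURE, encode_secure(password)
    return True

def migration_report(users):
    """Per-encoder counts and the users still on an insecure encoder (admin follow-up list)."""
    counts = {}
    for u in users:
        counts[u["encoder"]] = counts.get(u["encoder"], 0) + 1
    return counts, sorted(u["name"] for u in users if u["encoder"] in INSECURE)
```

A failed login never touches the record, so only users who actually authenticate are migrated; everyone left in the second element of the report needs an administrator's decision.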

Security and usability updates

Status: IMPLEMENTED (EAP 02)

We’ve implemented several updates shared across all Atlassian Data Center products, including the adoption of Jakarta and upgrading major versions of underlying technologies used in Atlassian products. This upgrade can be split into two parts:

Backend

  • Spring updated to version 6
  • Tomcat updated to version 10
  • Ehcache updated to version 3
  • Atlassian Central Visibility plugin updated to version 3

More details about the backend updates

Frontend

Updated Tomcat protocols

Status: IMPLEMENTED (EAP 02)

We’ve updated the protocols provided by Crowd extending the Tomcat protocols with support for password encryption:

Crowd protocol | Based on Tomcat protocol | Supported attributes for password encryption
com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption | Http11NioProtocol | KeystorePass, KeyPass, SSLPassword, TruststorePass
com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption | Http11Nio2Protocol | KeystorePass, KeyPass, SSLPassword, TruststorePass
com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption | AjpNioProtocol | secret
com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption | AjpNio2Protocol | secret


The APR/Native library and the APR/Native connectors (specifically, Http11AprProtocol and AjpAprProtocol) are deprecated in Tomcat 10 and will be removed in Tomcat 10.1.x.

This means the com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption and com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption protocols will no longer be supported in Crowd 7.0.

Added support for Oracle 23ai and removed bundled Oracle JDBC driver

Status: IMPLEMENTED (EAP 02)

We’ve added support for the Oracle 23ai database in addition to the already supported version 19. Since these two databases require different Oracle JDBC driver variants, we've removed the Oracle JDBC driver from the bundled drivers. This means you need to add the Oracle JDBC driver .jar to tomcat/lib yourself, choosing the variant that matches your Oracle database:

Removed support for databases

Status: IMPLEMENTED (EAP 02)

We’re removing support for:

  • Oracle 12

  • Postgres 10

  • Postgres 11

  • Postgres 12

  • Postgres 13

  • Postgres 14

  • MySQL 5.7

  • MySQL 8.0 LTS

  • SQL Server 2016

  • SQL Server 2017

Removed support for Java 17

Status: IN PROGRESS (EAP 02)

We’re removing support for:

  • Java 17

Struts security updates

Status: IMPLEMENTED (EAP 02)

We’ve introduced changes for improved security in Struts:

  • The exclusion of class org.apache.struts2.ActionContext in struts.excludedClasses

  • The exclusion of OGNL expression node types:

    • ognl.ASTBitAnd

    • ognl.ASTBitOr

    • ognl.ASTNegate

Removal of insecure and deprecated components

Status: IMPLEMENTED (EAP 02)

We’ve updated some outdated and insecure external components:

  • com.sun.activation and com.sun.mail were migrated from com.sun to org.eclipse.angus

We’ve also removed some components which have been deprecated in the past:

Component: Crowd Core
Removed:

  • class com.atlassian.crowd.embedded.propertyset.DateFormats

  • public static methods and fields in:

    • com.atlassian.crowd.embedded.api.Directories

    • com.atlassian.crowd.model.application.Applications

    • com.atlassian.crowd.model.user.Users

    • com.atlassian.crowd.model.group.Groups

  • class com.atlassian.crowd.embedded.directory.LdapConnectionPoolInitialisationListener

  • class com.atlassian.crowd.directory.query.MicrosoftGraphQueryParams

Component: Crowd API
Removed:

  • in com.atlassian.crowd.embedded.api.AttributesSynchronisableDirectoryProperties:

    • CURRENT_START_SYNC_TIME

    • LAST_START_SYNC_TIME

    • LAST_SYNC_DURATION_MS

    • IS_SYNCHRONISING

  • public methods:

    • com.atlassian.crowd.integration.http.CrowdHttpAuthenticator#isAuthenticated

    • com.atlassian.crowd.integration.http.CrowdHttpAuthenticator#rememberMeLoginToCrowd

    • com.atlassian.crowd.service.CrowdRememberMeService#createCookie

OAuth 2.0 and service accounts

Status: IN PROGRESS (EAP 02)

We’re introducing the ability to use OAuth 2.0 to connect an application to Crowd and synchronize users, groups, and memberships. With this change, basic authentication will be disabled by default for newly created Crowd instances. This is a first step towards the removal of basic authentication altogether as we develop and mature alternatives to support the remaining few use cases.

Furthermore, we’re adding support for managing service accounts which are special accounts used by applications or services to interact with other systems or APIs, often without human intervention. Service accounts facilitate secure interactions between applications and Crowd and ensure that applications can authenticate and synchronize users, groups, and memberships securely, without relying on traditional username and password combinations (basic authentication). By managing service accounts, admins can control how applications access and interact with Crowd, enhancing security and efficiency in user management processes.

Added support for Postgres and MySQL

Status: IMPLEMENTED (EAP 03)

We’re adding support for:

  • Postgres 17

  • MySQL 8.4

Changes to the Restore Crowd feature

Status: IMPLEMENTED (EAP 03)

Restoring Crowd using an XML file requires only the file name now. The file must be located in the crowd-home/import directory. Before starting the restoration, the admin needs to copy the XML file to the crowd-home/import directory and then input just the file name in the UI.

This process aligns with the Import-Users feature.

Deprecating user and group attribute sync

Status: IN PROGRESS (EAP 03)

We’re deprecating the functionality of synchronizing user and group attributes from external directories. This was an undocumented feature which synchronized user and group attributes carrying a certain prefix from an external directory. The functionality was disabled by default unless activated by manually editing the directory attributes.

When enabled, an error message will be logged at the error level from the com.atlassian.crowd.directory.synchronisation.cache.AbstractCacheRefresher logger. The message will state either:

  • "User attribute synchronization is enabled. This functionality is deprecated and will be removed in a future Crowd version", or
  • "Group attribute synchronization is enabled. This functionality is deprecated and will be removed in a future Crowd version." 

Currently, there is no planned replacement for this feature.

Disable scheduled backups by default

Status: IMPLEMENTED (EAP 03)

In this Crowd version, scheduled backups are turned off by default. When upgrading from a previous version of Crowd or restoring from a backup, your existing backup configuration will remain unchanged, so your current settings are preserved exactly as previously configured.

Migrate to new authentication API

Status: IMPLEMENTED (EAP 03)

We’re deprecating com.atlassian.crowd.manager.authentication.TokenAuthenticationManager. It’ll be added to the list of deprecated APIs in the upcoming Crowd 6.3.2 release and will be completely removed with the release of Crowd 7.0.

As a more secure alternative, use com.atlassian.crowd.service.authentication.CrowdApplicationAuthenticationService to authenticate users to Crowd and to log them out. This service also writes audit log entries, giving better visibility of these operations.

Other functionalities provided by TokenAuthenticationManager will no longer be exposed by Crowd’s public API.


Last modified on Jul 17, 2025
