Create service accounts using REST API with OAuth 2.0

Service accounts are specialized, non-user accounts created for secure and efficient management of automated processes and external integrations. You can now create such accounts by using REST APIs with OAuth 2.0 authentication. Explore how to create service accounts with REST API

Advance notice: we’re also working on a new user interface to make it even easier to create service accounts across products. If you have feedback or questions, let us know.

Sync directories with OAuth 2.0

Crowd directory sync now supports OAuth 2.0 as the default connection method for Data Center products, although basic authentication remains an available option. Update your connected products to use OAuth 2.0 for directory sync and enhance security. Existing integrations will continue to work, but we recommend migrating to OAuth 2.0.

Explore how to set up OAuth 2.0 directory sync in Crowd

Struts 7.0 のアップグレード

We’ve upgraded to Struts 7.0 to deliver new features and stronger security. This update addresses critical vulnerabilities and introduces the latest security measures, giving you a safer and more reliable experience.

In addition to the Servlet API, the main update is the renaming of the com.opensymphony.xwork2 package to org.apache.struts2. We recommend updating all related imports to ensure compatibility.

Removed support for Freemarker templates

We’re removing support for Freemarker templates to create a safer environment. Update your apps to use alternative templating technologies, such as Soy or Apache Velocity templates.

Added support for Apache Velocity and Soy templates

We now support Apache Velocity and Soy templates to render dynamic content on the server side. These templates improve security and flexibility, making it easier to build and maintain custom features in your instance.

New plugin modules

The Struts module

The Struts plugin module now replaces the deprecated xwork module. The xwork module will be removed in Crowd 8.0. Update your integrations to use the Struts module to ensure compatibility with future Crowd releases. More about the new Struts module

The Velocity Allowlist module

The Velocity Allowlist module allows app developers to allowlist their plugin class methods for invocation from Velocity templates. More about the Velocity Allowlist module

Security and usability updates

We’ve implemented several updates shared across all Atlassian Data Center products, such as adoption of Jakarta and upgrading major versions of underlying technologies. This upgrade can be split into two parts:

• Backend updates to:

  • Spring 6

  • Tomcat 10

  • Ehcache 3

  • Atlassian Central Visibility plugin 3
    More about the backend updates

• Frontend updates to:

• • Atlassian UI 10
  • JQuery 3
  • LESS transformer support removed

Tomcat プロトコルのアップデート

We've updated the protocols provided by Crowd to extend the Tomcat protocols with support for password encryption.

The APR/Native library, Http11AprProtocol connector, and AjpAprProtocol connector are deprecated in Tomcat 10 and will be removed in Tomcat 10.1.x.

As a result, the com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption and com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption protocols are no longer supported in Crowd 7.0.

Removal of insecure and deprecated components

We’ve updated and migrated the insecure external components com.sun.activation and com.sun.mail from com.sun to org.eclipse.angus.

We’ve also removed the below components which have been deprecated in the past.

Changes to the Restore Crowd feature

Now, restoring Crowd using an XML file requires only the file name. To restore Crowd:

1. Ensure the XML file is located in the crowd-home/import directory

2. Copy the XML file to the crowd-home/import directory

3. Enter just the file name.

This process aligns with the Import users feature. More about restoring Crowd

Disabled scheduled backups by default

Starting from Crowd 7, scheduled backups are disabled by default. If you upgrade from an earlier version or restore from a backup, your existing backup configuration won’t change and your current settings will be preserved as previously configured.

Deprecating user and group attribute sync

We're deprecating the ability to synchronize user and group attributes from external directories. This was an undocumented feature that synchronized user and group attributes with a specific prefix from an external directory. By default, this functionality was disabled and could only be activated via the directory attributes.

If you enable this feature, Crowd will log the following error message from the com.atlassian.crowd.directory.synchronisation.cache.AbstractCacheRefresher logger: “This functionality is deprecated and will be removed in a future Crowd version.”

Currently, there's no planned replacement for this feature.

Migration to new authentication API

We’re deprecating com.atlassian.crowd.manager.authentication.TokenAuthenticationManager. As a more secure alternative, use the com.atlassian.crowd.service.authentication.CrowdApplicationAuthenticationService service to authenticate and log out users to Crowd. This service also supports audit log entries, giving you better visibility into authentication and logout operations.

Other functionalities provided by TokenAuthenticationManager won’t be available in Crowd’s public API.

Removed support for Google Apps connector

With Crowd 7.0, we’re removing support for Google Apps Connector. If you need an SSO experience, we recommend relying on an external identity provider (IdP).

Now, the Google Apps connector functionality is blocked by default. However, the Google Apps connector configuration isn't automatically removed, and you can see the following warning message: "The Google Apps connector is enabled in your Crowd instance. This connector is no longer supported and will be removed in future Crowd versions. We recommend that you disable the connector and remove it from your instance."

To permanently remove the Google Apps connector:

1. Log in to Crowd.

2. Go to the Applications tab.

3. Select Google Apps.

4. Select Remove application and confirm removal.

After removing the connector, the warning message will disappear. More about Google Apps connector

グローバル シリアル化フィルター

Java の逆シリアル化、Velocity、Struts、XStream のセントラル ブロックリストに依存するグローバル シリアル化フィルターを実装します。このフィルターは、公開されているガジェット チェーンを通じてリモート コード実行 (RCE) に対して脆弱であると認識されている特定のクラスやパターンをブロックするように設計されています。

OAuth 2.0 でアプリ リンクを安全に接続する

We're introducing OAuth 2.0 support for application links (app links) across Atlassian Data Center products. OAuth 2.0 is an industry-standard authentication protocol that enables secure, modern, and reliable connections between Atlassian products and external applications. Explore how to create an app link

アトラシアンは、ハイブリッド環境での安全かつ効率的な統合を可能にする、クラウドに接続するための OAuth 2.0 ベースのアプリ リンクにも取り組んでいます。タイムラインは近日公開予定です。

REST エンドポイントにスコープを追加して、OAuth 2.0 2LO を使用する

REST エンドポイントのセキュリティと制御を強化するために、@ScopesAllowed を導入しました。

@ScopesAllowed アノテーションをエンドポイントに追加し、OAuth 2.0 クライアント認証情報トークン (2LO) を使用してアクセスできるようにします。

たとえば、このアノテーションでは、このエンドポイントへのアクセスを提供する前に、アクセス トークンに WRITE スコープが必要です。

@POST
@ScopesAllowed(requiredScope = "WRITE")
public void createEntity(...) {}

Explore how to configure an incoming link

OAuth 2.0 セキュリティの向上

We're implementing several important changes to our OAuth 2.0 authentication process to enhance security and efficiency.

• Enforced global maximum time on access tokens: Access tokens will now have a maximum validity period of 1 hour. This change is designed to improve security by ensuring tokens are refreshed more frequently. You can change the value by setting the atlassian.oauth2.provider.access.token.expiration.seconds system property.

• Maximum lifetime of client ID and secret: The lifetime of client IDs and secrets is now 90 days by default. However, you can adjust this setting to a maximum of 730 days. This change aims to encourage regular rotation of credentials. You can change the value by setting the atlassian.oauth2.provider.client.credentials.expiration.seconds system property.

• Rotation of client credentials: Regular rotation of client credentials (both client ID and secret) is now encouraged to enhance security. Implementing a rotation policy can help mitigate risks associated with compromised credentials.

• Revocation of rotated client credentials: Once client credentials (client ID and secret) are rotated, the previous credentials can be revoked. This ensures that only the most recent credentials remain active, reducing the risk of unauthorized access.

• Revocation of user's refresh tokens: We now provide the ability to revoke all refresh tokens associated with a specific user. Additionally, administrators have the authority to revoke all refresh tokens for users within the system. This capability allows for greater control over session management and security.

• Maximum number of refresh tokens: The maximum number of refresh tokens allowed per client ID and user is limited to 25. This limitation helps manage resource usage and ensures that token proliferation is kept in check. You can change the value by setting the atlassian.oauth2.provider.refresh.token.limit.per.client.user system property.

アプリのインストール時におけるアプリ署名の既定での有効化

このリリースでは、アプリ署名は既定で有効化されます。この機能は、アプリのセキュリティを強化するものであり、徐々に Data Center 製品全体にロールアウトされています。詳細については、こちらのコミュニティ投稿をご確認ください。

アプリ署名は新規アプリのインストールのみに影響し、すでにインストール済みのアプリはそのままです。

必要な手順は、アプリを Marketplace からインストールするか、カスタム アプリを構築するかによって異なります。

Marketplace からアプリをインストールする

この操作を行うには、次の手順を実行します。

1. 「UPM アプリ署名チェックを設定する」の説明に従って、truststore フォルダの場所を設定します。

2. アトラシアンの証明書バンドルをダウンロードしてインストールします。詳細については、「アトラシアンの証明書バンドルを更新する」を参照してください。

3. 以上で完了です。Marketplace から安全にアプリをインストールできます。

カスタム アプリのインストール

カスタム アプリのビルドを使用する場合は、次の手順でご自身のアプリに署名してそれらを保護できます。

1. 「UPM アプリ署名チェックを設定する」の説明に従って、truststore フォルダの場所を設定します。

2. 「OpenSSL を使ってアプリ署名と検証証明書を生成する」の説明に従って、アプリ署名と検証証明書を入手します。

3. 「Updating Atlassian Certificate Bundles」の説明に従って、新しい証明書をトラスト ストアに配置します。

4. 署名したアプリをインストールします。

If you’re experiencing issues, check out app signing troubleshooting.

Move from jTDS to Microsoft JDBC driver for SQL Server

We’ve removed support for the jTDS driver, and it’s no longer bundled with Crowd. Crowd now supports the Microsoft JDBC Driver for SQL Server, ensuring ongoing compatibility with SQL Server databases. Either you want to continue using the JTDS driver (not recommended) or move to the MS JDBC driver (recommended), you’ll have to add the driver manually to tomcat/lib directory. Explore how to set up Crowd with MS SQL Server database

If you're upgrading an existing instance to Crowd 7.0, refer to the Transitioning from JTSD to Microsofts JDBC driver article.

サポート対象プラットフォームの変更

See what changes are in store for the supported platforms in Crowd. For more information about what the latest stable release of Crowd supports, see Supported platforms.

• Added support for Oracle 21ai and removed bundled Oracle JDBC driver

  • We now support the Oracle 23ai database, in addition to the already supported version 19. Because these databases require different Oracle JDBC drivers, we’ve removed the Oracle JDBC driver from the bundled drivers. You need to add the appropriate Oracle JDBC driver .jar file to the tomcat/lib directory, depending on your Oracle database version: Oracle 23ai or Oracle 19.

• Added support for:

  • PostgreSQL 17

  • MySQL 8.4

• 次の製品のサポートを終了

  • Java 17

  • Oracle 12

  • Postgres 10

  • Postgres 11

  • Postgres 12

  • Postgres 13

  • Postgres 14

  • MySQL 5.7

  • MySQL 8.0 LTS

  • SQL Server 2016

  • SQL Server 2017

Complete list of changes and improvements

Here's a full list of issues resolved in this release:

Crowd 7.0.0 - 19 August, 2025

Crowd 7.0.1 - 8 September, 2025

Crowd 7.0.2 - 27 November, 2025