crowd.username.header

When set to true, Crowd will add the X-AUSERNAME header containing the username of a logged-in user to all HTTP requests (including REST).

This header can be used in Tomcat's access logs.

4.0.3

true

crowd.appname.header

When set to true, Crowd will add the X-AAPPNAME header containing the name of the application that makes REST requests to Crowd.

This header can be used in Tomcat's access logs.

4.0.3

true

crowd.sync.memberships.improvement.enabled

For the XML membership REST endpoint (like outgoing membership), this property defines whether the optimized version of synchronization should be used.

According to manual tests of an application with 1 M users in four directories, enabling this feature saves ~2 hours for full synchronisation of memberships and increases memory consumption by ~300 MB.

4.1.2

true

crowd.use.legacy.ad.membership.sync

For the internal full synchronisation process (from Active Directory to Crowd database tables), this property defines whether membership details should be retrieved upfront.

With the legacy approach, memberships are retrieved for each group individually (for both group and user-based directories). For an Active Directory instance with many groups and users, the full synchronisation can take several hours or more.

The preferred (non-legacy) approach is to retrieve all membership details as part of an upfront request to Active Directory. With this approach, the full synchronisation can be completed in several minutes (depending on the server, database, and the speed and specifications of an Active Directory).

Normally, the non-legacy approach should not use much (if any) additional memory (when compared to the legacy approach). Refer to CrowdLdapNameFactory for details.

5.3.0

false

crowd.use.legacy.membership.mapper.check

This property defines whether the mapper configuration is used when checking com.atlassian.crowd.directory.RFC4519Directory#getCustomUserAttributeMappers().

This check has been discovered to make a surplus call to com.atlassian.crowd.directory.ldap.LDAPPropertiesMapper#isUsingUserMembershipAttributeForGroupMembership()

Set this property to false to skip the unnecessary call.

5.3.6

true

crowd.use.legacy.ad.incremental.sync

This property controls how incremental synchronization works for an Active Directory.

The incremental synchronization of users has two flavors:

• Legacy mode: based on the usnChanged attribute only.

• The “bulletproof” mode (default): it uses both usnChanged and ObjectGUID diff between the internal and remote directory.

5.3.0

false

com.atlassian.crowd.directory.synchronisation.cache.GroupUserCache.disabled

This property disables the caching performed by GroupUserCache.

In general, the crowd.use.legacy.ad.incremental.sync property should be used to turn off up-front membership retrieval.

This property addresses the situations when a customer is having a problem with sync processing and has turned on legacy mode (crowd.use.legacy.ad.incremental.sync system property) but is still experiencing a problem with GroupUserCache (for instance, for incremental syncs).

In such a case, this flag can be used (in addition to the legacy property crowd.use.legacy.ad.incremental.sync) while the problem with the cache is resolved.

5.3.0

false

crowd.sync.allow.duplicated.external.ids

When set to true, Crowd will match users with duplicated external IDs by names, instead of failing the synchronization.

4.4.0

true

crowd.application.status.cache.in.seconds

When set to an integer, Crowd web application’s /status endpoint will memoize the database health check for a provided number of seconds instead of the default value.

4.1.10

10

crowd.email.change.by.external.apps

Since 4.4, Crowd does not allow external apps to change user emails. Enabling this property bypasses this rule—if this property is set to true, external apps can change user emails.

Do not enable this property when using Crowd as an SSO provider, because it will cause a security vulnerability in applications that use email as a UID (unique identifier).

4.4.0

false

crowd.directory.search.return.defaults.on.errors

Enables swallowing exceptions and returning empty results in the directory search methods.

4.4.0

false

crowd.event.transformer.directory.manager.cache.size

Sets the cache size of the DirectoryManager in the EventTransformer.

5.0.4

1000

crowd.sync.recreated.memberships.batching.enabled

Enables request batching to verify if a user or group is a direct member of a parent group. The batching of requests happens during incremental synchronisation when determining recreated memberships.

5.0.4

true

crowd.audit.log.escape_special_characters

When set to true, this property enables escaping the underscore (_) special character.

5.1.2

true

crowd.hsql.nodata.log.suppressing.filter.enabled

Enables a filter that suppresses log messages containing "no data" from HSQL (HyperSQL) database operations.

5.2.0

true

crowd.database.hsql2.upgrade.condition.skip

Enables Crowd’s advanced PBKDF2-HMAC-SHA512 password encoder with 210,000 iterations.

5.2.1

false

crowd.security.annotations.enabled

Controls whether security annotations are applied to Struts actions, servlets, and filters.

6.0.0

true

crowd.plugin.security.annotations.enabled

Controls whether security annotations are applied to plugin actions, servlets, and filters.

6.0.0

true

crowd.security.servlet.annotation.cache.enabled

Determines whether the caching of AccessTypes for servlet methods is enabled.

By default, it’s set to true (cache is enabled).

6.0.0

true

crowd.default.to.licensed.access.enabled

Determines whether licensed access is enabled by default, in cases when there is no annotation.

6.0.0

true

crowd.legacy.object.mapper.creation.enabled

When set to true, the legacy ObjectMapper creation will be used. The ObjectMapper doesn’t include constraints.

This can be useful for backward compatibility or specific use cases where the default constraints are not preferred.

6.2.3

false

crowd.sync.deduplicate.azure.ad.delta.users

Enables deduplication of users returned by Azure.

5.3.7

true