Create service accounts using REST API with OAuth 2.0

Service accounts are specialized, non-user accounts created for secure and efficient management of automated processes and external integrations. You can now create such accounts by using REST APIs with OAuth 2.0 authentication. Explore how to create service accounts with REST API

Advance notice: we’re also working on a new user interface to make it even easier to create service accounts across products. If you have feedback or questions, let us know.

Struts 7.0 upgrade

We’ve upgraded to Struts 7.0 to deliver new features and stronger security. This update addresses critical vulnerabilities and introduces the latest security measures, giving you a safer and more reliable experience.

In addition to the Servlet API, the main update is the renaming of the com.opensymphony.xwork2 package to org.apache.struts2. We recommend updating all related imports to ensure compatibility.

Removed support for Freemarker templates

We’re removing support for Freemarker templates to create a safer environment. Update your apps to use alternative templating technologies, such as Soy or Apache Velocity templates.

Added support for Apache Velocity and Soy templates

We now support Apache Velocity and Soy templates to render dynamic content on the server side. These templates improve security and flexibility, making it easier to build and maintain custom features in your instance.

New plugin modules

The Struts module

The Struts plugin module now replaces the deprecated xwork module. The xwork module will be removed in Crowd 8.0. Update your integrations to use the Struts module to ensure compatibility with future Crowd releases. More about the new Struts module

The Velocity Allowlist module

The Velocity Allowlist module allows app developers to allowlist their plugin class methods for invocation from Velocity templates. More about the Velocity Allowlist module

Security and usability updates

We’ve implemented several updates shared across all Atlassian Data Center products, such as adoption of Jakarta and upgrading major versions of underlying technologies. This upgrade can be split into two parts:

• Backend updates to:

  • Spring 6

  • Tomcat 10

  • Ehcache 3

  • Atlassian Central Visibility plugin 3
    More about the backend updates

• Frontend updates to:

• • Atlassian UI 10
  • JQuery 3
  • LESS transformer support removed

Updated Tomcat protocols

We've updated the protocols provided by Crowd to extend the Tomcat protocols with support for password encryption.

The APR/Native library, Http11AprProtocol connector, and AjpAprProtocol connector are deprecated in Tomcat 10 and will be removed in Tomcat 10.1.x.

As a result, the com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption and com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption protocols are no longer supported in Crowd 7.0.

Removal of insecure and deprecated components

We’ve updated and migrated the insecure external components com.sun.activation and com.sun.mail from com.sun to org.eclipse.angus.

We’ve also removed the below components which have been deprecated in the past.

Changes to the Restore Crowd feature

Now, restoring Crowd using an XML file requires only the file name. To restore Crowd:

1. Ensure the XML file is located in the crowd-home/import directory

2. Copy the XML file to the crowd-home/import directory

3. Enter just the file name.

This process aligns with the Import users feature. More about restoring Crowd

Disabled scheduled backups by default

Starting from Crowd 7, scheduled backups are disabled by default. If you upgrade from an earlier version or restore from a backup, your existing backup configuration won’t change and your current settings will be preserved as previously configured.

Deprecating user and group attribute sync

We're deprecating the ability to synchronize user and group attributes from external directories. This was an undocumented feature that synchronized user and group attributes with a specific prefix from an external directory. By default, this functionality was disabled and could only be activated via the directory attributes.

If you enable this feature, Crowd will log the following error message from the com.atlassian.crowd.directory.synchronisation.cache.AbstractCacheRefresher logger: “This functionality is deprecated and will be removed in a future Crowd version.”

Currently, there's no planned replacement for this feature.

Migration to new authentication API

We’re deprecating com.atlassian.crowd.manager.authentication.TokenAuthenticationManager. As a more secure alternative, use the com.atlassian.crowd.service.authentication.CrowdApplicationAuthenticationService service to authenticate and log out users to Crowd. This service also supports audit log entries, giving you better visibility into authentication and logout operations.

Other functionalities provided by TokenAuthenticationManager won’t be available in Crowd’s public API.

Removed support for Google Apps connector

With Crowd 7.0, we’re removing support for Google Apps Connector. If you need an SSO experience, we recommend relying on an external identity provider (IdP).

Now, the Google Apps connector functionality is blocked by default. However, the Google Apps connector configuration isn't automatically removed, and you can see the following warning message: "The Google Apps connector is enabled in your Crowd instance. This connector is no longer supported and will be removed in future Crowd versions. We recommend that you disable the connector and remove it from your instance."

To permanently remove the Google Apps connector:

1. Log in to Crowd.

2. Go to the Applications tab.

3. Select Google Apps.

4. Select Remove application and confirm removal.

After removing the connector, the warning message will disappear. More about Google Apps connector

Global serialization filter

We’re implementing a global serialization filter that relies on a central blocklist for Java deserialization, Velocity, Struts, and XStream. This filter is designed to block specific classes and patterns that are recognized as vulnerable to Remote Code Execution (RCE) through publicly known gadget chains.

Connect securely with OAuth 2.0 for app links

We're introducing OAuth 2.0 support for application links (app links) across Atlassian Data Center products. OAuth 2.0 is an industry-standard authentication protocol that enables secure, modern, and reliable connections between Atlassian products and external applications. Explore how to create an app link

We’re also working on OAuth 2.0-based app links to connect with cloud to allow for secure and efficient integrations of hybrid environments, and will share the timeline soon.

Add scopes to REST endpoints to use OAuth 2.0 2LO

We’ve introduced @ScopesAllowed to improve security and control over REST endpoints.

Add the @ScopesAllowed annotation to your endpoints to make them accessible using an OAuth 2.0 Client Credentials token (2LO).

For example, this annotation requires that the access token has the WRITE scope before providing access to this endpoint.

@POST
@ScopesAllowed(requiredScope = "WRITE")
public void createEntity(...) {}

Explore how to configure an incoming link

OAuth 2.0 security improvements

We're implementing several important changes to our OAuth 2.0 authentication process to enhance security and efficiency.

• Enforced global maximum time on access tokens: Access tokens will now have a maximum validity period of 1 hour. This change is designed to improve security by ensuring tokens are refreshed more frequently. You can change the value by setting the atlassian.oauth2.provider.access.token.expiration.seconds system property.

• Maximum lifetime of client ID and secret: The lifetime of client IDs and secrets is now 90 days by default. However, you can adjust this setting to a maximum of 730 days. This change aims to encourage regular rotation of credentials. You can change the value by setting the atlassian.oauth2.provider.client.credentials.expiration.seconds system property.

• Rotation of client credentials: Regular rotation of client credentials (both client ID and secret) is now encouraged to enhance security. Implementing a rotation policy can help mitigate risks associated with compromised credentials.

• Revocation of rotated client credentials: Once client credentials (client ID and secret) are rotated, the previous credentials can be revoked. This ensures that only the most recent credentials remain active, reducing the risk of unauthorized access.

• Revocation of user's refresh tokens: We now provide the ability to revoke all refresh tokens associated with a specific user. Additionally, administrators have the authority to revoke all refresh tokens for users within the system. This capability allows for greater control over session management and security.

• Maximum number of refresh tokens: The maximum number of refresh tokens allowed per client ID and user is limited to 25. This limitation helps manage resource usage and ensures that token proliferation is kept in check. You can change the value by setting the atlassian.oauth2.provider.refresh.token.limit.per.client.user system property.

App signing is now enabled by default for app installations

In this release, app signing is enabled by default. This feature improves app security and was gradually rolled out across Data Center products. For details, check out this community post.

App signing affects only new app installations; already installed apps will remain intact.

The steps you need to take differ depending on whether you install applications from the Marketplace or build your custom applications.

Install apps from the Marketplace

To do so:

1. Configure the location of the truststore folder as described in Configuring UPM app signature check.

2. Download and install the Atlassian Certificates bundle. For details, see Updating Atlassian Certificate Bundles.

3. That’s it! Enjoy the safe app installations from the Marketplace.

Install custom apps

If you use custom application builds, you can sign and secure your apps:

1. Configure the location of the truststore folder as described in Configuring UPM app signature check.

2. Get the app signature and verification certificate as described in Generating app signature and verification certificate using OpenSSL.

3. Put your new certificate in your Trust store as described in Updating Atlassian Certificate Bundles.

4. Install the signed application.

If you’re experiencing issues, check out app signing troubleshooting.

Move from jTDS to Microsoft JDBC driver for SQL Server

We’ve removed support for the jTDS driver, and it’s no longer bundled with Crowd. Crowd now supports the Microsoft JDBC Driver for SQL Server, ensuring ongoing compatibility with SQL Server databases. Either you want to continue using the JTDS driver (not recommended) or move to the MS JDBC driver (recommended), you’ll have to add the driver manually to tomcat/lib directory. Explore how to set up Crowd with MS SQL Server database

If you're upgrading an existing instance to Crowd 7.0, refer to the Transitioning from JTSD to Microsofts JDBC driver article.

Changes to supported platforms

See what changes are in store for the supported platforms in Crowd. For more information about what the latest stable release of Crowd supports, see Supported platforms.

• Added support for Oracle 21ai and removed bundled Oracle JDBC driver

  • We now support the Oracle 23ai database, in addition to the already supported version 19. Because these databases require different Oracle JDBC drivers, we’ve removed the Oracle JDBC driver from the bundled drivers. You need to add the appropriate Oracle JDBC driver .jar file to the tomcat/lib directory, depending on your Oracle database version: Oracle 23ai or Oracle 19.

• Added support for:

  • PostgreSQL 17

  • MySQL 8.4

• Removed support for:

  • Java 17

  • Oracle 12

  • Postgres 10

  • Postgres 11

  • Postgres 12

  • Postgres 13

  • Postgres 14

  • MySQL 5.7

  • MySQL 8.0 LTS

  • SQL Server 2016

  • SQL Server 2017

Complete list of changes and improvements

Here's a full list of issues resolved in this release:

Crowd 7.0.0 - 19 August, 2025