How-To: Crowd - Workaround to get Crowd to allow email change through API.
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Crowd 4.4 requires that new email addresses are verified by their users. To avoid working around this requirement, Crowd will reject any requests for changing email addresses coming from connected applications.
This also means that admins will no longer be able to change email addresses of users through REST API. This article provides information on JVM parameter to bypass this check.
Environment
Crowd DC 4.4 and above
Diagnosis
Error:
YYYY-MM-DD hh:mm:ss http-nio-8080-exec-x url: /internal-error ERROR [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx, interpretedMsg=, cause=com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.crowd.exception.ApplicationPermissionException: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><reason>APPLICATION_PERMISSION_DENIED</reason><message>External applications are not allowed to change user emails</message></error>, stacktrace=com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.crowd.exception.ApplicationPermissionException: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><reason>APPLICATION_PERMISSION_DENIED</reason><message>External applications are not allowed to change user emails</message></error>Cause
The error you are encountering is due to a security enhancement introduced in Crowd 4.4, which mandates email verification whenever an email address is added or updated. This modification is detailed in the "Applications are no longer allowed to change the email addresses of Crowd users" section of the Crowd 4.4 Upgrade Notes and the Crowd 4.4 Release Notes: Verify new email addresses. The recommended approach is to update user email addresses directly within Crowd.
Solution
This feature can be bypassed by adding a specific JVM parameter to your Crowd configuration. Please follow these steps:
1. Navigate to the {{<crowd-install>/apache-tomcat/bin}}directory.
2. Create a backup of the setenv.sh file.
3. Edit the setenv.sh file and insert the following line just above the export JAVA_OPTS line:
JAVA_OPTS="-Dcrowd.email.change.by.external.apps=true $JAVA_OPTS"4. Save the changes.
5. Restart your Crowd instance to apply the changes.
6. Ensure these steps are repeated on all Crowd nodes.
NOTE: This parameter does not interfere with the verification process for new email addresses. Users will still receive an email notification to verify their updated email addresses by following the instructions provided here.
IMPORTANT: As with all recommendations made, it is expected that best practices for Change Management will be followed.
Please test these recommended settings thoroughly on a staging/replica instance prior to propagating them to the production instance.