Connect to Atlassian Crowd

By default, XL Deploy authenticates users and retrieves authorization information from its repository. XL Deploy can also be configured to use an Atlassian Crowd repository to authenticate users and to retrieve role (group) membership. In this scenario, the Atlassian Crowd users and groups are used as principals in XL Deploy and can be mapped to XL Deploy roles. Role membership and rights assigned to roles are stored in the XL Deploy repository.

XL Deploy treats Atlassian Crowd as read-only. This means that XL Deploy uses the information from Atlassian Crowd, but cannot make changes to that information.

To configure XL Deploy to use an Atlassian Crowd, you must change the security configuration file (deployit-security.xml).

This is a step-by-step procedure describing how to connect XL Deploy to your Atlassian Crowd.

Note: This integration uses the centralized authentication connectors for Spring Security that are provided by Atlassian Crowd.

Important: Integration based on CrowdID is not supported.

Step 1 - Configure Atlassian Crowd to communicate with an XL Deploy Application

To configure Atlassian Crowd to receive authentication requests from XL Deploy:

  1. Add an XL Deploy application to Atlassian Crowd.
  2. Add and configure the directories that must be visible to XL Deploy.
  3. Add and map the groups which are allowed to authenticate with XL Deploy.

For more information, see Adding an Application.

Step 2 - Add the cache configuration file

Copy the following file into your XL_DEPLOY_SERVER_HOME/conf directory:

Copy from: CROWD/client/conf/crowd-ehcache.xml
Copy to: XL_DEPLOY_SERVER_HOME/conf/crowd-ehcache.xml

This file can be adjusted to change the cache behavior.

Step 3 - Configure the Atlassian Crowd Spring Security connector properties

The Atlassian Crowd Spring Security connector needs to be configured with the details of the Atlassian Crowd server.

  1. Copy the default crowd.properties file into your XL_DEPLOY_SERVER_HOME/conf directory:

     Copy from: CROWD/client/conf/crowd.properties
     Copy to: XL_DEPLOY_SERVER_HOME/conf/crowd.properties

  2. Edit crowd.properties and populate the following fields appropriately:

     application.name: Use the same application name that you used when adding the application to Atlassian Crowd.

     application.password: Use the same application password that you used when adding the application to Atlassian Crowd.

     crowd.server.url: The URL that the integration libraries use to communicate with the Atlassian Crowd server, for example http://localhost:8095/crowd/services/.

     session.validationinterval: The time interval between requests that validate whether the user is logged in to or out of the Atlassian Crowd server. Set this value to 0 if you want authentication checks to occur on each request. Otherwise, set it to the number of minutes you wish to wait between requests. Setting this value to 1 or higher will increase the performance of the Atlassian Crowd integration.

For more information, see crowd.properties.

Step 4 - Add an Atlassian Crowd Authenticator

  1. Add the following code to deployit-security.xml.

    <import resource="applicationContext-CrowdRestClient.xml"/>
    <bean id="crowdUserDetailsService" class="com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl">
        <property name="crowdClient" ref="crowdClient"/>
        <property name="authorityPrefix" value=""/>
    </bean>
    
    <bean id="crowdAuthenticationProvider" class="com.xebialabs.deployit.security.authentication.XLCrowdAuthenticationProvider">
        <constructor-arg ref="crowdClient"/>
        <constructor-arg ref="crowdHttpAuthenticator"/>
        <constructor-arg ref="crowdUserDetailsService"/>
    </bean>
  2. Locate the following section and add crowdAuthenticationProvider as an authentication provider:

    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
      <security:authentication-provider ref="xlAuthenticationProvider"/>
      <security:authentication-provider ref="crowdAuthenticationProvider"/>
    </security:authentication-manager>

    Important: crowdAuthenticationProvider must come after xlAuthenticationProvider. This ensures that if there is a problem with Atlassian Crowd, you can still log in to XL Deploy as a local user.

  3. Restart XL Deploy and ensure that the server starts without any exceptions.
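
One way to check the edited deployit-security.xml before restarting, added here as an example and not part of XL Deploy: it verifies the import, the crowdAuthenticationProvider bean, and the provider order required above. The function names and the inline XML are constructed; the local provider name follows the sample file on this page.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans",
      "s": "http://www.springframework.org/schema/security"}
CROWD_IMPORT = "applicationContext-CrowdRestClient.xml"

def check_security_xml(xml_text, local="xlAuthenticationProvider",
                       crowd="crowdAuthenticationProvider"):
    """Return a list of findings; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if CROWD_IMPORT not in [i.get("resource") for i in root.findall("b:import", NS)]:
        findings.append(f'missing <import resource="{CROWD_IMPORT}"/>')
    if crowd not in {b.get("id") for b in root.findall("b:bean", NS)}:
        findings.append(f"bean '{crowd}' is not defined")
    # Providers are tried in document order; bean names are case-sensitive.
    refs = [p.get("ref") for p in root.findall(
        "s:authentication-manager/s:authentication-provider", NS)]
    if crowd not in refs:
        findings.append(f"'{crowd}' is not registered as an authentication provider")
    elif local not in refs:
        findings.append(f"'{local}' is not registered: no local fallback login "
                        "if Crowd is unavailable")
    elif refs.index(local) > refs.index(crowd):
        findings.append(f"'{crowd}' must come after '{local}'")
    return findings

def build_sample(provider_refs):
    """Constructed test input modelled on the sample file on this page."""
    providers = "".join(
        f'<security:authentication-provider ref="{r}"/>' for r in provider_refs)
    return (
        f'<beans xmlns="{NS["b"]}" xmlns:security="{NS["s"]}">'
        f'<import resource="{CROWD_IMPORT}"/>'
        '<bean id="crowdAuthenticationProvider" class="com.xebialabs.deployit'
        '.security.authentication.XLCrowdAuthenticationProvider"/>'
        '<security:authentication-manager alias="authenticationManager">'
        f'{providers}</security:authentication-manager></beans>')

if __name__ == "__main__":
    wrong_order = build_sample(["crowdAuthenticationProvider",
                                "xlAuthenticationProvider"])
    for finding in check_security_xml(wrong_order):
        print("FINDING:", finding)
```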

Step 5 - Add the user in XL Deploy

  1. Add the user as a principal in the XL Deploy GUI and assign the principal permission to the user. For more information, see Principals.

  2. Log out, then verify that you can log in with the user.

Step 6 - Add the group in XL Deploy

  1. Add the group as a principal in the XL Deploy GUI and assign the principal permission to the group.

  2. Log out, then verify that you can log in as a user who belongs to the group.

Sample deployit-security.xml file

The following is an example of a deployit-security.xml file that uses Atlassian Crowd.

Note: Depending on your version of XL Deploy and the customizations it has, this sample may differ from your deployit-security.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <import resource="applicationContext-CrowdRestClient.xml"/>
    <bean id="crowdUserDetailsService" class="com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl">
        <property name="crowdClient" ref="crowdClient"/>
        <property name="authorityPrefix" value=""/>
    </bean>

    <bean id="crowdAuthenticationProvider" class="com.xebialabs.deployit.security.authentication.XLCrowdAuthenticationProvider">
        <constructor-arg ref="crowdClient"/>
        <constructor-arg ref="crowdHttpAuthenticator"/>
        <constructor-arg ref="crowdUserDetailsService"/>
    </bean>

    <bean id="rememberMeAuthenticationProvider" class="com.xebialabs.deployit.security.authentication.RememberMeAuthenticationProvider"/>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
        <security:authentication-provider ref="xlAuthenticationProvider"/>
        <security:authentication-provider ref="crowdAuthenticationProvider"/>
    </security:authentication-manager>

</beans>

Note: For more information about this integration, see Integrating Crowd with Spring Security. The required artifacts are taken from the Atlassian public Maven repository.