Connect to Atlassian Crowd

By default, Deploy authenticates users and retrieves authorization information from its repository. Deploy can also be configured to use an Atlassian Crowd repository to authenticate users and to retrieve role (group) membership. In this scenario, the Atlassian Crowd users and groups are used as principals in Deploy and can be mapped to Deploy roles. Role membership and rights assigned to roles are stored in the Deploy repository.

Deploy treats Atlassian Crowd as read-only. This means that Deploy uses the information from Atlassian Crowd but cannot make changes to that information.

To configure Deploy to use an Atlassian Crowd, you must change the security configuration file (deployit-security.xml).

This is a step-by-step procedure describing how to connect Deploy to your Atlassian Crowd.

Note: This integration uses the centralized authentication connectors for Spring Security that Atlassian Crowd provides.

Important: Integration based on CrowdID is not supported.

Step 1 - Configure Atlassian Crowd to communicate with a Deploy Application

To configure Atlassian Crowd to receive authentication requests from Deploy:

  1. Add a Deploy application to Atlassian Crowd.
  2. Add and configure the directories that must be visible to Deploy.
  3. Add and map the groups which are allowed to authenticate with Deploy.

For more information, see Adding an Application.

Step 2 - Add the cache configuration file

Copy the following file into your XL_DEPLOY_SERVER_HOME/conf directory:

Copy From: CROWD/client/conf/crowd-ehcache.xml
Copy To: XL_DEPLOY_SERVER_HOME/conf/crowd-ehcache.xml

This file can be adjusted to change the cache behavior.

Step 3 - Configure the Atlassian Crowd Spring Security connector properties

The Atlassian Crowd Spring Security connector needs to be configured with the details of the Atlassian Crowd server.

  1. Copy the default crowd.properties file into your XL_DEPLOY_SERVER_HOME/conf directory:

    Copy From: CROWD/client/conf/crowd.properties
    Copy To: XL_DEPLOY_SERVER_HOME/conf/crowd.properties

  2. Edit crowd.properties and populate the following fields appropriately:

    Key: Value
    application.name: Use the same application name that you used when adding the application to Atlassian Crowd.
    application.password: Use the same application password that you used when adding the application to Atlassian Crowd.
    crowd.server.url: URL that the integration libraries use to communicate with the Atlassian Crowd server, for example http://localhost:8095/crowd/services/.
    session.validationinterval: The time interval between requests that validate whether the user is logged in to or out of the Atlassian Crowd server. Set this value to 0 if you want authentication checks to occur on each request. Otherwise, set it to the number of minutes you wish to wait between requests. Setting this value to 1 or higher will increase the performance of the Atlassian Crowd integration.

For more information, see crowd.properties.
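A pre-restart check of the four keys listed above, as an added example that is not part of the Deploy or Crowd documentation. The sample file and the host name crowd.example.internal are constructed, and the warning about plain http to a non-loopback host is an added check, not a requirement stated on this page.

```python
from urllib.parse import urlparse

REQUIRED = ("application.name", "application.password",
            "crowd.server.url", "session.validationinterval")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample with two deliberate problems; not from a real deployment.
SAMPLE = """\
application.name=deploy
application.password=
crowd.server.url=http\\://crowd.example.internal\\:8095/crowd/services/
session.validationinterval=2
"""

def parse_properties(text):
    """Read key=value or key:value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not seps:
            continue
        key, value = line[:min(seps)], line[min(seps) + 1:]
        # Java .properties files often escape ':' and '=' inside values.
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props

def check_crowd_properties(text):
    """Return a list of findings; an empty list means the checks passed."""
    props = parse_properties(text)
    findings = [f"missing or empty: {k}" for k in REQUIRED if not props.get(k)]
    url = urlparse(props.get("crowd.server.url", ""))
    # Added check (assumption): credentials sent to a remote Crowd should use https.
    if url.scheme == "http" and url.hostname not in LOOPBACK:
        findings.append("crowd.server.url uses plain http to a remote host")
    interval = props.get("session.validationinterval", "")
    if interval and not interval.isdigit():
        findings.append("session.validationinterval is not a whole number of minutes")
    return findings

if __name__ == "__main__":
    for finding in check_crowd_properties(SAMPLE):
        print(finding)
```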

Step 4 - Add an Atlassian Crowd Authenticator

  1. Add the following code to deployit-security.xml.

    <import resource="applicationContext-CrowdRestClient.xml"/>
    <bean id="crowdUserDetailsService" class="com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl">
        <property name="crowdClient" ref="crowdClient"/>
        <property name="authorityPrefix" value=""/>
    </bean>
    
    <bean id="crowdAuthenticationProvider" class="com.xebialabs.deployit.security.authentication.XLCrowdAuthenticationProvider">
        <constructor-arg ref="crowdClient"/>
        <constructor-arg ref="crowdHttpAuthenticator"/>
        <constructor-arg ref="crowdUserDetailsService"/>
    </bean>

  2. Locate the following section and add crowdAuthenticationProvider as an authentication provider:

    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
      <security:authentication-provider ref="xlAuthenticationProvider"/>
      <security:authentication-provider ref="crowdAuthenticationProvider"/>
    </security:authentication-manager>

    Important: crowdAuthenticationProvider must come after xlAuthenticationProvider. This ensures that if there is a problem with Atlassian Crowd, you can still log in to Deploy as a local user.

  3. Restart Deploy and ensure that the server starts without any exceptions.
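One way to verify the provider order before restarting, as an added example that is not code from Deploy or Atlassian. The embedded XML is a constructed fragment with the two providers deliberately swapped, and the default bean names are the ones used in the sample deployit-security.xml on this page.

```python
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"

# Constructed fragment: crowdAuthenticationProvider is wrongly listed first.
SAMPLE = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
    <security:authentication-provider ref="crowdAuthenticationProvider"/>
    <security:authentication-provider ref="xlAuthenticationProvider"/>
  </security:authentication-manager>
</beans>
"""

def provider_refs(xml_text):
    """Return the authentication-provider refs in document order."""
    root = ET.fromstring(xml_text)
    manager = root.find(f"{SEC}authentication-manager")
    if manager is None:
        return []
    return [p.get("ref") for p in manager.findall(f"{SEC}authentication-provider")]

def check_provider_order(xml_text, local="xlAuthenticationProvider",
                         crowd="crowdAuthenticationProvider"):
    """Return findings; an empty list means local login is tried before Crowd."""
    refs = provider_refs(xml_text)
    findings = []
    for expected in (local, crowd):
        if expected in refs:
            continue
        # Spring bean names are case-sensitive, so a near miss will not resolve.
        near = [r for r in refs if r.lower() == expected.lower()]
        findings.append(f"{near[0]} should be spelled {expected}" if near
                        else f"{expected} is not registered")
    if local in refs and crowd in refs and refs.index(crowd) < refs.index(local):
        findings.append(f"{crowd} is listed before {local}")
    return findings

if __name__ == "__main__":
    for finding in check_provider_order(SAMPLE):
        print(finding)
```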

Step 5 - Add the user in Deploy

  1. Add the user as a principal in the Deploy GUI and assign the principal permission to the user. For more information, see Principals.

    Note: In Deploy, user principals are not case-sensitive.

  2. Log out, then verify that you can log in with the user.

Step 6 - Add the group in Deploy

  1. Add the group as a principal in the Deploy GUI and assign the principal permission to the group.
  2. Log out, then verify that you can log in as a user who belongs to the group.

Sample deployit-security.xml file

The following is an example of a deployit-security.xml file that uses Atlassian Crowd.

Note: Depending on your version of Deploy and the customizations it has, this sample may differ from your deployit-security.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <import resource="xl-crowd-deploy-security.xml"/>

    <bean id="crowdUserDetailsService" class="com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl">
        <property name="crowdClient" ref="crowdClient"/>
        <property name="authorityPrefix" value=""/>
    </bean>

    <bean id="crowdAuthenticationProvider" class="com.xebialabs.deployit.security.authentication.XLCrowdAuthenticationProvider">
        <constructor-arg ref="crowdClient"/>
        <constructor-arg ref="crowdHttpAuthenticator"/>
        <constructor-arg ref="crowdUserDetailsService"/>
    </bean>

    <bean id="rememberMeAuthenticationProvider" class="com.xebialabs.deployit.security.authentication.RememberMeAuthenticationProvider"/>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="rememberMeAuthenticationProvider"/>
        <security:authentication-provider ref="xlAuthenticationProvider"/>
        <security:authentication-provider ref="crowdAuthenticationProvider"/>
    </security:authentication-manager>

</beans>

Note: For more information about this integration, see Integrating Crowd with Spring Security. The required artifacts come from the Atlassian public Maven repository.