Configure secure administrator sessions (websudo)
Bamboo Data Center protects access to its administrative functions by requiring a secure administrator session to access and use the instance administration user interface. This functionality is known as WebSudo. When a Bamboo admin attempts to access the Administration page, they're prompted to reauthenticate. This grants the admin a temporary session that allows them to use Bamboo’s instance administration pages, specifically the pages that require either Admin or Restricted Admin level permissions. The temporary secure administrator session has a default rolling timeout of 10 minutes. If there is no activity in the Bamboo administration pages for a period that exceeds the timeout, the admin will be logged out of the secure session but will remain logged in to Bamboo.
End a secure administrator session manually
You can choose to manually end your secure session by selecting the drop access link in the banner at the top of the screen.
Disable secure administrator sessions
Secure administrator sessions are enabled by default. You can disable the feature by adding the following system property and restarting Bamboo:
bamboo.websudo.disabled=true
Change the websudo session timeout
By default, the secure administrator session timeout is 10 minutes. That is, after 10 minutes of not accessing the administration pages, your session will automatically have its secure administration access removed. To access the instance administration functionality again, you'll need to re-enter your credentials.
You can change this timeout. For example, to decrease the timeout to 5 minutes, add the following system property and restart Bamboo:
bamboo.websudo.session.timeout.seconds=300
IP address allowlisting
It's useful to restrict administrator functionality to certain IP addresses, while continuing to permit non-administrator developer users to access the instance regardless of an IP address. Doing so is a smart security measure to, for example, restrict the impact of a stolen administrator user’s authentication credentials. You can achieve this by using the IP address allowlisting functionality of websudo.
By default, websudo requests from all IP addresses will be permitted. If you configure an allowlist, websudo will be denied for clients that don't originate from an IP address on the allowlist.
You can configure an allowlist by adding one or more IP address patterns to Bamboo’s bamboo-shared.cfg.xml properties. For example, to only permit websudo from the IP address 192.168.1.10, add the following line to your bamboo-shared.cfg.xml file and restart Bamboo:
<property name="websudo.allowlist.patterns">192.168.1.10</property>
Patterns can be IPv4/IPv6 addresses or subnets in both asterisk and CIDR notation. Here are examples of valid patterns:
192.168.1.10
::10
192.168.1.*
192.168.5.128/26
0:0:0:7b::/64
Multiple patterns can be specified as a comma-separated list. For example:
<property name="websudo.allowlist.patterns">192.168.1.10, 192.168.2.*, 192.168.5.128/26</property>
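The following is an added Python example, not Bamboo's own code, that evaluates a websudo.allowlist.patterns value against a client address using the pattern forms listed above (exact address, CIDR subnet, IPv4 asterisk wildcard) and the page's default of permitting everything when no allowlist is set. It assumes an unparseable client address is denied and does not implement IPv6 asterisk wildcards.

```python
import ipaddress

# Constructed sample value combining the page's example patterns.
ALLOWLIST = "192.168.1.10, 192.168.2.*, 192.168.5.128/26, ::10, 0:0:0:7b::/64"


def parse_patterns(value):
    """Split the comma-separated property value into trimmed patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def pattern_matches(pattern, addr):
    """Return True if the parsed address falls inside one allowlist pattern.

    Supported forms: exact IPv4/IPv6 address, CIDR subnet, and an IPv4
    asterisk wildcard such as 192.168.1.* (each '*' matches one octet).
    IPv6 asterisk wildcards are not handled in this example (assumption).
    """
    if "*" in pattern:
        octets = pattern.split(".")
        if addr.version != 4 or len(octets) != 4:
            return False
        return all(want == "*" or got == want
                   for got, want in zip(str(addr).split("."), octets))
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return addr.version == net.version and addr in net
    return addr == ipaddress.ip_address(pattern)


def websudo_permitted(allowlist_value, client_ip):
    """Decide whether a websudo request from client_ip would be allowed.

    An empty allowlist permits all addresses (the documented default);
    otherwise at least one pattern must match. A client address that
    cannot be parsed is treated as denied (fail closed, an assumption).
    """
    patterns = parse_patterns(allowlist_value)
    if not patterns:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(pattern_matches(p, addr) for p in patterns)
```

Running the checks against the sample value shows that 192.168.5.130 is inside the /26 while 192.168.5.200 is not, which is the kind of boundary worth confirming before relying on a subnet pattern.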
Developer notes
If you've written a plugin that includes the administration pages requiring Admin or Restricted Admin permissions, the servlets or REST resources that implement those pages should be made websudo-aware.
Add websudo support to your plugin
Known issue with single sign-on and just-in-time user provisioning
Some customers use authentication methods such as SSO or SAML. The secure session feature doesn't work with these methods, because Bamboo has no password of its own to validate during reauthentication. In such cases, there are a few possible workarounds.
Option #1:
Manually configure a password inside the Bamboo internal user directory
Option #2:
Configure Bamboo with a new User Directory configured to the same LDAP server that the OAuth/SAML solution uses so Bamboo can validate the user's password during WebSudo
Option #3:
Disable the WebSudo functionality through the system property:
bamboo.websudo.disabled=true