Configure secure administrator sessions (websudo)
Bitbucket Data Center protects access to its administrative functions by requiring a secure administrator session to access and use the instance administration user interface. This functionality is known as WebSudo.
When a Bitbucket admin attempts to access the Administration page, they're prompted to reauthenticate. This grants the admin a temporary session that allows them to use Bitbucket’s instance administration pages, specifically pages that require either ADMIN or SYS_ADMIN level permissions.
The temporary secure administrator session has a default rolling timeout of 10 minutes. If there is no activity in the Bitbucket administration pages for a period that exceeds the timeout, the admin will be logged out of the secure session but will remain logged in to Bitbucket.
End a secure administrator session manually
You can choose to manually end your secure session by selecting the drop access link in the banner at the top of the screen.
Disable secure administrator sessions
Secure administrator sessions are enabled by default. You can disable the feature by adding the following line in your bitbucket.properties file and restarting Bitbucket:
feature.websudo=false
Change the websudo session timeout
By default, the secure administrator session timeout is 10 minutes. That is, after 10 minutes of not accessing the administration pages, your session will automatically have its secure administration access removed. To access the instance administration functionality again, you'll need to re-enter your credentials.
You can change this timeout. For example, to decrease the timeout to 5 minutes, add the following line in your bitbucket.properties file and restart Bitbucket:
websudo.session.timeout=5
This value is in minutes by default but you can also use certain suffixes: s, m, h, and d for seconds, minutes, hours, or days, respectively. For example, 1h for one hour.
IP address allowlisting
It's useful to restrict administrator functionality to certain IP addresses, while continuing to permit non-administrator developer users to access the instance regardless of their IP address. Doing so is a smart security measure that, for example, limits the impact of a stolen administrator user’s authentication credentials. You can achieve this by using the IP address allowlisting functionality of websudo.
By default, websudo requests from all IP addresses will be permitted. If you configure an allowlist, websudo will be denied for clients that don't originate from an IP address on the allowlist.
You can configure an allowlist by adding one or more IP address patterns in the bitbucket.properties file. For example, to only permit websudo from the IP address 192.168.1.10, add the following line to your bitbucket.properties file and restart Bitbucket:
websudo.allowlist.patterns=192.168.1.10
Patterns can be IPv4/IPv6 addresses or subnets in either asterisk or CIDR notation. Here are examples of valid patterns:
192.168.1.10
::10
192.168.1.*
192.168.5.128/26
0:0:0:7b::/64
Multiple patterns can be specified as a comma separated list. For example:
websudo.allowlist.patterns=192.168.1.10, 192.168.2.*, 192.168.5.128/26
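Before restarting Bitbucket on a new allowlist, it helps to check which client addresses the configured patterns actually admit. The following is an added example, not Bitbucket's own matching code: it reads websudo.allowlist.patterns from a constructed bitbucket.properties snippet, expands the pattern forms listed above, and reports whether a given client address would be permitted websudo (an absent key means every address is permitted, as described above). Asterisk expansion is assumed to apply to IPv4 octets only.

```python
import ipaddress

def parse_pattern(pattern):
    """Turn one websudo allowlist pattern into an ipaddress network.

    Handles plain IPv4/IPv6 addresses, CIDR subnets, and IPv4 asterisk
    notation such as 192.168.1.*. Treating asterisks as IPv4-only is an
    assumption of this example, not Bitbucket's documented behaviour.
    """
    p = pattern.strip()
    if "*" in p:
        octets = p.split(".")
        fixed = [o for o in octets if o != "*"]
        # Only trailing octets may be wildcards: 192.168.*.* is fine, 192.*.1.* is not.
        if len(octets) != 4 or octets[len(fixed):] != ["*"] * (4 - len(fixed)):
            raise ValueError(f"unsupported asterisk pattern: {p!r}")
        p = ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}"
    # strict=False tolerates host bits set inside a CIDR pattern.
    return ipaddress.ip_network(p, strict=False)

def parse_allowlist(value):
    """Split the comma separated property value into networks."""
    return [parse_pattern(p) for p in value.split(",") if p.strip()]

def allowlist_from_properties(text):
    """Extract websudo.allowlist.patterns from bitbucket.properties text.

    Returns [] when the key is absent, meaning websudo is permitted from
    every address.
    """
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("websudo.allowlist.patterns="):
            return parse_allowlist(line.split("=", 1)[1])
    return []

def websudo_allowed(client_ip, networks):
    """True if client_ip may start a secure administrator session."""
    if not networks:  # no allowlist configured: all addresses permitted
        return True
    addr = ipaddress.ip_address(client_ip)
    # 'in' is False across address families, so v4 and v6 never cross-match.
    return any(addr in net for net in networks)

# Constructed sample bitbucket.properties content (not from a real instance).
SAMPLE_PROPERTIES = """\
feature.websudo=true
websudo.session.timeout=5
websudo.allowlist.patterns=192.168.1.10, 192.168.2.*, 192.168.5.128/26, 0:0:0:7b::/64
"""

if __name__ == "__main__":
    nets = allowlist_from_properties(SAMPLE_PROPERTIES)
    for ip in ("192.168.1.10", "192.168.2.77", "192.168.5.200", "0:0:0:7b::1"):
        print(ip, "allowed" if websudo_allowed(ip, nets) else "denied")
```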
Developer notes
If you've written a plugin that includes administration pages requiring ADMIN or SYS_ADMIN permissions, the servlets or REST resources that implement those pages should be made websudo-aware.