Documentation for JIRA 6.3 EAP developer (EAP) releases only.

JIRA protects access to its administrative functions by requiring a secure administration session in order to use the JIRA administration screens. (This is also known as websudo.) When a JIRA administrator (who is logged into JIRA) attempts to access an administration function, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to the JIRA administration screens.

The temporary secure session has a rolling timeout (10 minutes by default). If the administrator performs no activity in the JIRA administration screens for longer than the timeout, they are logged out of the secure administrator session (but remain logged into JIRA). Each time the administrator clicks an administration function, the timeout resets.

Note that Project Administration functions (as defined by the 'Project Administrator' permission) do not require a secure administration session.


Manually ending a Secure Administrator Session

An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen.

Disabling Secure Administrator Sessions

Secure administrator sessions (i.e. password confirmation before accessing administration functions) are enabled by default. If this causes issues for your JIRA site (e.g. if you are using a custom authentication mechanism), you can disable this feature by specifying the following line in your jira-config.properties file:

jira.websudo.is.disabled = true

You will need to restart your JIRA server for this setting to take effect.

Changing the Timeout

To change the number of minutes of inactivity after which a secure administrator session will time out, set the jira.websudo.timeout property (in your jira-config.properties file) to the required number of minutes.

For example, the following line in your jira-config.properties file will end a secure administration session after 10 minutes of inactivity:

jira.websudo.timeout = 10

You will need to restart your JIRA server for this setting to take effect.
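An added example (not Atlassian's code) that audits the text of a jira-config.properties file for the two properties described above, reporting when secure administrator sessions are disabled or when the timeout is invalid or longer than a local limit. The function names, MAX_TIMEOUT_MIN and the sample inputs are assumptions made for illustration; the 10-minute default is the one stated on this page.

```python
import re

DEFAULT_TIMEOUT_MIN = 10  # default stated on this page
MAX_TIMEOUT_MIN = 30      # assumption: local policy ceiling, not a JIRA value

def parse_properties(text):
    """Minimal .properties reader: '=', ':' or whitespace separators,
    '#'/'!' comments, last duplicate wins. No backslash continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_websudo(text):
    """Return the effective websudo posture and any findings."""
    props = parse_properties(text)
    result = {"enabled": True, "timeout_min": DEFAULT_TIMEOUT_MIN, "findings": []}
    # Assumption: the flag is read as a case-insensitive boolean.
    if props.get("jira.websudo.is.disabled", "false").lower() == "true":
        result["enabled"] = False
        result["timeout_min"] = None  # no secure session, so no timeout applies
        result["findings"].append("websudo disabled: no password re-prompt for admin screens")
        return result
    raw = props.get("jira.websudo.timeout")
    if raw is None:
        return result
    if not re.fullmatch(r"[0-9]+", raw):
        result["findings"].append(f"timeout {raw!r} is not an unsigned integer")
        result["timeout_min"] = None  # effective value unknown
    else:
        result["timeout_min"] = int(raw)
        if int(raw) > MAX_TIMEOUT_MIN:
            result["findings"].append(f"timeout {raw} min exceeds policy of {MAX_TIMEOUT_MIN} min")
    return result

if __name__ == "__main__":
    # Constructed sample files, not taken from a real instance.
    samples = {
        "default": "# no websudo keys set\n",
        "disabled": "jira.websudo.is.disabled = true\n",
        "long": "jira.websudo.timeout=480\n",
        "typo": "jira.websudo.timeout = 10m\n",
    }
    for name, text in samples.items():
        print(name, audit_websudo(text))
```

Run it against the jira-config.properties file at the root of the JIRA Home Directory, since a copy placed elsewhere does not reflect the running configuration.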

Developer Notes

If you have written a plugin that has webwork actions in the JIRA Administration section, those actions should have the @WebSudoRequired annotation added to the class (not the method or the package, unlike Confluence).

Please also see Developing against JIRA with Secure Administrator Sessions and Adding WebSudo Support to your Plugin.

13 Comments

  1. Anonymous

    this:

    jira.websudo.is.disabled = true

    doesn't work on my freshly installed Jira 4.4.1

    1. Hi there,

      I have tried this myself on a freshly installed JIRA 4.4 installation and an upgrade of that installation to JIRA 4.4.1. In both scenarios, this setting worked as expected. Could you please confirm the following:

      • You have added this property to your jira-config.properties file located at the root of your JIRA Home Directory.
        (info) You need to create this file and property if they don't exist.
      • You have restarted your JIRA installation to make this newly-added property take effect. (We've just clarified this in the documentation above.)

      Cheers,

      Giles.

  2. Anonymous

    The code "jira.websudo.is.disabled = true" does work on a new instance installation of JIRA 4.4.1 (Upgrade from 4.1.12). If I access my JIRA site through Firefox and IE 8 in HTTP mode, this stops the administration prompt from showing up. However, once I switched to HTTPS mode (with the self-signed certificate), this administration prompt still shows up in IE 8, even though I added the self-signed certificate to the Trust Root store. The only way to get rid of it is to change the "Allow Mixed Content" option in IE 8 to "Prompt", but this causes more annoying popups. Firefox doesn't have this problem. Looks like Atlassian is still working on this.

    https://jira.atlassian.com/browse/JRA-25881

  3. To change the timeout, I found that I had to edit the appropriate section of atlassian-jira/WEB-INF/classes/jpm.xml.

    In my case, I wanted to increase the timeout instead of disabling it.

    Editing (after creating) the jira-config.properties file did not seem to work.

    <property>
        <key>jira.websudo.timeout</key>
        <default-value>45</default-value>
        <type>uint</type>
        <user-editable>false</user-editable>
    </property>

    1. That did the Trick on my OSX-Instance

       

      Thank you!

  4. Anonymous

    This doesn't work on JIRA 5.1.6. I still get prompted multiple times within the same few minutes when I'm accessing Admin pages. Pretty annoying to say the least.

    1. Hi,

      Have you tried setting the timeout for your secure administrator sessions (see 'Changing the Timeout' section above)? If you've changed it to a suitably long period and are still getting prompted for the timeout, can I suggest raising an issue in our support system to get further help: https://support.atlassian.com/ (If you do not have a login for our support system, you can sign up for a free one here: https://support.atlassian.com/secure/Signup!default.jspa)

      Kind Regards,
      Andrew

       

  5. Doesn't work here either.

    Click: admin page (no prompt)

    Click: application link (prompt for password)

    Administrator Access

    If you were sent to this page from a link obtained from an untrusted source please proceed with caution or validate the link source before continuing.

    Untrusted source? Not sure why an HTTPS link with self-signed is a problem?

    1. Secure Administrator Sessions is intended only for screens accessible only by administrators and system administrators. The main admin page contains no sensitive data or operations, and is accessible by project administrators, so does not require it.

  6. I figured out what the problem was:

    jira-config.properties was in 

    /opt/atlassian/JIRA

    and it should be

    /var/atlassian/JIRA

    works as expected now!

  7. Anonymous

    I have created the properties file and added in the line as described above, restarted the services but am still seeing the issue. Can anyone help with this?

  8. How do we set timeout for On Demand instances?

    1. Hi Susan,

      As JIRA OnDemand is hosted for you, it is not possible to change the timeout period from 10 minutes. This is set for our users' security. I hope it doesn't inconvenience you too much!

      Thanks,

      Warren