Configuring secure administrator sessions

Jira protects access to its administrative functions by requiring a secure administration session in order to use the Jira administration screens. (This is also known as websudo.) When a Jira administrator (who is logged into Jira) attempts to access an administration function, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to the Jira administration screens.

The temporary secure session has a rolling timeout (defaulted to 10 minutes). If there is no activity by the administrator in the Jira administration screens for a period of time that exceeds the timeout, then the administrator will be logged out of the secure administrator session (note that they will remain logged into Jira). If the administrator does click an administration function, the timeout will reset.

Note that Project Administration functions (as defined by the 'Project Administrator' permission) do not require a secure administration session.

On this page:

Manually ending a secure administrator session

An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen.

Disabling secure administrator sessions

Secure administrator sessions (i.e. password confirmation before accessing administration functions) are enabled by default. If this causes issues for your Jira instance (e.g. if you are using a custom authentication mechanism), you can disable this feature by specifying the following line in your jira-config.properties file:

jira.websudo.is.disabled = true

You will need to restart your Jira server for this setting to take effect.

Changing the timeout

To change the number of minutes of inactivity after which a secure administrator session will time out, specify the jira.websudo.timeout property (in your jira-config.properties file) whose value is the number of minutes of inactivity required before a secure administration session times out.

For example, the following line in your jira-config.properties file will end a secure administration session in 10 minutes:

jira.websudo.timeout = 10

(info) You will need to restart your Jira server for this setting to take effect.

Tightening access with a websudo allowlist

To add an extra layer of security to websudo operations, you can configure and enable your own IP address/subnet allowlist for Jira. This means that certain superuser operations can only be performed from pre-approved IP addresses.

How to create a websudo allowlist

Developer notes

If you have written a plugin that has webwork actions in the Jira Administration section, those actions should have the @WebSudoRequired annotation added to the class (not the method or the package, unlike Confluence).

Please also see How do I develop against Jira with Secure Administrator Sessions? and Adding WebSudo Support to your Plugin.

Last modified on Jul 1, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.