Documentation for JIRA 4.4. Documentation for other versions of JIRA is available too.
JIRA protects access to its administrative functions by requiring a secure administration session in order to use the JIRA administration screens. (This is also known as websudo.) When a JIRA administrator (who is logged into JIRA) attempts to access an administration function, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to the JIRA administration screens.
Screenshot: Logging in to a temporary secure session
The temporary secure session has a rolling timeout (10 minutes by default). If there is no activity by the administrator in the JIRA administration screens for a period of time that exceeds the timeout, then the administrator will be logged out of the secure administrator session (note that they will remain logged into JIRA). If the administrator does click an administration function, the timeout will reset.
Note that Project Administration functions (as defined by the 'Project Administrator' permission) do not require a secure administration session.
An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen.
Secure administrator sessions (i.e. password confirmation before accessing administration functions) are enabled by default. If this causes issues for your JIRA site (e.g. if you are using a custom authentication mechanism), you can disable this feature by specifying the following line in your jira-config.properties file:
jira.websudo.is.disabled = true
You will need to restart your JIRA server for this setting to take effect.
To change the number of minutes of inactivity after which a secure administrator session will time out, specify the jira.websudo.timeout property in your jira-config.properties file. Its value is the number of minutes of inactivity required before a secure administration session times out.
For example, the following line in your jira-config.properties file will end a secure administration session after 10 minutes of inactivity:
jira.websudo.timeout = 10
You will need to restart your JIRA server for this setting to take effect.
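Both settings above weaken or tune the password re-prompt, so they are worth checking in a configuration review. The following Python script is an added example, not part of the JIRA documentation or Atlassian's code: it parses the contents of a jira-config.properties file and reports whether websudo is disabled or the timeout is longer than a chosen maximum. The function names, the sample file contents and the 10-minute policy maximum (taken from the documented default) are assumptions of the example.

```python
DEFAULT_TIMEOUT_MIN = 10  # documented default; used here as the policy maximum (assumption)

# Constructed sample input, not taken from a real JIRA instance.
SAMPLE = """\
# constructed sample
jira.websudo.is.disabled = true
jira.websudo.timeout = 60
"""


def parse_properties(text):
    """Parse a simple subset of Java .properties syntax; the last value of a key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        # A key ends at the first '=', ':' or whitespace character.
        for i, ch in enumerate(line):
            if ch in "=:" or ch.isspace():
                key, rest = line[:i], line[i:].lstrip()
                break
        else:
            key, rest = line, ""
        if rest[:1] in ("=", ":"):  # drop the separator itself
            rest = rest[1:].lstrip()
        props[key] = rest
    return props


def audit_websudo(text, max_timeout=DEFAULT_TIMEOUT_MIN):
    """Return a list of findings; an empty list means nothing was weakened."""
    props = parse_properties(text)
    findings = []
    # Assumption: the value is matched case-insensitively against "true".
    if props.get("jira.websudo.is.disabled", "false").lower() == "true":
        findings.append("websudo disabled: admin screens need no password re-entry")
    raw = props.get("jira.websudo.timeout")
    if raw is not None:
        if not raw.lstrip("-").isdigit():
            findings.append(f"jira.websudo.timeout is not an integer: {raw!r}")
        elif int(raw) <= 0:
            findings.append(f"jira.websudo.timeout is not a positive number: {raw}")
        elif int(raw) > max_timeout:
            findings.append(f"timeout {raw} min exceeds policy maximum {max_timeout} min")
    return findings


if __name__ == "__main__":
    for finding in audit_websudo(SAMPLE):
        print("FINDING:", finding)
```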
If you have written a plugin that has webwork actions in the JIRA Administration section, those actions should have the @WebSudoRequired annotation added to the class (not the method or the package, unlike Confluence).
Please also see Developing against JIRA with Secure Administrator Sessions and Adding WebSudo Support to your Plugin.