Documentation for JIRA 4.3. Documentation for other versions of JIRA is available too.

About Secure Administrator Sessions

JIRA protects access to its administrative functions by requiring a secure administration session in order to use the JIRA administration screens. (This is also known as websudo.) When a JIRA administrator (who is logged into JIRA) attempts to access an administration function, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to the JIRA administration screens.

Screenshot: log in to temporary secure session

The temporary secure session has a rolling timeout (10 minutes by default). If the administrator performs no activity in the JIRA administration screens for longer than the timeout, they are logged out of the secure administrator session (note that they remain logged into JIRA). Each time the administrator clicks an administration function, the timeout resets.

Note that Project Administration functions (as defined by the 'Project Administrator' permission) do not require a secure administration session.

Manually ending a Secure Administrator Session

An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen.

Disabling Secure Administrator Sessions

Secure administrator sessions (i.e. password confirmation before accessing administration functions) are enabled by default. If this causes issues for your JIRA site (e.g. if you are using a custom authentication mechanism), you can disable this feature by editing the following line in the jira-application.properties file and setting its value to true:

jira.websudo.is.disabled = false

Changing the Timeout

To change the number of minutes of inactivity after which a secure administrator session will time out, edit the following line in the jira-application.properties file:

jira.websudo.timeout = 10
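
The following configuration check is an added example, not part of the original JIRA documentation: it reads the text of a jira-application.properties file and reports when websudo has been disabled or when the timeout exceeds a local policy. The 10-minute policy ceiling, the function names and the sample file contents are assumptions made for illustration; a missing line is treated as the default stated on this page.

```python
import re

# Defaults stated on this page: websudo enabled, 10-minute rolling timeout.
DEFAULTS = {"jira.websudo.is.disabled": "false", "jira.websudo.timeout": "10"}
MAX_TIMEOUT_MINUTES = 10  # assumed local policy ceiling, not a JIRA limit

# One .properties line: key, optional '=' or ':' separator, value.
# Comment lines (# or !) and blank lines do not match. Continuation lines
# ending in a backslash are not handled.
_LINE = re.compile(r"^\s*([^#!\s=:][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Return key -> value; a later duplicate key overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_websudo(text, max_timeout=MAX_TIMEOUT_MINUTES):
    """Return a list of findings for the two websudo settings."""
    props = {**DEFAULTS, **parse_properties(text)}
    findings = []
    if props["jira.websudo.is.disabled"].lower() == "true":
        findings.append("websudo disabled: admin screens need no re-authentication")
    try:
        timeout = int(props["jira.websudo.timeout"])
    except ValueError:
        findings.append("timeout is not an integer: %r" % props["jira.websudo.timeout"])
    else:
        if timeout > max_timeout:
            findings.append("timeout %d min exceeds policy of %d min" % (timeout, max_timeout))
        elif timeout <= 0:
            findings.append("timeout %d min is not a positive number of minutes" % timeout)
    return findings


# Constructed sample input, not taken from a real installation.
SAMPLE = """\
# jira-application.properties (excerpt)
jira.websudo.is.disabled = true
jira.websudo.timeout = 120
"""

if __name__ == "__main__":
    for finding in audit_websudo(SAMPLE):
        print("FINDING:", finding)
```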

Developer Notes

If you have written a plugin that has webwork actions in the JIRA Administration section, those actions should have the @WebSudoRequired annotation added to the class (not the method or the package, unlike Confluence).

Please also see Developing against JIRA with Secure Administrator Sessions and Adding WebSudo Support to your Plugin.
