Configuring secure administrator sessions in Jira Service Management
Manually ending a secure administrator session
An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen.
Disabling secure administrator sessions
Secure administrator sessions (i.e. password confirmation before accessing administration functions) are enabled by default. If this causes issues for your Jira instance (e.g. if you are using a custom authentication mechanism), you can disable this feature by specifying the following line in your jira-config.properties file:
jira.websudo.is.disabled = true
You will need to restart your Jira server for this setting to take effect.
Changing the timeout
To change the number of minutes of inactivity after which a secure administrator session will time out, specify the jira.websudo.timeout
property (in your jira-config.properties file) whose value is the number of minutes of inactivity required before a secure administration session times out.
For example, the following line in your jira-config.properties file will end a secure administration session in 10 minutes:
jira.websudo.timeout = 10
You will need to restart your Jira server for this setting to take effect.
Tightening access with a websudo allowlist
To add an extra layer of security to websudo operations, you can configure and enable your own IP address/subnet allowlist for Jira. This means that certain superuser operations can only be performed from pre-approved IP addresses.
How to create a websudo allowlist
Developer notes
If you have written a plugin that has webwork actions in the Jira Administration section, those actions should have the @WebSudoRequired
annotation added to the class (not the method or the package, unlike Confluence).
Please also see How do I develop against Jira with Secure Administrator Sessions? and Adding WebSudo Support to your Plugin.