JIRA 4.3 : Configuring Secure Administrator Sessions
This page last changed on Feb 14, 2011 by rosie@atlassian.com.
About Secure Administrator Sessions

JIRA protects access to its administrative functions by requiring a secure administration session in order to use the JIRA administration screens. (This is also known as websudo.) When a JIRA administrator (who is logged into JIRA) attempts to access an administration function, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to the JIRA administration screens.

Screenshot: log in to temporary secure session

The temporary secure session has a rolling timeout (10 minutes by default). If there is no activity by the administrator in the JIRA administration screens for a period of time that exceeds the timeout, the administrator will be logged out of the secure administrator session (note that they will remain logged into JIRA). If the administrator does click an administration function, the timeout will reset.

Note that Project Administration functions (as defined by the 'Project Administrator' permission) do not require a secure administration session.

Manually ending a Secure Administrator Session

An administrator can choose to manually end their secure session by clicking the 'drop access' link in the banner displayed at the top of their screen.

Disabling Secure Administrator Sessions

Secure administrator sessions (i.e. password confirmation before accessing administration functions) are enabled by default. If this causes issues for your JIRA site (e.g. if you are using a custom authentication mechanism), you can disable this feature by editing the following line in the jira-application.properties file:

    jira.websudo.is.disabled = false

Changing the Timeout

To change the number of minutes of inactivity after which a secure administrator session will time out, edit the following line in the jira-application.properties file:

    jira.websudo.timeout = 10

Developer Notes

If you have written a plugin that has webwork actions in the JIRA Administration section, those actions should have the @WebSudoRequired annotation added to the class (not the method or the package, unlike Confluence). Please also see Developing against JIRA with Secure Administrator Sessions and Adding WebSudo Support to your Plugin.
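The two settings described under "Disabling Secure Administrator Sessions" and "Changing the Timeout" can be checked automatically when reviewing a JIRA configuration. The following is an added example, not part of the original page or of JIRA: the function names, the sample inputs and the 10-minute policy threshold are assumptions, and only the two property keys and their defaults come from the page.

```python
import re

# Defaults stated on the page: websudo enabled, 10-minute rolling timeout.
DEFAULTS = {"jira.websudo.is.disabled": "false", "jira.websudo.timeout": "10"}

def parse_properties(text):
    """Parse simple key/value lines; as in java.util.Properties, the last duplicate wins.
    Line continuations and backslash escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_websudo(text, max_timeout_minutes=10):
    """Return (key, message) findings. max_timeout_minutes is a hypothetical
    local policy value, set here to the page's default."""
    props = {**DEFAULTS, **parse_properties(text)}
    findings = []
    # Assumption: any case variant of "true" disables the feature.
    if props["jira.websudo.is.disabled"].lower() == "true":
        findings.append(("jira.websudo.is.disabled",
                         "secure administrator sessions are disabled"))
    raw_timeout = props["jira.websudo.timeout"]
    try:
        timeout = int(raw_timeout)
    except ValueError:
        findings.append(("jira.websudo.timeout", "not an integer: %r" % raw_timeout))
    else:
        if timeout > max_timeout_minutes:
            findings.append(("jira.websudo.timeout",
                             "%d min exceeds policy of %d" % (timeout, max_timeout_minutes)))
    return findings

# Constructed sample inputs (not taken from a real installation).
SAMPLE_DEFAULT = "jira.websudo.is.disabled = false\njira.websudo.timeout = 10\n"
SAMPLE_WEAK = "# constructed\njira.websudo.is.disabled=true\njira.websudo.timeout : 480\n"

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("weak", SAMPLE_WEAK)):
        print(name, audit_websudo(sample))
```

An empty result means both settings match the defaults the page describes; a missing key is treated as its default.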
Document generated by Confluence on Mar 27, 2011 18:33