Adding WebSudo Support to your Plugin
Support for Secure Administrator Sessions (also called websudo) was added in Confluence 3.3 and JIRA 4.3. When an administrator who is already logged in to Confluence or JIRA tries to use an administration function, they are prompted to log in again before the function is carried out. By default, Atlassian applications run with secure administrator sessions enabled; administrators can turn the feature off. For instructions, refer to the administration documentation for your product and version.
Other Atlassian applications will add WebSudo support in later releases. As of SAL 2.2 and REST 2.2, a plugin can enforce websudo itself, provided the host application supports it.
SAL 2.2 exposes a WebSudoManager that you can call from a servlet or servlet filter. As of version 2.2 of the Atlassian REST plugin module, you can instead annotate REST resources.
Use com.atlassian.sal.api.websudo.WebSudoManager to check whether the current request is covered by a secure administrator session and to enforce websudo protection for it.
Calling WebSudoManager#enforceWebSudoProtection(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) makes the host application redirect the user to its re-authentication form if, and only if, the current request is not WebSudo protected. The redirect is written to the response; the call does not abort your servlet or filter, so your code must stop processing the request after the call rather than fall through to the administrative action.
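The following is an added example of the servlet pattern described above, not code from the original page or from Atlassian. The class name PluginAdminServlet, the settings key and the use of com.atlassian.sal.api.pluginsettings.PluginSettingsFactory for the administrative action are assumptions for illustration. The example also relies on WebSudoManager#willExecuteWebSudoRequest and com.atlassian.sal.api.websudo.WebSudoSessionException, which are part of SAL's WebSudoManager but not shown on this page. The security-relevant detail is that enforceWebSudoProtection only issues the redirect, so the servlet returns immediately instead of continuing into the protected operation.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.atlassian.sal.api.pluginsettings.PluginSettingsFactory;
import com.atlassian.sal.api.websudo.WebSudoManager;
import com.atlassian.sal.api.websudo.WebSudoSessionException;

/**
 * Plugin administration servlet guarded by WebSudo (hypothetical class).
 * Both dependencies are injected by the host application's component system.
 */
public class PluginAdminServlet extends HttpServlet {
    // Assumed settings key used by this example's administrative action.
    private static final String KEY = "com.example.plugin.maintenanceMessage";
    private final WebSudoManager webSudoManager;
    private final PluginSettingsFactory settingsFactory;

    public PluginAdminServlet(WebSudoManager webSudoManager, PluginSettingsFactory settingsFactory) {
        this.webSudoManager = webSudoManager;
        this.settingsFactory = settingsFactory;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!requireWebSudo(request, response)) {
            return; // the redirect to the re-authentication form has already been issued
        }
        Object current = settingsFactory.createGlobalSettings().get(KEY);
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println("maintenanceMessage=" + (current == null ? "" : current));
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!requireWebSudo(request, response)) {
            return;
        }
        String message = request.getParameter("maintenanceMessage");
        if (message == null || message.length() > 500) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "maintenanceMessage missing or too long");
            return;
        }
        // State-changing administrative action: only reachable with a secure administrator session.
        settingsFactory.createGlobalSettings().put(KEY, message);
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /**
     * Returns true only when the request is covered by a secure administrator session.
     * Otherwise the host application has been asked to redirect to its re-authentication
     * form and the caller must stop processing the request.
     */
    private boolean requireWebSudo(HttpServletRequest request, HttpServletResponse response) {
        try {
            // Declares that a WebSudo-protected action is about to run. SAL throws
            // WebSudoSessionException when the session is not elevated (WebSudoManager
            // method assumed from SAL 2.2; the page itself shows only enforceWebSudoProtection).
            webSudoManager.willExecuteWebSudoRequest(request);
            return true;
        } catch (WebSudoSessionException e) {
            // enforceWebSudoProtection() only writes the redirect to the response; it does not
            // abort this method, so the boolean return is what keeps the admin action from running.
            webSudoManager.enforceWebSudoProtection(request, response);
            return false;
        }
    }
}
```

The same requireWebSudo check can be placed in a servlet filter mapped to the plugin's administration URL pattern so that every admin servlet behind it is covered without repeating the call in each one; in a filter, skip chain.doFilter() when the check fails.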
SAL provides two annotations that you can use to control secure administrator sessions. You can apply the annotations on a package, type or method level.
The com.atlassian.sal.api.websudo.WebSudoRequired annotation requires websudo protection. The com.atlassian.sal.api.websudo.WebSudoNotRequired annotation lets a REST resource bypass websudo protection when it is applied to a more specific element than the one carrying WebSudoRequired (for example, a type inside an annotated package, or a method inside an annotated type).
The following example adds a package-level annotation that enforces websudo protection but allows the REST resource ATestResource to bypass it.
Enforce websudo protection for all the resources in the package by annotating the package with com.atlassian.sal.api.websudo.WebSudoRequired.
To exclude a resource, add the com.atlassian.sal.api.websudo.WebSudoNotRequired annotation to that resource.
This prevents websudo protection from being enforced for the ATestResource REST resource.
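The listings below are an added example of the package, type and method level annotations described in the preceding paragraphs, not code from the original page or from Atlassian. The package name com.example.plugin.rest, the ConfigResource class, its settings key, and the use of SAL's PluginSettingsFactory and UserManager are assumptions; ATestResource is the resource named in the text. The example goes one step beyond the page by also showing a method-level override inside an otherwise protected resource, and by pairing websudo with an explicit administrator permission check, since websudo re-authenticates the current user but does not by itself verify that the user is an administrator.

```java
// --- com/example/plugin/rest/package-info.java ---
// Package-level default (assumed package name): every REST resource in this
// package requires a secure administrator session.
@WebSudoRequired
package com.example.plugin.rest;

import com.atlassian.sal.api.websudo.WebSudoRequired;

// --- com/example/plugin/rest/ConfigResource.java ---
package com.example.plugin.rest;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import com.atlassian.sal.api.pluginsettings.PluginSettings;
import com.atlassian.sal.api.pluginsettings.PluginSettingsFactory;
import com.atlassian.sal.api.user.UserManager;
import com.atlassian.sal.api.websudo.WebSudoNotRequired;

/**
 * Inherits @WebSudoRequired from the package: the caller must have re-authenticated
 * before any method here runs, except the one explicitly marked @WebSudoNotRequired.
 */
@Path("/config")
public class ConfigResource {
    private static final String KEY = "com.example.plugin.maintenanceMessage"; // assumed key
    private final PluginSettingsFactory settingsFactory;
    private final UserManager userManager;

    public ConfigResource(PluginSettingsFactory settingsFactory, UserManager userManager) {
        this.settingsFactory = settingsFactory;
        this.userManager = userManager;
    }

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response getMessage() {
        Object value = settingsFactory.createGlobalSettings().get(KEY);
        return Response.ok(value == null ? "" : value.toString()).build();
    }

    // Websudo is a re-authentication step, not an authorization check, so the
    // state-changing method still verifies that the caller is a system administrator
    // (SAL UserManager API, assumed here; not part of the page).
    @PUT
    @Consumes(MediaType.TEXT_PLAIN)
    public Response setMessage(String message, @Context HttpServletRequest request) {
        String username = userManager.getRemoteUsername(request);
        if (username == null || !userManager.isSystemAdmin(username)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        if (message == null || message.length() > 500) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        PluginSettings settings = settingsFactory.createGlobalSettings();
        settings.put(KEY, message);
        return Response.noContent().build();
    }

    // Method-level override: a harmless read-only probe that monitoring can poll
    // without triggering the websudo prompt, while the rest of the resource stays protected.
    @GET
    @Path("/health")
    @Produces(MediaType.TEXT_PLAIN)
    @WebSudoNotRequired
    public Response health() {
        return Response.ok("ok").build();
    }
}

// --- com/example/plugin/rest/ATestResource.java ---
package com.example.plugin.rest;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import com.atlassian.sal.api.websudo.WebSudoNotRequired;

// Type-level override: the whole resource bypasses the package-level default.
@Path("/test")
@WebSudoNotRequired
public class ATestResource {
    @GET
    public Response ping() {
        return Response.ok("pong").build();
    }
}
```

When reviewing a plugin, grep for WebSudoNotRequired: each occurrence should sit on something that is genuinely safe to reach without re-authentication, because the annotation silently wins over the package or type default for that element and its methods.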