Secure administrator sessions is a security feature introduced in Confluence 3.3. This provides an additional layer of authentication for administration functions. If you are developing a plugin for Confluence 3.3 or later, you will need to take note of the information below.
You must run Confluence (3.3 and later) in developer mode to develop against Confluence using AMPS or deploy a plugin using the Atlassian Plugin SDK. If you do not do this, you will receive an exception when deploying the plugin. This is because the plugin will be expecting the plugin upload screen when it is uploaded, but will get the secure administration session authentication screen instead.
Please note, if you use AMPS to develop against Confluence, it will start Confluence in developer mode. This will automatically disable the secure administrator session authentication checks, so you should not encounter any problems. You also will not run into this problem if you are developing against Confluence 3.2 and earlier, as these versions do not have the secure administrator sessions feature.
All webwork modules mounted under will automatically be protected by secure administrator sessions. To opt out of this protection you can mark your class or webwork action method with the WebSudoNotRequired annotation. Conversely, all webwork actions mounted outside the namespace are not protected and can be opted in by adding the WebSudoRequired annotation.
Both of these annotations work on the class or the action method. If you mark a method with the annotation, only action invocations invoking that method will be affected by the annotations. If you annotate the class, any invocation to that class will be affected. Sub-classes inherit these annotations.