Cloudogu EcoSystem Docs

Developing the SonarQube CAS plugin

CAS server installation (local development)

What you need

  • Java JDK >= 17

    • tested with the eclipse-temurin-17 distribution
  • Maven
  • docker
  • docker-compose

Before you start, you need to pick a reachable host name. This host name is used for:

  • Authentication interaction between SonarQube and CAS
  • SSL certificate check within CAS

  • Generate a keystore for your CAS host name

    • alternatively go with the host name cas.hitchhiker.com for which a keystore is provided
  • Modify the static user list and attributes

    • currently only one user is configurable with static lists

cas.authn.attributeRepository.stub.attributes.displayName=Tricia McMillan


Sonar CAS plugin installation (local development)

  1. Map your local IP address to DNS names for proper SonarQube ⇄ CAS interaction

    • add a line to your /etc/hosts file like this:
    • sonar.hitchhiker.com cas.hitchhiker.com
    • check if the host names are reachable:
    • ping cas.hitchhiker.com
    • ping sonar.hitchhiker.com
  2. Export your local IP address to environment variables for docker-compose:

    • either with a shell export or with a .env file to be sourced
  3. Copy the plugin
  4. Add the following properties to conf/sonar.properties then restart the server
  5. Build the CAS plugin and copy it into the SonarQube plugins directory
mvn clean install
cp target/sonar-cas-plugin-<version>.jar sonar-home/plugins

Start SonarQube and CAS with docker-compose

This is as easy as 1, 2, 3 because docker-compose is used. Make sure you either have the images in your Docker cache or have a working internet connection.

Start both servers at once in the background like this:

docker-compose up -d

And hit the configured URLs:

  • CAS
  • SonarQube

    • currently it must be configured to have a context path
    • configure sonar.config with this value sonar.web.context=/sonar

File Permissions of sonar_home

If SonarQube acts up because of file system permissions, just change them with this command:

sudo chown 999:999 -R sonar-home/data sonar-home/temp sonar-home/plugins sonar-home/logs

Restart SonarQube during development

For CAS plugin development you need to restart SonarQube in order to activate code changes, like this:

cp target/sonar-cas-plugin-<version>.jar sonar-home/plugins
docker-compose restart sonar

Reading logs

You can view the respective log output with these commands:

docker-compose logs -f sonar
docker-compose logs -f cas

Plugin configuration

This plugin is configurable in several ways by setting the usual properties in the sonar.properties file. You can find the keys and some explanation in the Plugin Configuration page.

How this plugin works

You can find more about plugin internals in the Architecture and Internals page.


To help investigate SonarQube's multiple authentication entry points, these classes have been created to simplify an analysis:

  • org.sonar.plugins.cas.LogNoOpFilter

    • Logs if SonarQube passes a request to the Sonar CAS plugin.

      • this is not always the case, e.g. if SonarQube rejects a request from the beginning due to external defects
  • org.sonar.plugins.cas.util.RequestStringer

    • HttpServletRequests do not reasonably implement toString()
    • This class takes over that functionality and converts relevant fields to a string:

      • URL
      • HTTP method
      • HTTP header
      • Cookies
      • Parameters
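
A string built from these fields can contain session cookies and CAS service tickets, so it should not reach a log file unmasked. The following is an added example, not code from the plugin: a formatter for the same five fields that masks credential-bearing values and neutralises line breaks. The class name, the sets of sensitive names and the sample request are assumptions; it takes plain strings and maps so that it runs on a bare JDK.

```java
import java.util.*;

/** Hypothetical helper, not the plugin's RequestStringer: formats request fields for logs and masks secrets. */
public class RedactingRequestStringer {
    // Assumed sensitive names; CAS carries service tickets in "ticket" and logout messages in "logoutRequest".
    private static final Set<String> SECRET_HEADERS =
        Set.of("authorization", "proxy-authorization", "cookie", "set-cookie");
    private static final Set<String> SECRET_PARAMS = Set.of("ticket", "password", "logoutrequest");

    public static String stringify(String method, String url, Map<String, String> headers,
                                   Map<String, String> cookies, Map<String, String[]> params) {
        String line = method + " " + stripQuery(url)
            + " headers=" + mask(headers, SECRET_HEADERS)
            + " cookies=" + new TreeSet<>(cookies.keySet()) // cookie names only, never values
            + " params=" + mask(flatten(params), SECRET_PARAMS);
        // Replace CR/LF so a request value cannot forge additional log lines.
        return line.replaceAll("[\\r\\n]", "_");
    }

    // The query string repeats the parameters, so drop it here and log parameters separately (masked).
    private static String stripQuery(String url) {
        int q = url.indexOf('?');
        return q < 0 ? url : url.substring(0, q);
    }

    private static Map<String, String> flatten(Map<String, String[]> params) {
        Map<String, String> flat = new TreeMap<>();
        params.forEach((name, values) -> flat.put(name, String.join(",", values)));
        return flat;
    }

    // Case-insensitive name match; sorted output keeps log lines comparable between requests.
    private static Map<String, String> mask(Map<String, String> in, Set<String> secretNames) {
        Map<String, String> out = new TreeMap<>();
        in.forEach((name, value) ->
            out.put(name, secretNames.contains(name.toLowerCase(Locale.ROOT)) ? "***" : value));
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request, not captured traffic.
        System.out.println(stringify("GET",
            "https://sonar.hitchhiker.com/sonar/constructed/path?ticket=ST-1-constructed",
            Map.of("Host", "sonar.hitchhiker.com", "Cookie", "SESSIONID=constructed"),
            Map.of("SESSIONID", "constructed"),
            Map.of("ticket", new String[] {"ST-1-constructed"})));
    }
}
```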