These properties are configured within the typical
Allow yet unknown users to authenticate. When set to false, only existing users will be able to authenticate.
Select the authentication protocol between CAS and SonarQube. Default is
You should use HTTPS where possible. Without an ending slash.
sonar.cas.casServerUrlPrefix = https://cas.hitchhiker.com:8443/cas
Without ending slash.
Mandatory CAS server logout URL. If set, the SonarQube session will be deleted on a CAS logout request, including logouts triggered from the logout button.
Default is false.
SonarQube does not provide a server-side session (other than by issuing JWT tokens). When the user logs out, the cookie containing the JWT token is removed. Even so, SonarQube DOES NOT ensure that the JWT token (which should now be invalid) is ignored. Instead the JWT token is still considered valid, enabling whoever possesses it to continue to work with SonarQube.
The CAS plugin makes sure to blacklist existing tokens when the user logs out. To do this, the tokens must be stored persistently so that they outlive server or container restarts or even container recreations. Administrators may want to mount this as its own volume so that it scales with the number of unexpired sessions.
The directory should live in SonarQube's working directory.
sonar.cas.sessionStorePath = /opt/sonarqube/data/sonarcas/sessionstore
The CAS session store stores JWT tokens, which have an expiration date. These are kept for black- and whitelisting a user's JWTs in order to lock out attackers who gained access to a user's old JWT tokens.
Once these JWTs are expired they need to be removed from the store by a background job. This property defines the interval in seconds between each clean-up run. Do not set the interval too short (this could lead to unnecessary CPU load) or too long (this could lead to unnecessary filesystem load).
Default is 30 minutes; 0 disables the cleanup (this SHOULD NOT be done in a production environment).
sonar.cas.sessionStore.cleanUpIntervalInSeconds = 1800
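The blacklist-on-logout and periodic clean-up described above, as an added illustration in Python (not the plugin's own code): a persistent store keyed by the token's jti claim, a validity check that consults it, and the clean-up job that drops entries once the token has expired. It assumes HS256 tokens signed with a constructed secret, a jti claim, and a JSON file standing in for sonar.cas.sessionStorePath.

```python
import base64, hashlib, hmac, json, os, tempfile

SECRET = b"constructed-demo-secret"  # assumption: stands in for SonarQube's JWT signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(jti: str, exp: int) -> str:
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')  # constructed token: only the claims the store needs
    payload = _b64url(json.dumps({"jti": jti, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def claims(token: str) -> dict:
    """Verify the signature before trusting any claim; a forged jti/exp must not reach the store."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class SessionStore:
    """Blacklist of logged-out tokens (jti -> exp), persisted as JSON so it outlives restarts."""
    def __init__(self, path: str):
        self.path = path
        self.blacklist = json.load(open(path)) if os.path.exists(path) else {}
    def _save(self) -> None:
        with open(self.path, "w") as f:
            json.dump(self.blacklist, f)
    def logout(self, token: str) -> None:
        c = claims(token)
        self.blacklist[c["jti"]] = c["exp"]  # keep the entry until the token would expire anyway
        self._save()
    def is_valid(self, token: str, now: int) -> bool:
        c = claims(token)
        return c["exp"] > now and c["jti"] not in self.blacklist
    def cleanup(self, now: int) -> int:
        kept = {j: e for j, e in self.blacklist.items() if e > now}  # expired entries cannot be replayed
        removed, self.blacklist = len(self.blacklist) - len(kept), kept
        self._save()
        return removed

def demo() -> tuple:
    store = SessionStore(os.path.join(tempfile.mkdtemp(), "sessionstore.json"))  # stand-in for sessionStorePath
    now = 1_700_000_000
    tok = make_jwt("jti-1", now + 3600)
    before = store.is_valid(tok, now)                     # fresh token: accepted
    store.logout(tok)
    after = SessionStore(store.path).is_valid(tok, now)   # new instance, as after a restart: still rejected
    return before, after, store.cleanup(now + 60), store.cleanup(now + 3601)  # (True, False, 0, 1)
```

The second cleanup call shows why the interval matters: an entry is only safe to drop once its exp has passed, so the job is purely housekeeping and never changes which tokens are rejected.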
Attributes holding the authorities (groups, roles, etc.) the user belongs to. Multiple values should be separated with commas without further whitespace (e.g. 'groups,roles').
Currently not supported due to SonarQube limitations, but this is solved with CAS2 attributes.
displayName is the appropriate field in the CAS ticket which contains the user's full name.
The tolerance in milliseconds for drifting clocks when validating SAML 1.1 tickets.
Note that 10 seconds should be more than enough for most environments that have NTP time synchronization. Default is 1000 milliseconds.
CAUTION! NEVER USE IN PROD! SECURITY RISK!
This is only for development environments where a proper certificate chain is unfeasible.
When logged out, the user may call any SonarQube URL and is then redirected to the CAS. CAS itself is unable to retain any further information and redirects only to a fixed SonarQube URL. The original URL, as called by the user, is saved in a cookie. After a successful login the system redirects to that URL.
This setting controls how long (in seconds) the cookie may be valid until it is discarded.