//Cloudogu EcoSystem Docs

Plugin configuration

These properties are configured within the typical sonar.properties file.

configure CAS plugin to handle authentication


Allow Users to sign up

Allow yet unknown users to authenticate. When set to false, only existing users will be able to authenticate.


force CAS authentication (no anonymous access allowed)


Valid values: cas1, cas2, cas3 or saml11

Select the authentication protocol between CAS and SonarQube. Default is cas3.


Set the root URL of the CAS server

Use HTTPS wherever possible, since tickets and validation responses travel over this channel. Without a trailing slash.

sonar.cas.casServerUrlPrefix = https://cas.hitchhiker.com:8443/cas

Location of the CAS server login form


Sonar server root URL

Without ending slash.


CAS server logout URL

CAS server logout URL (mandatory). With this set, the SonarQube session is deleted when the CAS server sends a logout request, and also when the user uses the logout button.


Specifies whether gateway=true should be sent to the CAS server.

Default is false.


Path to CAS Session Store

SonarQube does not keep server-side sessions; it only issues JWT tokens. When the user logs out, the cookie containing the JWT token is removed. Even so, SonarQube DOES NOT ensure that the now-invalid JWT token is rejected. Instead the token is still treated as valid, so anyone who possesses it can continue to work with SonarQube.

The CAS plugin blacklists a user's existing tokens when that user logs out. To do this, the tokens must be stored persistently so that the blacklist outlives server or container restarts, or even container recreation. Administrators may want to mount this directory as its own volume so that it can grow with the number of unexpired sessions.

The directory should live in SonarQube's working directory.

sonar.cas.sessionStorePath = /opt/sonarqube/data/sonarcas/sessionstore
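The behaviour described above (a persistent token blacklist that survives a container restart, and whose expired entries are later removed by a cleanup run) as an added illustration. This is constructed example code, not the plugin's own implementation: it assumes that the caller has already verified the JWT signature and extracted the token ID (`jti`) and expiry (`exp`), and it stores one small file per blacklisted token in a directory such as the configured session store path.

```python
import json
import os
import re
import tempfile

# Token IDs become file names, so restrict them to a safe alphabet. This avoids
# path traversal if a hostile jti claim ever reaches the store. (Assumption:
# the signature was verified before the token got here.)
_SAFE_JTI = re.compile(r"[A-Za-z0-9_-]{1,128}")


class SessionStore:
    """File-backed blacklist of logged-out JWT IDs with their expiry times."""

    def __init__(self, path):
        self.path = path
        os.makedirs(path, exist_ok=True)

    def _file(self, jti):
        if not _SAFE_JTI.fullmatch(jti):
            raise ValueError("unsafe token id")
        return os.path.join(self.path, jti + ".json")

    def blacklist(self, jti, expires_at):
        # One file per token: writes are independent and cleanup is cheap.
        with open(self._file(jti), "w") as f:
            json.dump({"jti": jti, "exp": expires_at}, f)

    def is_blacklisted(self, jti, now):
        try:
            with open(self._file(jti)) as f:
                entry = json.load(f)
        except FileNotFoundError:
            return False
        # An entry whose token has expired no longer matters: SonarQube itself
        # rejects expired JWTs, so only unexpired entries block a replay.
        return entry["exp"] > now

    def cleanup(self, now):
        """Background-job logic: drop entries whose token has expired."""
        removed = 0
        for name in os.listdir(self.path):
            p = os.path.join(self.path, name)
            with open(p) as f:
                entry = json.load(f)
            if entry["exp"] <= now:
                os.remove(p)
                removed += 1
        return removed


def demo():
    """Walk through logout, replay, restart and cleanup with constructed tokens."""
    t0 = 1_700_000_000  # arbitrary fixed "now" (epoch seconds)
    with tempfile.TemporaryDirectory() as d:
        store = SessionStore(d)
        store.blacklist("tok-a", t0 + 3600)  # user logged out, token lives 1 h more
        store.blacklist("tok-b", t0 - 10)    # token already expired

        replay_blocked = store.is_blacklisted("tok-a", now=t0)

        # Simulate a container recreation: a fresh store over the same volume.
        store2 = SessionStore(d)
        survives_restart = store2.is_blacklisted("tok-a", now=t0)

        removed = store2.cleanup(now=t0)            # only tok-b is expired
        after_expiry = store2.is_blacklisted("tok-a", now=t0 + 3601)
        return replay_blocked, survives_restart, removed, after_expiry


if __name__ == "__main__":
    print(demo())
```

The point of keeping the entries on disk rather than in memory is the restart case: a replayed token presented after a container recreation is still refused because the blacklist entry was read back from the mounted directory.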

CAS Session Store clean up interval

The CAS session store holds JWT tokens, each of which has an expiration date. They are kept for black- and whitelisting a user's JWTs, so that an attacker who has obtained one of the user's old JWT tokens cannot use it.

Once these JWTs have expired they need to be removed from the store by a background job. This property defines the interval in seconds between clean-up runs. Do not set the interval too short (unnecessary CPU load) or too long (expired entries pile up and put unnecessary load on the filesystem).

Default is 30 minutes, 0 disables the cleanup (this SHOULD NOT be done in a production environment)

sonar.cas.sessionStore.cleanUpIntervalInSeconds = 1800
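A small lint check for the three properties named on this page (the CAS server URL prefix, the session store path and the clean-up interval), added here as an example and not part of the plugin. It flags the mistakes the text warns about: a non-HTTPS CAS URL, a trailing slash, a session store outside SonarQube's working directory, and a clean-up interval of 0. The properties fragments are constructed samples; the working directory `/opt/sonarqube` is an assumption taken from the example path above, and only `key = value` lines are parsed.

```python
from urllib.parse import urlsplit

# Constructed sample with every mistake the documentation warns about.
BAD_PROPERTIES = """
# CAS settings
sonar.cas.casServerUrlPrefix = http://cas.hitchhiker.com:8443/cas/
sonar.cas.sessionStorePath = /tmp/sessionstore
sonar.cas.sessionStore.cleanUpIntervalInSeconds = 0
"""

# The same three properties set as the documentation recommends.
GOOD_PROPERTIES = """
sonar.cas.casServerUrlPrefix = https://cas.hitchhiker.com:8443/cas
sonar.cas.sessionStorePath = /opt/sonarqube/data/sonarcas/sessionstore
sonar.cas.sessionStore.cleanUpIntervalInSeconds = 1800
"""


def parse_properties(text):
    """Minimal .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_cas_properties(props, working_dir="/opt/sonarqube"):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []

    url = props.get("sonar.cas.casServerUrlPrefix", "")
    if urlsplit(url).scheme != "https":
        findings.append("casServerUrlPrefix: use https so tickets are not sent in clear")
    if url.endswith("/"):
        findings.append("casServerUrlPrefix: must not end with a slash")

    store = props.get("sonar.cas.sessionStorePath", "")
    if not store.startswith(working_dir.rstrip("/") + "/"):
        findings.append("sessionStorePath: should live inside SonarQube's working directory")

    raw = props.get("sonar.cas.sessionStore.cleanUpIntervalInSeconds", "1800")
    try:
        interval = int(raw)
    except ValueError:
        interval = -1
    if interval <= 0:
        findings.append("cleanUpIntervalInSeconds: 0 disables clean-up; use a positive value in production")

    return findings


if __name__ == "__main__":
    for name, text in (("bad", BAD_PROPERTIES), ("good", GOOD_PROPERTIES)):
        print(name, check_cas_properties(parse_properties(text)))
```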

Configure CAS Roles Attribute(s)

Attributes holding the authorities (groups, roles, etc.) the user belongs to. Multiple values should be separated with commas without further whitespace (e.g. 'groups,roles').


Attribute holding the user's full name.

Currently not supported because of SonarQube limitations; this is solved with CAS2 attributes. displayName is the field in the CAS ticket that contains the user's full name.


Attribute holding the user's email address.

mail is the appropriate field in the CAS ticket which contains the user's email address.


Configure clock drifting tolerance for SAML 1.1 tickets.

The tolerance in milliseconds for drifting clocks when validating SAML 1.1 tickets.

Note that 10 seconds should be more than enough for most environments that have NTP time synchronization. Default is 1000 milliseconds.


Ignore certificate validation errors.


This is only for development environments where a proper certificate chain is unfeasible. Never enable it in production: without certificate validation, anyone who can intercept the connection can impersonate the CAS server and answer ticket validation requests.


When logged out, the user may call any SonarQube URL and is then redirected to CAS. CAS itself cannot retain any further information and redirects only to a fixed SonarQube URL. The original URL, as called by the user, is therefore saved in a cookie. After a successful login the system redirects to that URL.

This setting controls how long (in seconds) the cookie may be valid until it is discarded.