//Cloudogu EcoSystem Docs

Plugin configuration

These properties are configured within the typical sonar.properties file.

configure CAS plugin to handle authentication

sonar.security.realm=cas

Allow Users to sign up

Allow yet unknown users to authenticate. When set to false, only existing users will be able to authenticate.

sonar.authenticator.createUsers=true

force CAS authentication (no anonymous access allowed)

sonar.cas.forceCasLogin=true

cas3, cas1, cas2 or saml11

Select the authentication protocol between CAS and SonarQube. Default is cas3.

sonar.cas.protocol=cas3

Set the root URL of the CAS server

You should use HTTP/S where possible. Without an ending slash.

sonar.cas.casServerUrlPrefix = https://cas.hitchhiker.com:8443/cas

Location of the CAS server login form

sonar.cas.casServerLoginUrl=https://cas.hitchhiker.com:8443/cas/login

Sonar server root URL

Without ending slash.

sonar.cas.sonarServerUrl=http://localhost:9000

CAS server logout URL

mandatory CAS server logout URL. If set, sonar session will be deleted on CAS logout request. Also from the logout-button

sonar.cas.casServerLogoutUrl=https://cas.hitchhiker.com:8443/cas/logout

Specifies whether gateway=true should be sent to the CAS server.

Default is false.

sonar.cas.sendGateway=false

Path to CAS Session Store

As SonarQube does not provide a session (other than by issueing JWT tokens). When the user logs out, the cookie containing the necessary JWT token is removed. Even so, SonarQube DOES NOT ensure that the JWT token (which is now no-longer valid) is ignored. Instead the JWT token is still considered valid, enabling the possessor to continue to work with SonarQube.

The CAS plugin makes sure to blacklist existing tokens when the user logs out. In order to do this the tokens must be stored persistently in order to outlive server or container restarts or even container recreations. Administrators may want to mount this as its own volume in order to scale with number of unexpired sessions.

The directory should live in SonarQube's working directory.

sonar.cas.sessionStorePath = /opt/sonarqube/data/sonarcas/sessionstore

CAS Session Store clean up interval

The CAS session store stores JWT tokens which have an expiration date. These are kept for black- and whitelisting JWTs from a user in order to prohibit attackers which gained access to a user's old JWT tokens.

Once these JWTs are expired they need to be removed from the store in a background ob. This property defines the interval in seconds between each clean up run. Do not set the interval too short (this could lead to unnecessary CPU load) or too long (this could lead to unnecessary filesystem load).

Default is 30 minutes, 0 disables the cleanup (this SHOULD NOT be done in a production environment)

sonar.cas.sessionStore.cleanUpIntervalInSeconds = 1800

Configure CAS Roles Attribute(s)

Attributes holding the authorities (groups, roles, etc.) the user belongs to. Multiple values should be separated with commas without further whitespace (e.g. 'groups,roles').

sonar.cas.rolesAttributes=groups,roles

Attribute holding the user's full name.

Currently not supported related to Sonar limitations but is solved with CAS2 attributes. displayName is the appropriate field in the CAS ticket which contains the user's full name.

sonar.cas.fullNameAttribute=displayName

Attribute holding the user's email address.

mail is the appropriate field in the CAS ticket which contains the user's email address.

sonar.cas.eMailAttribute=mail

Configure clock drifting tolerance for SAML 1.1 tickets.

The tolerance in milliseconds for drifting clocks when validating SAML 1.1 tickets.

Note that 10 seconds should be more than enough for most environments that have NTP time synchronization. Default is 1000 milliseconds.

sonar.cas.saml11.toleranceMilliseconds=1000

Ignore certification validation errors.

CAUTION! NEVER USE IN PROD! SECURITY RISK!

This is only for development environments where a proper certificate chain is unfeasible.

sonar.cas.disableCertValidation=false

When logged out, the user may call any SonarQube URL and is then redirected to the CAS. CAS itself is unable to retain any further information and redirects only to a fix SonarQube URL. The original URL, as called from the user, is saved in a cookie. After a successful login the system redirects to that URL.

This setting controls how long (in seconds) the cookie may be valid until it is discarded.

sonar.cas.urlAfterCasRedirectCookieMaxAgeSeconds=300