#ApacheCon
Infinite Session Clustering with
Apache Shiro & Cassandra
Les Hazlewood @lhazlewood
Apache Shiro Project Chair
...
#ApacheCon
.com
• User Management and Authentication API
• Security for your applications
• User security workflows
• Secu...
#ApacheCon
• Application security framework
• ASF TLP http://shiro.apache.org
• Quick and Easy
• Simplifies Security
What ...
#ApacheCon
Web Session Management
Auxiliary Features
AuthorizationAuthentication
Cryptography
Session
Management
Web Suppo...
#ApacheCon
Quick Concepts
Subject currentUser =
SecurityUtils.getSubject();
currentUser.login(...)
currentUser.isPermitted...
#ApacheCon
Session Management Defined
Managing the lifecycle of Subject-specific
temporal data context
#ApacheCon
Session Management Features
• Heterogeneous client access
• POJO/J2SE based (IoC friendly)
• Event listeners
• ...
#ApacheCon
Acquiring and Creating Sessions
Subject subject =
SecurityUtils.getSubject()
//guarantee a session
Session sess...
#ApacheCon
Session API
getStartTimestamp()
getLastAccessTime()
getAttribute(key)
setAttribute(key, value)
get/setTimeout(l...
#ApacheCon
Session Management Architecture
Subject .getSession()  Session
#ApacheCon
Session Management Architecture
Subject
SessionManager
.getSession()  Session
#ApacheCon
Session Management Architecture
Subject
SessionManager
.getSession() 
Session
Factory
Session
#ApacheCon
Session Management Architecture
Subject
SessionManager
SessionDAO
.getSession() 
Session
Factory
Session
#ApacheCon
Session Management Architecture
Subject
SessionManager
SessionDAO
.getSession() 
Session ID
Generator
Session
...
#ApacheCon
Session Management Architecture
Subject
SessionManager
SessionDAO
.getSession() 
Session ID
Generator
Session
...
#ApacheCon
Session Management Architecture
Subject
SessionManager
SessionDAO
.getSession() 
Session ID
Generator
Session
...
#ApacheCon
Session Management Architecture
Subject
SessionManager
SessionDAO
.getSession() 
Session ID
Generator
Session
...
#ApacheCon
Session Management Architecture
Subject
SessionManager
SessionDAO
.getSession() 
Session ID
Generator
Session
...
#ApacheCon
Session Clustering:
Clustered Data Store of Choice
SessionDAO
Session ID
Generator
Session
Cache
Validation
Sch...
#ApacheCon
Web Configuration
• web.xml elements
• Protects all URLs
• Innovative Filtering (URL-specific chains)
• JSP Tag...
#ApacheCon
web.xml
<listener>
<listener-class>
org.apache.shiro.web.env.EnvironmentLoaderListener
</listener-class>
</list...
#ApacheCon
web.xml cont’d
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatche...
#ApacheCon
shiro.ini overview
[main]
# bean config here
[users]
# optional static user accounts (and their roles) here
[ro...
#ApacheCon
Session Clustering
#ApacheCon
Two Approaches
• Write a SessionDAO
• Use EnterpriseCacheSessionDAO and
write a CacheManager
#ApacheCon
Cassandra SessionDAO
#ApacheCon
SessionDAO Concerns
SessionManager
SessionDAO
Session ID
Generator
Session
Cache
Data store
#ApacheCon
Custom SessionDAO
public class MySessionDAO extends AbstractSessionDAO {
protected void doCreate(Session s){......
#ApacheCon
Native Web Session Manager
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
se...
#ApacheCon
Cassandra SessionDAO
[main]
...
cassandraCluster = com.leshazlewood.samples.shiro.cassandra.ClusterFactory
sess...
#ApacheCon
Plug in the SessionDAO
[main]
...
sessionManager.sessionDAO = $sessionDAO
#ApacheCon
Sessions Table (CQL 3)
CREATE TABLE sessions (
id timeuuid PRIMARY KEY,
start_ts timestamp,
stop_ts timestamp,
...
#ApacheCon
No Validation Scheduler?
#ApacheCon
No Validation Scheduler?
Use Cassandra’s TTL
#ApacheCon
TTL for session timeout
[main]
# Cassandra can enforce a TTL.
# No need for Shiro to invalidate!
sessionManager...
#ApacheCon
Session Upsert (CQL 3)
UPDATE sessions USING TTL $timeout SET
start_ts = ?,
stop_ts = ?,
last_access_ts = ?,
ti...
#ApacheCon
But what about tombstones!?!?
#ApacheCon
Sessions Table (revised)
CREATE TABLE sessions (
id timeuuid PRIMARY KEY,
start_ts timestamp,
stop_ts timestamp...
#ApacheCon
But what about row caching?
#ApacheCon
Row Cache?
Probably don’t need it
(but maybe in some cases it would be useful)
• SSTable likely in Operating Sy...
#ApacheCon
Code
$ git clone https://github.com/lhazlewood/shiro-
cassandra-sample.git
$ cd shiro-cassandra-sample
$ $CASSA...
#ApacheCon
Thank You!
• les@stormpath.com
• Twitter: @lhazlewood
• http://www.stormpath.com
Upcoming SlideShare
Loading in...5
×

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra

1,671
-1

Published on

In this session Les Hazlewood, the Apache Shiro PMC Chair, will cover Shiro's enterprise session management capabilities, how it can be used across any application (not just web or JEE applications) and how to use Cassandra as Shiro's session store, enabling a distributed session cluster supporting hundreds of thousands or even millions of concurrent sessions. As a working example, Les will show how to set up a session cluster in under 10 minutes using Cassandra. If you need to scale user session load, you won't want to miss this!

Published in: Technology
1 Comment
1 Like
Statistics
Notes
No Downloads
Views
Total Views
1,671
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
36
Comments
1
Likes
1
Embeds 0
No embeds

No notes for slide

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra

  1. 1. #ApacheCon Infinite Session Clustering with Apache Shiro & Cassandra Les Hazlewood @lhazlewood Apache Shiro Project Chair CTO, Stormpath stormpath.com ApacheCon 2014
  2. 2. #ApacheCon .com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
  3. 3. #ApacheCon • Application security framework • ASF TLP http://shiro.apache.org • Quick and Easy • Simplifies Security What is Apache Shiro?
  4. 4. #ApacheCon Web Session Management Auxiliary Features AuthorizationAuthentication Cryptography Session Management Web Support
  5. 5. #ApacheCon Quick Concepts Subject currentUser = SecurityUtils.getSubject(); currentUser.login(...) currentUser.isPermitted(...)
  6. 6. #ApacheCon Session Management Defined Managing the lifecycle of Subject-specific temporal data context
  7. 7. #ApacheCon Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Container-Independent Clustering!
  8. 8. #ApacheCon Acquiring and Creating Sessions Subject subject = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
  9. 9. #ApacheCon Session API getStartTimestamp() getLastAccessTime() getAttribute(key) setAttribute(key, value) get/setTimeout(long) touch() ...
  10. 10. #ApacheCon Session Management Architecture Subject .getSession()  Session
  11. 11. #ApacheCon Session Management Architecture Subject SessionManager .getSession()  Session
  12. 12. #ApacheCon Session Management Architecture Subject SessionManager .getSession()  Session Factory Session
  13. 13. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session Factory Session
  14. 14. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Factory Session
  15. 15. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Cache Session Factory Session
  16. 16. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Cache Session Factory Session Data store
  17. 17. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Cache Session Factory Validation Scheduler Session Data store
  18. 18. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Cache Session Factory Validation Scheduler Session Listeners Session Data store
  19. 19. #ApacheCon Session Clustering: Clustered Data Store of Choice SessionDAO Session ID Generator Session Cache Validation Scheduler Data store
  20. 20. #ApacheCon Web Configuration • web.xml elements • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
  21. 21. #ApacheCon web.xml <listener> <listener-class> org.apache.shiro.web.env.EnvironmentLoaderListener </listener-class> </listener> <filter> <filter-name>ShiroFilter</filter-name> <filter-class> org.apache.shiro.web.servlet.ShiroFilter </filter-class> </filter>
  22. 22. #ApacheCon web.xml cont’d <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> <dispatcher>INCLUDE</dispatcher> <dispatcher>ERROR</dispatcher> </filter-mapping>
  23. 23. #ApacheCon shiro.ini overview [main] # bean config here [users] # optional static user accounts (and their roles) here [roles] # optional static roles (and their permissions) here [urls] # filter chains here
  24. 24. #ApacheCon Session Clustering
  25. 25. #ApacheCon Two Approaches • Write a SessionDAO • Use EnterpriseCacheSessionDAO and write a CacheManager
  26. 26. #ApacheCon Cassandra SessionDAO
  27. 27. #ApacheCon SessionDAO Concerns SessionManager SessionDAO Session ID Generator Session Cache Data store
  28. 28. #ApacheCon Custom SessionDAO public class MySessionDAO extends AbstractSessionDAO { protected void doCreate(Session s){...} protected void doReadSession(Serializable id){...} protected void delete(Session s){...} protected void update(Session s){...} Collection<Session> getActiveSessions(){...} } Or public class MySessionDAO extends CachingSessionDAO { ... //enables write-through caching }
  29. 29. #ApacheCon Native Web Session Manager [main] sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager
  30. 30. #ApacheCon Cassandra SessionDAO [main] ... cassandraCluster = com.leshazlewood.samples.shiro.cassandra.ClusterFactory sessionDAO = com.leshazlewood.samples.shiro.cassandra.CassandraSessionDAO sessionDAO.cluster = $cassandraCluster sessionDAO.keyspaceName = shirosessions sessionDAO.tableName = sessions ...
  31. 31. #ApacheCon Plug in the SessionDAO [main] ... sessionManager.sessionDAO = $sessionDAO
  32. 32. #ApacheCon Sessions Table (CQL 3) CREATE TABLE sessions ( id timeuuid PRIMARY KEY, start_ts timestamp, stop_ts timestamp, last_access_ts timestamp, timeout bigint, expired boolean, host varchar, serialized_value blob )
  33. 33. #ApacheCon No Validation Scheduler?
  34. 34. #ApacheCon No Validation Scheduler? Use Cassandra’s TTL
  35. 35. #ApacheCon TTL for session timeout [main] # Cassandra can enforce a TTL. # No need for Shiro to invalidate! sessionManager.sessionValidationSchedulerEnabled = false
  36. 36. #ApacheCon Session Upsert (CQL 3) UPDATE sessions USING TTL $timeout SET start_ts = ?, stop_ts = ?, last_access_ts = ?, timeout = ?, expired = ?, host = ?, serialized_value = ? WHERE id = ?
  37. 37. #ApacheCon But what about tombstones!?!?
  38. 38. #ApacheCon Sessions Table (revised) CREATE TABLE sessions ( id timeuuid PRIMARY KEY, start_ts timestamp, stop_ts timestamp, last_access_ts timestamp, timeout bigint, expired boolean, host varchar, serialized_value blob ) WITH gc_grace_seconds = 86400 AND compacation = {‘class’:’LeveledCompactionStrategy’}
  39. 39. #ApacheCon But what about row caching?
  40. 40. #ApacheCon Row Cache? Probably don’t need it (but maybe in some cases it would be useful) • SSTable likely in Operating System page cache (off heap) • DO use Key Cache (very important, enabled by default in 1.2)
  41. 41. #ApacheCon Code $ git clone https://github.com/lhazlewood/shiro- cassandra-sample.git $ cd shiro-cassandra-sample $ $CASSANDRA_HOME/bin/cassandra $ mvn jetty:run Open a browser to http://localhost:8080
  42. 42. #ApacheCon Thank You! • les@stormpath.com • Twitter: @lhazlewood • http://www.stormpath.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×