• Like
  • Save
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
Upcoming SlideShare
Loading in...5
×
 

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra

on

  • 704 views

In this session Les Hazlewood, the Apache Shiro PMC Chair, will cover Shiro's enterprise session management capabilities, how it can be used across any application (not just web or JEE applications) ...

In this session Les Hazlewood, the Apache Shiro PMC Chair, will cover Shiro's enterprise session management capabilities, how it can be used across any application (not just web or JEE applications) and how to use Cassandra as Shiro's session store, enabling a distributed session cluster supporting hundreds of thousands or even millions of concurrent sessions. As a working example, Les will show how to set up a session cluster in under 10 minutes using Cassandra. If you need to scale user session load, you won't want to miss this!

Statistics

Views

Total Views
704
Views on SlideShare
702
Embed Views
2

Actions

Likes
1
Downloads
15
Comments
1

1 Embed 2

http://www.slideee.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra Presentation Transcript

    • #ApacheCon Infinite Session Clustering with Apache Shiro & Cassandra Les Hazlewood @lhazlewood Apache Shiro Project Chair CTO, Stormpath stormpath.com ApacheCon 2014
    • #ApacheCon .com • User Management and Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
    • #ApacheCon • Application security framework • ASF TLP http://shiro.apache.org • Quick and Easy • Simplifies Security What is Apache Shiro?
    • #ApacheCon Web Session Management Auxiliary Features AuthorizationAuthentication Cryptography Session Management Web Support
    • #ApacheCon Quick Concepts Subject currentUser = SecurityUtils.getSubject(); currentUser.login(...) currentUser.isPermitted(...)
    • #ApacheCon Session Management Defined Managing the lifecycle of Subject-specific temporal data context
    • #ApacheCon Session Management Features • Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Container-Independent Clustering!
    • #ApacheCon Acquiring and Creating Sessions Subject subject = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
    • #ApacheCon Session API getStartTimestamp() getLastAccessTime() getAttribute(key) setAttribute(key, value) get/setTimeout(long) touch() ...
    • #ApacheCon Session Management Architecture Subject .getSession()  Session
    • #ApacheCon Session Management Architecture Subject SessionManager .getSession()  Session
    • #ApacheCon Session Management Architecture Subject SessionManager .getSession()  Session Factory Session
    • #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session Factory Session
    • #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Factory Session
    • #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Cache Session Factory Session
    • #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Cache Session Factory Session Data store
    • #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Cache Session Factory Validation Scheduler Session Data store
    • #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession()  Session ID Generator Session Cache Session Factory Validation Scheduler Session Listeners Session Data store
    • #ApacheCon Session Clustering: Clustered Data Store of Choice SessionDAO Session ID Generator Session Cache Validation Scheduler Data store
    • #ApacheCon Web Configuration • web.xml elements • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
    • #ApacheCon web.xml <listener> <listener-class> org.apache.shiro.web.env.EnvironmentLoaderListener </listener-class> </listener> <filter> <filter-name>ShiroFilter</filter-name> <filter-class> org.apache.shiro.web.servlet.ShiroFilter </filter-class> </filter>
    • #ApacheCon web.xml cont’d <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> <dispatcher>INCLUDE</dispatcher> <dispatcher>ERROR</dispatcher> </filter-mapping>
    • #ApacheCon shiro.ini overview [main] # bean config here [users] # optional static user accounts (and their roles) here [roles] # optional static roles (and their permissions) here [urls] # filter chains here
    • #ApacheCon Session Clustering
    • #ApacheCon Two Approaches • Write a SessionDAO • Use EnterpriseCacheSessionDAO and write a CacheManager
    • #ApacheCon Cassandra SessionDAO
    • #ApacheCon SessionDAO Concerns SessionManager SessionDAO Session ID Generator Session Cache Data store
    • #ApacheCon Custom SessionDAO public class MySessionDAO extends AbstractSessionDAO { protected void doCreate(Session s){...} protected void doReadSession(Serializable id){...} protected void delete(Session s){...} protected void update(Session s){...} Collection<Session> getActiveSessions(){...} } Or public class MySessionDAO extends CachingSessionDAO { ... //enables write-through caching }
    • #ApacheCon Native Web Session Manager [main] sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager
    • #ApacheCon Cassandra SessionDAO [main] ... cassandraCluster = com.leshazlewood.samples.shiro.cassandra.ClusterFactory sessionDAO = com.leshazlewood.samples.shiro.cassandra.CassandraSessionDAO sessionDAO.cluster = $cassandraCluster sessionDAO.keyspaceName = shirosessions sessionDAO.tableName = sessions ...
    • #ApacheCon Plug in the SessionDAO [main] ... sessionManager.sessionDAO = $sessionDAO
    • #ApacheCon Sessions Table (CQL 3) CREATE TABLE sessions ( id timeuuid PRIMARY KEY, start_ts timestamp, stop_ts timestamp, last_access_ts timestamp, timeout bigint, expired boolean, host varchar, serialized_value blob )
    • #ApacheCon No Validation Scheduler?
    • #ApacheCon No Validation Scheduler? Use Cassandra’s TTL
    • #ApacheCon TTL for session timeout [main] # Cassandra can enforce a TTL. # No need for Shiro to invalidate! sessionManager.sessionValidationSchedulerEnabled = false
    • #ApacheCon Session Upsert (CQL 3) UPDATE sessions USING TTL $timeout SET start_ts = ?, stop_ts = ?, last_access_ts = ?, timeout = ?, expired = ?, host = ?, serialized_value = ? WHERE id = ?
    • #ApacheCon But what about tombstones!?!?
    • #ApacheCon Sessions Table (revised) CREATE TABLE sessions ( id timeuuid PRIMARY KEY, start_ts timestamp, stop_ts timestamp, last_access_ts timestamp, timeout bigint, expired boolean, host varchar, serialized_value blob ) WITH gc_grace_seconds = 86400 AND compacation = {‘class’:’LeveledCompactionStrategy’}
    • #ApacheCon But what about row caching?
    • #ApacheCon Row Cache? Probably don’t need it (but maybe in some cases it would be useful) • SSTable likely in Operating System page cache (off heap) • DO use Key Cache (very important, enabled by default in 1.2)
    • #ApacheCon Code $ git clone https://github.com/lhazlewood/shiro- cassandra-sample.git $ cd shiro-cassandra-sample $ $CASSANDRA_HOME/bin/cassandra $ mvn jetty:run Open a browser to http://localhost:8080
    • #ApacheCon Thank You! • les@stormpath.com • Twitter: @lhazlewood • http://www.stormpath.com