Downloaded 44 times
![#ApacheCon
shiro.ini overview
[main]
# bean config here
[users]
# optional static user accounts (and their roles) here
[roles]
# optional static roles (and their permissions) here
[urls]
# filter chains here](https://image.slidesharecdn.com/infinitesessionclusteringwithapacheshiro9x16updated111-140331175432-phpapp02/75/ApacheCon-2014-Infinite-Session-Clustering-with-Apache-Shiro-Cassandra-23-2048.jpg)
![#ApacheCon
Native Web Session Manager
[main]
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager](https://image.slidesharecdn.com/infinitesessionclusteringwithapacheshiro9x16updated111-140331175432-phpapp02/75/ApacheCon-2014-Infinite-Session-Clustering-with-Apache-Shiro-Cassandra-29-2048.jpg)
![#ApacheCon
Cassandra SessionDAO
[main]
...
cassandraCluster = com.leshazlewood.samples.shiro.cassandra.ClusterFactory
sessionDAO = com.leshazlewood.samples.shiro.cassandra.CassandraSessionDAO
sessionDAO.cluster = $cassandraCluster
sessionDAO.keyspaceName = shirosessions
sessionDAO.tableName = sessions
...](https://image.slidesharecdn.com/infinitesessionclusteringwithapacheshiro9x16updated111-140331175432-phpapp02/75/ApacheCon-2014-Infinite-Session-Clustering-with-Apache-Shiro-Cassandra-30-2048.jpg)
![#ApacheCon
Plug in the SessionDAO
[main]
...
sessionManager.sessionDAO = $sessionDAO](https://image.slidesharecdn.com/infinitesessionclusteringwithapacheshiro9x16updated111-140331175432-phpapp02/75/ApacheCon-2014-Infinite-Session-Clustering-with-Apache-Shiro-Cassandra-31-2048.jpg)
![#ApacheCon
TTL for session timeout
[main]
# Cassandra can enforce a TTL.
# No need for Shiro to invalidate!
sessionManager.sessionValidationSchedulerEnabled = false](https://image.slidesharecdn.com/infinitesessionclusteringwithapacheshiro9x16updated111-140331175432-phpapp02/75/ApacheCon-2014-Infinite-Session-Clustering-with-Apache-Shiro-Cassandra-35-2048.jpg)
Uploaded byDataStax Academy
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
The document details a presentation on implementing session clustering with Apache Shiro and Cassandra. It covers session management, security workflows, and web application architecture, along with examples of configuration using web.xml and shiro.ini files. The integration of session management with Cassandra, including session DAO and caching strategies, is also discussed.
More Related Content
![How does Riak compare to Cassandra? [Cassandra London User Group July 2011]](https://cdn.slidesharecdn.com/ss_thumbnails/cassandralondonugjuly2011-110720110309-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
![[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-digitalaccessibilitywhydevelopersneedtoknowandcarein2025-251127011019-0674441d-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-phpinaiagethelaravelway-251125012602-ef9d330e-thumbnail.jpg?width=640&height=640&fit=bounds)
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
- 1. #ApacheCon Infinite Session Clusteringwith Apache Shiro & Cassandra Les Hazlewood @lhazlewood Apache Shiro Project Chair CTO, Stormpath stormpath.com ApacheCon 2014
- 2. #ApacheCon .com • User Managementand Authentication API • Security for your applications • User security workflows • Security best practices • Developer tools, SDKs, libraries
- 3. #ApacheCon • Application securityframework • ASF TLP http://shiro.apache.org • Quick and Easy • Simplifies Security What is Apache Shiro?
- 4. #ApacheCon Web Session Management AuxiliaryFeatures AuthorizationAuthentication Cryptography Session Management Web Support
- 5. #ApacheCon Quick Concepts Subject currentUser= SecurityUtils.getSubject(); currentUser.login(...) currentUser.isPermitted(...)
- 6. #ApacheCon Session Management Defined Managingthe lifecycle of Subject-specific temporal data context
- 7. #ApacheCon Session Management Features •Heterogeneous client access • POJO/J2SE based (IoC friendly) • Event listeners • Host address retention • Inactivity/expiration support (touch()) • Transparent web use - HttpSession • Container-Independent Clustering!
- 8. #ApacheCon Acquiring and CreatingSessions Subject subject = SecurityUtils.getSubject() //guarantee a session Session session = subject.getSession(); //get a session if it exists subject.getSession(false);
- 9.
- 10. #ApacheCon Session Management Architecture Subject.getSession() Session
- 11.
- 12. #ApacheCon Session Management Architecture Subject SessionManager .getSession() Session Factory Session
- 13. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession() Session Factory Session
- 14. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession() Session ID Generator Session Factory Session
- 15. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession() Session ID Generator Session Cache Session Factory Session
- 16. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession() Session ID Generator Session Cache Session Factory Session Data store
- 17. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession() Session ID Generator Session Cache Session Factory Validation Scheduler Session Data store
- 18. #ApacheCon Session Management Architecture Subject SessionManager SessionDAO .getSession() Session ID Generator Session Cache Session Factory Validation Scheduler Session Listeners Session Data store
- 19. #ApacheCon Session Clustering: Clustered DataStore of Choice SessionDAO Session ID Generator Session Cache Validation Scheduler Data store
- 20. #ApacheCon Web Configuration • web.xmlelements • Protects all URLs • Innovative Filtering (URL-specific chains) • JSP Tag support • Transparent HttpSession support
- 21.
- 22.
- 23. #ApacheCon shiro.ini overview [main] # beanconfig here [users] # optional static user accounts (and their roles) here [roles] # optional static roles (and their permissions) here [urls] # filter chains here
- 24.
- 25. #ApacheCon Two Approaches • Writea SessionDAO • Use EnterpriseCacheSessionDAO and write a CacheManager
- 26.
- 27.
- 28. #ApacheCon Custom SessionDAO public classMySessionDAO extends AbstractSessionDAO { protected void doCreate(Session s){...} protected void doReadSession(Serializable id){...} protected void delete(Session s){...} protected void update(Session s){...} Collection<Session> getActiveSessions(){...} } Or public class MySessionDAO extends CachingSessionDAO { ... //enables write-through caching }
- 29. #ApacheCon Native Web SessionManager [main] sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager
- 30. #ApacheCon Cassandra SessionDAO [main] ... cassandraCluster =com.leshazlewood.samples.shiro.cassandra.ClusterFactory sessionDAO = com.leshazlewood.samples.shiro.cassandra.CassandraSessionDAO sessionDAO.cluster = $cassandraCluster sessionDAO.keyspaceName = shirosessions sessionDAO.tableName = sessions ...
- 31. #ApacheCon Plug in theSessionDAO [main] ... sessionManager.sessionDAO = $sessionDAO
- 32. #ApacheCon Sessions Table (CQL3) CREATE TABLE sessions ( id timeuuid PRIMARY KEY, start_ts timestamp, stop_ts timestamp, last_access_ts timestamp, timeout bigint, expired boolean, host varchar, serialized_value blob )
- 33.
- 34. #ApacheCon No Validation Scheduler? UseCassandra’s TTL
- 35. #ApacheCon TTL for sessiontimeout [main] # Cassandra can enforce a TTL. # No need for Shiro to invalidate! sessionManager.sessionValidationSchedulerEnabled = false
- 36. #ApacheCon Session Upsert (CQL3) UPDATE sessions USING TTL $timeout SET start_ts = ?, stop_ts = ?, last_access_ts = ?, timeout = ?, expired = ?, host = ?, serialized_value = ? WHERE id = ?
- 37. #ApacheCon But what abouttombstones!?!?
- 38. #ApacheCon Sessions Table (revised) CREATETABLE sessions ( id timeuuid PRIMARY KEY, start_ts timestamp, stop_ts timestamp, last_access_ts timestamp, timeout bigint, expired boolean, host varchar, serialized_value blob ) WITH gc_grace_seconds = 86400 AND compacation = {‘class’:’LeveledCompactionStrategy’}
- 39. #ApacheCon But what aboutrow caching?
- 40. #ApacheCon Row Cache? Probably don’tneed it (but maybe in some cases it would be useful) • SSTable likely in Operating System page cache (off heap) • DO use Key Cache (very important, enabled by default in 1.2)
- 41. #ApacheCon Code $ git clonehttps://github.com/lhazlewood/shiro- cassandra-sample.git $ cd shiro-cassandra-sample $ $CASSANDRA_HOME/bin/cassandra $ mvn jetty:run Open a browser to http://localhost:8080
- 42. #ApacheCon Thank You! • les@stormpath.com •Twitter: @lhazlewood • http://www.stormpath.com