In this session Les Hazlewood, the Apache Shiro PMC Chair, will cover Shiro's enterprise session management capabilities, how it can be used across any application (not just web or JEE applications) and how to use Cassandra as Shiro's session store, enabling a distributed session cluster supporting hundreds of thousands or even millions of concurrent sessions. As a working example, Les will show how to set up a session cluster in under 10 minutes using Cassandra. If you need to scale user session load, you won't want to miss this!
2. #Cassandra13
.com
• User Management and Authentication API
• Security for your applications
• User security workflows
• Security best practices
• Developer tools, SDKs, libraries
3. #Cassandra13
What is Apache Shiro?
• Application security framework
• ASF TLP http://shiro.apache.org
• Quick and Easy
• Simplifies Security
4. #Cassandra13
Web Session Management
[Diagram labels: Auxiliary Features, Authorization, Authentication, Cryptography, Session Management, Web Support]
7. #Cassandra13
Session Management Features
• Heterogeneous client access
• POJO/J2SE based (IoC friendly)
• Event listeners
• Host address retention
• Inactivity/expiration support (touch())
• Transparent web use - HttpSession
• Container-Independent Clustering!
8. #Cassandra13
Acquiring and Creating Sessions
Subject subject = SecurityUtils.getSubject();
//guarantee a session
Session session = subject.getSession();
//get a session if it exists
subject.getSession(false);
16. #Cassandra13
Session Management Architecture
[Diagram: Subject (.getSession() →), SessionManager, SessionDAO, Session ID Generator, Session Cache, Session Factory, Session, Data store]
17. #Cassandra13
Session Management Architecture
[Diagram: Subject (.getSession() →), SessionManager, SessionDAO, Session ID Generator, Session Cache, Session Factory, Validation Scheduler, Session, Data store]
18. #Cassandra13
Session Management Architecture
[Diagram: Subject (.getSession() →), SessionManager, SessionDAO, Session ID Generator, Session Cache, Session Factory, Validation Scheduler, Session Listeners, Session, Data store]
19. #Cassandra13
Session Clustering: Clustered Data Store of Choice
[Diagram: SessionDAO, Session ID Generator, Session Cache, Validation Scheduler, Data store]
20. #Cassandra13
Web Configuration
• web.xml elements
• Protects all URLs
• Innovative Filtering (URL-specific chains)
• JSP Tag support
• Transparent HttpSession support
23. #Cassandra13
shiro.ini overview
[main]
# bean config here
[users]
# optional static user accounts (and their roles) here
[roles]
# optional static roles (and their permissions) here
[urls]
# filter chains here
35. #Cassandra13
TTL for session timeout
[main]
# Cassandra can enforce a TTL.
# No need for Shiro to invalidate!
sessionManager.sessionValidationSchedulerEnabled = false
36. #Cassandra13
Session Upsert (CQL 3)
UPDATE sessions USING TTL $timeout SET
start_ts = ?,
stop_ts = ?,
last_access_ts = ?,
timeout = ?,
expired = ?,
host = ?,
serialized_value = ?
WHERE
id = ?
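One way the session-manager settings from the slides above could be wired together in the [main] section of shiro.ini. This is an added example, not taken from the talk or its sample project; the DAO class name com.example.CassandraSessionDAO and the 30-minute timeout are assumptions.

```ini
[main]
# Native (Shiro-managed) web sessions instead of the servlet container's.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager

# Hypothetical SessionDAO that runs the TTL upsert against Cassandra.
sessionDAO = com.example.CassandraSessionDAO
sessionManager.sessionDAO = $sessionDAO

# Idle timeout in milliseconds (30 minutes here, an assumed value).
# CQL's USING TTL takes seconds, so the DAO has to convert before it
# builds the statement, and it should only ever interpolate a validated
# integer into the $timeout position.
sessionManager.globalSessionTimeout = 1800000

# Cassandra expires the row, so Shiro's periodic validation is turned off.
# This relies on every session write going through the TTL upsert, so that
# each update resets the row's time to live.
sessionManager.sessionValidationSchedulerEnabled = false

# Keep the session ID cookie away from page scripts and plain HTTP.
# secure = true needs HTTPS; leave it unset for a plain-HTTP localhost run.
sessionManager.sessionIdCookie.httpOnly = true
sessionManager.sessionIdCookie.secure = true
```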
40. #Cassandra13
Row Cache?
Probably don't need it (but maybe in some cases it would be useful)
• SSTable likely in Operating System page cache (off heap)
• DO use Key Cache (very important, enabled by default in 1.2)
41. #Cassandra13
Code
$ git clone https://github.com/lhazlewood/shiro-cassandra-sample.git
$ cd shiro-cassandra-sample
$ $CASSANDRA_HOME/bin/cassandra
$ mvn jetty:run
Open a browser to http://localhost:8080