Hi guys, Until we can spend a proper amount of time writing the docs for this, here is the 'Cliff's Notes' version:
Shiro has three important cache interfaces: org.apache.shiro.cache.CacheManager and org.apache.shiro.cache.Cache org.apache.shiro.cache.CacheManagerAware A CacheManager returns Cache instances and various Shiro components use those Cache instances to cache data as necessary. Any Shiro component that implements CacheManager will automatically receive a configured CacheManager, where it can be used to acquire Cache instances. The Shiro SecurityManager implementations and all AuthorizingRealm implementations implement CacheManagerAware. If you set the CacheManager on the SecurityManager, it will in turn set it on the various Realms that implement CacheManagerAware as well (OO delegation). For example, in shiro.ini: securityManager.realms = $myRealm1, $myRealm2, ..., $myRealmN ... cacheManager = my.implementation.of.CacheManager ... securityManager.cacheManager = $cacheManager # at this point, the securityManager and all CacheManagerAware # realms have been set with the cacheManager instance We have out-of-the-box Ehcache implementations of CacheManager/Cache, so you can use that today if you wanted. Otherwise, you can implement your own CacheManager (e.g. via Coherence, etc) and configure it as above, and you'll be good to go. Finally note that AuthorizingRealm has a convenience method 'clearCachedAuthorizationInfo' that can be called by subclasses to evict the cached authzInfo for a particular account. It is usually called by custom logic if the corresponding account's authz data has changed (to ensure the next authz check will pick up the new data). Does this help? Are there any glaring holes that you guys are still wondering about? Cheers, -- Les Hazlewood Founder, Katasoft, Inc. Application Security Products & Professional Apache Shiro Support and Training: http://www.katasoft.com
