Fork me on GitHub

Apache Shiro Logo Simple. Java. Security. Apache Software Foundation Event Banner

Handy Hint
Shiro v1 version notice

As of February 28, 2024, Shiro v1 was superseded by v2.

Apache Shiro Cache Manager Overview

Shiro has three important cache interfaces:

A CacheManager returns Cache instances and various Shiro components use those Cache< instances to cache data as necessary. Any Shiro component that implements CacheManager will automatically receive a configured CacheManager, where it can be used to acquire Cache instances.

The Shiro SecurityManager implementations and all AuthorizingRealm implementations implement CacheManagerAware. If you set the CacheManager on the SecurityManager, it will in turn set it on the various Realms that implement CacheManagerAware as well (OO delegation). For example, in shiro.ini:

example shiro.ini CacheManager configuration
securityManager.realms = $myRealm1, $myRealm2, ..., $myRealmN
...
cacheManager = my.implementation.of.CacheManager
...
securityManager.cacheManager = $cacheManager
# at this point, the securityManager and all CacheManagerAware
# realms have been set with the cacheManager instance

We have an out-of-the-box EhCacheManager implementation, so you can use that today if you wanted. Otherwise, you can implement your own CacheManager (e.g. with Coherence, etc.) and configure it as above, and you’ll be good to go.

Authorization Cache Invalidation

Finally, note that AuthorizingRealm has a clearCachedAuthorizationInfo method that can be called by subclasses to evict the cached authzInfo for a particular account. It is usually called by custom logic if the corresponding account’s authz data has changed (to ensure the next authz check will pick up the new data).