shiro-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lhazlew...@apache.org
Subject svn commit: r1373556 [2/3] - in /shiro/site-template/src/main/webapp: index.html inner.html static/assets/css/confluence.css static/assets/css/style.css
Date Wed, 15 Aug 2012 18:32:14 GMT
Modified: shiro/site-template/src/main/webapp/inner.html
URL: http://svn.apache.org/viewvc/shiro/site-template/src/main/webapp/inner.html?rev=1373556&r1=1373555&r2=1373556&view=diff
==============================================================================
--- shiro/site-template/src/main/webapp/inner.html (original)
+++ shiro/site-template/src/main/webapp/inner.html Wed Aug 15 18:32:09 2012
@@ -22,6 +22,7 @@
     <meta name="msvalidate.01" content="0B57EB46CBFAD8FD45008D2DB6B6C68C"/>
     <meta name="y_key" content="e47896cd6bae4920"/>
     <title>Apache Shiro | Home</title>
+    <link rel="stylesheet" type="text/css" href="https://raw.github.com/necolas/normalize.css/master/normalize.css"/>
     <link rel="stylesheet" type="text/css" href="static/assets/css/confluence.css" media="screen">
     <link rel="stylesheet" type="text/css" href="static/assets/css/style.css"/>
 </head>
@@ -59,175 +60,175 @@
             </div> <!--END SECONDARY NAVIGATION-->
         </div> <!--END HEADER-->
 
-        <div id="content">
-    <DIV>
-        <UL>
-            <LI><A href="#SessionManagement-SessionManagement">Session Management</A></LI>
+        <DIV id="content">
+        <DIV class="toc">
             <UL>
-                <LI><A href="#SessionManagement-UsingSessions">Using Sessions</A></LI>
-                <LI><A href="#SessionManagement-TheSessionManager">The SessionManager</A></LI>
+                <LI><A href="#SessionManagement-SessionManagement">Session Management</A></LI>
                 <UL>
-                    <LI><A href="#SessionManagement-SessionTimeout">Session Timeout</A></LI>
-                    <UL>
-                        <LI><A href="#SessionManagement-PerSessionTimeout">Per-Session Timeout</A></LI>
-                    </UL>
-                    <LI><A href="#SessionManagement-SessionListeners">Session Listeners</A></LI>
-                    <LI><A href="#SessionManagement-SessionStorage">Session Storage</A></LI>
+                    <LI><A href="#SessionManagement-UsingSessions">Using Sessions</A></LI>
+                    <LI><A href="#SessionManagement-TheSessionManager">The SessionManager</A></LI>
                     <UL>
-                        <LI><A href="#SessionManagement-EHCacheSessionDAO">EHCache SessionDAO</A></LI>
+                        <LI><A href="#SessionManagement-SessionTimeout">Session Timeout</A></LI>
                         <UL>
-                            <LI><A href="#SessionManagement-EHCacheSessionCacheConfiguration">EHCache Session Cache Configuration</A></LI>
-                            <LI><A href="#SessionManagement-EHCacheSessionCacheName">EHCache Session Cache Name</A></LI>
+                            <LI><A href="#SessionManagement-PerSessionTimeout">Per-Session Timeout</A></LI>
+                        </UL>
+                        <LI><A href="#SessionManagement-SessionListeners">Session Listeners</A></LI>
+                        <LI><A href="#SessionManagement-SessionStorage">Session Storage</A></LI>
+                        <UL>
+                            <LI><A href="#SessionManagement-EHCacheSessionDAO">EHCache SessionDAO</A></LI>
+                            <UL>
+                                <LI><A href="#SessionManagement-EHCacheSessionCacheConfiguration">EHCache Session Cache Configuration</A></LI>
+                                <LI><A href="#SessionManagement-EHCacheSessionCacheName">EHCache Session Cache Name</A></LI>
+                            </UL>
+                            <LI><A href="#SessionManagement-CustomSessionIDs">Custom Session IDs</A></LI>
+                        </UL>
+                        <LI><A href="#SessionManagement-SessionValidation%2526Scheduling">Session Validation &amp; Scheduling</A></LI>
+                        <UL>
+                            <LI><A href="#SessionManagement-DefaultSessionValidationScheduler">Default SessionValidationScheduler</A></LI>
+                            <LI><A href="#SessionManagement-CustomSessionValidationScheduler">Custom SessionValidationScheduler</A></LI>
+                            <LI><A href="#SessionManagement-DisablingSessionValidation">Disabling Session Validation</A></LI>
+                            <LI><A href="#SessionManagement-InvalidSessionDeletion">Invalid Session Deletion</A></LI>
                         </UL>
-                        <LI><A href="#SessionManagement-CustomSessionIDs">Custom Session IDs</A></LI>
-                    </UL>
-                    <LI><A href="#SessionManagement-SessionValidation%2526Scheduling">Session Validation &amp; Scheduling</A></LI>
-                    <UL>
-                        <LI><A href="#SessionManagement-DefaultSessionValidationScheduler">Default SessionValidationScheduler</A></LI>
-                        <LI><A href="#SessionManagement-CustomSessionValidationScheduler">Custom SessionValidationScheduler</A></LI>
-                        <LI><A href="#SessionManagement-DisablingSessionValidation">Disabling Session Validation</A></LI>
-                        <LI><A href="#SessionManagement-InvalidSessionDeletion">Invalid Session Deletion</A></LI>
                     </UL>
-                </UL>
-                <LI><A href="#SessionManagement-SessionClustering">Session Clustering</A></LI>
-                <UL>
-                    <LI><A href="#SessionManagement-%257B%257BEnterpriseCacheSessionDAO%257D%257D"> <TT>EnterpriseCacheSessionDAO</TT></A></LI>
-                    <LI><A href="#SessionManagement-EhcacheTerracotta">Ehcache + Terracotta</A></LI>
-                    <LI><A href="#SessionManagement-Zookeeper">Zookeeper</A></LI>
-                </UL>
-                <LI><A href="#SessionManagement-SessionsandSubjectState">Sessions and Subject State</A></LI>
-                <UL>
-                    <LI><A href="#SessionManagement-StatefulApplications%2528Sessionsallowed%2529">Stateful Applications (Sessions allowed)</A></LI>
-                    <LI><A href="#SessionManagement-StatelessApplications%2528Sessionless%2529">Stateless Applications (Sessionless)</A></LI>
+                    <LI><A href="#SessionManagement-SessionClustering">Session Clustering</A></LI>
                     <UL>
-                        <LI><A href="#SessionManagement-DisablingSubjectStateSessionStorage">Disabling Subject State Session Storage</A></LI>
+                        <LI><A href="#SessionManagement-%257B%257BEnterpriseCacheSessionDAO%257D%257D"> <TT>EnterpriseCacheSessionDAO</TT></A></LI>
+                        <LI><A href="#SessionManagement-EhcacheTerracotta">Ehcache + Terracotta</A></LI>
+                        <LI><A href="#SessionManagement-Zookeeper">Zookeeper</A></LI>
                     </UL>
-                    <LI><A href="#SessionManagement-AHybridApproach">A Hybrid Approach</A></LI>
+                    <LI><A href="#SessionManagement-SessionsandSubjectState">Sessions and Subject State</A></LI>
                     <UL>
-                        <LI><A href="#SessionManagement-SessionStorageEvaluator">SessionStorageEvaluator</A></LI>
+                        <LI><A href="#SessionManagement-StatefulApplications%2528Sessionsallowed%2529">Stateful Applications (Sessions allowed)</A></LI>
+                        <LI><A href="#SessionManagement-StatelessApplications%2528Sessionless%2529">Stateless Applications (Sessionless)</A></LI>
+                        <UL>
+                            <LI><A href="#SessionManagement-DisablingSubjectStateSessionStorage">Disabling Subject State Session Storage</A></LI>
+                        </UL>
+                        <LI><A href="#SessionManagement-AHybridApproach">A Hybrid Approach</A></LI>
                         <UL>
-                            <LI><A href="#SessionManagement-SubjectInspection">Subject Inspection</A></LI>
+                            <LI><A href="#SessionManagement-SessionStorageEvaluator">SessionStorageEvaluator</A></LI>
+                            <UL>
+                                <LI><A href="#SessionManagement-SubjectInspection">Subject Inspection</A></LI>
+                            </UL>
+                            <LI><A href="#SessionManagement-Configuration">Configuration</A></LI>
                         </UL>
-                        <LI><A href="#SessionManagement-Configuration">Configuration</A></LI>
+                        <LI><A href="#SessionManagement-WebApplications">Web Applications</A></LI>
                     </UL>
-                    <LI><A href="#SessionManagement-WebApplications">Web Applications</A></LI>
                 </UL>
-            </UL>
-        </UL></DIV>
+            </UL></DIV>
 
-    <H1><A name="SessionManagement-SessionManagement"></A>Session Management</H1>
+        <H1><A name="SessionManagement-SessionManagement"></A>Session Management</H1>
 
-    <P>Apache Shiro offers something unique in the world of security frameworks: a complete enterprise-grade Session solution for any application, from the simplest command-line and smart phone applications to the largest clustered enterprise web applications.</P>
+        <P>Apache Shiro offers something unique in the world of security frameworks: a complete enterprise-grade Session solution for any application, from the simplest command-line and smart phone applications to the largest clustered enterprise web applications.</P>
 
-    <P>This has large implications for many applications - until Shiro, if you required session support, you were required to deploy your application in a web container or use EJB Stateful Session Beans.  Shiro's Session support is much simpler to use and manage than either of these two mechanisms, and it is available in any application, regardless of container.  </P>
+        <P>This has large implications for many applications - until Shiro, if you required session support, you were required to deploy your application in a web container or use EJB Stateful Session Beans.  Shiro's Session support is much simpler to use and manage than either of these two mechanisms, and it is available in any application, regardless of container.  </P>
 
-    <P>And even if you deploy your application in a Servlet or EJB container, there are still compelling reasons to use Shiro's Session support instead of the container's.  Here is a list of the most desirable features provided by Shiro's session support:</P>
+        <P>And even if you deploy your application in a Servlet or EJB container, there are still compelling reasons to use Shiro's Session support instead of the container's.  Here is a list of the most desirable features provided by Shiro's session support:</P>
 
-    <P><B>Features</B></P>
+        <P><B>Features</B></P>
 
-    <UL>
-        <LI><B>POJO/J2SE based (IoC friendly)</B> - Everything in Shiro (including all aspects of Sessions and Session Management) is interface-based and implemented with POJOs.  This allows you to easily configure all session components with any JavaBeans-compatible configuration format, like JSON, YAML, Spring XML or similar mechanisms. You can also easily extend Shiro's components or write your own as necessary to fully customize session management functionality.</LI>
-    </UL>
+        <UL>
+            <LI><B>POJO/J2SE based (IoC friendly)</B> - Everything in Shiro (including all aspects of Sessions and Session Management) is interface-based and implemented with POJOs.  This allows you to easily configure all session components with any JavaBeans-compatible configuration format, like JSON, YAML, Spring XML or similar mechanisms. You can also easily extend Shiro's components or write your own as necessary to fully customize session management functionality.</LI>
+        </UL>
 
 
-    <UL>
-        <LI><B>Easy Custom Session Storage</B> - Because Shiro's Session objects are POJO-based, session data can be easily stored in any number of data sources.  This allows you to customize exactly where your application's session data resides - for example, the file system, in memory, in a networked distributed cache, a relational database, or proprietary data store.</LI>
-    </UL>
+        <UL>
+            <LI><B>Easy Custom Session Storage</B> - Because Shiro's Session objects are POJO-based, session data can be easily stored in any number of data sources.  This allows you to customize exactly where your application's session data resides - for example, the file system, in memory, in a networked distributed cache, a relational database, or proprietary data store.</LI>
+        </UL>
 
 
-    <UL>
-        <LI><B>Container-Independent Clustering!</B> - Shiro's sessions can be easily clustered using any of the readily-available networked caching products, like Ehcache + Terracotta, Coherence, GigaSpaces, et. al.  This means you can configure session clustering for Shiro once and only once, and no matter what container you deploy to, your sessions will be clustered the same way.  No need for container-specific configuration!</LI>
-    </UL>
+        <UL>
+            <LI><B>Container-Independent Clustering!</B> - Shiro's sessions can be easily clustered using any of the readily-available networked caching products, like Ehcache + Terracotta, Coherence, GigaSpaces, et. al.  This means you can configure session clustering for Shiro once and only once, and no matter what container you deploy to, your sessions will be clustered the same way.  No need for container-specific configuration!</LI>
+        </UL>
 
 
-    <UL>
-        <LI><B>Heterogeneous Client Access</B> - Unlike EJB or Web sessions, Shiro sessions can be 'shared' across various client technologies.  For example, a desktop application could 'see' and 'share' the same physical session used by the same user in a web application.  We are unaware of any framework other than Shiro that can support this.</LI>
-    </UL>
+        <UL>
+            <LI><B>Heterogeneous Client Access</B> - Unlike EJB or Web sessions, Shiro sessions can be 'shared' across various client technologies.  For example, a desktop application could 'see' and 'share' the same physical session used by the same user in a web application.  We are unaware of any framework other than Shiro that can support this.</LI>
+        </UL>
 
 
-    <UL>
-        <LI><B>Event Listeners</B> - Event listeners allow you to listen to lifecycle events during a session's lifetime.  You can listen for these events and react to them for custom application behavior - for example, updating a user record when their session expires.</LI>
-    </UL>
+        <UL>
+            <LI><B>Event Listeners</B> - Event listeners allow you to listen to lifecycle events during a session's lifetime.  You can listen for these events and react to them for custom application behavior - for example, updating a user record when their session expires.</LI>
+        </UL>
 
 
-    <UL>
-        <LI><B>Host Address Retention</B> &ndash; Shiro Sessions retain the IP address or host name of the host from where the session was initiated.  This allows you to determine where the user is located and react accordingly (often useful in intranet environments where IP association is deterministic).</LI>
-    </UL>
+        <UL>
+            <LI><B>Host Address Retention</B> &ndash; Shiro Sessions retain the IP address or host name of the host from where the session was initiated.  This allows you to determine where the user is located and react accordingly (often useful in intranet environments where IP association is deterministic).</LI>
+        </UL>
 
 
-    <UL>
-        <LI><B>Inactivity/Expiration Support</B> &ndash; Sessions expire due to inactivity as expected, but they can be prolonged via a <TT>touch()</TT> method to keep them 'alive' if desired.  This is useful in Rich Internet Application (RIA) environments where the user might be using a desktop application, but may not be regularly communicating with the server, but the server session should not expire.</LI>
-    </UL>
+        <UL>
+            <LI><B>Inactivity/Expiration Support</B> &ndash; Sessions expire due to inactivity as expected, but they can be prolonged via a <TT>touch()</TT> method to keep them 'alive' if desired.  This is useful in Rich Internet Application (RIA) environments where the user might be using a desktop application, but may not be regularly communicating with the server, but the server session should not expire.</LI>
+        </UL>
 
 
-    <UL>
-        <LI><B>Transparent Web Use</B> - Shiro's web support fully implements and supports the Servlet 2.5 specification for Sessions (<TT>HttpSession</TT> interface and all of it's associated APIs). This means you can use Shiro sessions in existing web applications and you don't need to change any of your existing web code.</LI>
-    </UL>
+        <UL>
+            <LI><B>Transparent Web Use</B> - Shiro's web support fully implements and supports the Servlet 2.5 specification for Sessions (<TT>HttpSession</TT> interface and all of it's associated APIs). This means you can use Shiro sessions in existing web applications and you don't need to change any of your existing web code.</LI>
+        </UL>
 
 
-    <UL>
-        <LI><B>Can be used for SSO</B> - Because Shiro session's are POJO based, they are easily stored in any data source, and they can be 'shared' across applications if needed.  We call this 'poor man's SSO', and it can be used to provide a simple sign-on experience since the shared session can retain authentication state.</LI>
-    </UL>
+        <UL>
+            <LI><B>Can be used for SSO</B> - Because Shiro session's are POJO based, they are easily stored in any data source, and they can be 'shared' across applications if needed.  We call this 'poor man's SSO', and it can be used to provide a simple sign-on experience since the shared session can retain authentication state.</LI>
+        </UL>
 
 
-    <H2><A name="SessionManagement-UsingSessions"></A>Using Sessions</H2>
+        <H2><A name="SessionManagement-UsingSessions"></A>Using Sessions</H2>
 
-    <P>Like almost everything else in Shiro, you acquire a <TT>Session</TT> by interacting with the currently executing <TT>Subject</TT>:</P>
+        <P>Like almost everything else in Shiro, you acquire a <TT>Session</TT> by interacting with the currently executing <TT>Subject</TT>:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
 <PRE class="code-java">
 Subject currentUser = SecurityUtils.getSubject();
 
 Session session = currentUser.getSession();
 session.setAttribute( <SPAN class="code-quote">&quot;someKey&quot;</SPAN>, someValue);
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>The <TT>subject.getSession()</TT> method is a shortcut for calling <TT>currentUser.getSubject(true)</TT>.  </P>
+        <P>The <TT>subject.getSession()</TT> method is a shortcut for calling <TT>currentUser.getSubject(true)</TT>.  </P>
 
-    <P>For those familiar with <TT>HttpServletRequest</TT> API, the <TT>Suject.getSession(boolean create)</TT> method functions the same way as the <TT>HttpServletRequest.getSession(boolean create)</TT> method:</P>
-    <UL>
-        <LI>If the <TT>Subject</TT> already has a <TT>Session</TT>, the boolean argument is ignored and the <TT>Session</TT> is returned immediately</LI>
-        <LI>If the <TT>Subject</TT> does not yet have a <TT>Session</TT> and the <TT>create</TT> boolean argument is <TT>true</TT>, a new session will be created and returned.</LI>
-        <LI>If the <TT>Subject</TT> does not yet have a <TT>Session</TT> and the <TT>create</TT> boolean argument is <TT>false</TT>, a new session will not be created and <TT>null</TT> is returned.</LI>
-    </UL>
+        <P>For those familiar with <TT>HttpServletRequest</TT> API, the <TT>Suject.getSession(boolean create)</TT> method functions the same way as the <TT>HttpServletRequest.getSession(boolean create)</TT> method:</P>
+        <UL>
+            <LI>If the <TT>Subject</TT> already has a <TT>Session</TT>, the boolean argument is ignored and the <TT>Session</TT> is returned immediately</LI>
+            <LI>If the <TT>Subject</TT> does not yet have a <TT>Session</TT> and the <TT>create</TT> boolean argument is <TT>true</TT>, a new session will be created and returned.</LI>
+            <LI>If the <TT>Subject</TT> does not yet have a <TT>Session</TT> and the <TT>create</TT> boolean argument is <TT>false</TT>, a new session will not be created and <TT>null</TT> is returned.</LI>
+        </UL>
 
 
-    <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Any Application</B><BR><TT>getSession</TT> calls work in any application, even non-web applications.</TD></TR></TABLE></DIV>
+        <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Any Application</B><BR><TT>getSession</TT> calls work in any application, even non-web applications.</TD></TR></TABLE></DIV>
 
-    <P><TT>subject.getSession(false)</TT> can be used to good effect when developing framework code to ensure a Session isn't created unnecessarily.</P>
+        <P><TT>subject.getSession(false)</TT> can be used to good effect when developing framework code to ensure a Session isn't created unnecessarily.</P>
 
-    <P>Once you acquire a Subject's <TT>Session</TT> you can do many things with it, like set or retrieve attributes, set its timeout, and more.  See the <A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/Session.html" class="external-link" rel="nofollow">Session JavaDoc</A> to see what is possible with an individual session.</P>
+        <P>Once you acquire a Subject's <TT>Session</TT> you can do many things with it, like set or retrieve attributes, set its timeout, and more.  See the <A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/Session.html" class="external-link" rel="nofollow">Session JavaDoc</A> to see what is possible with an individual session.</P>
 
-    <H2><A name="SessionManagement-TheSessionManager"></A>The SessionManager</H2>
+        <H2><A name="SessionManagement-TheSessionManager"></A>The SessionManager</H2>
 
-    <P>The SessionManager, as its name might imply, manages Sessions for <EM>all</EM> subjects in an application - creation, deletion, inactivity and validation, etc.  Like other core architectural components in Shiro, the <TT>SessionManager</TT> is a top-level component maintained by the <TT>SecurityManager</TT>.</P>
+        <P>The SessionManager, as its name might imply, manages Sessions for <EM>all</EM> subjects in an application - creation, deletion, inactivity and validation, etc.  Like other core architectural components in Shiro, the <TT>SessionManager</TT> is a top-level component maintained by the <TT>SecurityManager</TT>.</P>
 
-    <P>The default <TT>SecurityManager</TT> implementation defaults to using a <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/mgt/DefaultSecurityManager.html" class="external-link" rel="nofollow">DefaultSessionManager</A></TT> out of the box.  The <TT>DefaultSessionManager</TT> implementation provides all of the enterprise-grade session management features needed for an application, like Session validation, orphan cleanup, etc.  This can be used in any application.</P>
+        <P>The default <TT>SecurityManager</TT> implementation defaults to using a <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/mgt/DefaultSecurityManager.html" class="external-link" rel="nofollow">DefaultSessionManager</A></TT> out of the box.  The <TT>DefaultSessionManager</TT> implementation provides all of the enterprise-grade session management features needed for an application, like Session validation, orphan cleanup, etc.  This can be used in any application.</P>
 
-    <DIV class="panelMacro"><TABLE class="infoMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Web Applications</B><BR>Web applications use different <TT>SessionManager</TT> implementations.  Please see the <A href="web.html" title="Web">Web</A> documentation for web-specific Session Management information.</TD></TR></TABLE></DIV>
+        <DIV class="panelMacro"><TABLE class="infoMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Web Applications</B><BR>Web applications use different <TT>SessionManager</TT> implementations.  Please see the <A href="web.html" title="Web">Web</A> documentation for web-specific Session Management information.</TD></TR></TABLE></DIV>
 
-    <P>Like all other components managed by the <TT>SecurityManager</TT>, the <TT>SessionManager</TT> can be acquired or set via JavaBeans-style getter/setter methods on all of Shiro's default <TT>SecurityManager</TT> implementations (<TT>getSessionManager()</TT>/<TT>setSessionManager()</TT>).  Or for example, if using <TT>shiro.ini</TT> <A href="configuration.html" title="Configuration">Configuration</A>:</P>
+        <P>Like all other components managed by the <TT>SecurityManager</TT>, the <TT>SessionManager</TT> can be acquired or set via JavaBeans-style getter/setter methods on all of Shiro's default <TT>SecurityManager</TT> implementations (<TT>getSessionManager()</TT>/<TT>setSessionManager()</TT>).  Or for example, if using <TT>shiro.ini</TT> <A href="configuration.html" title="Configuration">Configuration</A>:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring a new SessionManager in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring a new SessionManager in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
 sessionManager = com.foo.my.SessionManagerImplementation
 securityManager.sessionManager = $sessionManager
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>But creating a <TT>SessionManager</TT> from scratch is a complicated task and not something that most people will want to do themselves.  Shiro's out-of-the-box <TT>SessionManager</TT> implementations are highly customizable and configurable and will suit most needs.  Most of the rest of this documentation assumes that you will be using Shiro's default <TT>SessionManager</TT> implementations when covering configuration options, but note that you can essentially create or plug-in nearly anything you wish.</P>
+        <P>But creating a <TT>SessionManager</TT> from scratch is a complicated task and not something that most people will want to do themselves.  Shiro's out-of-the-box <TT>SessionManager</TT> implementations are highly customizable and configurable and will suit most needs.  Most of the rest of this documentation assumes that you will be using Shiro's default <TT>SessionManager</TT> implementations when covering configuration options, but note that you can essentially create or plug-in nearly anything you wish.</P>
 
-    <P><A name="SessionManagement-sessionTimeout"></A></P>
-    <H3><A name="SessionManagement-SessionTimeout"></A>Session Timeout</H3>
+        <P><A name="SessionManagement-sessionTimeout"></A></P>
+        <H3><A name="SessionManagement-SessionTimeout"></A>Session Timeout</H3>
 
-    <P>By default, Shiro's <TT>SessionManager</TT> implementations default to a 30 minute session timeout.  That is, if any <TT>Session</TT> created remains idle (unused, where its <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/Session.html#getLastAccessTime()" class="external-link" rel="nofollow">lastAccessedTime</A></TT> isn't updated) for 30 minutes or more, the <TT>Session</TT> is considered expired and will not be allowed to be used anymore.</P>
+        <P>By default, Shiro's <TT>SessionManager</TT> implementations default to a 30 minute session timeout.  That is, if any <TT>Session</TT> created remains idle (unused, where its <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/Session.html#getLastAccessTime()" class="external-link" rel="nofollow">lastAccessedTime</A></TT> isn't updated) for 30 minutes or more, the <TT>Session</TT> is considered expired and will not be allowed to be used anymore.</P>
 
-    <P>You can set the default <TT>SessionManager</TT> implementation's <TT>globalSessionTimeout</TT> property to define the default timeout value for all sessions.  For example, if you wanted the timeout to be an hour instead of 30 minutes:</P>
+        <P>You can set the default <TT>SessionManager</TT> implementation's <TT>globalSessionTimeout</TT> property to define the default timeout value for all sessions.  For example, if you wanted the timeout to be an hour instead of 30 minutes:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Setting the Default Session Timeout in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Setting the Default Session Timeout in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
@@ -235,19 +236,19 @@ securityManager.sessionManager = $sessio
 securityManager.sessionManager.globalSessionTimeout = 3600000
 
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <H4><A name="SessionManagement-PerSessionTimeout"></A>Per-Session Timeout</H4>
+        <H4><A name="SessionManagement-PerSessionTimeout"></A>Per-Session Timeout</H4>
 
-    <P>The above <TT>globalSessionTimeout</TT> value is the default for all newly created <TT>Sessions</TT>.  You can control session timeout on a per-Session basis by setting the individual Session's <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/Session.html#setTimeout(long)" class="external-link" rel="nofollow">timeout</A></TT> value.  Like the above <TT>globalSessionTimeout</TT>, the value is time in <B>milliseconds</B> (not seconds).</P>
+        <P>The above <TT>globalSessionTimeout</TT> value is the default for all newly created <TT>Sessions</TT>.  You can control session timeout on a per-Session basis by setting the individual Session's <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/Session.html#setTimeout(long)" class="external-link" rel="nofollow">timeout</A></TT> value.  Like the above <TT>globalSessionTimeout</TT>, the value is time in <B>milliseconds</B> (not seconds).</P>
 
-    <H3><A name="SessionManagement-SessionListeners"></A>Session Listeners</H3>
+        <H3><A name="SessionManagement-SessionListeners"></A>Session Listeners</H3>
 
-    <P>Shiro supports the notion of a <TT>SessionListener</TT> to allow you to react to important session events as they occur.  You can implement the <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/SessionListener.html" class="external-link" rel="nofollow">SessionListener</A></TT> interface (or extend the convenience <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/SessionListenerAdapter.html" class="external-link" rel="nofollow">SessionListenerAdapter</A></TT>) and react to session operations accordingly.</P>
+        <P>Shiro supports the notion of a <TT>SessionListener</TT> to allow you to react to important session events as they occur.  You can implement the <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/SessionListener.html" class="external-link" rel="nofollow">SessionListener</A></TT> interface (or extend the convenience <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/SessionListenerAdapter.html" class="external-link" rel="nofollow">SessionListenerAdapter</A></TT>) and react to session operations accordingly.</P>
 
-    <P>As the default <TT>SessionManager</TT> <TT>sessionListeners</TT> property is a collection, you can configure the <TT>SessionManager</TT> with one or more of your listener implementations like any other collection in <TT>shiro.ini</TT>:</P>
+        <P>As the default <TT>SessionManager</TT> <TT>sessionListeners</TT> property is a collection, you can configure the <TT>SessionManager</TT> with one or more of your listener implementations like any other collection in <TT>shiro.ini</TT>:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>SessionListener Configuration in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>SessionListener Configuration in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
@@ -256,20 +257,20 @@ anotherSessionListener = com.foo.my.Othe
 
 securityManager.sessionManager.sessionListeners = $aSessionListener, $anotherSessionListener, etc.
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <DIV class="panelMacro"><TABLE class="infoMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>All Session Events</B><BR><TT>SessionListeners</TT> are notified when an event occurs for <EM>any</EM> session - not just for a particular session.</TD></TR></TABLE></DIV>
+        <DIV class="panelMacro"><TABLE class="infoMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>All Session Events</B><BR><TT>SessionListeners</TT> are notified when an event occurs for <EM>any</EM> session - not just for a particular session.</TD></TR></TABLE></DIV>
 
-    <P><A name="SessionManagement-sessionstorage"></A></P>
-    <H3><A name="SessionManagement-SessionStorage"></A>Session Storage</H3>
+        <P><A name="SessionManagement-sessionstorage"></A></P>
+        <H3><A name="SessionManagement-SessionStorage"></A>Session Storage</H3>
 
-    <P>Whenever a session is created or updated, its data needs to persisted to a storage location so it is accessible by the application at a later time.  Similarly, when a session is invalid and longer being used, it needs to be deleted from storage so the session data store space is not exhausted.  The <TT>SessionManager</TT> implementations delegate these Create/Read/Update/Delete (CRUD) operations to an internal component, the <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/eis/SessionDAO.html" class="external-link" rel="nofollow">SessionDAO</A></TT>, which reflects the <A href="http://en.wikipedia.org/wiki/Data_access_object" class="external-link" rel="nofollow">Data Access Object (DAO)</A> design pattern.</P>
+        <P>Whenever a session is created or updated, its data needs to persisted to a storage location so it is accessible by the application at a later time.  Similarly, when a session is invalid and longer being used, it needs to be deleted from storage so the session data store space is not exhausted.  The <TT>SessionManager</TT> implementations delegate these Create/Read/Update/Delete (CRUD) operations to an internal component, the <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/eis/SessionDAO.html" class="external-link" rel="nofollow">SessionDAO</A></TT>, which reflects the <A href="http://en.wikipedia.org/wiki/Data_access_object" class="external-link" rel="nofollow">Data Access Object (DAO)</A> design pattern.</P>
 
-    <P>The power of the SessionDAO is that you can implement this interface to communicate with <EM>any</EM> data store you wish.  This means your session data can reside in memory, on the file system, in a relational database or NoSQL data store, or any other location you need.  You have control over persistence behavior.</P>
+        <P>The power of the SessionDAO is that you can implement this interface to communicate with <EM>any</EM> data store you wish.  This means your session data can reside in memory, on the file system, in a relational database or NoSQL data store, or any other location you need.  You have control over persistence behavior.</P>
 
-    <P>You can configure any <TT>SessionDAO</TT> implementation as a property on the default <TT>SessionManager</TT> instance. For example, in shiro.ini:</P>
+        <P>You can configure any <TT>SessionDAO</TT> implementation as a property on the default <TT>SessionManager</TT> instance. For example, in shiro.ini:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring a SessionDAO in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring a SessionDAO in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
@@ -277,13 +278,13 @@ sessionDAO = com.foo.my.SessionDAO
 securityManager.sessionManager.sessionDAO = $sessionDAO
 
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>However, as you might expect, Shiro already has some good <TT>SessionDAO</TT> implementations that you can use out of the box or subclass for your own needs.<BR>
-        <A name="SessionManagement-websessionmanagersessiondao"></A></P>
-    <DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Web Applications</B><BR>The above <TT>securityManager.sessionManager.sessionDAO = $sessionDAO</TT> assignment only works when using a Shiro native session manager.  Web applications by default do not use a native session manager and instead retain the Servlet Container's default session manager which does not support a SessionDAO.  If you would like to enable a SessionDAO in a web-based application for custom session storage or session clustering, you will have to first configure a native web session manager.  For example:
+        <P>However, as you might expect, Shiro already has some good <TT>SessionDAO</TT> implementations that you can use out of the box or subclass for your own needs.<BR>
+            <A name="SessionManagement-websessionmanagersessiondao"></A></P>
+        <DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Web Applications</B><BR>The above <TT>securityManager.sessionManager.sessionDAO = $sessionDAO</TT> assignment only works when using a Shiro native session manager.  Web applications by default do not use a native session manager and instead retain the Servlet Container's default session manager which does not support a SessionDAO.  If you would like to enable a SessionDAO in a web-based application for custom session storage or session clustering, you will have to first configure a native web session manager.  For example:
 
-        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+            <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
@@ -293,24 +294,24 @@ securityManager.sessionManager = $sessio
 # Configure a SessionDAO and then set it:
 securityManager.sessionManager.sessionDAO = $sessionDAO
 </PRE>
-        </DIV></DIV></TD></TR></TABLE></DIV>
+            </DIV></DIV></TD></TR></TABLE></DIV>
 
-    <DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Configure a SessionDAO!</B><BR>Shiro's default configuration native SessionManagers use <B><EM>in-memory-only</EM></B> Session storage.  This is unsuitable for most production applications.  Most production applications will want to either configure the provided EHCache support (see below) or provide their own <TT>SessionDAO</TT> implementation.
+        <DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Configure a SessionDAO!</B><BR>Shiro's default configuration native SessionManagers use <B><EM>in-memory-only</EM></B> Session storage.  This is unsuitable for most production applications.  Most production applications will want to either configure the provided EHCache support (see below) or provide their own <TT>SessionDAO</TT> implementation.
 
-        <P>Note that web applications use a servlet-container-based SessionManager by default and do not have this issue.  This is only an issue when using a Shiro native SessionManager.</P></TD></TR></TABLE></DIV>
+            <P>Note that web applications use a servlet-container-based SessionManager by default and do not have this issue.  This is only an issue when using a Shiro native SessionManager.</P></TD></TR></TABLE></DIV>
 
-    <P><A name="SessionManagement-ehcachesessiondao"></A></P>
-    <H4><A name="SessionManagement-EHCacheSessionDAO"></A>EHCache SessionDAO</H4>
+        <P><A name="SessionManagement-ehcachesessiondao"></A></P>
+        <H4><A name="SessionManagement-EHCacheSessionDAO"></A>EHCache SessionDAO</H4>
 
-    <P>EHCache is not enabled by default, but if you do not plan on implementing your own <TT>SessionDAO</TT>, it is <B>highly</B> recommended that you enable the EHCache support for Shiro's SessionManagement.  The EHCache SessionDAO will store sessions in memory and support overflow to disk if memory becomes constrained.  This is highly desirable for production applications to ensure that you don't randomly 'lose' sessions at runtime.</P>
+        <P>EHCache is not enabled by default, but if you do not plan on implementing your own <TT>SessionDAO</TT>, it is <B>highly</B> recommended that you enable the EHCache support for Shiro's SessionManagement.  The EHCache SessionDAO will store sessions in memory and support overflow to disk if memory becomes constrained.  This is highly desirable for production applications to ensure that you don't randomly 'lose' sessions at runtime.</P>
 
-    <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Use EHCache as your default</B><BR>If you're not writing a custom <TT>SessionDAO</TT>, definitely enable EHCache in your Shiro configuration.  EHCache can also be beneficial beyond Sessions, caching authentication and authorization data as well.  See the <A href="caching.html" title="Caching">Caching</A> documentation for more information.</TD></TR></TABLE></DIV>
-    <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Container-Independent Session Clustering</B><BR>EHCache is also a nice choice if you quickly need container-independent session clustering. You can transparently plug in <A href="http://www.terracotta.org/" class="external-link" rel="nofollow">TerraCotta</A> behind EHCache and have a container-independent clustered session cache.  No more worrying about Tomcat, JBoss, Jetty, WebSphere or WebLogic specific session clustering ever again!</TD></TR></TABLE></DIV>
-    <P>Enabling EHCache for sessions is very easy.  First, ensure that you have the <TT>shiro-ehcache-&lt;version&gt;.jar</TT> file in your classpath (see the <A href="download.html" title="Download">Download</A> page or use Maven or Ant+Ivy). </P>
+        <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Use EHCache as your default</B><BR>If you're not writing a custom <TT>SessionDAO</TT>, definitely enable EHCache in your Shiro configuration.  EHCache can also be beneficial beyond Sessions, caching authentication and authorization data as well.  See the <A href="caching.html" title="Caching">Caching</A> documentation for more information.</TD></TR></TABLE></DIV>
+        <DIV class="panelMacro"><TABLE class="tipMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Container-Independent Session Clustering</B><BR>EHCache is also a nice choice if you quickly need container-independent session clustering. You can transparently plug in <A href="http://www.terracotta.org/" class="external-link" rel="nofollow">TerraCotta</A> behind EHCache and have a container-independent clustered session cache.  No more worrying about Tomcat, JBoss, Jetty, WebSphere or WebLogic specific session clustering ever again!</TD></TR></TABLE></DIV>
+        <P>Enabling EHCache for sessions is very easy.  First, ensure that you have the <TT>shiro-ehcache-&lt;version&gt;.jar</TT> file in your classpath (see the <A href="download.html" title="Download">Download</A> page or use Maven or Ant+Ivy). </P>
 
-    <P>Once in the classpath, this first <TT>shiro.ini</TT> example shows you how to use EHCache for all of Shiro's caching needs (not just Session support):</P>
+        <P>Once in the classpath, this first <TT>shiro.ini</TT> example shows you how to use EHCache for all of Shiro's caching needs (not just Session support):</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring EHCache for all of Shiro's caching needs in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring EHCache for all of Shiro's caching needs in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 
@@ -321,24 +322,24 @@ cacheManager = org.apache.shiro.cache.eh
 securityManager.cacheManager = $cacheManager
 
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>The final line, <TT>securityManager.cacheManager = $cacheManager</TT>, configures a <TT>CacheManager</TT> for all of Shiro's needs.  This <TT>CacheManager</TT> instance will propagate down to the <TT>SessionDAO</TT> automatically (by nature of <TT>EnterpriseCacheSessionDAO</TT> implementing the <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/cache/CacheManagerAware.html" class="external-link" rel="nofollow">CacheManagerAware</A></TT> interface).</P>
+        <P>The final line, <TT>securityManager.cacheManager = $cacheManager</TT>, configures a <TT>CacheManager</TT> for all of Shiro's needs.  This <TT>CacheManager</TT> instance will propagate down to the <TT>SessionDAO</TT> automatically (by nature of <TT>EnterpriseCacheSessionDAO</TT> implementing the <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/cache/CacheManagerAware.html" class="external-link" rel="nofollow">CacheManagerAware</A></TT> interface).</P>
 
-    <P>Then, when the <TT>SessionManager</TT> asks the <TT>EnterpriseCacheSessionDAO</TT> to persist a <TT>Session</TT>, it will use an EHCache-backed <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/cache/Cache.html" class="external-link" rel="nofollow">Cache</A></TT> implementation to store the Session data.</P>
+        <P>Then, when the <TT>SessionManager</TT> asks the <TT>EnterpriseCacheSessionDAO</TT> to persist a <TT>Session</TT>, it will use an EHCache-backed <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/cache/Cache.html" class="external-link" rel="nofollow">Cache</A></TT> implementation to store the Session data.</P>
 
-    <DIV class="panelMacro"><TABLE class="infoMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Web Applications</B><BR>Don't forget that assigning a <TT>SessionDAO</TT> is a feature when using Shiro native SessionManager implementations.  Web applications by default use a Servlet container-based SessionManager which does not support a <TT>SessionDAO</TT>.  Configure a native web SessionManager as <A href="#SessionManagement-websessionmanagersessiondao">explained above</A> if you want to use Ehcache-based session storage in a web application.</TD></TR></TABLE></DIV>
+        <DIV class="panelMacro"><TABLE class="infoMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Web Applications</B><BR>Don't forget that assigning a <TT>SessionDAO</TT> is a feature when using Shiro native SessionManager implementations.  Web applications by default use a Servlet container-based SessionManager which does not support a <TT>SessionDAO</TT>.  Configure a native web SessionManager as <A href="#SessionManagement-websessionmanagersessiondao">explained above</A> if you want to use Ehcache-based session storage in a web application.</TD></TR></TABLE></DIV>
 
-    <P><A name="SessionManagement-ehcachesessioncacheconfiguration"></A></P>
-    <H5><A name="SessionManagement-EHCacheSessionCacheConfiguration"></A>EHCache Session Cache Configuration</H5>
+        <P><A name="SessionManagement-ehcachesessioncacheconfiguration"></A></P>
+        <H5><A name="SessionManagement-EHCacheSessionCacheConfiguration"></A>EHCache Session Cache Configuration</H5>
 
-    <P>By default, the <TT>EhCacheManager</TT> uses a Shiro-specific <TT><A href="https://svn.apache.org/repos/asf/shiro/trunk/support/ehcache/src/main/resources/org/apache/shiro/cache/ehcache/ehcache.xml" class="external-link" rel="nofollow">ehcache.xml</A></TT> file that sets up the Session cache region and the necessary settings to ensure Sessions are stored and retrieved properly.</P>
+        <P>By default, the <TT>EhCacheManager</TT> uses a Shiro-specific <TT><A href="https://svn.apache.org/repos/asf/shiro/trunk/support/ehcache/src/main/resources/org/apache/shiro/cache/ehcache/ehcache.xml" class="external-link" rel="nofollow">ehcache.xml</A></TT> file that sets up the Session cache region and the necessary settings to ensure Sessions are stored and retrieved properly.</P>
 
-    <P>However, if you wish to change the cache settings, or configure your own <TT>ehcache.xml</TT> or EHCache <TT>net.sf.ehcache.CacheManager</TT> instance, you will need to configure the cache region to ensure that Sessions are handled correctly.</P>
+        <P>However, if you wish to change the cache settings, or configure your own <TT>ehcache.xml</TT> or EHCache <TT>net.sf.ehcache.CacheManager</TT> instance, you will need to configure the cache region to ensure that Sessions are handled correctly.</P>
 
-    <P>If you look at the default <TT><A href="https://svn.apache.org/repos/asf/shiro/trunk/support/ehcache/src/main/resources/org/apache/shiro/cache/ehcache/ehcache.xml" class="external-link" rel="nofollow">ehcache.xml</A></TT> file, you will see the following <TT>shiro-activeSessionCache</TT> cache configuration:</P>
+        <P>If you look at the default <TT><A href="https://svn.apache.org/repos/asf/shiro/trunk/support/ehcache/src/main/resources/org/apache/shiro/cache/ehcache/ehcache.xml" class="external-link" rel="nofollow">ehcache.xml</A></TT> file, you will see the following <TT>shiro-activeSessionCache</TT> cache configuration:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
 <PRE class="code-xml">
 &lt;cache name=<SPAN class="code-quote">&quot;shiro-activeSessionCache&quot;</SPAN>
        maxElementsInMemory=<SPAN class="code-quote">&quot;10000&quot;</SPAN>
@@ -349,23 +350,23 @@ securityManager.cacheManager = $cacheMan
        diskPersistent=<SPAN class="code-quote">&quot;true&quot;</SPAN>
        diskExpiryThreadIntervalSeconds=<SPAN class="code-quote">&quot;600&quot;</SPAN>/&gt;
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>If you wish to use your own <TT>ehcache.xml</TT> file, ensure that you have defined a similar cache entry for Shiro's needs.  Most likely you might change the <TT>maxElementsInMemory</TT> attribute value to meet your needs.  However, it is very important that at least the following two attributes exist (and are not changed) in your own configuration:</P>
+        <P>If you wish to use your own <TT>ehcache.xml</TT> file, ensure that you have defined a similar cache entry for Shiro's needs.  Most likely you might change the <TT>maxElementsInMemory</TT> attribute value to meet your needs.  However, it is very important that at least the following two attributes exist (and are not changed) in your own configuration:</P>
 
-    <UL>
-        <LI><TT>overflowToDisk=&quot;true&quot;</TT> - this ensures that if you run out of process memory, sessions won't be lost and can serialized to disk</LI>
-        <LI><TT>eternal=&quot;true&quot;</TT> - ensures that cache entries (Session instances) are never expired or expunged automatically by the cache. This is necessary because Shiro does its own validation based on a scheduled process (see &quot;Session Validation &amp; Scheduling&quot; below).  If we turned this off, the cache would likely evict Sessions without Shiro knowing about it, which could cause problems.</LI>
-    </UL>
+        <UL>
+            <LI><TT>overflowToDisk=&quot;true&quot;</TT> - this ensures that if you run out of process memory, sessions won't be lost and can serialized to disk</LI>
+            <LI><TT>eternal=&quot;true&quot;</TT> - ensures that cache entries (Session instances) are never expired or expunged automatically by the cache. This is necessary because Shiro does its own validation based on a scheduled process (see &quot;Session Validation &amp; Scheduling&quot; below).  If we turned this off, the cache would likely evict Sessions without Shiro knowing about it, which could cause problems.</LI>
+        </UL>
 
 
-    <H5><A name="SessionManagement-EHCacheSessionCacheName"></A>EHCache Session Cache Name</H5>
+        <H5><A name="SessionManagement-EHCacheSessionCacheName"></A>EHCache Session Cache Name</H5>
 
-    <P>By default, the <TT>EnterpriseCacheSessionDAO</TT> asks the <TT>CacheManager</TT> for a <TT>Cache</TT> named &quot;<TT>shiro-activeSessionCache</TT>&quot;.  This cache name/region is expected to be configured in <TT>ehcache.xml</TT>, as mentioned above.</P>
+        <P>By default, the <TT>EnterpriseCacheSessionDAO</TT> asks the <TT>CacheManager</TT> for a <TT>Cache</TT> named &quot;<TT>shiro-activeSessionCache</TT>&quot;.  This cache name/region is expected to be configured in <TT>ehcache.xml</TT>, as mentioned above.</P>
 
-    <P>If you want to use a different name instead of this default, you can configure that name on the <TT>EnterpriseCacheSessionDAO</TT>, for example:</P>
+        <P>If you want to use a different name instead of this default, you can configure that name on the <TT>EnterpriseCacheSessionDAO</TT>, for example:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring the cache name for Shiro's active session cache in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring the cache name for Shiro's active session cache in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
@@ -373,19 +374,19 @@ sessionDAO = org.apache.shiro.session.mg
 sessionDAO.activeSessionsCacheName = myname
 ...
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>Just ensure that a corresponding entry in <TT>ehcache.xml</TT> matches that name and you've configured <TT>overflowToDisk=&quot;true&quot;</TT> and <TT>eternal=&quot;true&quot;</TT> as mentioned above.</P>
+        <P>Just ensure that a corresponding entry in <TT>ehcache.xml</TT> matches that name and you've configured <TT>overflowToDisk=&quot;true&quot;</TT> and <TT>eternal=&quot;true&quot;</TT> as mentioned above.</P>
 
-    <H4><A name="SessionManagement-CustomSessionIDs"></A>Custom Session IDs</H4>
+        <H4><A name="SessionManagement-CustomSessionIDs"></A>Custom Session IDs</H4>
 
-    <P>Shiro's <TT>SessionDAO</TT> implementations use an internal <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/eis/SessionIdGenerator.html" class="external-link" rel="nofollow">SessionIdGenerator</A></TT> component to generate a new Session ID every time a new session is created.  The ID is generated, assigned to the newly created <TT>Session</TT> instance, and then the <TT>Session</TT> is saved via the <TT>SessionDAO</TT>.</P>
+        <P>Shiro's <TT>SessionDAO</TT> implementations use an internal <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/eis/SessionIdGenerator.html" class="external-link" rel="nofollow">SessionIdGenerator</A></TT> component to generate a new Session ID every time a new session is created.  The ID is generated, assigned to the newly created <TT>Session</TT> instance, and then the <TT>Session</TT> is saved via the <TT>SessionDAO</TT>.</P>
 
-    <P>The default <TT>SessionIdGenerator</TT> is a <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/eis/JavaUuidSessionIdGenerator.html" class="external-link" rel="nofollow">JavaUuidSessionIdGenerator</A></TT>, which generates <TT>String</TT> IDs based on Java <TT><A href="http://download.oracle.com/javase/6/docs/api/java/util/UUID.html" class="external-link" rel="nofollow">UUIDs</A></TT>.  This implementation is suitable for all production environments.</P>
+        <P>The default <TT>SessionIdGenerator</TT> is a <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/eis/JavaUuidSessionIdGenerator.html" class="external-link" rel="nofollow">JavaUuidSessionIdGenerator</A></TT>, which generates <TT>String</TT> IDs based on Java <TT><A href="http://download.oracle.com/javase/6/docs/api/java/util/UUID.html" class="external-link" rel="nofollow">UUIDs</A></TT>.  This implementation is suitable for all production environments.</P>
 
-    <P>If this does not meet your needs, you can implement the <TT>SessionIdGenerator</TT> interface and configure the implementation on Shiro's <TT>SessionDAO</TT> instance.  For example, in <TT>shiro.ini</TT>:</P>
+        <P>If this does not meet your needs, you can implement the <TT>SessionIdGenerator</TT> interface and configure the implementation on Shiro's <TT>SessionDAO</TT> instance.  For example, in <TT>shiro.ini</TT>:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring a SessionIdGenerator in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring a SessionIdGenerator in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
@@ -393,25 +394,25 @@ sessionIdGenerator = com.my.session.Sess
 securityManager.sessionManager.sessionDAO.sessionIdGenerator = $sessionIdGenerator
 
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <H3><A name="SessionManagement-SessionValidation%26Scheduling"></A>Session Validation &amp; Scheduling</H3>
+        <H3><A name="SessionManagement-SessionValidation%26Scheduling"></A>Session Validation &amp; Scheduling</H3>
 
-    <P>Sessions must be validated so any invalid (expired or stopped) sessions can be deleted from the session data store.  This ensures that the data store does not fill up over time with sessions that will never be used again.</P>
+        <P>Sessions must be validated so any invalid (expired or stopped) sessions can be deleted from the session data store.  This ensures that the data store does not fill up over time with sessions that will never be used again.</P>
 
-    <P>For performance reasons, <TT>Sessions</TT> are only validated to see if they have been stopped or expired at the time they are accessed (i.e. <TT>subject.getSession()</TT>).  This means that without additional regular periodic validation, <TT>Session</TT> orphans would begin to fill up the session data store.  </P>
+        <P>For performance reasons, <TT>Sessions</TT> are only validated to see if they have been stopped or expired at the time they are accessed (i.e. <TT>subject.getSession()</TT>).  This means that without additional regular periodic validation, <TT>Session</TT> orphans would begin to fill up the session data store.  </P>
 
-    <P>A common example illustrating orphans is the web browser scenario:  Let's say a user logs in to a web application and a session is created to retain data (authentication state, shopping cart, etc).  If the user does not log out and closes their browser without the application knowing about it, their session is essentially just 'lying around' (orphaned) in the session data store.  The <TT>SessionManager</TT> has no way of detecting that the user was no longer using their browser, and the session is never accessed again (it is orphaned).</P>
+        <P>A common example illustrating orphans is the web browser scenario:  Let's say a user logs in to a web application and a session is created to retain data (authentication state, shopping cart, etc).  If the user does not log out and closes their browser without the application knowing about it, their session is essentially just 'lying around' (orphaned) in the session data store.  The <TT>SessionManager</TT> has no way of detecting that the user was no longer using their browser, and the session is never accessed again (it is orphaned).</P>
 
-    <P>Session orphans, if they are not regularly purged, will fill up the session data store (which would be bad).  So, to prevent orphans from piling up, the <TT>SessionManager</TT> implementations support the notion of a <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/SessionValidationScheduler.html" class="external-link" rel="nofollow">SessionValidationScheduler</A></TT>.  A <TT>SessionValidationScheduler</TT> is responsible for validating sessions at a periodic rate to ensure they are cleaned up as necessary.</P>
+        <P>Session orphans, if they are not regularly purged, will fill up the session data store (which would be bad).  So, to prevent orphans from piling up, the <TT>SessionManager</TT> implementations support the notion of a <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/SessionValidationScheduler.html" class="external-link" rel="nofollow">SessionValidationScheduler</A></TT>.  A <TT>SessionValidationScheduler</TT> is responsible for validating sessions at a periodic rate to ensure they are cleaned up as necessary.</P>
 
-    <H4><A name="SessionManagement-DefaultSessionValidationScheduler"></A>Default SessionValidationScheduler</H4>
+        <H4><A name="SessionManagement-DefaultSessionValidationScheduler"></A>Default SessionValidationScheduler</H4>
 
-    <P>The default <TT>SessionValidationScheduler</TT> usable in all environments is the <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/ExecutorServiceSessionValidationScheduler.html" class="external-link" rel="nofollow">ExecutorServiceSessionValidationScheduler</A></TT> which uses a JDK <TT><A href="http://download.oracle.com/javase/6/docs/api/java/util/concurrent/ScheduledExecutorService.html" class="external-link" rel="nofollow">ScheduledExecutorService</A></TT> to control how often the validation should occur.</P>
+        <P>The default <TT>SessionValidationScheduler</TT> usable in all environments is the <TT><A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/ExecutorServiceSessionValidationScheduler.html" class="external-link" rel="nofollow">ExecutorServiceSessionValidationScheduler</A></TT> which uses a JDK <TT><A href="http://download.oracle.com/javase/6/docs/api/java/util/concurrent/ScheduledExecutorService.html" class="external-link" rel="nofollow">ScheduledExecutorService</A></TT> to control how often the validation should occur.</P>
 
-    <P>By default, this implementation will perform validation once per hour.  You can change the rate at which validation occurs by specifying a <B>new</B> instance of <TT>ExecutorServiceSessionValidationScheduler</TT> and specifying a different interval (in milliseconds):</P>
+        <P>By default, this implementation will perform validation once per hour.  You can change the rate at which validation occurs by specifying a <B>new</B> instance of <TT>ExecutorServiceSessionValidationScheduler</TT> and specifying a different interval (in milliseconds):</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>ExecutorServiceSessionValidationScheduler interval in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>ExecutorServiceSessionValidationScheduler interval in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
@@ -422,18 +423,18 @@ sessionValidationScheduler.interval = 36
 securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler
 
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P><!--
+        <P><!--
 <p>The <tt>ExecutorServiceSessionValidationScheduler</tt> only supports validation at a specific periodic interval -  every N milliseconds.  If you'd like better control over exactly when validation occurs, such as maybe at a certain time of day when system load is lower or at different rates depending on time of day, you'll find the <tt>QuartzSessionValidationScheduler</tt> more convenient.</p>
 
 <h4><a name="SessionManagement- QuartzSessionValidationScheduler"></a>Quartz SessionValidationScheduler</h4> --></P>
 
-    <H4><A name="SessionManagement-CustomSessionValidationScheduler"></A>Custom SessionValidationScheduler</H4>
+        <H4><A name="SessionManagement-CustomSessionValidationScheduler"></A>Custom SessionValidationScheduler</H4>
 
-    <P>If you wish to provide a custom <TT>SessionValidationScheduler</TT> implementation, you can specify it as a property of the default <TT>SessionManager</TT> instance.  For example, in <TT>shiro.ini</TT>:</P>
+        <P>If you wish to provide a custom <TT>SessionValidationScheduler</TT> implementation, you can specify it as a property of the default <TT>SessionManager</TT> instance.  For example, in <TT>shiro.ini</TT>:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring a custom SessionValidationScheduler in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Configuring a custom SessionValidationScheduler in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
@@ -441,79 +442,79 @@ sessionValidationScheduler = com.foo.my.
 securityManager.sessionManager.sessionValidationScheduler = $sessionValidationScheduler
 
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <H4><A name="SessionManagement-DisablingSessionValidation"></A>Disabling Session Validation</H4>
+        <H4><A name="SessionManagement-DisablingSessionValidation"></A>Disabling Session Validation</H4>
 
-    <P>In some cases, you might wish to disable session validation entirely because you have set up a process outside of Shiro's control to perform the validation for you.  For example, maybe you are using an enterprise Cache and rely on the cache's Time To Live setting to automatically expunge old sessions.  Or maybe you've set up a cron job to auto-purge a custom data store.  In these cases you can turn off session validation scheduling:</P>
+        <P>In some cases, you might wish to disable session validation entirely because you have set up a process outside of Shiro's control to perform the validation for you.  For example, maybe you are using an enterprise Cache and rely on the cache's Time To Live setting to automatically expunge old sessions.  Or maybe you've set up a cron job to auto-purge a custom data store.  In these cases you can turn off session validation scheduling:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Disabling Session Validation Scheduling in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Disabling Session Validation Scheduling in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
 securityManager.sessionManager.sessionValidationSchedulerEnabled = <SPAN class="code-keyword">false</SPAN>
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>Sessions will still be validated when they are retrieved from the session data store, but this will disable Shiro's periodic validation.</P>
+        <P>Sessions will still be validated when they are retrieved from the session data store, but this will disable Shiro's periodic validation.</P>
 
-    <DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Enable Session Validation <EM>somewhere</EM></B><BR>If you turn off Shiro's session validation scheduler, you <EM>MUST</EM> perform periodic session validation via some other mechanism (cron job, etc.).  This is the only way to guarantee Session orphans do not fill up the data store.</TD></TR></TABLE></DIV>
+        <DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Enable Session Validation <EM>somewhere</EM></B><BR>If you turn off Shiro's session validation scheduler, you <EM>MUST</EM> perform periodic session validation via some other mechanism (cron job, etc.).  This is the only way to guarantee Session orphans do not fill up the data store.</TD></TR></TABLE></DIV>
 
-    <H4><A name="SessionManagement-InvalidSessionDeletion"></A>Invalid Session Deletion</H4>
+        <H4><A name="SessionManagement-InvalidSessionDeletion"></A>Invalid Session Deletion</H4>
 
-    <P>As we've stated above, the purpose of periodic session validation is mainly to delete any invalid (expired or stopped) sessions to ensure they do not fill up the session data store.</P>
+        <P>As we've stated above, the purpose of periodic session validation is mainly to delete any invalid (expired or stopped) sessions to ensure they do not fill up the session data store.</P>
 
-    <P>By default, whenever Shiro detects an invalid session, it attempts to delete it from the underlying session data store via the <TT>SessionDAO.delete(session)</TT> method.  This is good practice for most applications to ensure the session data storage space is not exhausted.</P>
+        <P>By default, whenever Shiro detects an invalid session, it attempts to delete it from the underlying session data store via the <TT>SessionDAO.delete(session)</TT> method.  This is good practice for most applications to ensure the session data storage space is not exhausted.</P>
 
-    <P>However, some applications may not wish for Shiro to automatically delete sessions.  For example, if an application has provided a <TT>SessionDAO</TT> that backs a queryable data store, perhaps the application team wishes old or invalid sessions to be available for a certain period of time.  This would allow the team to run queries against the data store to see, for example, how many sessions a user has created over the last week, or the average duration of a user's sessions, or similar reporting-type queries.</P>
+        <P>However, some applications may not wish for Shiro to automatically delete sessions.  For example, if an application has provided a <TT>SessionDAO</TT> that backs a queryable data store, perhaps the application team wishes old or invalid sessions to be available for a certain period of time.  This would allow the team to run queries against the data store to see, for example, how many sessions a user has created over the last week, or the average duration of a user's sessions, or similar reporting-type queries.</P>
 
-    <P>In these scenarios, you can turn off invalid session deletion entirely.  For example, in <TT>shiro.ini</TT>:</P>
+        <P>In these scenarios, you can turn off invalid session deletion entirely.  For example, in <TT>shiro.ini</TT>:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Disabling Invalid Session Deletion in shiro.ini</B></DIV><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;"><B>Disabling Invalid Session Deletion in shiro.ini</B></DIV><DIV class="codeContent panelContent">
 <PRE class="code-java">
 [main]
 ...
 securityManager.sessionManager.deleteInvalidSessions = <SPAN class="code-keyword">false</SPAN>
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>But be careful!  If you turn this off, you are responsible for ensuring that your session data store doesn't exhaust its space.  You must delete invalid sessions from you data store yourself!</P>
+        <P>But be careful!  If you turn this off, you are responsible for ensuring that your session data store doesn't exhaust its space.  You must delete invalid sessions from you data store yourself!</P>
 
-    <P>Note also that even if you prevent Shiro from deleting invalid sessions, you still should enable session validation somehow - either via Shiro's existing validation mechanisms or via a custom mechanism you provide yourself (see the above &quot;Disabling Session Validation&quot; section above for more).  The validation mechanism will update your session records to reflect the invalid state (e.g. when it was invalidated, when it was last accessed, etc), even if you will delete them manually yourself at some other time.</P>
+        <P>Note also that even if you prevent Shiro from deleting invalid sessions, you still should enable session validation somehow - either via Shiro's existing validation mechanisms or via a custom mechanism you provide yourself (see the above &quot;Disabling Session Validation&quot; section above for more).  The validation mechanism will update your session records to reflect the invalid state (e.g. when it was invalidated, when it was last accessed, etc), even if you will delete them manually yourself at some other time.</P>
 
-    <DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>If you configure Shiro so it does not delete invalid sessions, you are responsible for ensuring that your session data store doesn't exhaust its space.  You must delete invalid sessions from you data store yourself!
+        <DIV class="panelMacro"><TABLE class="warningMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD>If you configure Shiro so it does not delete invalid sessions, you are responsible for ensuring that your session data store doesn't exhaust its space.  You must delete invalid sessions from you data store yourself!
 
-        <P>Also note that disabling session deletion is <B>not</B> the same as disabling session validation scheduling.  You should almost always use a session validation scheduling mechanism - either one supported by Shiro directly or your own.</P></TD></TR></TABLE></DIV>
+            <P>Also note that disabling session deletion is <B>not</B> the same as disabling session validation scheduling.  You should almost always use a session validation scheduling mechanism - either one supported by Shiro directly or your own.</P></TD></TR></TABLE></DIV>
 
-    <H2><A name="SessionManagement-SessionClustering"></A>Session Clustering</H2>
+        <H2><A name="SessionManagement-SessionClustering"></A>Session Clustering</H2>
 
-    <P>One of the very exciting things about Apache Shiro's session capabilities is that you can cluster Subject sessions natively and never need to worry again about how to cluster sessions based on your container environment.  That is, if you use Shiro's native sessions and configure a session cluster, you can, say, deploy to Jetty or Tomcat in development, JBoss or Geronimo in production, or any other environment - all the while never worrying about container/environment-specific clustering setup or configuration.  Configure session clustering once in Shiro and it works no matter your deployment environment.</P>
+        <P>One of the very exciting things about Apache Shiro's session capabilities is that you can cluster Subject sessions natively and never need to worry again about how to cluster sessions based on your container environment.  That is, if you use Shiro's native sessions and configure a session cluster, you can, say, deploy to Jetty or Tomcat in development, JBoss or Geronimo in production, or any other environment - all the while never worrying about container/environment-specific clustering setup or configuration.  Configure session clustering once in Shiro and it works no matter your deployment environment.</P>
 
-    <P>So how does it work?</P>
+        <P>So how does it work?</P>
 
-    <P>Because of Shiro's POJO-based N-tiered architecture, enabling Session clustering is as simple as enabling a clustering mechanism at the Session persistence level.  That is, if you configure a cluster-capable <TT><A href="#SessionManagement-sessionstorage">SessionDAO</A></TT>, the DAO can interact with a clustering mechanism and Shiro's <TT>SessionManager</TT> never needs to know about clustering concerns.</P>
+        <P>Because of Shiro's POJO-based N-tiered architecture, enabling Session clustering is as simple as enabling a clustering mechanism at the Session persistence level.  That is, if you configure a cluster-capable <TT><A href="#SessionManagement-sessionstorage">SessionDAO</A></TT>, the DAO can interact with a clustering mechanism and Shiro's <TT>SessionManager</TT> never needs to know about clustering concerns.</P>
 
-    <P><B>Distributed Caches</B></P>
+        <P><B>Distributed Caches</B></P>
 
-    <P>Distributed Caches such as <A href="http://ehcache.org/documentation/get-started/about-distributed-cache" class="external-link" rel="nofollow">Ehcache+TerraCotta</A>, <A href="http://www.gigaspaces.com/" class="external-link" rel="nofollow">GigaSpaces</A> <A href="http://www.oracle.com/technetwork/middleware/coherence/overview/index.html" class="external-link" rel="nofollow">Oracle Coherence</A>, and <A href="http://memcached.org/" class="external-link" rel="nofollow">Memcached</A> (and many others) already solve the distributed-data-at-the-persistence-level problem.  Therefore enabling Session clustering in Shiro is as simple as configuring Shiro to use a distributed cache.</P>
+        <P>Distributed Caches such as <A href="http://ehcache.org/documentation/get-started/about-distributed-cache" class="external-link" rel="nofollow">Ehcache+TerraCotta</A>, <A href="http://www.gigaspaces.com/" class="external-link" rel="nofollow">GigaSpaces</A> <A href="http://www.oracle.com/technetwork/middleware/coherence/overview/index.html" class="external-link" rel="nofollow">Oracle Coherence</A>, and <A href="http://memcached.org/" class="external-link" rel="nofollow">Memcached</A> (and many others) already solve the distributed-data-at-the-persistence-level problem.  Therefore enabling Session clustering in Shiro is as simple as configuring Shiro to use a distributed cache.</P>
 
-    <P>This gives you the flexibility of choosing the exact clustering mechanism that is suitable for <EM>your</EM> environment.</P>
+        <P>This gives you the flexibility of choosing the exact clustering mechanism that is suitable for <EM>your</EM> environment.</P>
 
-    <DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Cache Memory</B><BR>Note that when enabling a distributed/enterprise cache to be your session clustering data store, one of the following two cases must be true:
-        <UL>
-            <LI>The distributed cache has enough cluster-wide memory to retain <EM>all</EM> active/current sessions</LI>
-            <LI>If the distributed cache does not have enough cluster-wide memory to retain all active sessions, it must support disk overflow so sessions are not lost.<BR>
-                Failure for the cache to support either of the two cases will result in sessions being randomly lost, which would likely be frustrating to end-users.</LI>
-        </UL>
-    </TD></TR></TABLE></DIV>
+        <DIV class="panelMacro"><TABLE class="noteMacro"><COLGROUP><COL width="24"><COL></COLGROUP><TR><TD valign="top"><IMG src="https://cwiki.apache.org/confluence/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></TD><TD><B>Cache Memory</B><BR>Note that when enabling a distributed/enterprise cache to be your session clustering data store, one of the following two cases must be true:
+            <UL>
+                <LI>The distributed cache has enough cluster-wide memory to retain <EM>all</EM> active/current sessions</LI>
+                <LI>If the distributed cache does not have enough cluster-wide memory to retain all active sessions, it must support disk overflow so sessions are not lost.<BR>
+                    Failure for the cache to support either of the two cases will result in sessions being randomly lost, which would likely be frustrating to end-users.</LI>
+            </UL>
+        </TD></TR></TABLE></DIV>
 
-    <H3><A name="SessionManagement-%7B%7BEnterpriseCacheSessionDAO%7D%7D"></A><TT>EnterpriseCacheSessionDAO</TT></H3>
+        <H3><A name="SessionManagement-%7B%7BEnterpriseCacheSessionDAO%7D%7D"></A><TT>EnterpriseCacheSessionDAO</TT></H3>
 
-    <P>As you might expect, Shiro already provides a <TT>SessionDAO</TT> implementation that will persist data to an enterprise/distributed Cache.  The <A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/eis/EnterpriseCacheSessionDAO.html" class="external-link" rel="nofollow">EnterpriseCacheSessionDAO</A> expects a Shiro <TT>Cache</TT> or <TT>CacheManager</TT> to be configured on it so it can leverage the caching mechanism.</P>
+        <P>As you might expect, Shiro already provides a <TT>SessionDAO</TT> implementation that will persist data to an enterprise/distributed Cache.  The <A href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/mgt/eis/EnterpriseCacheSessionDAO.html" class="external-link" rel="nofollow">EnterpriseCacheSessionDAO</A> expects a Shiro <TT>Cache</TT> or <TT>CacheManager</TT> to be configured on it so it can leverage the caching mechanism.</P>
 
-    <P>For example, in <TT>shiro.ini</TT>:</P>
+        <P>For example, in <TT>shiro.ini</TT>:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
 <PRE class="code-java">
 #This implementation would use your preferred distributed caching product's APIs:
 activeSessionCache = my.org.apache.shiro.cache.CacheImplementation
@@ -523,13 +524,13 @@ sessionDAO.activeSessionCache = $activeS
 
 securityManager.sessionManager.sessionDAO = $sessionDAO
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>Although you could inject a <TT>Cache</TT> instance directly to the <TT>SessionDAO</TT> as shown above, it is usually far more common to configure a general <TT>CacheManager</TT> to use for all of Shiro's caching needs (sessions as well as authentication and authorization data).  In this case, instead of configuring a <TT>Cache</TT> instance directly, you would tell the <TT>EnterpriseCacheSessionDAO</TT> the name of the cache in the <TT>CacheManager</TT> that should be used for storing active sessions.</P>
+        <P>Although you could inject a <TT>Cache</TT> instance directly to the <TT>SessionDAO</TT> as shown above, it is usually far more common to configure a general <TT>CacheManager</TT> to use for all of Shiro's caching needs (sessions as well as authentication and authorization data).  In this case, instead of configuring a <TT>Cache</TT> instance directly, you would tell the <TT>EnterpriseCacheSessionDAO</TT> the name of the cache in the <TT>CacheManager</TT> that should be used for storing active sessions.</P>
 
-    <P>For example:</P>
+        <P>For example:</P>
 
-    <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
+        <DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
 <PRE class="code-java">
 # This implementation would use your caching product's APIs:
 cacheManager = my.org.apache.shiro.cache.CacheManagerImplementation
@@ -546,27 +547,27 @@ securityManager.sessionManager.sessionDA
 # to use it <SPAN class="code-keyword">for</SPAN> all of Shiro's caching needs:
 securityManager.cacheManager = $cacheManager
 </PRE>
-    </DIV></DIV>
+        </DIV></DIV>
 
-    <P>But there's something a bit strange about the above configuration.  Did you notice it?</P>
+        <P>But there's something a bit strange about the above configuration.  Did you notice it?</P>
 
-    <P>The interesting thing about this config is that nowhere in the config did we actually tell the <TT>sessionDAO</TT> instance to use a <TT>Cache</TT> or <TT>CacheManager</TT>!  So how does the <TT>sessionDAO</TT> use the distributed cache?</P>
+        <P>The interesting thing about this config is that nowhere in the config did we actually tell the <TT>sessionDAO</TT> instance to use a <TT>Cache</TT> or <TT>CacheManager</TT>!  So how does the <TT>sessionDAO</TT> use the distributed cache?</P>
 

[... 295 lines stripped ...]


Mime
View raw message