Shiro has three important cache interfaces:

A CacheManager returns Cache instances and various Shiro components use those Cache instances to cache data as necessary. Any Shiro
component that implements CacheManager will automatically receive a configured CacheManager, where it can be used to acquire Cache instances.

The Shiro SecurityManager implementations and all AuthorizingRealm implementations implement CacheManagerAware. If you set the CacheManager on the SecurityManager, it will in turn set it on the various Realms that implement CacheManagerAware as well (OO delegation). For example, in shiro.ini:

example shiro.ini CacheManger configuration

securityManager.realms = $myRealm1, $myRealm2, ..., $myRealmN
...
cacheManager = my.implementation.of.CacheManager
...
securityManager.cacheManager = $cacheManager
# at this point, the securityManager and all CacheManagerAware
# realms have been set with the cacheManager instance

We have an out-of-the-box EhCacheManager implementation, so you can use that today if you wanted. Otherwise, you can implement your own CacheManager (e.g. with Coherence, etc) and configure it as above, and you'll be good to go.

Authorization Cache Invalidation

Finally note that AuthorizingRealm has a {{clearCachedAuthorizationInfo method that can be called by subclasses to evict the cached authzInfo for a particular account. It is usually called by custom logic if the corresponding account's authz data has changed (to ensure the next authz check will pick up the new data).

Lend a hand with documentation

While we hope this documentation helps you with the work you're doing with Apache Shiro, the community is improving and expanding the documentation all the time. If you'd like to help the Shiro project, please consider corrected, expanding, or adding documentation where you see a need. Every little bit of help you provide expands the community and in turn improves Shiro.

The easiest way to contribute your documentation is to send it to the User Forum or the User Mailing List.