I finished implementing this last night (https://issues.apache.org/jira/browse/SHIRO-221) and documented it here:

https://cwiki.apache.org/confluence/display/SHIRO/Web#Web-EnablingandDisablingFilters

There are a lot of reasons why this is useful, but a common example is SSL configuration: often you want to disable SSL in development, but enable it in production without being forced to muck with static web.xml security-constraints or convoluted build resource filtering or changing your filter chain definitions. I cover this example briefly in the documentation.

Feedback is always welcome.

Cheers,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com

P.S. https://issues.apache.org/jira/browse/SHIRO-224 exists to make this behavior more generic and not entrenched in the filter hierarchy.
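The SSL case described in the message, as an added shiro.ini fragment that is not part of the original message or the Shiro project's own files: the `enabled` property on the built-in `ssl` filter is switched off for development while the `[urls]` chain definitions stay untouched. The URL paths are assumptions chosen for illustration.

```ini
# shiro.ini for a development build (constructed example; paths are assumptions)

[main]
# Turn off Shiro's built-in 'ssl' filter in this environment only.
# Production uses the same file with this line removed or set to true.
ssl.enabled = false

[urls]
# Chain definitions are identical in development and production.
/login = ssl, authc
/account/** = ssl, authc
/admin/** = ssl, roles[admin]
```

With `ssl.enabled = false` the `ssl` filter hands each request straight to the next filter in the chain, so `authc` and `roles` still apply but nothing enforces HTTPS. A deployment check that rejects `ssl.enabled = false` in the production configuration keeps the development setting from shipping.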
