Hi Mike,

Currently a login will persist authentication state (and Subject identity) to a Session to ensure it is available for future requests. SHIRO-187 [1] and SHIRO-266 [2] are issues based on this behavior. Please vote/watch them to indicate your need.

In the meantime, I think the easiest thing to do would be to subclass the SecurityManager implementation (DefaultSecurityManager or DefaultWebSecurityManager in a webapp) and override the 'bind' method implementation to not use the Session for the necessary Subject(s).

Here's the respective code to help you find out how you might want to alter the implementation:

DefaultSecurityManager: http://svn.apache.org/repos/asf/shiro/trunk/core/src/main/java/org/apache/shiro/mgt/DefaultSecurityManager.java

[1] https://issues.apache.org/jira/browse/SHIRO-187
[2] https://issues.apache.org/jira/browse/SHIRO-266

HTH,

--
Les Hazlewood
CTO, Katasoft | 888.391.5282 | http://www.katasoft.com
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
