Sure - in whatever Realms you configure on the SecurityManager, just ensure that the realm(s)' supports(AuthenticationToken) method returns false. Then the realm will never participate in authentication, but still be available for authorization.
There are two ways of ensuring this happens at the moment:

1. Subclass the realm and override the supports method to always return false.
2. If the Realm implementation is a subclass of AuthenticatingRealm (most are), set the 'authenticationTokenClass' property to be some fake token class that will never be used for authentication (e.g. public interface NonExistentAuthenticationToken extends AuthenticationToken) and never create an implementation of that interface.

If you'd like to see this as a configurable property, please open a feature request in Jira: https://issues.apache.org/jira/browse/SHIRO

HTH,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
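A sketch of the first option from the message above, added here as an illustration and not taken from the original post or from the Shiro project. The class names `AuthzOnlyRealmDemo` and `RoleLookupRealm`, the account `alice`, its password and the role `auditor` are all constructed for the example.

```java
import java.util.Arrays;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class AuthzOnlyRealmDemo {
    // Hypothetical realm: supplies roles but refuses every authentication token.
    static class RoleLookupRealm extends AuthorizingRealm {
        @Override
        public boolean supports(AuthenticationToken token) {
            return false; // option 1: never take part in login attempts
        }
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            return null; // not consulted, because supports() rejects all tokens
        }
        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            if ("alice".equals(principals.getPrimaryPrincipal())) {
                info.addRole("auditor"); // constructed role mapping
            }
            return info;
        }
    }

    public static void main(String[] args) {
        SimpleAccountRealm loginRealm = new SimpleAccountRealm("loginRealm");
        loginRealm.addAccount("alice", "constructed-password"); // credentials live here only

        RoleLookupRealm roles = new RoleLookupRealm();
        // Option 2 would instead call roles.setAuthenticationTokenClass(X.class),
        // where X is an AuthenticationToken sub-interface that is never implemented.
        DefaultSecurityManager sm = new DefaultSecurityManager();
        sm.setRealms(Arrays.<Realm>asList(loginRealm, roles));
        Subject subject = new Subject.Builder(sm).buildSubject();
        subject.login(new UsernamePasswordToken("alice", "constructed-password"));
        System.out.println("auditor role granted: " + subject.hasRole("auditor"));
    }
}
```

With both realms registered, only `loginRealm` can accept or reject credentials, so a weakness in the role-lookup backend cannot become a second login path.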
