The SecurityManager is an object graph with nested components (some of which are Realms). You can instantiate a SecurityManager and call setter methods on it or any of its internal components just fine.
The INI [main] section is just a text-based way of configuring the Security manager object graph. I often call it 'poor man's Dependency Injection' since it works like Spring or Guice, just not quite as powerful. You don't have to use it however - you can call the methods you want via standard Java code or reflection if you like (or use something like Spring or Guice which does this for you). Cheers, Les
