Also note that the [urls] INI section is really there to configure filter chains on a Shiro FilterChainManager instance. You could configure your own FilterChainManager (and create filter chains as necessary) yourself by invoking methods on it directly (see the DefaultFilterChainManager class).
So, in summary:

The [main] section configures the SecurityManager and its object graph, including realms. The [urls] section configures filter chains which are set on a FilterChainManager.

At runtime, a FilterChainResolver asks the FilterChainManager for a filter chain to execute for the corresponding request/response. If the FilterChainManager returns one, that is executed. If it doesn't, the original chain provided by the servlet container is executed.

If you didn't want to use INI, you could subclass the AbstractShiroFilter and provide your own means (code, DI, whatever) of providing the SecurityManager and FilterChainResolver instances.

HTH,

Les

On Tue, Aug 2, 2011 at 12:03 PM, Les Hazlewood <[email protected]> wrote:
> The SecurityManager is an object graph with nested components (some of
> which are Realms). You can instantiate a SecurityManager and call
> setter methods on it or any of its internal components just fine.
>
> The INI [main] section is just a text-based way of configuring the
> Security manager object graph. I often call it 'poor man's Dependency
> Injection' since it works like Spring or Guice, just not quite as
> powerful. You don't have to use it however - you can call the methods
> you want via standard Java code or reflection if you like (or use
> something like Spring or Guice which does this for you).
>
> Cheers,
>
> Les
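The INI-free setup described in the message above, as an added example that is not part of the original post and not Shiro's own code. The class name ProgrammaticShiroFilter, the realm name, the account and the URL patterns are constructed for illustration.

```java
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.web.filter.mgt.DefaultFilterChainManager;
import org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.AbstractShiroFilter;

// Hypothetical subclass: register it in web.xml in place of an INI-driven filter.
public class ProgrammaticShiroFilter extends AbstractShiroFilter {

    @Override
    public void init() throws Exception {
        // Counterpart of the [main] section: build the SecurityManager
        // object graph, including its realm, with plain constructors and setters.
        SimpleAccountRealm realm = new SimpleAccountRealm("exampleRealm");
        // Constructed sample account; a real deployment would plug in its own Realm.
        realm.addAccount("alice", "constructed-placeholder-password", "admin");
        setSecurityManager(new DefaultWebSecurityManager(realm));

        // Counterpart of the [urls] section: create filter chains directly on
        // the FilterChainManager. The default filters (anon, authc, roles, ...)
        // are registered by the DefaultFilterChainManager constructor.
        DefaultFilterChainManager chains = new DefaultFilterChainManager();
        // Chains are matched in the order they are created and the first match
        // wins, so specific patterns must come before the catch-all.
        chains.createChain("/static/**", "anon");
        chains.createChain("/admin/**", "authc, roles[admin]");
        chains.createChain("/**", "authc");

        // The resolver asks the manager for a chain per request; when no
        // pattern matches, the servlet container's original chain runs.
        PathMatchingFilterChainResolver resolver = new PathMatchingFilterChainResolver();
        resolver.setFilterChainManager(chains);
        setFilterChainResolver(resolver);
    }
}
```

Ending the chain list with a catch-all such as "/**" keeps unlisted paths from falling through to the container's unfiltered chain.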
