Hi Thibault, This method is always available. It would be a new feature request to prevent this from being available (please create a new Jira issue if you think this should be a feature).
That being said, it should be noted that Shiro's primary purpose is to 1) be easy to use and understand and to 2) protect the application from the end-user and/or attack vectors. Shiro does not often make attempts to protect the application code from the developer (since they can just ignore Shiro's APIs entirely if they wanted, thereby subverting any security at all). Also note that SecurityUtils.setSecurityManager should only ever be called if an application's default configuration mechanism does not provide a better alternative. For example, Tapestry, Spring, Guice and Shiro web environments all never need to call SecurityUtils.getSecurityManager() because the SM instance is always easily accessible from heap memory via other method calls. Avoid static memory if you can and use SecurityUtils.setSecurityManager only when you can't avoid it. But again, if you feel this should be a feature, please file a Jira issue and we can discuss. HTH, -- Les Hazlewood CTO, Katasoft | http://www.katasoft.com | 888.391.5282 twitter: @lhazlewood | http://twitter.com/lhazlewood katasoft blog: http://www.katasoft.com/blogs/lhazlewood personal blog: http://leshazlewood.com On Tue, Jan 3, 2012 at 4:07 AM, Thibault TIGEON <[email protected]> wrote: > Hi, > > how to prevent the application to override the securitymanager at runtime? > > It seems SecurityUtils.setSecurityManager is always available. > > Is there any way to do a kind of "only startup configuration"? > > Regards, > > Thibault
