diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
index 538533c6581..f6af0978805 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/SecurityHandler.java
@@ -306,7 +306,7 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
             if (_identityService==null)
                 _identityService=findIdentityService();
             
-            if (_identityService==null && _loginService!=null)
+            if (_identityService==null && _realmName!=null)
                 _identityService=new DefaultIdentityService();
         }
         
@@ -469,7 +469,8 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
                 {
                     Authentication.User userAuth = (Authentication.User)authentication;
                     baseRequest.setAuthentication(authentication);
-                    previousIdentity = _identityService.associate(userAuth.getUserIdentity());
+                    if (_identityService!=null)
+                        previousIdentity = _identityService.associate(userAuth.getUserIdentity());
 
                     if (isAuthMandatory)
                     {
@@ -483,7 +484,8 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
                     }
                          
                     handler.handle(pathInContext, baseRequest, request, response);
-                    authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
+                    if (authenticator!=null)
+                        authenticator.secureResponse(request, response, isAuthMandatory, userAuth);
                 }
                 else if (authentication instanceof Authentication.Deferred)
                 {