Hi Jack,

It doesn't appear that you have configured Shiro for a standard web environment. The setup code that you referenced (where you instantiate a DefaultSecurityManager directly) is really only used for non-web applications.

Shiro's web support sets up the proper SecurityManager instance and ensures the Subject is available on the request thread as necessary for any request. This will be a big help: http://shiro.apache.org/web.html

Let us know if that doesn't work for you.

Cheers,
Les
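
The web setup referred to in the message above, shown as an added example that is not part of the original message or of Jack's application. It assumes Shiro 1.2 or later and a `shiro.ini` in one of the default locations (`/WEB-INF/shiro.ini` or the classpath root).

```xml
<!-- WEB-INF/web.xml (fragment). Assumes Shiro 1.2+; no DefaultSecurityManager
     is instantiated by application code in this setup. -->

<!-- Builds the web-aware SecurityManager at application startup from
     shiro.ini (default lookup: /WEB-INF/shiro.ini, then classpath:shiro.ini). -->
<listener>
    <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>

<!-- Binds the Subject to the request thread, so SecurityUtils.getSubject()
     works inside servlets, JSPs and downstream filters. -->
<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>

<!-- Map to /* and list every dispatcher type: a request that bypasses the
     filter (for example an internal FORWARD) runs with no Subject bound and
     none of the URL rules from shiro.ini applied. Declare this mapping before
     other filter mappings so they run inside Shiro's filter. -->
<filter-mapping>
    <filter-name>ShiroFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
```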
