I'm not sure why you're using the Subject.Builder. If you subclass the IniShiroFilter (or its parent AbstractShiroFilter), the WebSubject is already created and bound to the thread for you so that SecurityUtils.getSubject() will work correctly (and return WebSubject instances).
The AbstractShiroFilter will also build the WebSubject according to the JSESSIONID as expected - no need to re-implement this yourself.

http://svn.apache.org/repos/asf/shiro/trunk/web/src/main/java/org/apache/shiro/web/servlet/AbstractShiroFilter.java

HTH,
Les
