Shiro's web *Request implementations automatically performs URL rewriting as necessary - the SessionManager implementation does not need to know about it (the Servlet spec ensures this is maintained in the *Request implementations and not in the session manager implementations since those vary dramatically across containers).
As for the WebSecurityManager, if we add a new method to be 'isServletContainerSessions', I think that would be fine, but we would need to deprecate the old one (and keep it in place and just delegate to the new one) - we should retain backwards compatibility here. As for the WebSessionManager, I think it should probably be 'isServletContainerSessions' regardless of what we do w/ the WebSecurityManager interface. Just my .02. Cheers, Les
