We have not tried with MongoDB, but I guess any store where you can keep serialized data should do.
For the Session Cache, on the DefaultWebSessionManager (or your implementation) call setCache() with your own implementation of a CacheManager. Your implementation of CacheManager must override the method public <K, V> Cache<K, V> getCache(String cacheName) throws CacheException to return your Cache implementation. Your Cache implementation must handle the CRUD calls to either MongoDB or to a Memory Cache like EhCache, backed by MongoDB. Now you have to make sure that yourHttpSessions are serializable and I am not sure there may be any benefit to serialize them to JSON. If you want to cache Authorization and Authentication infos, silly do the same on your implementation of the AuthorizingRealm
