简单分析完jetty的请求处理过程：

来看看shiro是怎么接管session的；我们知道web容器都实现有session管理；要把这个容器默认实现屏蔽掉，就需要改变request的getSession方法的默认实现；

shiro是这样实现的：封装普通的request成一个wrap,即是ShiroHttpServletRequest;

通过拦截器拦截request并封装为ShiroHttpServletRequest;具体如下

shiro的AbstractShiroFilter

protected void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, final FilterChain chain)            throws ServletException, IOException {        Throwable t = null;        try {            final ServletRequest request = prepareServletRequest(servletRequest, servletResponse, chain);//执行封装            final ServletResponse response = prepareServletResponse(request, servletResponse, chain);            final Subject subject = createSubject(request, response);            //noinspection unchecked            subject.execute(new Callable() {                public Object call() throws Exception {                    updateSessionLastAccessTime(request, response);                    executeChain(request, response, chain);                    return null;                }            });...

@SuppressWarnings({"UnusedDeclaration"})    protected ServletRequest prepareServletRequest(ServletRequest request, ServletResponse response, FilterChain chain) {        ServletRequest toUse = request;        if (request instanceof HttpServletRequest) {            HttpServletRequest http = (HttpServletRequest) request;            toUse = wrapServletRequest(http);        }        return toUse;    }

protected ServletRequest wrapServletRequest(HttpServletRequest orig) {        return new ShiroHttpServletRequest(orig, getServletContext(), isHttpSessions());    }

默认不用容器的session实现；

再来看看ShiroHttpServletRequest的getSession方法；

public HttpSession getSession() {        return getSession(true);    }

public HttpSession getSession(boolean create) {        HttpSession httpSession;        if (isHttpSessions()) {//默认是flase;            httpSession = super.getSession(false);            if (httpSession == null && create) {                //Shiro 1.2: assert that creation is enabled (SHIRO-266):                if (WebUtils._isSessionCreationEnabled(this)) {                    httpSession = super.getSession(create);                } else {                    throw newNoSessionCreationException();                }            }        } else {//这里是shiro实现的session            if (this.session == null) {                boolean existing = getSubject().getSession(false) != null;                Session shiroSession = getSubject().getSession(create);                if (shiroSession != null) {                    this.session = new ShiroHttpSession(shiroSession, this, this.servletContext);                    if (!existing) {                        setAttribute(REFERENCED_SESSION_IS_NEW, Boolean.TRUE);                    }                }            }            httpSession = this.session;        }        return httpSession;    }

那么实现shiro的sessionDao接口就可以想存哪就存哪了；