Description
Currently, securityValve stores the subject in the HTTP session, which seems okay with JAAS authentication integration because JAAS authentication in a servlet container depends on the HTTP session.
However, in a stateless environment, they might not want to use HTTP sessions at all, but instead have something like a filter to resolve authentication based on request data.
So, I think SecurityValve should consider this environment by allowing extensibility for external filter-based solutions (probably based on request attributes).