SubjectContext was created to provide type-safe data resolution when creating new Subject instances. The SessionManager.start(Map) method serves the same exact purpose, but for Session creation. The SessionManager.start method argument should reflect the same architectural principal of the SubjectContext.
There are a number of 'hacky' bits of code in the framework because of this - such as using static Map key constants in implementation classes from other implementation classes. Also, the biggest thing might be that AbstractShiroFilter resorts to preemptively binding the SecurityManager, ServletRequest and ServletResponse to the ThreadContext because it can NOT just perform a simple subject.execute() invocation to execute the filter chain. This all stems from a lack of SessionContext to use when starting sessions. This should be part of 1.0 to 1) remove the hacks and 2) employ a consistent API for instance creation.