I have evaluated both Shiro and Spring security. The main advantage that people claim about Shiro is simplicity, but I believe that Spring Security (3.0) is not crazy complicated. It took me almost the same amount of lines of configuration to set up. Also Spring Security is much better documented than Shiro.
But the main issue with Shiro it is that it doesn't support OAuth or Digest Authetication (they are planning to include it in the future https://issues.apache.org/jira/browse/SHIRO-20 ).
My conclusion: Today I would go for spring security.
