I have recently had to evaluate both shiro and spring security. We went with spring security (in fact we extended spring security to use the shiro permission strings in a better way - with instance variables on annoations).
Spring Security
- under active development.
- has much more community support.
- Spring security has extensions providing support for both Oauth and kerberos
and SAML.
Shiro
- Does not support saml or Oauth.
- Makes no mention of supporting before and after security policies.
- Active development seems limited, the website still
contains erroneous information.
