Shiro is better to use. Its code much simple which provides you flexibility to extend it and provide your custom behaviour wherever needed. It also provides internal cache implementation of Ehcache through which you can replicate session on server clusters.
If you are going to design RBAC(Role based access control) system for your application it will provide you flexibility to handle asset level permission and its access control mechanism is much flexible as compared to spring security.
