JAAS, Spring Security or Apache Shiro

Shiro is great if you want to use it in a mixture of web/non-web environments. It is highly customizable. We use it to do multi-tennant authorization and we also have some custom permission requirements we have implemented using shiro.

You can also create spring beans from almost every class in shiro as the code is setup very cleanly and is very usable with spring injection (or any other dependency injection framework I guess).

As dev mentions, the documentation is lacking. We did a lot of reading the source code to get our fixes, so if you want to do more advanced configuration, be aware that you'll have to dive into the source.

For simple setups, the standard documentation of shiro will help you in most cases.

Imho spring security is fine, but it doesnt have the flexibility shiro provides.

I personally use apache shiro as it is highly customizable using shiro.ini and extending prebuild classes. Also configuration is mearly a shiro.inin file with some entries in web.xml. It has good documentation from third persons like

http://meri-stuff.blogspot.in/2011/03/apache-shiro-part-1-basics.html

other parts link in same page.

It can be integrated with springs, guice, sso, etc so i go with it.