The Spring development team does not use Shiro in any part of its framework that I am aware of. However, the Shiro team (and its end-users) often use Spring for their own applications, so Shiro provides a complete Spring integration solution out-of-the-box for anyone wishing to use Shiro instead of Spring Security as their preferred application security API.
There are enough differences between the two frameworks, but the basic idea is that they differ based on scope and mental model/design. Also Shiro has a broader scope than Spring Security (to the best of my knowledge) in that it also addresses problems associated with enterprise session management (agnostic session clustering, SSO, etc) as well as cryptography, concurrency, etc. Finally, Shiro was designed from day one to work in all application environments (Spring, JEE, command line, smartphone, etc) - not just Spring environments.
Both frameworks are top notch, maintained by top-notch people - their scope and design/models are just different.
