Seems like the way we actualy integrate shiro to work with spring is not compatible with spring's own aop stack. I've verified this issue at least on spring's @Controller beans.
This seems to be due to the fact that we proxy the classes marked with shiro's annotations.
To reproduce this issue:
1. Create a spring beans that is annotated with either @Component or @Controller.
2. Add shiro security annotations to this class.
3. then configure the shiro annotations as advised here: http://shiro.apache.org/spring.html
I can extract a sample maven project that reproduce this issue.
I think that we should add annotations support to spring enabled web app the same way all others spring components does, through spring's own AOP stack.