I've integrated jCIFS with Shiro in a web application for work. It's not difficult, but the implementation is rather inelegant due to the nature of the NTLM protocol (and possibly because I don't adequately understand the Shiro API).
Specifically, the problem arises because NTLM authentication is stateful. In total, 3 round trips are required, and a server-generated challenge needs to be shared between the 2nd and 3rd requests (this data isn't ever sent by the client). In my implementation, the 2nd request is handled by the authentication filter whereas the 3rd request is handled by the authentication realm (via an AuthenticationToken) - this requires that the data be shared in some manner. The alternative would be to have both requests handled by the authenticating realm, but that seems to run counter to the design of the Shiro authentication API (i.e. separating the generation and consumption of the authentication token). The (only?) alternative is the HTTP Negotiate protocol (SPNEGO over HTTP), which seems like it'd be a bit cleaner as far as implementation goes (I'm still working on it). But this requires quite a bit more setup and also allows the client to fall back to using NTLM authentication rather than Kerberos, in which case you'd probably still encounter the same problem.
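
One way to hand the server challenge from the filter (2nd request) to the realm (3rd request), as an added example that is not part of the original post and is not jCIFS or Shiro code. The class name `NtlmChallengeStore`, keying by HTTP session id and the 30-second lifetime are assumptions; the challenge is single-use so a captured 3rd request cannot be validated twice.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: holds the server challenge between the 2nd and 3rd NTLM requests. */
public class NtlmChallengeStore {
    private record Pending(byte[] challenge, Instant expires) {}

    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    public NtlmChallengeStore(Duration ttl) { this.ttl = ttl; }

    /** Filter side (2nd request): create the 8-byte challenge sent in the Type 2 message. */
    public byte[] issue(String sessionId) {
        byte[] challenge = new byte[8];
        random.nextBytes(challenge);
        // A new handshake on the same session replaces any challenge still pending.
        pending.put(sessionId, new Pending(challenge.clone(), Instant.now().plus(ttl)));
        return challenge;
    }

    /** Realm side (3rd request): fetch the challenge exactly once; null if absent or expired. */
    public byte[] consume(String sessionId) {
        Pending p = pending.remove(sessionId); // removal makes the challenge single-use
        if (p == null || Instant.now().isAfter(p.expires())) return null;
        return p.challenge();
    }

    public static void main(String[] args) {
        NtlmChallengeStore store = new NtlmChallengeStore(Duration.ofSeconds(30));
        String sessionId = "constructed-session-id"; // constructed sample value

        byte[] sent = store.issue(sessionId);       // filter answers the Type 1 message
        byte[] forRealm = store.consume(sessionId); // realm validates the Type 3 message
        System.out.println("realm sees same challenge: " + Arrays.equals(sent, forRealm));
        System.out.println("second use rejected: " + (store.consume(sessionId) == null));
        System.out.println("unknown session rejected: " + (store.consume("other") == null));
    }
}
```

In a Shiro application the same role can be played by a session attribute that the filter sets and the realm removes when it reads it.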
