You could use basic auth for your webservice endpoints and form based authentication for the web.
Do web users also have access to your webservice?
EDIT:
Checkout this sample app. https://github.com/dominicfarr/skybird-shiro
It has three url paths configured in shiro.
web - uses form authentication.
api - uses basic authentication.
jersey - anonymous access.
Cutting to the shiro.ini config.
[main]
authc.loginUrl = /web/login.html
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionDAO = $sessionDAO
[users]
dom = password, user
[roles]
user = standard
[urls]
/web/login.html = authc
/web/** = authc
/api/** = authcBasic
/jersey/message = anon