The only other way to do this is with PAM. That method is dangerous because the apache user (www-data in my case) must be able to read /etc/shadow. I don't know about Debian, but under most distributions, it is safe to authenticate against /etc/shadow using pam_unix, since there is a setuid wrapper which validates access from pam_unix running as non-root and allows the checking of one user's password (no read access to passwords is provided). This seems to be a better solution than what you have described is done by mod_auth_shadow (and used by many more applications than just apache), but your description is not comprehensive ("owned by root" is insufficient to provide access to /etc/shadow, I assume you actually mean setuid root). As such, I think a more comprehensive (and accurate regarding setuid, and mechanisms in place to prevent abuse) discussion of the security differences would be in order, if you propose this as a more secure solution than mod_auth_external and PAM.
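An audit script that checks the two properties the comment above relies on (the web-server user cannot read /etc/shadow, and the pam_unix helper is a setuid-root binary), added here as an example and not the commenter's or any project's code; the paths /etc/shadow and /sbin/unix_chkpwd, the user name www-data and GNU stat are assumptions.

```shell
#!/bin/sh
# Added audit script (not from the comment author or any project). It checks
# the two properties the PAM/pam_unix approach depends on:
#   1. /etc/shadow is readable neither by "other" nor via the web user's group,
#   2. the pam_unix helper (unix_chkpwd) is setuid root, so an unprivileged
#      process can verify a single user's password without reading the file.
# Paths, helper name, web user and GNU stat are assumptions; adjust per distro.

SHADOW=${SHADOW:-/etc/shadow}
HELPER=${HELPER:-/sbin/unix_chkpwd}
WEBUSER=${WEBUSER:-www-data}

# Octal permission string of a file, e.g. 640 or 4755 (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Succeeds when the "other" read bit is clear (last octal digit is 0-3).
not_world_readable() {
    case "$(mode_of "$1")" in
        *[4567]) return 1 ;;
        *)       return 0 ;;
    esac
}

# Succeeds when the file carries the set-user-ID bit and is owned by root.
is_setuid_root() {
    [ -u "$1" ] && [ "$(stat -c '%U' "$1")" = root ]
}

# Succeeds when WEBUSER is not a member of the file's owning group
# (group membership would grant read on a 0640 root:shadow file).
webuser_not_in_group() {
    grp=$(stat -c '%G' "$1")
    ! id -nG "$WEBUSER" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"
}

audit() {
    rc=0
    not_world_readable "$SHADOW"  || { echo "FAIL: $SHADOW is world-readable"; rc=1; }
    webuser_not_in_group "$SHADOW" || { echo "FAIL: $WEBUSER is in the group owning $SHADOW"; rc=1; }
    is_setuid_root "$HELPER"      || { echo "FAIL: $HELPER is not setuid root"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $WEBUSER cannot read $SHADOW; $HELPER is setuid root"
    return "$rc"
}

# Run the audit only when explicitly requested: RUN_AUDIT=1 sh audit.sh
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit; fi
```

Run it as root on the web host; a non-zero exit means one of the assumptions the PAM approach rests on does not hold there.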