This is based on the step-by-step tutorial showing how to secure a web app with Apache Shiro
We added some functionality to it like:
database schema
user, role en permission management for admins
change password functionality
account lockout on too many logins
audit loging on login
session timeout (configuration)
password encryption (configuration)
password expiration
password policies