Some of this is tricky because it requires a bit of UI (which you don't get out of the box with Shiro)
And for password request, not all realms would support resetting passwords (for example some would require navigating to a different service, others the connection Shiro knows about is read only) Restricting logins should be possible, any realm that uses a 'UsernamePasswordToken' has access to the servletRequest.remoteHost via the 'getHost()' method. Anything that fits in Shiro itself would be welcome, send us a pull request! I know Sonatype's Nexus <https://github.com/sonatype/nexus-public>[1], and a few other projects have password reset support, you could start there. [1]https://github.com/sonatype/nexus-public
