Extending the Standard Security Policy shows how to deny access if the access control list is null. The second example shows how to deny access except during specified hours.

Authenticating a User defines a bean and associated form that presents a login form to a user until their login succeeds, then lists some details about the account they logged in with after the login is successful.