Packages 
Package Description
org.apache.shiro
This package primarily exists as a root classpath distinction, but it does contain two core classes widely used by applications, SecurityUtils and ShiroException.
org.apache.shiro.aop
Components used to support the framework's AOP/interception support classes.
org.apache.shiro.authc
Core interfaces and exceptions concerning Authentication (the act of logging-in).
org.apache.shiro.authc.credential
Support for validating credentials (such as passwords or X509 certificates) during authentication via the CredentialsMatcher interface and its supporting implementations.
org.apache.shiro.authc.pam
Support for PAM, or Pluggable Authentication Modules, which is the capability to authenticate a user against multiple configurable (pluggable) modules (Shiro calls these Realms).
org.apache.shiro.authz
Core interfaces and exceptions supporting Authorization (access control).
org.apache.shiro.authz.annotation
Annotations used to restrict which classes, instances, or methods may be accessed or invoked depending on the caller's access abilities or authentication state.
org.apache.shiro.authz.aop
Contains AOP implementation support classes specifically used for authorization operations, particularly supporting AOP Method Interceptors and JSR-175 metadata Annotations.
org.apache.shiro.authz.permission
Support and default implementations for Shiro's Permission interface.
org.apache.shiro.concurrent
Executor, ExecutorService, and ScheduledExecutorService implementations for transparent Subject association with threads in an asynchronous execution environment.
org.apache.shiro.config  
org.apache.shiro.dao
Package containing various components useful when building Data Access Objects (DAOs), including a generic Data Access Exception hierarchy.
org.apache.shiro.env
Concepts used to represent Shiro's aggregate state in an application.
org.apache.shiro.jndi
Enables accessing objects located in JNDI that might be useful when configuring a Shiro-enabled application.
org.apache.shiro.ldap  
org.apache.shiro.mgt
Provides the master SecurityManager interface and a default implementation hierarchy for managing all aspects of Shiro's functionality in an application.
org.apache.shiro.realm
Components and sub-packages used in supporting the core Realm interface.
org.apache.shiro.realm.activedirectory
Realms that acquire security data from a Microsoft Active Directory.
org.apache.shiro.realm.jdbc
Realms that acquire security data from an RDBMS (Relational Database Management System) using the JDBC API.
org.apache.shiro.realm.jndi
Support for acquiring Realms from JNDI, particularly useful for configuring Shiro in JEE or EJB environments.
org.apache.shiro.realm.ldap
Realms that acquire security data from an LDAP (Lightweight Directory Access Protocol) server utilizing LDAP/Naming APIs.
org.apache.shiro.realm.text
Realms that acquire security data from text-based data sources such as Files or text streams.
org.apache.shiro.session
Components related to managing sessions, the time-based data contexts in which a Subject interacts with an application.
org.apache.shiro.session.mgt
SessionManager components supporting enterprise session management.
org.apache.shiro.session.mgt.eis
EIS (Enterprise Information System)-tier components that can perform CRUD operations for sessions using any EIS API.
org.apache.shiro.subject
Components supporting the Subject interface, the most important concept in Shiro's API.
org.apache.shiro.subject.support
Concrete support implementations of most of the org.apache.shiro.subject interfaces.
org.apache.shiro.util
Your run-of-the-mill 'util' package for components and logic widely used across the framework that can't find their home into a proper OO hierarchy (or, most likely for things used across many hierarchies).