You should first of all study the Orion API. Download the docs from www.orionserver.com
(if you haven't already done so). In the docs bundle you will find the api directory, where the Orion JavaDocs dwell.
Orion has some interfaces and their implementations to implement user management and authentication. They are:
(com.evermind.security.)RoleManager, UserManager, User, Group, etc. Orion's RoleManager, for example, can be retrieved with the following line:
RoleManager manager = (RoleManager)new InitialContext().lookup("java:comp/RoleManager");
With the role manager you can create/remove roles/principals, log in users, etc. (see docs).