If trying to authenticate with wrong credentials Isis Shiro integration logs an ERROR with its complete stacktrace.
This is not an error in the application so I think it should be logged with lower level, e.g. WARN (but even WARN looks too much to me for this normal use case).
The second change that I'd recommend is to not dump the stacktrace.
LOG.error("Unable to authenticate", ae);
LOG.error("Unable to authenticate. Reason: " + ae.getMessage());