Check if a User Is Logged-in With Servlets and JSP

Last updated: January 8, 2024

Written by: baeldung

Reviewed by: Saajan Nagendra

Security

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

Try a 14-Day Free Trial of Orkes Conductor today.

Browser testing is essential if you have a website or web applications that users interact with. Manual testing can be very helpful to an extent, but given the multiple browsers available, not to mention versions and operating system, testing everything manually becomes time-consuming and repetitive.

To help automate this process, Selenium is a popular choice for developers, as an open-source tool with a large and active community. What's more, we can further scale our automation testing by running on theLambdaTest cloud-based testing platform.

Read more through our step-by-step tutorial on how to set up Selenium tests with Java and run them on LambdaTest:

>> Automated Browser Testing With Selenium

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

Try a 14-Day Free Trial of Orkes Conductor today.

Refactor Java code safely — and automatically — with OpenRewrite.

Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.

Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.

Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.

1. Overview

In this tutorial, we’ll learn how to check a user’s login and ensure that the user has filled the login form with valid credentials and started a session. However, we’ll do this without using Spring Security and using only JSPs and servlets. Consequently, we’ll need a servlet container that can support it, like Tomcat 9.

By the end, we’ll have a good understanding of how things work under the hood.

2. Persistence Strategy

Firstly, we need users. To keep it simple, we’ll use a preloaded map. Let’s define it along with our User:

public class User {
    static HashMap<String, User> DB = new HashMap<>();
    static {
        DB.put("user", new User("user", "pass"));
        // ...
    }

    private String name;
    private String password;

    // getters and setters
}

3. Filtering Requests

We’ll start by creating a filter to check sessionless requests, blocking direct access to our servlets:

@WebFilter("/*")
public class UserCheckFilter implements Filter {
    
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
        // ...
        request.setAttribute("origin", request.getRequestURI());

        if (!request.getRequestURI().contains("login") && request.getSession(false) == null) {
            forward(request, response, "/login.jsp");
            return;
        }

        chain.doFilter(request, response);
    }
}

Here, by defining “/*” as our URL pattern on the @WebFilter, all requests will pass through our filter first. Then, if there’s no session yet, we redirect the request to our login page, storing the origin for later use. Finally, we return early, preventing our servlet from processing without a proper session.

To build our login form, we’ll need to import the core Taglib from JSTL. Also, let’s set our session attribute to “false” in our page directive. As a result, a new session is not created automatically, and we can have full control:

<%@ page session="false"%>
<%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c"%>

<form action="login" method="POST">
    ...
</form>

Then, inside our form, we’ll have a hidden input to save the origin:

<input type="hidden" name="origin" value="${origin}">

Next, we’ll include a conditional element to output errors:

<c:if test="${not empty error}">
    * error: ${error} 
</c:if>

Finally, let’s add some input tags so the user can enter and submit the credentials:

<input type="text" name="name">
<input type="password" name="password"> 
<input type="submit">

In our servlet, we’ll forward the request to our login form if it’s a GET. And most importantly, we validate the login if it’s a POST:

@WebServlet("/login")
public class UserCheckLoginServlet extends HttpServlet {
    // ...
}

So, in our doGet() method, we’ll just redirect to our login JSP, passing the origin forward:

protected void doGet(HttpServletRequest request, HttpServletResponse response) {
    String referer = (String) request.getAttribute("origin");
    request.setAttribute("origin", referer);
    forward(request, response, "/login.jsp");
}

In our doPost(), we validate credentials and create a session, passing the User object forward and redirecting to origin:

protected void doPost(HttpServletRequest request, HttpServletResponse response) {
    String key = request.getParameter("name");
    String pass = request.getParameter("password");

    User user = User.DB.get(key);
    if (!user.getPassword().equals(pass)) {
        request.setAttribute("error", "invalid login");
        forward(request, response, "/login.jsp");
        return;
    }
        
    HttpSession session = request.getSession();
    session.setAttribute("user", user);

    response.sendRedirect(request.getParameter("origin"));
}

In case of invalid credentials, we set a message in our error variable. Otherwise, we update the session with our User object.

Finally, let’s create our home page. It just shows session information and has a logout link:

<body>
    current session info: ${user.name}

    <a href="logout">logout</a>
</body>

All that our home servlet does is forward the User to the home page:

@WebServlet("/home")
public class UserCheckServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        User user = (User) session.getAttribute("user");
        request.setAttribute("user", user);

        forward(request, response, "/home.jsp");
    }
}

And this is how it looks:

7. Logging Out

To log out, we simply invalidate the current session and redirect home. After that, our UserCheckFilter will detect a sessionless request and redirect us back to the login page, restarting the process:

@WebServlet("/logout")
public class UserCheckLogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        request.getSession().invalidate();

        response.sendRedirect("./");
    }
}

8. Conclusion

In this article, we went through the creation of a full login cycle. We saw how we now have full control over access to our servlets, using a single filter. In short, with this approach, we can always be sure that there’s a valid session where we need one. Similarly, we could expand that mechanism to implement finer access control.

The code backing this article is available on GitHub. Once you're logged in as a Baeldung Pro Member, start learning and coding on the project.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

Try a 14-Day Free Trial of Orkes Conductor today.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

Try a 14-Day Free Trial of Orkes Conductor today.

Modern Java teams move fast — but codebases don’t always keep up. Frameworks change, dependencies drift, and tech debt builds until it starts to drag on delivery. OpenRewrite was built to fix that: an open-source refactoring engine that automates repetitive code changes while keeping developer intent intact.

The monthly training series, led by the creators and maintainers of OpenRewrite at Moderne, walks through real-world migrations and modernization patterns. Whether you’re new to recipes or ready to write your own, you’ll learn practical ways to refactor safely and at scale.

If you’ve ever wished refactoring felt as natural — and as fast — as writing code, this is a good place to start.