Security Top

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:


1. Overview

In this tutorial, we'll learn how to check a user's login and ensure that the user has filled the login form with valid credentials and started a session. However, we'll do this without using Spring Security and using only JSPs and servlets. Consequently, we'll need a servlet container that can support it, like Tomcat 9.

By the end, we'll have a good understanding of how things work under the hood.

2. Persistence Strategy

Firstly, we need users. To keep it simple, we'll use a preloaded map. Let's define it along with our User:

public class User {
    static HashMap<String, User> DB = new HashMap<>();
    static {
        DB.put("user", new User("user", "pass"));
        // ...

    private String name;
    private String password;

    // getters and setters

3. Filtering Requests

We'll start by creating a filter to check sessionless requests, blocking direct access to our servlets:

public class UserCheckFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) {
        // ...
        request.setAttribute("origin", request.getRequestURI());

        if (!request.getRequestURI().contains("login") && request.getSession(false) == null) {
            forward(request, response, "/login.jsp");

        chain.doFilter(request, response);

Here, by defining “/*” as our URL pattern on the @WebFilter, all requests will pass through our filter first. Then, if there's no session yet, we redirect the request to our login page, storing the origin for later use. Finally, we return early, preventing our servlet from processing without a proper session.

4. Creating a Login Form With JSP

To build our login form, we'll need to import the core Taglib from JSTL. Also, let's set our session attribute to “false” in our page directive. As a result, a new session is not created automatically, and we can have full control:

<%@ page session="false"%>
<%@ taglib uri="" prefix="c"%>

<form action="login" method="POST">

Then, inside our form, we'll have a hidden input to save the origin:

<input type="hidden" name="origin" value="${origin}">

Next, we'll include a conditional element to output errors:

<c:if test="${not empty error}">
    * error: ${error} 

Finally, let's add some input tags so the user can enter and submit the credentials:

<input type="text" name="name">
<input type="password" name="password"> 
<input type="submit">

5. Setting up Our Login Servlet

In our servlet, we'll forward the request to our login form if it's a GET. And most importantly, we validate the login if it's a POST:

public class UserCheckLoginServlet extends HttpServlet {
    // ...

So, in our doGet() method, we'll just redirect to our login JSP, passing the origin forward:

protected void doGet(HttpServletRequest request, HttpServletResponse response) {
    String referer = (String) request.getAttribute("origin");
    request.setAttribute("origin", referer);
    forward(request, response, "/login.jsp");

In our doPost(), we validate credentials and create a session, passing the User object forward and redirecting to origin:

protected void doPost(HttpServletRequest request, HttpServletResponse response) {
    String key = request.getParameter("name");
    String pass = request.getParameter("password");

    User user = User.DB.get(key);
    if (!user.getPassword().equals(pass)) {
        request.setAttribute("error", "invalid login");
        forward(request, response, "/login.jsp");
    HttpSession session = request.getSession();
    session.setAttribute("user", user);


In case of invalid credentials, we set a message in our error variable. Otherwise, we update the session with our User object.

6. Checking Login Info

Finally, let's create our home page. It just shows session information and has a logout link:

    current session info: ${}

    <a href="logout">logout</a>

All that our home servlet does is forward the User to the home page:

public class UserCheckServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        User user = (User) session.getAttribute("user");
        request.setAttribute("user", user);

        forward(request, response, "/home.jsp");

And this is how it looks:

7. Logging Out

To log out, we simply invalidate the current session and redirect home. After that, our UserCheckFilter will detect a sessionless request and redirect us back to the login page, restarting the process:

public class UserCheckLogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) {


8. Conclusion

In this article, we went through the creation of a full login cycle. We saw how we now have full control over access to our servlets, using a single filter. In short, with this approach, we can always be sure that there's a valid session where we need one. Similarly, we could expand that mechanism to implement finer access control.

And as always, the source code is available over on GitHub.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

Security footer banner
Comments are closed on this article!