Most models I've seen rely on some sort of session token for this purpose. IE, once the user has logged in, either the user id, or some random token associated with the user is stored in session. After you've got that much done, a simple
jsp can be included throughout the rest of your jsps that validates that the token is present and is valid.
Session isn't a *bad* thing...it's not something
you should avoid like the black plague, it's just something that you should use judiciously. Something as small as a session token scaled to thousands of simultaneous users will not take a significant toll on the amount of overhead your servers are seeing...