A Servlet Filter is needed to do the login and logout.
Login:
Step 1: Write the login filter and, in the doFilter method, check the user info based on the userID given by the user.
Step 2: If the customer info is not in the DB or any authentication server (LDAP), throw an error message.
Step 3: If the user info is found, create the HttpSession and keep the user info in that session.
Step 4: Every request will come through the login filter, which checks whether the incoming user is valid or not.
Logout:
Step 1: Write the logout filter and check whether any session is alive, then call the session.invalidate() method.
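
The steps above as a sketch in code. This is an added example, not code from the original post. It assumes the javax.servlet 4.0 API (where Filter.init and Filter.destroy have default implementations); the UserStore interface, the "userID" and "password" request parameters, the "userInfo" session attribute and the redirect target are hypothetical names chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical lookup against the DB or LDAP server; returns null when the user is unknown.
interface UserStore {
    Object authenticate(String userId, String password);
}

class LoginFilter implements Filter {
    private final UserStore users;
    LoginFilter(UserStore users) { this.users = users; }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Step 4: a request that already carries a logged-in session passes through.
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute("userInfo") != null) {
            chain.doFilter(req, res);
            return;
        }
        // Steps 1-2: look the user up; reject the request when the lookup fails.
        String userId = req.getParameter("userID");
        Object info = (userId == null) ? null
                : users.authenticate(userId, req.getParameter("password"));
        if (info == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid login");
            return;
        }
        // Step 3: discard any pre-login session so its ID is not reused, then store the user.
        if (session != null) session.invalidate();
        req.getSession(true).setAttribute("userInfo", info);
        chain.doFilter(req, res);
    }
}

class LogoutFilter implements Filter {
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);   // never create a session just to log out
        if (session != null) session.invalidate();     // only when a session is alive
        ((HttpServletResponse) rs).sendRedirect(req.getContextPath() + "/");
    }
}
```

Map LogoutFilter only to the logout URL and LoginFilter to the protected paths; because LoginFilter takes a constructor argument, register it programmatically with ServletContext.addFilter rather than by class name.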