You can find basic information on the J2EE standard security framework in just about any good introductory servlet/JSP book. The author then typically ruins it all by doing an example with a
user-defined login process
The bulk of the security comes from elements you configure in web.xml, including transport security, the login/loginfail pages, and role definitions and their URL mappings. There are also API functions that integrate into the system for assisting in user identification and authorization checking.
Because the front line of defense in j2EE security is the server itself, not the application, you also configure a security provider, called a Realm in the webapp server. Realms are typically plug-replaceable, providing a choice of security providers such as databases, LDAP servers and single-signon security services. Some, such as Tomcat, also have simpler realms that keep their info in files - the Tomcat conf/tomcat-users.xml file is used by the Tomcat MemoryRealm, for example. This one is good for
testing because you don't have to have a formal security service online.
On your other (original) problem, a second look makes me think that you have confused JSTL with EL. When you specify an expression such as "${err}", that's an EL (Expression Language) expression. Normally, the
JSP processor should expand that automatically. In fact, "<c: out value="${err}"/> is redundant since ${err} should do the same thing here.
EL is built into Tomcat 6 and higher releases. It had to be manually included in the WAR for Tomcat 5.5.
My suspicion is that actually your problem is that you didn't declare err as an object in a useBean element, but I don't do much straight JSP these days, so I could be mistaken on that one.