It depends on your requirements. Most shopping cart checkouts are a flow (some support multi-cart, some require more steps, some less steps). If this is the case and the login may be required at more than one step in your flow, you can consider an Interceptor to centralize the logic. Otherwise, you can re-direct them to the login page as part of the shopping cart controller.
Also, some best practice / standard suggestions. I would narrow the scope of your @SessionAttributes annotation to the user form object if that is all you plan to store. I would create another component with the @Service annotation and put the logic for getting the user from the database:
Hopefully you are encrypting your password in the database? If not, highly recommend that
you should, especially in a purchasing capability.
Finally, you may want to add a check to see if the user is already in session; otherwise, you are authenticating them every time.