You'll get better support when you strip out non-essentials from your examples. Anything that won't fit on one screen is more than it's worth my time to read unless I'm being paid for it. Plus, one of the first steps to solving any problem is to simplify it.
Because it's more than my bleary early-morning eyes can read, I can't comment on what you are specifically asking. But I will say this:
J2EE comes with a built-in security system. It's integrated into the J2EE APIs, it's always available, and it was debugged over a decade ago. Which is more than I can say for user-designed login services. Over that same 10 years or so, I can't say I've ever seen a really secure user-designed login, even in the financial systems I've worked with. In your particular case, even if you don't make any of the usual mistakes that even non-hackers can quickly punch through, I think an SQL injection would make soggy papier-mâché out of your security in no time at all.