One option is to use form based authentication as in the following:
Define in the web.xml a login.html page and an error page that is displayed if the username and password is incorrect.
This can be done in the <role> element in tomcat-users.xml.
Define the security roles in the web.xml using the <security-role> element.
All roles must be declared in order to be used in the web.xml and the component code. Each <security-role> tag can contain only one <role-name>.
Defining resource and method constraints
Roles declaration in annotations
Or you could do the same via annotations.
These annotations have the same purpose as those defined in the deployment descriptor but apply to just the servlet on which they are declared. Roles can be declared on any servlet implementing the javax.servlet.Servlet interface.
This annotation is specified on a class, and it is typically used to define roles that could be tested (for example, by calling isUserInRole) from within the methods of the annotated class. This annotation is not used to link application roles to other roles. When such linking is necessary, it is accomplished by defining an appropriate security-role-ref in the associated deployment descriptor. When a call is made to isUserInRole from the annotated class, the caller identity associated with the invocation of the class is tested for membership in the role with the same name as the argument to isUserInRole. If a security-role-ref has been defined for the argument role-name, the caller is tested for membership in the role mapped to the role-name.
Now when someone visits UserServlet/student.jsp or any of it subdirectories they will be directed to the login.html page if they are not currently logged in.