There is a login process that's defined as part of the core J2EE security specification. Every J2EE/JEE server of any consequence, including the lightweight ones like Tomcat and Jetty, supports it. It intercepts all URL requests and automatically handles login as needed, as well as providing role-based access control (RBAC) to URLs. It is a very secure mechanism that has been in place for many years and which can be augmented by secondary (in-app) security frameworks. By blocking many of the worst of the attacks before they can reach application components, it defends the application without the need to design, write, or debug basic security code.
Because it's part of the basic server implementation specs, it's well-documented and well-supported, unlike the "one-off" Do-It-Yourself security systems that almost always have massive holes in them and frequently don't get applied correctly when the app is later updated by people who didn't know anything about the original application specs. It also has functions built right into the J2EE APIs, which is more than can be said for the do-it-yourself stuff.
For about 95% of all interactive web applications, this should be your login system and primary line of defense, regardless of what secondary security you might apply on top of it.