There's login and then there's "login".
When you are using the
J2EE standard authentication system, that's very low overhead and the only time login is likely to be if whatever credentials service your Realm invokes is bogged down. That would normally show up as OS resource overhead.
On the other hand, if you are foolhardy enough to be using a Do-it-Yourself "security" system (perhaps designed by the local genius), all bets are off. In many cases, such systems marshal all sorts of resources when you log in, up to and including yanking in massive amounts of user profile-related data from a database. Systems like this are not merely security exploits waiting to happen (unless you're a
trained full-time security professional, it doesn't matter how "clever" you are, chances are your Pride and Joy can be shredded in 15 minutes or less by a determined invader and often not even a very technically skilled one). In addition to insecurity, they're often not properly load-tested. Too often in-house designed security work is an annoyance rather than the most critical part of the system.
Long story short. If you're using J2EE container security, I can probably help. If you're using a standard package like Spring Security, we have a forum for that, too. But if you're using DIY security, it's ultimately an applications program problem and since there's no standard for application-designed security, you're just going to have to treat it like any other application performance problem.
And, incidentally, I don't think this has anything to do with JNLP Web Start. This question would have been better posted to a server or webapp forum.