By using the JSTL "if" tag, you can code this without any
Java scriptlet code at all.
Regardless, as a login page, a hacker could shred it in little or no time.
Don't write your own login system. Use the
J2EE container security standard or at least a reputable third-party security package. If you're not a full-time trained security professional, it's very, very unlikely that you're going to produce a secure system, no matter how clever you think you are.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.