Not to rain on the parade, but JSTL is just one step away from scriptlets, and scriptlets make the Bear growl.
More tellingly, this looks like a user-designed login/security system. The technical name for user-designed security is "hacked" or "pwned".
JEE provides a very secure container-managed authentication and authorization system along with a security API. In almost all cases, it's what I recommend for managing security.
Unless your job and training is full-time security, there's almost certainly going to be gaping loopholes in anything you design, and by "you design" I also mean the "resident genius" of most corporate shops.
In fact, about 90% of the user-designed systems I've seen could be bypassed by non-technical people in under 15 minutes.
Even professionally-designed security systems often fail, although as far as I know, no one has broken through JEE container security.
And one of the biggest advantages of JEE standard security is that many attacks get repulsed by the container itself, and never get near any vulnerable application code. You can't exploit holes if you can't even reach the holes.
Some people, when well-known sources tell them that fire will burn them, don't put their hands in the fire.
Some people, being skeptical, will put their hands in the fire, get burned, and learn not to put their hands in the fire.
And some people, believing that they know better than well-known sources, will claim it's a lie, put their hands in the fire, and continue to scream it's a lie even as their hands burn down to charred stumps.