Java EE - including
J2EE - has built-in support for page redirection using container-managed authentication and authorization. By including the proper directives in your webapp's web.xml file, you can designate some or all of the URLs directed at your application to be subject to authentication and authorization.
If a URL requires authentication - meaning that the user is not presently logged in - the application server will place that URL request on hold and redirect to a login page, dialog, or other means of obtaining security credentials. Once/if the user has logged in successfully, the original URL request will be taken off hold and processed.
Over time, I've compiled a list of about 10 reasons why writing your own login and security code is an
extremely bad thing to do. I highly recommend letting the Java EE framework do the job for you (yes, one of the 10 reasons is that you probably already have enough work to do anyway).
My experience has been that the Java EE container-based security system is sufficient for most apps, and can be extended easily to handle quite a few more. Rarely is it really necessary to invent your own security, and few people have done the job all that well from what I've seen.
If you absolutely insist on implementing your own security, filters are a good choice. Coding security directly into the application logic is not.