Welcome to the JavaRanch, Rajeshwar!
If you are using the
J2EE standard security framework, the answer to your question about what to code is:
Nothing.
That's because the standard container security framework will monitor all incoming URL requests, and if any attempt is made to access a secured URL, the server itself checks to see if the user is authenticated (logged in), and presents the login page, if he/she is not logged in. That is, in fact, one of the major strengths of the standard security framework. Most "Do It Yourself" security systems can be compromised by merely sidestepping the proper URL sequences.
Technically, the container doesn't "navigate to the login page". Instead, the login page is presented by the container (
not the application) in place of the resource requested in the secured URL, and once the user is logged in, the original URL request proceeds transparently. Because the login page has no true URL of its own and is not handled by the application, but by the server, it must be a simple HTML or
JSP page. Servlet-controlled pages (
JSF,
Struts, and so forth) cannot be used as login pages.
If you're attempting to invent your own login/security system, all bets are off. That's one of the disadvantages of DIY. There's no standard documented, debugged framework.
Another disadvantage of DIY security is that in something like 10 years of J2EE, I've yet to encounter one that's actually secure. Most, in fact, can be cracked by amateur hackers and kids in 5 minutes or less. The J2EE standard system, on the other hand, was designed and implemented by full-time security professionals and has had 10 years to be hardened.