Sometimes we write the whole data source syntax in a JSP page using JSTL, including the username and password. So is this secure or not?
<sql:setDataSource var="dataSource" driver="org.postgresql.Driver" url="jdbc:postgresql://localhost:5433/postgres" user="username" password="password" />
Or how can we reduce this kind of security-sensitive syntax in a JSP page?
The JSP stays on the server and is never visible to the client -- so that's not an issue. However, anyone who has permission to view the files on the server can see this information. But it's no less secure in a JSP than in any other file.
P.S. Using the JSTL SQL tags in anything but "toy" code is not recommended.
If you are going to use the JSTL SQL tags, I would recommend setting up a JNDI DataSource on your server, and referencing that from the sql tag instead of coding the connection details into every JSP page.
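As an added illustration of the JNDI approach described above (this is example configuration, not code from the question or the answers), here is how the connection details can be moved out of the JSP and into the container. It assumes Tomcat 8 or later with its bundled DBCP pool, a resource name of `jdbc/postgres`, and the same PostgreSQL URL as the question; the file paths and pool sizes are illustrative choices.

```xml
<!-- META-INF/context.xml (Tomcat; assumed location and resource name) -->
<!-- The credentials now live here, in a file that only the server
     administrator needs to read, instead of in every JSP page.
     Restrict its filesystem permissions accordingly: this moves the
     secret, it does not remove it from the server. -->
<Context>
    <Resource name="jdbc/postgres"
              auth="Container"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://localhost:5433/postgres"
              username="username"
              password="password"
              maxTotal="20"
              maxIdle="5"
              maxWaitMillis="10000"/>
</Context>

<!-- WEB-INF/web.xml: declare the reference so the application can look
     up java:comp/env/jdbc/postgres (optional on Tomcat, required by the
     servlet spec for portability to other containers) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <resource-ref>
        <res-ref-name>jdbc/postgres</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
    </resource-ref>
</web-app>
```

With that in place the JSP no longer carries any credentials: the `dataSource` attribute of the JSTL SQL tags accepts a JNDI name relative to `java:comp/env`, so a page can use `<sql:setDataSource var="dataSource" dataSource="jdbc/postgres"/>` in place of the tag in the question, or skip `setDataSource` entirely and write `<sql:query var="rs" dataSource="jdbc/postgres">SELECT 1</sql:query>`. On Tomcat 7 the pool attributes are named `maxActive` and `maxWait` instead of `maxTotal` and `maxWaitMillis`.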
I usually use Hibernate in my data layer (about as far removed from the UI as it could possibly be), but if you are going to roll your own JDBC, get it out of the JSP pages and use a DataSource as Stefan recommended.