While using container-managed security would be best, if you are going to roll your own, then it doesn't make any sense to check for it in a JSP.
Firstly, checking in the JSP is too late; by the time a JSP is executed, the controller has done its job and may have done something that should not be allowed if not logged in, or if the logged-in user doesn't have appropriate permissions/role.
Also, does it make sense to have to put this check into each and every location that's a possible entry point into the application?
Of course not.
Rather, a servlet filter should be employed that can check the authentication for each request before any other code executes.