Pretty much any decent book on J2EE that covers JSPs and servlets will have a chapter on configuring the container-managed security system and FORM-based authentication.
They then usually ruin all their good work by presenting demos that have a "login page" done as user code instead of using the container security system. Long experience has taught me that the technical term for user-code logins is "hacked". The container-managed security system has its own pre-debugged login code which is much more secure.
Customer surveys are for companies who didn't pay proper attention to begin with.