no doubt...
The controller does nothing (or should do nothing) but to marshall requests to their proper destinations.
So your login request should be marshalled to a resource (
servlet probably) that does the actual password check and which then sends it back to the controller with a new destination (which could be dependent on the actual user, maybe).