There are all sorts of red flags with this approach.
For one, if you put user folders under ROOT like that then I can go to
http://yourwebsite/users/user1 and access all their files. You *could* protect this with a filter of sorts but the better approach is to create those kinds of things in a folder that isn't web accessible. At the very least, write them to the WEB-INF folder but preferably they'd be placed completely outside of the Tomcat install.
Secondly,
you should really be doing this work in a
servlet, not a JSP.
Please use UBB code tags (the
word code inside of [ ]) when showing code as to preserver your formatting. Looking at it as is, is very difficult.