While using container-managed security would be best, if you are going to roll your own, then it doesn't make any sense to check for it in a JSP.
Firstly, checking in the JSP is too late; by the time a JSP is executed, the controller has done it's job and may have done something that should not be allowed if not logged in, or if the logged-in user doesn't have appropriate permissions/role.
Also, does it make sense to have to put this check into each and every location that's a possible entry point into the application?
Of course not.
Rather, a
servlet filter should be employed that can check the authentication for each request before any other code executes.