Pretty much any decent book on
J2EE that covers JSPs and servlets will have a chapter on configuring the container-managed security system and FORM-based authentication.
They then usually ruin all their good work by presenting demos that have a "login page" done as user code instead of using the container security system. Long experience has taught me that the technical term for user-code logins is "hacked". The container-managed security system has its own pre-debugged login code which is much more secure.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.