Not to rain on the parade, but JSTL is just one step away from scriptlets, and scriptlets make the Bear growl.
More tellingly, this looks like a user-designed login/security system. The technical name for user-designed security is "hacked" or "pwned".
JEE provides a very secure container-managed authentication and authorization system along with a security API. In almost all cases, it's what I recommend for managing security.
Unless your job and training are full-time security, there are almost certainly going to be gaping loopholes in anything you design, and by "you design" I also mean the "resident genius" of most corporate shops.
In fact, about 90% of the user-designed systems I've seen could be bypassed by non-technical people in under 15 minutes.
Even professionally-designed security systems often fail, although as far as I know, no one has broken through JEE container security.
And one of the biggest advantages of JEE standard security is that many attacks get repulsed by the container itself, and never get near any vulnerable application code. You can't exploit holes if you can't even reach the holes.
Loudly announcing something is true and finding out you're wrong makes you feel foolish.
Finding out you're wrong and refusing to admit it makes you LOOK foolish.