If you are using JEE standard container-based security, that's not a problem. The JEE security system puts guards on the URLs using patterns and role relationships that you define in the web.xml, and any attempt to access those URLs will cause the security system to intercept the request and to force a login (authentication) if the user is not already logged in. The security role[s] assigned to the user - if any - will be matched, and thus access will be limited to only users assigned the proper role for that URL.
With container security, you define the login and loginfail form pages in web.xml but you do not code login logic. The login logic is part of the container (security Realm). Users do not issue requests to the login page directly. In fact, if they try, it will fail. Instead, the login page is displayed automatically when a non-authenticated user makes a URL request to a protected URL.
This is a very robust and secure system designed and tested over many years by security professionals. It's part of every JEE server, even the lightweight ones like Tomcat and Jetty, and it's supported by the JEE APIs.
Unfortunately, too many people try to write their own login/security system and then they do encounter problems like the one you worry about. Because security is a chain where the weakest link breaks everything and unless you're professionally trained and not distracted by security as an add-on to the application you're supposed to be writing, I can virtually assure that your grow-your-own security will be cracked open in very short order.
In short, you really shouldn't write your own login code, no matter how clever you are. And I'm afraid that a lot of JEE textbooks like to use user-written login code for examples, which just makes things worse.
Loudly announcing something is true and finding out you're wrong makes you feel foolish.
Finding out you're wrong and refusing to admit it makes you LOOK foolish.