I am going to build an SSO infrastructure which enables one-time log-on for some sites.
Do you have any idea how it works?
I mean the architecture, and how all those sites communicate and ask whether a user is already authenticated. Is there any special protocol for it?
I am familiar with Java and PHP programming; which one best suits an SSO implementation?
Thank you for your response.
Whatever you do, don’t attempt to write your own library unless you have a background in strong cryptography, browser exploits, cookies, and session management. (If you did have a background in these subjects, you likely wouldn’t be asking this question, so I will try to give you some more useful advice.)
For Java, there are two big security libraries available: Spring Security and Apache Shiro:
Spring Security is extremely mature but hyper-flexible. It almost does too much for simple applications, but if you’re already using Spring, it just makes sense to use Spring Security. It’s chock full of features and can do some awesome things if you need highly granular security. It has integrations with CAS (an SSO server) and can authenticate against LDAP, JDBC, and many more. Spring Security is ‘declarative’; it relies on annotations and runtime AOP to inject authorization checkpoints into your app.
Apache Shiro is much simpler: a servlet filter and a .ini file and you’re up and running. It has really simple SSO and remember-me features that are much easier to implement than Spring Security’s. The API is programmatic rather than declarative in nature, which I think is simpler, but it makes your code tightly coupled to the Shiro library.
Either route requires you to stick to mainstream Java patterns and good programming practices. Poor programming elsewhere will nullify any security framework.
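As an added illustration of the programmatic Shiro style the answer describes (this is example code written for this page, not code from the answer or from the Shiro project), the following stand-alone Java program loads a constructed .ini configuration, logs a subject in with the remember-me flag, and then applies the check a practitioner actually wants around SSO and remember-me: sensitive operations require `isAuthenticated()`, never merely `isRemembered()`. It assumes Apache Shiro 1.x (`shiro-core`) on the classpath; the users, roles and permission strings are made up for the example, and the plaintext passwords in the `[users]` section are for illustration only.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

public class ShiroIniDemo {

    // Constructed sample configuration; in a real app this is the shiro.ini file.
    // Plaintext credentials are for illustration only: configure a hashed
    // credentials matcher (or an LDAP/JDBC realm) for anything real.
    private static final String INI = String.join("\n",
            "[users]",
            "alice = alice-pass, admin",
            "bob = bob-pass, user",
            "[roles]",
            "admin = *",
            "user = document:read");

    /** Builds a SecurityManager from the embedded ini and installs it for this JVM. */
    static void bootstrap() {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityManager securityManager = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(securityManager);
    }

    /** Logs the current subject in; returns false on bad credentials instead of leaking why. */
    static boolean login(String user, String password, boolean rememberMe) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(user, password.toCharArray());
        token.setRememberMe(rememberMe);
        try {
            subject.login(token);
            return true;
        } catch (AuthenticationException e) {
            // Do not distinguish unknown user from wrong password to the caller.
            return false;
        } finally {
            token.clear(); // wipe the password chars once Shiro has used them
        }
    }

    /**
     * Guard for a sensitive action. A remembered subject (identity restored from a
     * remember-me cookie, isRemembered() == true) has NOT proven its identity in this
     * session, so we insist on isAuthenticated() in addition to the permission check.
     */
    static boolean mayPerform(String permission) {
        Subject subject = SecurityUtils.getSubject();
        return subject.isAuthenticated() && subject.isPermitted(permission);
    }

    public static void main(String[] args) {
        bootstrap();

        System.out.println("bad password rejected: " + !login("bob", "wrong", false));

        System.out.println("bob logged in: " + login("bob", "bob-pass", true));
        System.out.println("bob may read: " + mayPerform("document:read"));     // true
        System.out.println("bob may delete: " + mayPerform("document:delete")); // false
        SecurityUtils.getSubject().logout();

        System.out.println("alice logged in: " + login("alice", "alice-pass", false));
        System.out.println("alice may delete: " + mayPerform("document:delete")); // true (admin = *)
        SecurityUtils.getSubject().logout();

        // After logout nothing is authenticated, so even a permitted action is refused.
        System.out.println("anonymous may read: " + mayPerform("document:read")); // false
    }
}
```

In a web deployment the same `Subject` calls run behind Shiro's servlet filter, and the remember-me cookie is what `isRemembered()` reflects; the `mayPerform` guard is where the remembered-versus-authenticated distinction pays off, because a stolen remember-me cookie alone then cannot reach the sensitive path.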