I have a very basic login form which accepts a username and password. When the data is submitted, a controller class essentially authenticates the username and password; if the credentials are correct, the user is then forwarded to a membersOnly.jsp which is located in the WEB-INF of the Java EE project. Since content in WEB-INF is only accessible by forwarding and not by redirect, I assume the only way someone can access this information is through the server-side forward.
My question is, how secure is this approach and should I use some other form of security?
You’re using some sort of custom-based authentication, but the Java EE standards define several authentication mechanisms:
With Form-Based authentication you can still use your custom-made form, and delegate password validation to your Java EE Container. Almost every vendor offers credential validation against LDAP servers, database tables and other repositories.
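As an added illustration of the container-managed Form-Based authentication the answer describes (this is example configuration, not code from the original question or answer), the following `web.xml` fragment protects a URL space with a `security-constraint` and delegates the login to the container. The paths `/members/*`, `/login.jsp` and `/login-error.jsp` and the role name `member` are assumptions chosen for the example; the realm that actually validates the credentials (LDAP, database table, etc.) is configured on the application server, not here.

```xml
<!-- web.xml (Servlet 3.1 namespace). Paths and the role name are
     assumptions for this example, not values from the original post. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Every request under /members/ must come from an authenticated
       user who holds the "member" role; the container enforces this
       before any servlet or JSP in that space is reached. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container require TLS for these URLs, so
         the submitted password and the session cookie are not sent in clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM authentication: the container shows your own login page and
       validates the submitted credentials against its configured realm. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare the role referenced by the constraint above. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

The custom login page keeps its own markup but must POST to the container's well-known action `j_security_check` with input fields named `j_username` and `j_password`; the container then performs the validation, establishes the authenticated session, and sends the user on to the originally requested protected URL. Because the check happens in the container for every matching URL pattern, the protection does not depend on each controller remembering to forward rather than redirect, which is the weakness of an ad-hoc WEB-INF-forwarding scheme.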