You can do this declaratively with security constraints in the deployment descriptor.
Essentially, you say 'this set of resources is only accessible by users in a given set of roles using a given set of HTTP methods', as follows:
Resources behind URLs /secured/* are only accessible to authenticated users in the 'admin' role.
    <web-app...>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>secured</web-resource-name>
                <description>Secured pages</description>
                <url-pattern>/secured/*</url-pattern>
                <http-method>POST</http-method>
                <http-method>GET</http-method>
            </web-resource-collection>
            <auth-constraint>
                <description>Administrative users</description>
                <role-name>admin</role-name>
            </auth-constraint>
        </security-constraint>
    </web-app>
It requires some setup (security realms, login form configuration, etc.), but it means that your security setup is not done programmatically; instead it is done in a tool-supported, abstracted, declarative way. This helps keep your code clean and focussed.
Here's the relevant part of the Sun Educational material for Java EE 5. It's a relatively complex and potentially very important topic so I suggest you have a good read through of the material there.
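A fuller descriptor for the constraint above, as an added example that is not part of the original answer. It omits the `<http-method>` elements, because a constraint that lists methods covers only those methods and leaves every other method on the same URLs unconstrained, and it adds the login-form and role declarations the answer mentions. The realm name and the `/login.jsp` and `/login-error.jsp` paths are assumptions.

```xml
<!-- Added example. Realm name and login page paths are assumed placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secured</web-resource-name>
            <description>Secured pages</description>
            <url-pattern>/secured/*</url-pattern>
            <!-- No <http-method> elements: the constraint then applies to
                 every HTTP method, not only GET and POST. On Servlet 3.1+
                 containers, <deny-uncovered-http-methods/> at the web-app
                 level is an alternative when methods must be listed. -->
        </web-resource-collection>
        <auth-constraint>
            <description>Administrative users</description>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- Require TLS so form credentials and the session cookie
                 are not sent in clear text. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <!-- Assumed realm name; it must match a realm configured in the container. -->
        <realm-name>example-realm</realm-name>
        <form-login-config>
            <!-- Assumed pages; keep them outside /secured/* so that
                 unauthenticated users can reach the login form. -->
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Every role named in an auth-constraint is declared here. -->
    <security-role>
        <description>Administrative users</description>
        <role-name>admin</role-name>
    </security-role>

</web-app>
```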