I am trying to implement a login mechanism for a web application using servlets in Java. Generally, authentication and authorization are done by a web service; I just have to detect that the user is not logged in, collect the nick and password, and send them via the web service. Then I receive the token and the user can work with the web application. For now, I have a filter chain which detects if there exists a proper cookie with a token; if not, the login servlet is invoked, the user types the nick and password into the HTML form, clicks submit, the data is passed to the servlet via a POST request, the data is sent to the web service, the token is registered and the user can work with the page. The application works with the HTTPS protocol. If the user puts in the wrong password, the login page should be displayed again with a proper message. It also may happen that the password is out of date, and then, instead of a message, a button that redirects to the page with password change should be displayed. I can recognize if the password is wrong or out of date by the code returned by the web service.
My question is, how should the whole process be done to fulfill the general good rules of login mechanisms, and how to do it in a good manner/convention? I read about configuring login-config in the web.xml file, but I think that I can not do what I described above using web.xml. Also, is it secure to use a simple servlet and JSP form with a POST action? Please give me some advice on how I should implement that kind of login mechanism. I do not want to use Spring or any other frameworks.
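The filter-plus-login-servlet flow described in the question, written out as an added example (not code from the question or from any answer on the page). It assumes the Jakarta Servlet API (Servlet 5+) and Java 17; the `AuthService` interface, its three status codes, the `FakeAuthService` stand-in with its constructed credential pairs, the cookie name `AUTH_TOKEN` and the `/password-change` path are all assumptions made for the example, since the real web service is not on the page. The classes are nested in one file only so the example is self-contained; in a project each would be its own file.

```java
import jakarta.servlet.*;
import jakarta.servlet.annotation.*;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class LoginExample {

    /** Assumed shape of the remote authentication web service: a status code plus a token on success. */
    public interface AuthService {
        enum Status { OK, BAD_CREDENTIALS, PASSWORD_EXPIRED }
        record Result(Status status, String token) {}
        Result login(String nick, String password);
        boolean isValidToken(String token);
    }

    /** Constructed in-memory stand-in so the example runs without the real web service. */
    public static class FakeAuthService implements AuthService {
        private static final SecureRandom RNG = new SecureRandom();
        private final Map<String, String> tokens = new ConcurrentHashMap<>(); // token -> nick

        public Result login(String nick, String password) {
            if ("alice".equals(nick) && "correct horse".equals(password)) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);                                   // 256-bit unguessable token
                String token = HexFormat.of().formatHex(raw);
                tokens.put(token, nick);
                return new Result(Status.OK, token);
            }
            if ("bob".equals(nick) && "old-password".equals(password)) {
                return new Result(Status.PASSWORD_EXPIRED, null);
            }
            return new Result(Status.BAD_CREDENTIALS, null);          // unknown nick and wrong password look the same
        }
        public boolean isValidToken(String token) { return token != null && tokens.containsKey(token); }
    }

    static final AuthService SERVICE = new FakeAuthService();         // shared by filter and servlet
    static final String TOKEN_COOKIE = "AUTH_TOKEN";

    /** Runs on every request; without a valid token only the login and password-change pages are reachable. */
    @WebFilter("/*")
    public static class AuthFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest r = (HttpServletRequest) req;
            String path = r.getRequestURI().substring(r.getContextPath().length());
            String token = null;
            if (r.getCookies() != null) {
                for (Cookie c : r.getCookies()) if (TOKEN_COOKIE.equals(c.getName())) token = c.getValue();
            }
            if (path.equals("/login") || path.equals("/password-change") || SERVICE.isValidToken(token)) {
                chain.doFilter(req, res);
            } else {
                // fixed, context-relative target: never redirect to a URL taken from the request
                ((HttpServletResponse) res).sendRedirect(r.getContextPath() + "/login");
            }
        }
    }

    @WebServlet("/login")
    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            render(req, resp, null, false);
        }

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String nick = req.getParameter("nick"), password = req.getParameter("password");
            AuthService.Result result = SERVICE.login(nick == null ? "" : nick, password == null ? "" : password);
            switch (result.status()) {
                case OK -> {
                    req.getSession().invalidate();      // drop any container session id fixed before login
                    req.getSession(true);
                    Cookie c = new Cookie(TOKEN_COOKIE, result.token());
                    c.setHttpOnly(true);                // not readable by page scripts
                    c.setSecure(true);                  // HTTPS-only app: never send the token in clear
                    c.setPath(req.getContextPath() + "/");
                    c.setMaxAge(-1);                    // session cookie, discarded when the browser closes
                    resp.addCookie(c);
                    resp.sendRedirect(req.getContextPath() + "/");
                }
                case BAD_CREDENTIALS -> render(req, resp, "Wrong nick or password.", false);
                case PASSWORD_EXPIRED -> render(req, resp, "Your password has expired.", true);
            }
        }

        /** Fixed-string messages only; the submitted nick is never echoed back into the page. */
        private void render(HttpServletRequest req, HttpServletResponse resp, String message, boolean changeButton)
                throws IOException {
            resp.setContentType("text/html;charset=UTF-8");
            resp.setHeader("Cache-Control", "no-store");   // credentials page must not be cached
            String ctx = req.getContextPath();
            PrintWriter out = resp.getWriter();
            out.println("<!DOCTYPE html><html><body>");
            if (message != null) out.println("<p>" + message + "</p>");
            if (changeButton) {
                out.println("<form method=\"get\" action=\"" + ctx + "/password-change\"><button>Change password</button></form>");
            } else {
                out.println("<form method=\"post\" action=\"" + ctx + "/login\">Nick: <input name=\"nick\"><br>"
                        + "Password: <input type=\"password\" name=\"password\"><br><button type=\"submit\">Log in</button></form>");
            }
            out.println("</body></html>");
        }
    }
}
```

The points a reviewer would check in this shape of login are visible in the code: the token cookie is `HttpOnly` and `Secure`, the wrong-password and unknown-user cases return the same message, the redirect target is fixed rather than taken from the request, and the expired-password branch shows only the change-password button. Replacing `FakeAuthService` with a client for the real web service, and implementing `/password-change`, is the part the question leaves to the web service.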