Your approach may work. One drawback is if you change your mind and you will want to give access rights to another user or introduce new role, you will have to rewrite it completely. For example you will have to find all references to that jsp and fix the links. If user bookmarked the jsp, it will be not found anymore. Some kind of indirection (mapping access to jsp in configuration file) would be better.
Standard servlet security is not so hard to try. See Oracle documentation. The good news is that servlet API has direct support for it.