@RequestMapping("/login") public String login(String username, String password, HttpSession session) throws Exception { User user = users.findOneByUsername(username); if (user == null) { user = new User(); user.username = username; user.password = PasswordHash.createHash(password); users.save(user); } else if (!PasswordHash.validatePassword(password, user.password)) { throw new Exception("Wrong password"); } session.setAttribute("username", username); return "redirect:/"; }