The problem is here
HttpSession session = request.getSession();
User u = null;
if(session.getAttribute("loggedUser")!=null){
you are looking in the request for any existing session. so for the first time it will return null.
And your doing the
null.getAttribute()
. that is the reason you get the exception.
try this
HttpSession session = request.getSession(true);
It first check if any session exist then return it otherwise create one and return.