please check out the section on securing web application in the EE 6 tutorial
http://java.sun.com/javaee/6/docs/tutorial/doc/bncas.html
you can configure web.xml such that ssl will be used in different ways.
if you define a user-data-constraint, ssl will be used to encrypt the trafffic between
your browser and the server. You can also configure auth-contraint elements to require
user authentication and authorization for corresponding patterns. You can also configiure
CLIENT_CERT as the auth method in login-config; such that the user will be required to
authenticate to the server as part of the ssl handshake to satisfy the specified auth-constraints.
if the above reference does not get you started, you might try attachinging your web.xml
to this thread.
[Message sent by forum member 'monzillo' (ronald.monzillo_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=391252