This topic can be a little tricky so I recommend reading this in a good book like moreservlets by marty hall. or even better, just review chapters 7 and 8 in pdf on the web site -
www.coreservlets.com But basically there are 2 ways
1. Declarative security, in which you configure your applications web.xml and the containers' users file. Then essentially the server takes care of implementing authentication, access restriction and SSL as defined by you. This is easier but suffers from lack of portability, as the process varies for different servers.
2. Programatic security in which some or all of the security is handled by you. this is more portable but requires more work.