Ignoring the client application for the moment, web applications have built-in support for authentication and encryption. If the client was a browser, you could encrypt all traffic and force the client to go through a login screen so that they are authenticated before you give them any data.
This works well when the client is a browser, but is harder if the client is a rich client, since you have to manage the client support for encryption and authentication yourself.
I'm wondering if having a JSP as the interface is the correct way to go. A Servlet would be better, but they are forcing you to communicate over HTTP. I was thinking about providing an EJB as the remote interface and allowing remote connections to this instead. You can still require clients to authenticate, but communication is RMI rather than HTTP. I believe it would make the client significantly easier to write.
Dave