Servers can check to make sure that incoming requests are secure.
If not, they can either throw an exception or (more useful) redirect the user to the same page but with the secure ('https://') scheme.
http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/ServletRequest.html#isSecure()
This can be done programmatically from within your code or declaratively from the security-constraint entry in your deployment descriptor.
There is a link to the Servlet Spec in my signature.
Download the PDF and perform a search with the following criteria: <transport-guarantee>CONFIDENTIAL</transport-guarantee> to learn more about declarative security in J2EE apps.
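
The programmatic check described above, as an added example that is not part of the original post: a servlet filter that passes secure requests through, redirects plain-HTTP GET/HEAD requests to the same path under https://, and rejects other methods. The class name `RequireHttpsFilter` and the `canonicalHost` init-param are assumptions made for this sketch.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RequireHttpsFilter implements Filter {
    // Assumed init-param: the site's own host name, taken from configuration
    // so the redirect target never depends on the client-supplied Host header.
    private String canonicalHost;

    public void init(FilterConfig config) throws ServletException {
        canonicalHost = config.getInitParameter("canonicalHost");
        if (canonicalHost == null || canonicalHost.trim().length() == 0) {
            throw new ServletException("canonicalHost init-param is required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {           // already on a secure channel
            chain.doFilter(req, res);
            return;
        }
        // A redirect cannot un-send a request body that already travelled in
        // clear text, so only GET and HEAD are redirected; the rest are refused.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // Same path and query string, secure scheme, configured host.
        StringBuffer target = new StringBuffer("https://")
                .append(canonicalHost).append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.sendRedirect(target.toString());
    }

    public void destroy() { }
}
```

When TLS is terminated at a proxy or load balancer in front of the container, `isSecure()` describes the proxy-to-container connection, so the container or proxy must be configured to report the original scheme before a check like this is reliable.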