This week's giveaway is in the Java/Jakarta EE forum. We're giving away four copies of Java EE 8 High Performance and have Romain Manni-Bucau on-line! See Also if it were encrypted, the browser wouldn't be able to find your site.
If you put your content behind a directory that can't by viewed directly from the web (such as under WEB-INF), you can then write a servlet that delivers this content.
As pradheesh suggested, a filter would allow you to check a user's session scoped credentials to determine whether a request for a particular resource should be granted or not.
The important part is not so much the filter (which can be used to implement this, but there are other ways as well), but that any access to data is checked against the credentials. Any database query should contain a clause that filters out any data the user is not allowed to see.