The first you need is a Server Certificate. You can get a valid Certificate from Certification Authority (CA) like Thwate, Verisign and many more. But here I will use a self-signed certificate but the process is quite similar for the ones from a Certification Authority (CA).
$ keytool -genkey -alias rsatest -keyalg RSA -keystore server.keystore -keysize 2048 -validity 60
...
Is CN=localhost, OU=MSC, O=MSC, L=Stockholm, ST=Stockholm, C=SE correct?
[no]: yes
Remember that the first and last name should be either your domain address or machine name.
And to view your self-signed certificate:
$ keytool -list -v -keystore server.keystore
Now you need configure your HTTPS Connector.
$JBOSS_HOME/server/$JBOSS_CONF/deploy/jbossweb.sar/server.xml:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
keystorePass="changeit" sslProtocol="TLS" />
There are several more configuration for the Connector which you can read more about here for JBoss 5.1:http://docs.jboss.org/jbossweb/2.1.x/config/http.html
And the latest documentation is found here:
http://docs.jboss.org/jbossweb/latest/config/http.html
The last thing we need is a test application I will leave that as a practice, but I will show one interesting part and that is the web.xml
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>Security Demo</web-resource-name>
<url-pattern>/*</url-pattern>
<!-- Do not specify http-method, since then only specified
http-method will be authenticated, not e.g. JUNK (attack) -->
</web-resource-collection>
<auth-constraint>
<description>These are the roles who have access.</description>
<role-name>ROLE_FOO</role-name>
</auth-constraint>
<user-data-constraint>
<description>This is how the user data must be transmitted.</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>foo-realm</realm-name>
</login-config>
<security-role>
<role-name>ROLE_FOO</role-name>
</security-role>
<session-config>
<!-- Session timeout after X MINUTES after no user interaction. -->
<session-timeout>15</session-timeout>
<cookie-config>
<!-- XSS attack: make sure that cookie cannot be accessed via
client side scripts -->
<http-only>true</http-only>
<!-- CSRF attack, session hijack attack: require cookie can
only be used for SSL communication. -->
<secure>true</secure>
</cookie-config>
<!-- Do not use URL, since then it can be stored in numerous places:
browser history, proxy server log, referrer logs, web logs, etc. -->
<tracking-mode>COOKIE</tracking-mode>
</session-config>
...
</web-app>
Now open you web browser and test your application. To do the same for Tomcat is quite similiar, read more about it in my next blog - http://magnus-k-karlsson.blogspot.se/2012/06/how-to-install-install-and-configure.html.