The Sun Java System Web Server security model is based on an authenticated user session. Once a session has been created, the application user is authenticated (if authentication is used) and logged in to the session. Each interaction step from the servlet that receives a request does two things: generates content for a JSP to format the output, and checks if the user is properly authenticated.
Additionally, you can specify that a session cookie is only passed on a secured connection (that is, HTTPS), so the session can only remain active on a secure channel.
For more information about security, see Chapter 6, Securing Web Applications.