When you tell a J2EE Container that you want to implement data confidentiality and/or integrity, the J2EE spec guarantees that the data to be transmitted will travel over a “protected transport layer connection”. In other words, Containers are not required to use any specific protocol to handle secure transmissions, but in practice they nearly all use HTTPS over SSL.

HTTP request—not secured

The Bad Eavesdropper gets a copy of the HTTP request that contains the client’s credit card info. The data isn’t protected, so it comes over in the body of the POST in a nice readable form. The Eavesdropper is happy.

A secured HTTPS over SSL request

The Bad Eavesdropper gets a copy of the HTTP request that contains the client’s credit card info.

But because it was sent with extra-strength HTTPS over SSL, he CANNOT read the information !!