Can I set Tomcat (or my webapp, if it's done that way) to require SSL for confidentiality of the built-in Form-Based Login mechanism?
i.e. to protect the user's credentials, and use standard HTTP for any other transactions?
You can put your login forms in their own directory and just require SSL for that directory:
<!-- web.xml: every request under /login/ must arrive over a secure channel -->
<security-constraint>
    <display-name>Login Pages</display-name>
    <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <url-pattern>/login/*</url-pattern>
        <!-- No <http-method> element: the Servlet spec applies a constraint
             only to the methods listed, so listing POST alone would leave the
             GET that serves the form itself (and any other verb) unprotected. -->
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL makes Tomcat redirect plain-HTTP requests to HTTPS -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Make sure your login form is in this path:
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <!-- both pages live under the constrained /login/ path -->
        <form-login-page>/login/form_login.jsp</form-login-page>
        <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
</login-config>
Of course, you need to have an SSL connector set up on your Tomcat.
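As an added example (not part of the original answer), here is the pair of Connectors in Tomcat's conf/server.xml that the CONFIDENTIAL constraint above depends on. The keystore path and password are placeholders, and the port numbers are the Tomcat defaults; the attribute names are the Tomcat 8.5/9 SSLHostConfig form.

```xml
<!-- Added example, not from the original answer. Keystore file and
     password are placeholders you must replace. -->

<!-- Plain HTTP connector. redirectPort is what makes a CONFIDENTIAL
     constraint work: when a request for /login/* arrives here over
     plain HTTP, Tomcat answers with a redirect to this port on HTTPS.
     Without redirectPort the constraint cannot be satisfied. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- TLS connector. scheme="https" and secure="true" make
     request.isSecure() true, which is how the container decides that
     the transport-guarantee has been met. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.p12"
                     certificateKeystorePassword="PLACEHOLDER-password"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

To check that the constraint is actually enforced, request the login page over plain HTTP (for example `curl -I http://host:8080/login/form_login.jsp`): the response should be a 302 whose Location header points at `https://host:8443/login/form_login.jsp`, and the same request against the HTTPS port should return the form directly. If the HTTP request returns the form with a 200 instead, either the redirectPort does not match the TLS connector or the URL is outside the constrained pattern.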