I am toying with servlets and jsp. I wanted to create a simple app. Upon entering there would be login page. User could enter his login/password or register himself. I was wondering, if I would want to secure the password from being "intercepted" should I use https? Or is there some other way to secure the password on application level?
If it is only way, is it possible to restrict access to an app only from https? (I am using Tomcat if it is relevant).
You need security for data in motion and data at rest. So you need both. At transport level it is SSL (HTTPS) and at persistence level you normally hash the password with a salt and while displaying you obviously want to mask the entered password.
if I would want to secure the password from being "intercepted" should I use https? Or is there some other way to secure the password on application level?
Yes, HTTPS is designed for exactly this purpose. No, there are not really other ways when you want to use HTTP. To configure HTTPS on Tomcat, read the Tomcat SSL Configuration HOW-TO.
If it is only way, is it possible to restrict access to an app only from https? (I am using Tomcat if it is relevant).
Yes, that's possible. When using container managed authentication, you can force this by setting the transport guarantee to CONFIDENTIAL in web.xml. See also Java EE 6 tutorial - Securing web applications. Tomcat is not relevant here, you only need to make sure that it supports HTTPS, as answered before.
<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
If you're however homegrowing authentication, then you'd need to implement a custom filter which checks if ServletRequest#isSecure() returns false and sends a redirect to the proper HTTPS URL scheme.
