I've configured Tomcat with SSL support and my web application with transport-guarantee "CONFIDENTIAL". With this configuration, when I go to http://localhost:8080/webapp, the server redirects me to https://localhost:8443/webapp. But before the redirect, I enter the username and password through "BASIC" authentication. I wonder whether the username and password are passed encrypted to the server, because the browser's padlock is activated only after the authentication.
If all access to your webapp is configured to require confidential data transport, then there should be no data in the clear. You should test that the browser does not leak the auth header to regular http requests.
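One way to run the check suggested in the answer, as an added example that is not part of the original thread: `classify_plain_http_reply` judges what the plain-HTTP port returns to an unauthenticated request, and `cleartext_auth_requests` scans a browser HAR export for an `Authorization` header sent over `http://`. The function names, the sample capture and its image path are constructed for illustration, and the HAR is assumed to contain request headers unredacted.

```python
import http.client
import json
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def classify_plain_http_reply(status, headers):
    """Judge the reply to an unauthenticated request made to the plain-HTTP port."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and h.get("www-authenticate", "").lower().startswith("basic"):
        return "leak"    # browser would answer this challenge in cleartext
    if status in REDIRECTS and urlsplit(h.get("location", "")).scheme == "https":
        return "ok"      # moved to TLS before any credentials were requested
    return "review"      # anything else needs a manual look

def probe(host, port, path):
    """Send one GET over plain HTTP without following redirects and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_plain_http_reply(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

def cleartext_auth_requests(har):
    """Return URLs in a HAR capture that carried Authorization over http://."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        names = {hd["name"].lower() for hd in req.get("headers", [])}
        if urlsplit(req["url"]).scheme == "http" and "authorization" in names:
            hits.append(req["url"])
    return hits

# Constructed sample capture (not from the original post); values are placeholders.
SAMPLE_HAR = json.loads("""{"log": {"entries": [
  {"request": {"url": "http://localhost:8080/webapp", "headers": []}},
  {"request": {"url": "https://localhost:8443/webapp",
               "headers": [{"name": "Authorization", "value": "Basic <redacted>"}]}},
  {"request": {"url": "http://localhost:8080/webapp/img/logo.png",
               "headers": [{"name": "Authorization", "value": "Basic <redacted>"}]}}
]}}""")

if __name__ == "__main__":
    print(classify_plain_http_reply(302, {"Location": "https://localhost:8443/webapp"}))
    print(classify_plain_http_reply(401, {"WWW-Authenticate": 'Basic realm="webapp"'}))
    print(cleartext_auth_requests(SAMPLE_HAR))
```

Against a running instance, `probe("localhost", 8080, "/webapp")` applies the first check to the live server; a result of `leak` means the BASIC challenge is issued before the redirect to HTTPS.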