It completely depends upon:
* The resources you have available (hardware, management of infrastructure)
* The distribution of work (a huge website with tiny J2EE involvement, huge J2EE operation with a tiny management website)
If you were looking at how to best handle the available work completely within software within a single host, with the option of scaling up later, the breakdown is:
1) HTTP Accelerator / content cache (www.squid-cache.org in http_accel mode)
2) HTTPD Apache (general purpose webserver doing SSL)
3) Tomcat (connected to apache with mod_jk)
I've never used SSL from Tomcat; I believe the SSL cipher routines are not in native machine code, and OpenSSL+mod_ssl goes to great lengths in providing performance in this area. If my beliefs are correct, I wouldn't entertain the idea of the JVM being taxed with the trivial work of volume encryption.
However, if your website was serving 95% static content, 4% dynamic and 1% SSL, and during the peak of your day the machine wasn't really heavily loaded, then maybe Tomcat/SSL would work for you.
With the mod_jk connector (ApacheHTTPD<>Tomcat), all of the SSL attributes that are available to your servlet (when Tomcat does SSL itself) are retained across the connector (even when the Apache/HTTPD is on a different machine). So from a scalability point of view, if you have a lot of SSL processing you can commission a fleet of ApacheHTTPD+mod_ssl+mod_jk machines at the frontend of a single JBoss/Tomcat system to offload the SSL processing.
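Added example, not part of the original post: a servlet filter that reads the standard Servlet-spec SSL request attributes, which is how an application behind the connector would see the cipher, key size and client certificate negotiated at the front end. The class name, the 128-bit threshold and the `app.clientSubject` attribute are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: name and policy values are assumptions, not from the thread.
public class SslAttributeFilter implements Filter {
    private static final int MIN_KEY_BITS = 128; // assumed policy threshold

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Attribute names defined by the Servlet specification. They are set by
        // Tomcat's own SSL connector, or from the values forwarded by the
        // front-end web server when SSL is terminated there.
        String cipher = (String) req.getAttribute("javax.servlet.request.cipher_suite");
        Integer keySize = (Integer) req.getAttribute("javax.servlet.request.key_size");
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

        HttpServletResponse http = (HttpServletResponse) res;
        if (!req.isSecure() || cipher == null) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        // A missing key size is treated as a failure rather than assumed strong.
        if (keySize == null || keySize.intValue() < MIN_KEY_BITS) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "Cipher too weak");
            return;
        }
        // certs is null unless the client presented a certificate.
        if (certs != null && certs.length > 0) {
            req.setAttribute("app.clientSubject",
                    certs[0].getSubjectX500Principal().getName());
        }
        chain.doFilter(req, res);
    }
}
```

Because these values are whatever the connector delivers, the AJP port on the Tomcat side should accept connections only from the front-end hosts.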
Just a quick reply thanking you for taking the time to respond! Your thoughtful reply to my post is most appreciated... I'll take your points into consideration as I work through configuring SSL over JBoss. I've decided to not use Apache as the primary Web server (at least at this time). If you have any suggestions on how to implement SSL over the JBoss/Tomcat bundle, please share!