<web-resource-name>Web Service Security Resource</web-resource-name>
Note that the <user-data-constraint> element must come after the <auth-constraint> element.
In addition, you need to enable HTTPS on the server that deploys the web service. On the Sun Java System Application Server, you do this by adding the emboldened element below to the <security-role-mapping> that you defined in Web Service Security: Three Steps:
For the Tomcat Web Server, you need to edit the server.xml file as described here (and also in Tomcat's own SSL Configuration HOW-TO). I don't know how it works for other servers, such as JBoss, but in each case you need to do something to enable the server to work with HTTPS.
Then, when a client attempts to connect to the web service (and also the first time you deploy the web service), you get this slightly forbidding looking certificate:
Using the JDK's Keytool application, you can create and manage your own certificates. So far, I'm just using the standard certificate provided by the Sun Java System Application Server. I'll be looking at creating my own soon.