I think the main thing is ensuring that static resources loaded over SSL are getting cached, providing this meets your security
requirements. I've got a filter that sets up headers for the HTTP response such that .xhtml pages don't get cached, and static
resources do get cached:
response.setHeader("Cache-Control", "max-age=31536000, public, must-revalidate"); // only for static resources
I think the inclusion of "public" is important for HTTPS. Using a good browser like Chrome or Firefox you can see if the resources
are reloading from the server every time, or loading from cache. One thing that can be very confusing is that with the Chrome
browser F5 will circumvent the browser cache; it's often thought that only Ctrl+F5 does this. To mimic a normal navigation, click
into the browser URL window and press return.
Write a CacheHeaderFilter (take a look at Servlet Filters, http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html) and map it in your web.xml to *.gif, *.jpg, *.css and so on (to all static file extensions that apply).
Another possibility might be using Apache HTTPd with mod_spdy (a very performant secure protocol, but only in use by Google Chrome).
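
The filter described in the posts above, written out as an added example (not code from any poster in this thread). It assumes the javax.servlet API from the linked Java EE 6 docs, a single `/*` filter mapping in web.xml instead of one mapping per extension, and a hypothetical extension list.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumption: mapped to /* in web.xml so it sees both pages and static files.
public class CacheHeaderFilter implements Filter {
    // Assumed extension list; adjust to the static files the application serves.
    private static final Set<String> STATIC_EXT =
            new HashSet<String>(Arrays.asList("gif", "jpg", "png", "css", "js"));

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Drop path parameters such as ";jsessionid=..." before reading the extension.
        String path = request.getRequestURI().split(";", 2)[0].toLowerCase(Locale.ROOT);
        String ext = path.substring(path.lastIndexOf('.') + 1);

        if (STATIC_EXT.contains(ext)) {
            // Header from the post: cacheable for one year, also by shared caches.
            response.setHeader("Cache-Control", "max-age=31536000, public, must-revalidate");
        } else if ("xhtml".equals(ext)) {
            // Pages can carry per-user data: keep them out of browser and proxy caches.
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0);
        }
        chain.doFilter(request, response); // headers set before the response is committed
    }

    @Override
    public void destroy() { }
}
```

If static resources are served through URLs that themselves end in .xhtml, they fall into the no-store branch here and need their own rule.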