For what it's worth...
For production use, I've come to the point where I do *NOT* like
implementing SSL solutions directly in Java. The extra overhead,
hassles, etc. just aren't worth it in general. For example, for both
Krugle and MarkMail, we have SSL (à la HTTPS) handled directly by the
load-balancers and everybody behind them is blissfully unaware, and
this makes the management of all of the backend servers much, much
cleaner, easier, faster, etc.
Of course, if you're doing really sensitive stuff and need finer
granularity (medical, financial, etc.) then you're stuck and need to
do that, but in those cases you're already stuck dealing with a lot of
threats that you can't take for granted anyways so the Java-specific
hassles aren't such a big issue. [But I shall refrain from going off
on my tirade about big complicated SSL installations that then talk to
an unencrypted database over an unencrypted connection.] :-)
Hope this helps,
John