1) Is Base64 secure? [Pete] No. You need to use HTTPS for the actual transmission in order for it to be secure. Base64 is merely a way to obfuscate strings to make them not immediately human readable, i.e. in server logs etc.
2) What's the standard model of authentication in RIA? I mean.. I figure out that the process works this way: I create a JSP login.jsp file that receives username and password (HTTPService) enconded through Base64 and decode it. Ok. After that my JSP file put in the session that there's an user logged. [Pete] Close, but not quite. You really should be authenticating into the J2EE web application container itself so that you're not responsible for managing sessions or authenticating credentials. Just lock down resources with a security constraint in /WEB-INF/web.xml with auth-method set to "FORM" so that you can POST the username and password on login via HTTPService.