This is true. By default HTTP is stateless protocol. Inorder to identifies client who participates in session, Java EE container/server must support cookies.
2. Java EE containers must support URL rewriting.
This is wrong. Not must. It is optional. If the container supports url rewriting, adding 'jsessionid:....' to each urls in the application takes time. If the application includes many pages and many of the urls it takes even much time. Dealing with them slows down the application. I think because of this supporting 'url rewriting' for Java EE containers is optional.
3. Java EE containers must support the Secure Sockets Layer.
This is true. Java EE containers guarantees data integrity/confidentiality. If our 'web.xml' includes
and if we made a request to the constrained resourse, container sees the above element and it redirects to the client, turn on the SSL, which is above the Transport layer. And if the client comes up to the server by turning on the SSL(come up with https protocol), then only login form will be sent to the client. This behaviour is guranteed by Java EE containers.