OK, first it should be clear that authentication and is not the same as securing the data transport!
Authentication is the process of determining the user's identity. This should be done by the container (Tomcat) and is configured with the <auth-constraint> element sitting on the same level as the <user-data-constraint> element which will be used for securing the data. You can chose between different authentication mechanisms (HTTP basic or digest authentication, form login) which is in your case most probably a form login on the login page. Tomcat automatically redirects to this page if the user tries to access another page which requires an authenticated user. The pages which need authentication are defined via an URL pattern(s) inside a <web-resource-collection> element. Note: all the side elements are inside a <security-constraint> element.
Securing data transport with SSL is another thing. This is needed to protect the data transferred between the browser and web server. It works similar to authentication in regard to the definition of one or more URL patterns which should be protected. With a normal web application you usually define a <user-data-constraint> element which configures what kind of of security is needed. Usually you will define <transport-guarantee>CONFIDENTIAL</transport-guarantee> where "confidential" means SSL encryption for virtually all web applications (although other settings would be possible).
So you have to configure the authentication part to trigger authentication for any page (or all pages) which should only be accessed by a user who has logged in correctly.
Additionally you declare confidential data transport for the same or other pages or only the login page which instructs Tomcat to redirect the browser to a HTTPS URL schema when such a page is accessed.
Have a look at
Sun's documentation for a more detailed explanation of all the configuration elements ;-) It's hard to explain this here in text mode how all the elements fit together and are nested inside each other.
As warning I already told you that it's NOT sufficient to use SSL only for the login page IF you use HTTP basic authentication (this is the well-known popup where the browser asks you for a username or password). This would be insecure because the password, which is almost in cleartext, is not only transmitted to the login page but to all subsequent pages which require authentication. You DON'T have to worry about this if you have an extra login page with some form to type in the username and password.
I hope this helps, but as an advice read the documentation to fully understand what you're doing here!
Marco