I've just set up a proxy and run all my request through that proxy.
I investigated several different applications: they pass login and password pair raw, i.e. I can grab them from POST-request parameter.
How should it be implemented to make it more secure? (I haven't investigated gmail and facebook yet, but I think they don't have this issue. Otherwise any Internet-cafe can collect all accounts of its customers, for example).
P.S. I investigated sites written in JSP and GWT.
if you're using a web server why not just turn on SSL? (i.e. in the web config file specify you want SSL on - see you server's docs for that)
I agree with the other answers: Use HTTPS (TLS). It will secure the transmission, including defense against replay-attacks, man-in-the-middle etc. Though nothing is perfect (see e.g. TLS Renegotiation Attack), you can consider TLS to be very mature.
But considering your statement:
any Internet-cafe can collect all accounts of its customers
Yes, unfortunately that's still true, even if you use HTTPS: Any internet cafe can install keyloggers, a modified browser, ...
So is it enough for you to secure the channel, or do you also need to authenticate clients? You can do that with HTTPS, too - but this will mean, that you'll have to create client certificates and install them on the machines (user accounts) you trust. Depending on your requirements (high security, only company users, ...), this may be a good approach, or not (e.g. a web site for the general public).