We are developing a web application that contains a small part that requires SSL. Its a fairly decent sized site (1000 files) and I was wondering how best to go about isolating the parts of the web app that require SSL. I have had a trawl through the archives and this seems to be a fairly common request but I havent as yet found an answer. Basically what I would like to do is - be able to share sessions between the secure and non-secure parts of the web-app(s) - be able to 'seamlessly' allow the user to navigate through the secure and non-secure parts of the app - be able to specify in some declarative way using some sort of URL pattern what parts of the web app require SSL. For example, I dont ever want to have to manually specify 'https' or 'http' in a hyperlink on a page, sendRedirect or forward(). This is especially important because different clients may want different portions of the web app secured. Thanks Matt