I have form-based authentication in my web.xml that requires HTTPS - has <transport-guarantee>CONFIDENTIAL</transport-guarantee>. In my opinion, one of the beautiful things about declarative security is that users can have bookmarks and return to the same location, and be prompted.
My problem is that (1) I'm using the latest nightly build of struts ;) and (2) I only want to use https for the login, and http for everything else. I'm using Tomcat 4.0.1. 1. I'd like requests to my secure resources to be automagically routed to https://<secure resource path> even if they request http://<secure resource path>. Is this possible? 2. Once they've been authenticated, I'd like to switch them back to http://<secure resource path>. Is this possible? I wrote a small mockup for this using return new ActionForward(unsecureURL, true) to do a redirect and I got a warning from my browser that I was leaving a secured resource - and this was just after hitting "Login" doesn't look good to the user. But alas, this is how Yahoo Mail does it - so I can always argue that, right ;) Thanks, Matt