4 Replies Latest reply on Aug 16, 2005 7:51 AM by ccheng

    SSL & js_security_check problem

    tquas

      I'm running JBoss 4.0.1SP1 on Linux.

      Scenario: I have two JSPs under <transport-guarantee>CONFIDENTIAL</transport-guarantee>: login.jsp and remember.jsp. The former contains a form which upon submit redirects to the latter:

      <form method="POST" action="secure/remember.jsp">
        <input type="text" name="j_username"/>
        <input type="password" name="j_password"/>
      </form>

      Remember.jsp only contains some code to store data in the HTTP session object and immediately redirect to 'j_security_check' with 'j_username' and 'j_password' appended:

      // ...
      String route = "j_security_check?j_username=" +
      URLEncoder.encode( username ) + "&j_password=" +
      URLEncoder.encode( password );
      response.sendRedirect( response.encodeRedirectURL( route ) );


      I have this all working insofar as, when I enter the application, the server redirects me to login.jsp. After submitting the form, the server changes to SSL mode, asking me to accept the certificate. I do that, and all of a sudden the server gets stuck on page remember.jsp. The URL in the browser window shows https://localhost:8443/app/secure/remember.jsp; something it should actually never do.

      Just to make sure, I turned off SSL for the JSPs by commenting out the relevant <security-constraint>, and voila, it works as expected. Instead of being stuck on remember.jsp, the browser enters the requested application page.

      Looks to me like j_security_check does recall a user requested page under HTTP but not under HTTPS!?

      Any help appreciated.
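
      A server-side check for the flow described in the post above, where remember.jsp redirects to j_security_check with j_password in the query string: the redirect target becomes a GET request line, which an access log records even when the transport is HTTPS. This is an added example, not code from the original post; the Common Log Format lines, the sample credentials and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters that must never appear in a logged request line.
SENSITIVE = ("j_password",)

# Constructed sample lines in Common Log Format (not from the original post).
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2005:10:00:01 +0000] "POST /app/secure/remember.jsp HTTP/1.1" 302 -
127.0.0.1 - - [01/Jan/2005:10:00:01 +0000] "GET /app/secure/j_security_check?j_username=alice&j_password=s3cr%26t HTTP/1.1" 302 -
127.0.0.1 - - [01/Jan/2005:10:00:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 1234
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MASK_RE = re.compile(r'([?&](?:%s)=)[^&\s"]*' % "|".join(map(re.escape, SENSITIVE)))


def leaked_params(target):
    """Return the sensitive parameter names found in a request target's query string."""
    query = urlsplit(target).query
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names.intersection(SENSITIVE))


def find_credential_requests(log_text):
    """List (line number, method, path) for requests that carry credentials in the URL."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match and leaked_params(match.group("target")):
            path = urlsplit(match.group("target")).path
            hits.append((number, match.group("method"), path))
    return hits


def redact(line):
    """Mask the values of sensitive query parameters so the line can be retained."""
    return MASK_RE.sub(lambda m: m.group(1) + "REDACTED", line)


if __name__ == "__main__":
    for number, method, path in find_credential_requests(SAMPLE_LOG):
        print(f"line {number}: {method} {path} carries credentials in the query string")
        print(redact(SAMPLE_LOG.splitlines()[number - 1]))
```

      The POST to remember.jsp is not flagged because its credentials travel in the request body, which the request line of an access log does not contain.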