2 Replies Latest reply on Feb 28, 2003 9:56 PM by greening

    Transport-guarantee confidential with FORM auth: How to reve

    greening

      I'm using port redirection with JBoss 3.0.6, so that if someone requests login.jsp through HTTP, the browser is redirected to an HTTPS protocol version (i.e., the login.jsp web application resource has a <transport-guarantee> of CONFIDENTIAL).

      I'm also using FORM based authentication to automatically go to login.jsp if the user has not yet authenticated on "normal" pages.

      The idea is that I don't want to have the user's password revealed during the login (hence confidential transport guarantee), but I also don't think the normal page content is confidential, and I'd like the transport for normal pages to be fast. This HAS to be a common scenario.

      OK, so this all works fine up to and through the login process. However, when JBoss/Jetty redirects to the originally requested page, everything is now in HTTPS mode. I can manually go into non-SSL mode by typing the http://... URL of the "normal" page, and since I'm still authenticated it works fine.

      Shouldn't temporary redirects to an SSL-protected form pop back to non-SSL when going to the requested resource? After all, if I wanted my normal resources in SSL, I would have marked them as CONFIDENTIAL. Is there a recommended way to accomplish this goal?

      What am I doing wrong? I've searched everywhere for information on this, and I must be missing something.

        • 1. Re: Transport-guarantee confidential with FORM auth: How to
          greening

          More info: I think the problem has something to do with the fact that Jetty pushes the previous URI into a session variable called "org.mortbay.jetty.URI", AFTER stripping off the protocol, host and port from the URI it came from.

          In other words, there doesn't seem to be any way for the FORM authentication to find out what protocol and port to go back to. I hate to introduce a hack in my application, like actually assembling the correct non-relative URL with a protocol, hostname and port from some properties file--that would make my app much more brittle.

          Ugh. Any hints would be greatly appreciated.

          • 2. Re: Transport-guarantee confidential with FORM auth: How to
            greening

            It's always fun to answer your own questions:

            This was a problem in Jetty. I submitted a patch, and presumably this will come out in Jetty 4.2.9.

            Have fun in life!