I use JBoss 7.1.1.Final and in my Java EE 6 application (JSF 2.0, CDI) I would like to switch from http to https on certain pages (e.g. login page, but not only that one). I accomplish this but now I need to switch back from HTTPS to HTTP (e.g. after I login and I don't need HTTPS anymore).
I setup my web.xml as follows (this ensures that those 2 pages will be forced to HTTPS)
<security-constraint> <web-resource-collection> <web-resource-name>SecureConnection</web-resource-name> <url-pattern>/login.xhtml</url-pattern> <url-pattern>/private/profile.xhtml</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
However, I need all other pages to be on HTTP. I tried to add following element to my web.xml:
<security-constraint> <web-resource-collection> <web-resource-name>UnsecureConnection</web-resource-name> <url-pattern>/welcome</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint>
Unfortunately, this approach doesn't work -- the HTTP is not forced and e.g. after login, the HTTPS remains.
Do you know about any solution for this problem? Thanks