Try putting this in your web.xml and set the <url-pattern>/*</url-pattern> to your secured site:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No http-method elements here: listing GET, PUT and POST would leave
         every other method outside this constraint. With none listed, the
         constraint applies to all HTTP methods. -->
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes the container require an encrypted transport -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
You have to enable SSL in your Tomcat as well.
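A check for a descriptor of this kind, as an added example that is not part of the original post: it reports any CONFIDENTIAL constraint that names individual `<http-method>` elements (the constraint then covers only those methods) and whether `/*` is covered for all methods. The sample descriptor and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not taken from a real application).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL Pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip the XML namespace so the check works for any web.xml schema version."""
    return tag.rsplit("}", 1)[-1]


def texts(elem, name):
    """Text of every descendant element called `name`."""
    return [(c.text or "").strip() for c in elem.iter() if local(c.tag) == name]


def audit_transport(web_xml):
    """Return a list of findings about HTTPS enforcement in a web.xml string."""
    root = ET.fromstring(web_xml)
    findings, whole_site_covered = [], False
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        if "CONFIDENTIAL" not in texts(sc, "transport-guarantee"):
            continue  # this constraint does not require an encrypted transport
        for wrc in (e for e in sc if local(e.tag) == "web-resource-collection"):
            patterns = texts(wrc, "url-pattern")
            methods = texts(wrc, "http-method")
            if methods:
                findings.append(f"{patterns}: only {methods} are forced to HTTPS; "
                                "other methods are not covered by this constraint")
            elif "/*" in patterns:
                whole_site_covered = True
    if not whole_site_covered:
        findings.append("no CONFIDENTIAL constraint covers /* for all methods")
    return findings
```

`audit_transport(open("WEB-INF/web.xml").read())` returns an empty list when the whole site is forced to HTTPS for every method; the check does not look at `<http-method-omission>`.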
Not being the original poster I can't be sure of what he wanted, but what I think he wanted (and would like to do myself) is to access the exact same pages as before login (plus those that the user now has access to, of course) but through https. So there isn't really a specific url-pattern to use here. What I want to do is basically just insert an 's' into the URL.
Why do you want the site insecure before login and secure after login? I think the easiest way is to make a page commonly secure or not (if private information is entered, the page should be secure in general).