If I need sticky HTTP sessions, then my hardware load balancer needs to have a ssl decoder to handle the https requests. However by doing that, how can I enforce container security for my web app when the request arriving at the servlet container is plain http ? How can I enforce exclusive https access this way ? Must I configure the in the firewall after the HW load balancer ? Or can I just don't worry about session stickiness in JBoss's clustered environment due its HTTPSession replication assurances ?