Posted to user@struts.apache.org by Matt Raible <ma...@raibledesigns.com> on 2002/02/19 23:38:27 UTC

[OT] Form-based-authentication and HTTPS

I have form-based authentication in my web.xml that requires HTTPS - has
<transport-guarantee>CONFIDENTIAL</transport-guarantee>.  In my opinion,
one of the beautiful things about declarative security is that users can
have bookmarks and return to the same location, and be prompted.

My problem is that (1) I'm using the latest nightly build of Struts ;)
and (2) I only want to use https for the login, and http for everything
else.

I'm using Tomcat 4.0.1.

1.  I'd like requests to my secure resources to be automagically routed
to https://<secure resource path> even if they request http://<secure
resource path>.  Is this possible?
2.  Once they've been authenticated, I'd like to switch them back to
http://<secure resource path>.  Is this possible?  I wrote a small
mockup for this using return new ActionForward(unsecureURL, true) to do
a redirect and I got a warning from my browser that I was leaving a
secured resource - and this was just after hitting "Login".  It doesn't
look good to the user.  But alas, this is how Yahoo Mail does it - so I
can always argue that, right ;)

Thanks,

Matt
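
The setup described in the message above, sketched as an added example (not the poster's actual web.xml): a Servlet 2.3 deployment descriptor combining form-based login with a CONFIDENTIAL transport guarantee. The URL pattern, role name and JSP paths are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure area</web-resource-name>
      <!-- Assumed path. The constraint covers every request that
           matches this pattern, not only the login exchange. -->
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role name; must match a security-role below. -->
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Requires a confidential transport (HTTPS in practice) for
           the resources above. Because it is tied to the URL pattern,
           the same path cannot later be served over plain HTTP while
           this element is present. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- Assumed page names. The login form posts to
           j_security_check with j_username and j_password. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Caveat for the "back to http after login" design: the session
       identifier created during the HTTPS login is then sent in clear
       text on every HTTP request, so anyone who can observe the
       traffic can reuse the authenticated session. -->
</web-app>
```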