I am using form-based authentication. With this, I want only the login page to use SSL when the user enters his password. After successful authentication the user should be using normal http and not https.
I am using WebLogic 7 and have enabled https on port 7002. In my application, web.xml looks like this:
    <user-data-constraint>
        <description>Specify how user data is to be transferred</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
The problem is that all the URLs specified in the <url-pattern> elements (<url-pattern>/jsp/error/*</url-pattern>, <url-pattern>/jsp/navigation/*</url-pattern>) will now run under https, which, if possible, I want to avoid.
Can we do something where we use selective https for some links in the site and then use http for others?
First off, why shouldn't the application use HTTPS everywhere? If it is important enough to require a password (which furthermore should not be snooped since you require HTTPS), then isn't the whole thing important enough to run on HTTPS? Have you done load tests to ascertain that the server can't handle an all-HTTPS web app? Or is there some other reason?
If you're still set on using HTTPS just for the login page, then don't declare anything in the web.xml. Just check in the login page that it is accessed over HTTPS (and redirect to its HTTPS URL if it isn't), and then forward to an HTTP URL from there.
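The check described in the reply above, sketched as an added example (not code from the thread), using redirects in both directions. The class and method names, the host name and the plain-HTTP port 7001 are assumptions; 7002 is the HTTPS port from the question.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper for a login page that must be served over HTTPS only. */
public final class LoginTransport {
    // Placeholder host, configured here rather than taken from the request's Host header.
    static final String HOST = "www.example.com";
    static final int HTTPS_PORT = 7002; // from the question
    static final int HTTP_PORT = 7001;  // assumed plain-HTTP listen port

    private LoginTransport() {}

    /** Builds an absolute URL on the given scheme and port for a server-side path. */
    static String absolute(String scheme, int port, String path) {
        return scheme + "://" + HOST + ":" + port + path;
    }

    /**
     * Call first thing in the login page, before any output is written, e.g. in a JSP:
     *   if (LoginTransport.requireHttps(request, response)) return;
     * Returns true when a redirect was sent and the page must stop rendering.
     */
    public static boolean requireHttps(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        if (req.isSecure()) {
            return false; // already on SSL: render the password form
        }
        String path = req.getRequestURI();
        if (req.getQueryString() != null) {
            path += "?" + req.getQueryString();
        }
        res.sendRedirect(absolute("https", HTTPS_PORT, path));
        return true;
    }

    /** After a successful login, sends the browser to an application page over HTTP. */
    public static void continueOverHttp(HttpServletRequest req, HttpServletResponse res,
                                        String appPath) throws IOException {
        // appPath must be chosen by the application, never read from a request
        // parameter, otherwise this becomes an open redirect.
        if (!appPath.startsWith("/") || appPath.startsWith("//")) {
            throw new IllegalArgumentException("context-relative path required");
        }
        res.sendRedirect(absolute("http", HTTP_PORT, req.getContextPath() + appPath));
    }
}
```

Once the browser is back on HTTP, the session cookie set during the HTTPS login is sent unencrypted on every request, so this arrangement protects the password but not the authenticated session.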