Using security constraints in the web.xml, I know how to automatically switch from HTTP to HTTPS if a user goes to a resource in a non-secure way which needs to be secure. An obvious example of this is a user login page. See the snippet from web.xml below. This snippet will automatically redirect the browser to HTTPS for any resources in /admin/public/*
Now, however, after the user is logged in I want to switch out of HTTPS and back to regular old HTTP. I tried putting in a new security constraint with transport-guarantee = NONE but this didn't work. Any suggestions?
Java EE Evangelist — Author, EJB 3 in Action 2nd Edition — Java Community Process Member
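
As an added illustration (not the poster's snippet, which is not reproduced on this page), this web.xml shows a CONFIDENTIAL constraint of the kind described next to a NONE constraint, and why the latter does not move the browser back to HTTP. The `/admin/private/*` path, the resource names and the `session-config` block are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Constraint of the kind the post describes: a plain-HTTP request for
       /admin/public/* is redirected by the container to its HTTPS port. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name> <!-- assumed name -->
      <url-pattern>/admin/public/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- NONE means "no transport requirement": the container accepts the
       request over whichever scheme it arrived on. It never issues a
       redirect, so a browser that is already on HTTPS stays on HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Post-login pages</web-resource-name> <!-- assumed name -->
      <url-pattern>/admin/private/*</url-pattern> <!-- assumed path -->
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Assumed addition (Servlet 3.0+): mark the session cookie Secure and
       HttpOnly. A Secure cookie is not sent over plain HTTP, so a session
       created during the HTTPS login is not exposed on HTTP pages. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

Because `transport-guarantee` only sets a minimum, any move back to HTTP would have to be an explicit redirect in application code, and the session established over HTTPS would then travel in cleartext unless the cookie is marked Secure as above.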