Please refer to HFSJ 2nd edition, page 687. The following is step 1 in the case of an unauthorized client making a request to a resource with the transport guarantee set to CONFIDENTIAL.
Unauthorized client requests a constrained resource that has a CONFIDENTIALITY transport guarantee.
The Container sees that this constrained resource has a transport guarantee. The Container sees that the request did NOT come in securely...
The Container sends a 301 response to the client, that tells the browser to redirect the request using a secure connection.
The book shows a diagram where the user makes a POST request on /BuyStuff.jsp. So, initially, the first time the user makes the request, the payload in the POST request goes unencrypted, right? That means it is visible to an eavesdropper. It is only after the first request that the container asks the browser to switch to HTTPS over SSL. So for the first request the data/payload is visible. Am I missing something? If I am not, then how can we say that the data is protected? (No doubt the login information is secured when the user makes the request the third time, but what about the payload in the POST request?)
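A small Python model of the exchange the diagram describes, seen from three positions: the browser, the container, and a passive eavesdropper on the network. This is an added example, not code from HFSJ or from any servlet container. The `SECURITY_CONSTRAINTS` list stands in for a web.xml `<security-constraint>` whose `<user-data-constraint>` carries `<transport-guarantee>CONFIDENTIAL</transport-guarantee>`; the host name, form body and header set are constructed; and `container_handle` applies only the rule the diagram shows (constrained resource plus non-secure request gives a redirect to the same URL over HTTPS, with the 301 status the book uses). How a browser treats the method and body when following a 301 is deliberately left out; only the transport changes between the two requests.

```python
"""Model of the CONFIDENTIAL transport-guarantee redirect from the HFSJ diagram.

Constructed simulation, not servlet-container code. The 'container' applies one
rule: constrained resource + request not over TLS -> redirect to HTTPS. The
'eavesdropper' can read anything that travels as plaintext HTTP.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Stand-in for web.xml (assumed deployment descriptor): one security-constraint
# covering /BuyStuff.jsp with <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
SECURITY_CONSTRAINTS = [
    {"url_patterns": ["/BuyStuff.jsp"], "transport_guarantee": "CONFIDENTIAL"},
]


@dataclass
class Request:
    method: str
    url: str                      # absolute URL the browser requested
    headers: Dict[str, str]
    body: bytes = b""

    @property
    def secure(self) -> bool:
        """What HttpServletRequest.isSecure() would report for this request."""
        return urlsplit(self.url).scheme == "https"

    def wire_bytes(self) -> bytes:
        """Raw HTTP/1.1 request bytes, i.e. what leaves the browser before any TLS."""
        parts = urlsplit(self.url)
        lines = [f"{self.method} {parts.path} HTTP/1.1", f"Host: {parts.netloc}"]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        if self.body:
            lines.append(f"Content-Length: {len(self.body)}")
        return ("\r\n".join(lines) + "\r\n\r\n").encode() + self.body


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def matching_guarantee(path: str) -> Optional[str]:
    """Exact-match lookup of the transport guarantee for a request path."""
    for constraint in SECURITY_CONSTRAINTS:
        if path in constraint["url_patterns"]:
            return constraint["transport_guarantee"]
    return None


def container_handle(req: Request) -> Response:
    """Step 1 of the diagram: constrained resource + insecure request -> 301 to HTTPS.

    INTEGRAL is treated like CONFIDENTIAL here (both need a protected transport);
    authentication is a later step and is not modelled.
    """
    parts = urlsplit(req.url)
    guarantee = matching_guarantee(parts.path)
    if guarantee in ("CONFIDENTIAL", "INTEGRAL") and not req.secure:
        # Same path and query, scheme switched to https; status follows the book.
        return Response(301, {"Location": urlunsplit(parts._replace(scheme="https"))})
    return Response(200, body=b"<html>BuyStuff</html>")


def eavesdropper_sees(req: Request) -> Optional[bytes]:
    """Passive observer on the path: plaintext HTTP is fully readable, HTTPS
    exposes only TLS records (modelled as None, i.e. nothing useful)."""
    return None if req.secure else req.wire_bytes()


def run_exchange(form_body: bytes):
    """Browser POSTs over plain HTTP, container redirects, browser retries over HTTPS.

    Returns (first_response, what_leaked_from_first_request, what_leaked_from_retry).
    """
    first = Request("POST", "http://www.example.com/BuyStuff.jsp",   # constructed host
                    {"Content-Type": "application/x-www-form-urlencoded"}, form_body)
    resp = container_handle(first)
    leaked_first = eavesdropper_sees(first)
    # Browser follows Location; only the transport differs in this model.
    retry = Request(first.method, resp.headers["Location"], first.headers, first.body)
    return resp, leaked_first, eavesdropper_sees(retry)


if __name__ == "__main__":
    resp, leaked, retry_leak = run_exchange(b"item=book&qty=2")   # constructed form data
    print(resp.status, resp.headers)
    print("eavesdropper saw on first request:", leaked)
    print("eavesdropper saw on HTTPS retry:", retry_leak)
```

Running it shows the redirect the diagram describes and, alongside it, the full plaintext POST (request line, headers and `item=book&qty=2` body) available to anyone on the path before the switch to HTTPS, while the retry over HTTPS yields nothing to the observer.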