I am using Acegi in a webapplication (with Tomcat), but I have a small problem in the production environment with https.
1) The login-page is https. 2) User types username and password and clicks "Log in". 3) IE 6.0 shows a warning "You are about to be redirected to a connection that is not secure bla bla", user clicks "Yes". 4) User is logged inn, and URL still shows https. The warning doesn't show up again.
I haven't heard any complaints yet, but a careful user might react that the password seemingly is sent over an insecure connection. (However, this warning is NOT shown in IE 7.0, Opera or Firefox.)
I used a HTTP-sniffer tool to see what's going on, and indeed it seems like j_acegi_security_check redirects to an insecure http-connection.
So why does j_acegi_security_check redirect to insecure http when it is called from https? Any settings to fix this? I have tried different settings for Acegi, like forceHttps, set menu.htm to require secure channel, portMapping, serverSideRedirect - but it still redirects to http.
As far as I can see, the problem is either: 1) Something in Acegi that I haven't managed to find out. 2) Maybe something in Tomcat? What? 3) Or maybe something in the reverse proxy controlling traffic to my server? Could that possibly be the case? I don't have access to this proxy, and no knowledge of it unfortunately.