Rajesh

SCJP1.4 SCWCD1.4 SCBCD 1.3, SCDJWS (Preparing..)

There is no free will. It is the phenomenon bound by cause and effect. But there is something behind will which is free---Swami Vivekananda...
An absolute link with the 'http://' scheme will do it.
No matter how you do it, there will be some issues to watch for. Many containers won't keep the same session for secure and non-secure traffic. In other words, you'll lose your session when you switch.
Also, all recent browsers, by default, will generate a popup window warning the user that they are moving away from a secure session. Some users may see this as a bug in your app.
Lastly, as the name implies, non-secure sessions are, well, less secure. Under https, your session ID is encrypted before going over the wire. Without it, the session ID is transmitted as clear text. This makes session hijacking much easier.
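The session exposure described in the reply above can be handled on the server side. The following servlet filter is an added example, not code from the thread: it remembers whether a session started over HTTPS and refuses to honour that session if its ID later arrives over plain HTTP. The class name `SecureSessionPinFilter`, the attribute name and the `httpsUrl` helper are hypothetical, and the redirect assumes HTTPS is served on the default port.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: a session created over HTTPS is never honoured over plain HTTP. */
public class SecureSessionPinFilter implements Filter {
    // Hypothetical attribute name, chosen for this example.
    private static final String CREATED_SECURE = "example.session.createdOverHttps";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // do not create one here

        if (session != null) {
            Boolean createdSecure = (Boolean) session.getAttribute(CREATED_SECURE);
            if (createdSecure == null) {
                // First request seen for this session: remember the channel it started on.
                session.setAttribute(CREATED_SECURE, Boolean.valueOf(request.isSecure()));
            } else if (createdSecure.booleanValue() && !request.isSecure()) {
                // The ID of an HTTPS session arrived in clear text: treat it as exposed.
                session.invalidate();
                response.sendRedirect(httpsUrl(request));
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Rebuild the current URL with the https scheme (assumes the default port 443).
    private static String httpsUrl(HttpServletRequest request) {
        String query = request.getQueryString();
        return "https://" + request.getServerName() + request.getRequestURI()
                + (query == null ? "" : "?" + query);
    }
}
```

With this filter mapped to `/*`, a link that moves the user from https to http ends the HTTPS session instead of carrying its ID over the unencrypted connection.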
I would appreciate it if you could look at this thread and resolve my doubts.
I saw that thread and didn't respond to it earlier because I don't really have a good answer for you. I only use declarative security for some of the smaller, in-house apps where I work. For the larger apps I use programmatic security. Because of this, I don't really know all the ins and outs of form-based authentication.