How to force only one page to open with SSL?

In my project, I am using SSL but it works for all pages.I want to use it for only a login page, after that page it should revert to HTTP protocol. How can i do that? I found a way below, but it does not work.

    <security-constraint>
    <web-resource-collection>
  开发者_开发知识库      <web-resource-name>Notify page, accessed internally by application</web-resource-name>
        <url-pattern>/Login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Site</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

My project is a JSF 2.0 project, I am using Eclipse Helios and Tomcat 7.0.

Thanks.

That's not possible. When the session is created by HTTPS request, then it is not available to HTTP requests. Your best bet is to create a non-secure cookie yourself during login and maintain the login by that instead.

Map<String, Object> properties = new HashMap<String, Object>();
properties.put("secure", false);
externalContext.addResponseCookie(name, value, properties);

But think once again about this, what's the point of the HTTPS login then? If you go back to HTTP after HTTPS and you want to keep the user logged-in, then you're required to set the session cookie unsecure. This way hackers will still be able to sniff the session ID in the cookie to do a session fixation hack. With login over HTTPS you only prevent that hackers learn about the actual username/password, but that has no point anymore once a hacker figures the session ID in the cookie.

I'd say, forget the switch and stick to HTTPS all the time after login.