
Tomcat: Issue with redirecting from HTTP to HTTPS

I am doing some modifications to an existing web application which uses Struts and deploys on Tomcat. I was trying to make my application redirect from HTTP to HTTPS when the user visits one particular page. To do that, I added to my web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>secured page</web-resource-name>
    <url-pattern>/secured.do</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

and to my server.xml:

<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile=".keystore"
keystorePass="password" />

and it worked. The problem was that once the user is redirected to HTTPS, he doesn't go back to HTTP even when he visits another regular page. My question is, is that behavior normal, and are the configurations mentioned earlier supposed to do that? Or is there something related to the application that is causing this behavior? Thank you


Yes, that is the normal behaviour on Tomcat.

Once it moves into https, it will not redirect other URLs back into http, unless the URL explicitly is for http.

You could try adding this to the non-secure URL pattern block in web.xml, but this still won't auto-redirect to http after an https.

<user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>

If you really need to, you would have to write a Filter to check if the URL is not part of the secured pattern, then redirect back to http.
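
A sketch of the filter the answer describes, as an added example that is not part of the original answer or of Tomcat itself. The class name and the `securedPath` and `httpPort` init-params are hypothetical, and the code assumes the filter is mapped to `/*` in web.xml and that the Struts servlet is extension-mapped (`*.do`), so `getServletPath()` returns `/secured.do` for the secured page.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: sends HTTPS requests for non-secured pages back to HTTP.
public class HttpDowngradeFilter implements Filter {
    private String securedPath; // assumed init-param, e.g. /secured.do
    private int httpPort;       // assumed init-param: port of the plain HTTP connector

    @Override
    public void init(FilterConfig cfg) {
        securedPath = cfg.getInitParameter("securedPath");
        httpPort = Integer.parseInt(cfg.getInitParameter("httpPort"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getServletPath() excludes path parameters such as ;jsessionid=..., so the
        // comparison cannot be bypassed by them and cannot cause a redirect loop
        // with the CONFIDENTIAL constraint on the secured page.
        boolean securedPage = request.getServletPath().equals(securedPath);

        // Pass through: plain HTTP requests, the secured page itself, and any
        // non-GET request (a redirect would silently drop a POST body).
        if (!request.isSecure() || securedPage || !"GET".equals(request.getMethod())) {
            chain.doFilter(req, res);
            return;
        }

        // Rebuild the same URL on the HTTP connector.
        StringBuilder target = new StringBuilder("http://").append(request.getServerName());
        if (httpPort != 80) {
            target.append(':').append(httpPort);
        }
        target.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        // No encodeRedirectURL(): it could append the session id to a cleartext URL.
        response.sendRedirect(target.toString());
    }

    @Override
    public void destroy() { }
}
```

A session that Tomcat creates over HTTPS gets a cookie marked Secure, which the browser does not send on the redirected HTTP request, so that session does not carry over to the HTTP pages.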
