How can I specify a filter to work on all URIs excluding one URI? Does <filter-mapping> allow excluding a <url-pattern>? Let me explain my requirements. When the host scheme changes to https, let's say like https://xyz.com/default1.jsp, the next URI request should be served on the http host scheme. I would like to provide access to www.xyz.com/default1.jsp only on the https host scheme.
You could create a filter that checks the isSecure() property of HttpServletRequest and redirects to https:.... and map it to that one page.
Note: Jumping back and forth from secure to non-secure can often wreak havoc with your sessions. I know that Tomcat (not sure about all other servers) will start a new and separate session when you move from non-secure to secure.
Browsers will also fire off popup warnings when a user moves from a secure to a non-secure site or if a link to a resource on a secure page (such as an image) has a fully qualified, non-secure URL.
Originally posted by Ben Souther: ...Note: Jumping back and forth from secure to non-secure can often wreak havoc with your sessions. I know that Tomcat (not sure about all other servers) will start a new and separate session when you move from non-secure to secure....
You scared me more than I could say. Do you think that all session-related data will be lost when the host scheme is changed from non-secure to secure? Or did you just mean that a new session ID will be created? My requirement is analogous to the normal shopping cart: adding items in the non-secure scheme and switching to secure for the payment details. It is just that additionally I want to switch it back to non-secure when payment is confirmed.
It wouldn't be hard to check. Just write some println statements that log the session ID.
What container are you using? Is your shopping cart only going to exist in memory (session) or are you also storing the data in your database? Most major online vendors allow you to add to your cart and come back days or weeks later to resume where you left off. If your cart only exists in session, users won't be able to do that.
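
The filter and the session-ID logging check suggested in this thread, combined in one added example that is not code from any poster: `<url-pattern>` has no exclusion syntax, so the filter is mapped to `/*` and decides by path in code. The class name `SchemeFilter`, the fixed `HOST` constant and the default ports (443 and 80) are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. Map it to every request in web.xml:
//   <filter-mapping><filter-name>SchemeFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
public class SchemeFilter implements Filter {
    // The one page that must be HTTPS-only (path taken from the question).
    private static final String SECURE_PATH = "/default1.jsp";
    // Assumption: fixed host and default ports, so the redirect target never
    // depends on the client-supplied Host header.
    private static final String HOST = "www.xyz.com";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath(); // excludes context path and query string

        // Debug-only check from the thread: does the session ID change with the scheme?
        HttpSession session = request.getSession(false); // false: never create one here
        System.out.println(request.getScheme() + " " + path + " session="
                + (session == null ? "none" : session.getId()));

        boolean mustBeSecure = SECURE_PATH.equals(path);
        if (mustBeSecure == request.isSecure()) {
            chain.doFilter(req, res); // scheme already matches the rule
            return;
        }
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A redirect would drop the request body, so refuse instead of redirecting.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String query = request.getQueryString();
        response.sendRedirect((mustBeSecure ? "https://" : "http://") + HOST
                + request.getContextPath() + path + (query == null ? "" : "?" + query));
    }
}
```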