I'm using Spring 3.2 + primefaces 3.5 + hibernate 4.1.9 The security context is:
<http auto-config='false' use-expressions="true" >
<intercept-url pattern="/**/login" access="permitAll" requires-channel="https"/>
<intercept-url pattern="/**/registration" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart" access="permitAll" requires-channel="https" />
<intercept-url pattern="/**/cart/**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/pages/adm/**" access="hasRole('ADMIN')" requires-channel="https" />
<intercept-url pattern="/*/account**" access="hasAnyRole('USER','ADMIN')" requires-channel="https" />
<intercept-url pattern="/**" requires-channel="any" />
<form-login login-page="/loginRedirect"
authentication-failure-handler-ref="pennyUrlAuthenticationFailureHandler"
authentication-success-handler-ref="pennyAuthSuccessHandler"
default-target-url="/pages/account/orders.xhtml" />
<logout logout-success-url="/" invalidate-session="true"/>
</http>
If I go to a page that requires HTTPS, for the rest of session, it will use the HTTPS protocol, even if the user is not authenticated. If I go to https ://mystite/en/cart, HTTPS will be used for all browsing session.
I do not want to switch HTTPS to HTTP forever, but only if the user is not authenticated. Can I force the HTTP for non-authenticated users?
