How to Require HTTPS / SSL
To require HTTPS (SSL) for a resource define a security constraint with <transport-guarantee>. Then any attempt to access it without SSL will be redirected to a https URL.
This example requires SSL for two directories:
<security-constraint> <web-resource-collection> <web-resource-name>User Preferences</web-resource-name> <url-pattern>/prefs/*</url-pattern> <url-pattern>/settings/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> <!-- "CONFIDENTIAL" means SSL --> </user-data-constraint> </security-constraint>
You can also combine the <user-data-constraint> element with <auth-constraint> to require HTTPS for restricted resources.
