In our prior Struts 1.x release of our web portal, all connections were redirected through HTTPS. Unfortunately, there was a fair amount of information on the portal which could easily have been served back to the browser via HTTP rather than SSL to avoid unnecessary overhead, but at the time the easiest solution was simply to stay on HTTPS.
As we've moved to Struts 2.1.x, I'm revisiting alternatives. Ideally, what I would like to be able to do is secure the authentication process and then potentially move the session back to HTTP to avoid that unnecessary overhead. I've read that you can create a Filter and adjust the Tomcat cookies that are set, but I was curious whether there is a more elegant and supported way of doing this. Presently, authentication is what I am looking at, but down the road there may be additional actions that we would want to consider securing, while maintaining the session between both the HTTP and HTTPS states of the site, just to protect the data being sent to and from the browser and server. Thoughts and suggestions?