Setting tapestry.secure-enabled to "false" and removing @Secure annotations solved my problem. Internal users can acces Tomcat directly via HTTP. External users can access Apache httpd via HTTPS, which handles SSL and forwards the request to Tomcat (via AJP).
Works nicely now when Tapestry does not redirect between http and https . Thans for your advice. Regards Martin
