I have a servlet with a security constraint in its web.xml like below:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
The above forces a switch to the https protocol and works fine. But on the secured pages there are some relative links to unsecured pages. When users click on them they're opened via https, which I want to avoid. Converting relative links to absolute is not an option. The servlet spec does not provide a means of forcing an unsecured connection, so I'm going to implement a filter which would redirect the user to http:
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        if (!isSubjectToAuthConstraint(request)) {
            // Check protocol and redirect to http if https
            // ....
        } else {
            // Do nothing, managed by servlet spec
            filterChain.doFilter(request, response);
        }
    }
So I need to know whether the request is under a security constraint or not. How do I know it programmatically? Is it possible at all?
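
One way to make that decision, shown as an added example that is not part of the original post: read the `CONFIDENTIAL` url-patterns out of web.xml and match the request path against them using the servlet spec's pattern forms. The class name `ConfidentialPaths` and its methods are hypothetical; it assumes all constraints are declared in web.xml (not via annotations, web fragments or programmatic registration) and ignores `http-method` restrictions.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical helper (added example): url-patterns that web.xml marks CONFIDENTIAL.
public class ConfidentialPaths {
    private final List<String> patterns = new ArrayList<>();

    public ConfidentialPaths(InputStream webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        NodeList constraints = f.newDocumentBuilder().parse(webXml)
                .getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element c = (Element) constraints.item(i);
            NodeList tg = c.getElementsByTagName("transport-guarantee");
            if (tg.getLength() == 0
                    || !"CONFIDENTIAL".equals(tg.item(0).getTextContent().trim())) continue;
            NodeList urls = c.getElementsByTagName("url-pattern");
            for (int j = 0; j < urls.getLength(); j++)
                patterns.add(urls.item(j).getTextContent().trim());
        }
    }

    // Pattern forms: exact, "/prefix/*", "*.ext", "/". Any match counts as
    // constrained (no best-match precedence), which errs toward keeping https.
    public boolean matches(String path) {
        for (String p : patterns) {
            if (p.equals(path) || p.equals("/") || p.equals("/*")) return true;
            if (p.endsWith("/*")) {
                String prefix = p.substring(0, p.length() - 2);
                if (path.equals(prefix) || path.startsWith(prefix + "/")) return true;
            } else if (p.startsWith("*.") && path.endsWith(p.substring(1))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the constraint from the question.
        String xml = "<web-app><security-constraint><web-resource-collection>"
            + "<url-pattern>/admin/*</url-pattern></web-resource-collection>"
            + "<user-data-constraint><transport-guarantee>CONFIDENTIAL"
            + "</transport-guarantee></user-data-constraint></security-constraint></web-app>";
        ConfidentialPaths cp = new ConfidentialPaths(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println(cp.matches("/admin/users"));   // path under /admin/
        System.out.println(cp.matches("/administrator")); // same leading string, different segment
        System.out.println(cp.matches("/index.jsp"));     // unrelated path
    }
}
```

In a filter, the instance would be built once in `init` from `ServletContext.getResourceAsStream("/WEB-INF/web.xml")`, and the path to test is `getServletPath()` followed by `getPathInfo()` when it is non-null.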