If your JSP site still loads over HTTP, forcing HTTPS is one of the most important steps for secure delivery. It protects login forms, session cookies, and user data, and it also avoids browser warnings when visitors reach your application through an unsecured URL. On a hosting platform with Plesk, Apache, and Tomcat, the best approach is usually to combine SSL certificate installation with a redirect from HTTP to HTTPS at the web server or application level.
For JSP hosting and Tomcat hosting, there are a few ways to enforce HTTPS depending on how your application is deployed. If you use a standard web server proxy in front of Tomcat, the redirect is often handled in Apache or Plesk. If your app runs on a private JVM or directly on Tomcat, you may also need to make sure the application is aware that the original request was secure, especially when generating absolute links or handling authentication.
Why forcing HTTPS matters for JSP applications
JSP applications often handle sessions, form submissions, and dynamic content. Without HTTPS, those requests can be read or altered in transit. For public-facing applications, HTTPS is now the expected standard, and many browsers mark HTTP pages as “Not Secure”.
For a JSP site, forcing HTTPS helps you:
- protect login credentials and personal data
- secure session cookies and authentication tokens
- avoid mixed-content issues caused by loading HTTP resources on an HTTPS page
- improve trust and compatibility with modern browsers
- support search engine best practices for secure websites
In managed hosting environments, HTTPS enforcement is usually straightforward once the SSL certificate is active and the application is configured correctly.
Before you force HTTPS
Make sure the following is already in place:
- an SSL/TLS certificate is installed for the domain
- the domain resolves correctly to the hosting account
- your JSP application works on HTTP and HTTPS before redirecting
- any reverse proxy or Apache/Tomcat setup is known
If you use My App Server in a Plesk-based Java hosting setup, you can typically manage Tomcat or a private JVM inside the hosting account and still use the platform’s web server layer for the public domain. That makes HTTPS enforcement easier because the external request can be redirected before it reaches the application.
Recommended ways to force HTTPS on a JSP application
1. Use a web server redirect from HTTP to HTTPS
This is the most common and reliable method. The idea is simple: if a visitor opens http://example.com, the server sends them to https://example.com automatically.
In an Apache-based setup, this can be done with rewrite rules or a virtual host redirect. In Plesk, there is often a built-in option to redirect HTTP to HTTPS for the domain.
Typical benefits of doing this at the server level:
- the redirect happens before the application code runs
- it works for all paths, not just the home page
- it is easier to maintain than hardcoding redirects in JSP pages
2. Redirect inside the JSP application if needed
If you cannot change the web server configuration, you can enforce HTTPS in the application itself. This is useful for smaller deployments or when the app must handle the redirect logic.
However, application-level redirects are usually a fallback, not the first choice. They are less efficient and may be harder to maintain if you have many pages, filters, or frameworks in use.
3. Use Tomcat security constraints
Tomcat supports security constraints in web.xml. You can require confidential transport for certain URL patterns, which tells the container that those pages must be accessed over HTTPS.
This is especially helpful if you want to protect:
- login pages
- checkout flows
- account settings
- administration sections
In many JSP hosting scenarios, this is combined with an Apache or Plesk redirect so that all traffic is consistently forced to HTTPS before the request reaches Tomcat.
How to force HTTPS in Plesk
If your hosting account uses Plesk, the simplest method is often to enable the option that redirects HTTP traffic to HTTPS. The exact wording may vary depending on the setup, but the goal is the same: make the domain redirect all insecure requests to the secure version.
General steps in Plesk
- Open the domain in Plesk.
- Confirm that an SSL certificate is installed and assigned to the domain.
- Go to the hosting or Apache & nginx settings for the domain.
- Enable the option to redirect HTTP to HTTPS, if available.
- Save the changes and test both the root domain and key application URLs.
If your application is served through My App Server, the public domain may still be handled by Apache, while Tomcat runs your JSP application behind the scenes. In that case, the redirect should be applied at the domain/web server layer so that every request is normalized before the app responds.
How to force HTTPS with Apache rewrite rules
If you have access to Apache configuration or to an .htaccess file, you can redirect all HTTP requests to HTTPS with rewrite rules. This is one of the most common options for hosted JSP applications.
Example redirect rule
Use a rule similar to the following in the site’s Apache configuration or .htaccess file, if your hosting plan allows it:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This rule checks whether the request is not using HTTPS, then sends a permanent redirect to the same URL over HTTPS.
Notes for JSP hosting environments
- If the site is behind a proxy or load balancer, %{HTTPS} may not reflect the original browser connection unless proxy headers are configured correctly.
- Use a 301 redirect for permanent enforcement when the HTTPS setup is final.
- Make sure the certificate covers the domain and any common aliases such as www.
How to force HTTPS in Tomcat for a JSP application
When Tomcat is directly responsible for the application routes, you can enforce HTTPS through configuration and filters. This is useful for JSP hosting where your application runs in a private JVM and you want the container to treat specific URLs as secure.
Use security constraints in web.xml
You can define confidential transport requirements in web.xml. Example:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
This tells Tomcat that the selected URLs must be accessed over a secure connection.
Make Tomcat aware of the proxy
If Apache terminates SSL and forwards traffic to Tomcat, Tomcat may see the internal connection as plain HTTP even though the browser used HTTPS. In that case, your app may need proxy-aware configuration so generated links, redirects, and security checks work correctly.
Depending on the setup, this may involve:
- setting proxy-related attributes in the connector configuration
- using forwarded headers such as X-Forwarded-Proto
- configuring the application to respect secure request information
This is important when your JSP pages build absolute URLs, submit forms, or create redirects after login.
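An application-level redirect of the kind described under "Redirect inside the JSP application if needed", made aware of the proxy as this section describes. It is an added example, not code from the hosting platform or from Tomcat. It assumes Tomcat 10 or later (jakarta.servlet; on Tomcat 9 the package is javax.servlet), Apache on the same host as the only trusted proxy, and Apache sending X-Forwarded-Proto; the class name ForceHttpsFilter is hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import jakarta.servlet.*;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Added example: sends plain-HTTP requests to the HTTPS URL and honours
// X-Forwarded-Proto only when the request comes from a trusted proxy.
@WebFilter("/*")
public class ForceHttpsFilter implements Filter {

    // Assumption: Apache runs on the same host and is the only trusted proxy.
    private static final Set<String> TRUSTED_PROXIES =
            Set.of("127.0.0.1", "0:0:0:0:0:0:0:1");

    // Decision logic kept separate from the servlet API so it can be unit-tested.
    static boolean isSecure(boolean containerSecure, String remoteAddr, String forwardedProto) {
        if (containerSecure) {
            return true; // Tomcat already treats the request as secure
        }
        // A forwarded header from an untrusted peer is ignored; otherwise any
        // client could set it and skip the redirect.
        return TRUSTED_PROXIES.contains(remoteAddr)
                && "https".equalsIgnoreCase(forwardedProto);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isSecure(request.isSecure(), request.getRemoteAddr(),
                request.getHeader("X-Forwarded-Proto"))) {
            chain.doFilter(req, res); // already HTTPS at the browser: no redirect, no loop
            return;
        }
        // Same host, path and query string, over HTTPS.
        StringBuilder target = new StringBuilder("https://")
                .append(request.getServerName())
                .append(request.getRequestURI());
        if (request.getQueryString() != null) {
            target.append('?').append(request.getQueryString());
        }
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); // 301
        response.setHeader("Location", target.toString());
    }
}
```

If Apache already redirects HTTP to HTTPS, this filter only acts on requests that reach Tomcat by another route, so the two layers do not produce a redirect loop.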
How to force HTTPS only for selected JSP paths
In some cases, you may not want to force the entire site immediately. For example, a public marketing site may remain on HTTP, but you may want to ensure that /login, /account, or /checkout is always secure.
That can be done with either Apache rewrite rules or Tomcat security constraints limited to specific URL patterns.
Example use cases
- all pages require HTTPS on a production site
- only authenticated areas require HTTPS during a staged migration
- certain legacy routes are still being updated
For security and SEO consistency, however, it is usually better to force HTTPS on the entire public site once the certificate and redirects are working correctly.
Common issues when forcing HTTPS on JSP sites
Redirect loops
A redirect loop happens when the server keeps sending the browser back and forth between HTTP and HTTPS. This often occurs when Apache, Tomcat, or the application disagree about whether the request is secure.
To fix this, check:
- SSL termination point
- proxy headers
- application redirect rules
- any hardcoded URL rewriting inside JSP pages
Mixed content warnings
If your page loads images, scripts, fonts, or CSS from HTTP URLs, the browser may block them or warn the user. After forcing HTTPS, update all internal references to use secure URLs or relative paths.
Common sources of mixed content in JSP applications include:
- hardcoded links in JSP templates
- old static asset paths in includes
- external libraries referenced over HTTP
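One way to find these references before the browser does, as an added example that is not part of the original page. The class name MixedContentScan and the sample template are constructed for illustration; in practice the scan method would be run over the contents of each .jsp, .jspf and include file.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: flags hardcoded http:// references in JSP/HTML source.
public class MixedContentScan {

    // Attributes that load a resource or submit data, plus CSS url(...).
    // Plain <a href> links are reported too, so they can be reviewed.
    private static final Pattern INSECURE_REF = Pattern.compile(
            "(?i)\\b(src|href|action)\\s*=\\s*[\"']?(http://[^\"'\\s>]+)"
            + "|url\\(\\s*[\"']?(http://[^\"')\\s]+)");

    // Returns one "line N: URL" entry per insecure reference found.
    static List<String> scan(String source) {
        List<String> findings = new ArrayList<>();
        String[] lines = source.split("\\R");
        for (int i = 0; i < lines.length; i++) {
            Matcher m = INSECURE_REF.matcher(lines[i]);
            while (m.find()) {
                String url = m.group(2) != null ? m.group(2) : m.group(3);
                findings.add("line " + (i + 1) + ": " + url);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample template, not taken from a real application.
        String jsp = String.join("\n",
                "<%@ page contentType=\"text/html\" %>",
                "<link rel=\"stylesheet\" href=\"http://static.example.com/site.css\">",
                "<script src=\"/js/app.js\"></script>",
                "<img src='http://example.com/logo.png'>",
                "<form action=\"https://example.com/login\" method=\"post\">",
                "<div style=\"background:url(http://example.com/bg.png)\"></div>");
        scan(jsp).forEach(System.out::println);
    }
}
```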
Session or login problems
If authentication works on HTTP but fails after redirecting to HTTPS, review cookie settings and application security configuration. Session cookies should be marked appropriately for secure transport when needed.
Also verify that your application does not generate login redirects using an incorrect base URL.
Wrong canonical domain
If your site should use www or the non-www version consistently, combine the HTTPS redirect with a single canonical hostname rule. This avoids duplicate content and makes URL handling cleaner.
Best practice setup for JSP hosting with HTTPS
For most hosted JSP applications, the best pattern is:
- install the SSL certificate for the domain
- enable a global HTTP to HTTPS redirect in Plesk or Apache
- configure Tomcat to respect secure proxy headers if Apache is the front end
- update hardcoded URLs in JSP files and templates
- test login, forms, redirects, and static assets over HTTPS
This approach works well for small and medium Java applications running on a private JVM or Tomcat instance within a hosting account. It keeps the enforcement close to the web layer while allowing the application to run normally behind it.
Example migration checklist
- SSL certificate installed and valid
- domain opens correctly with https://
- http:// redirects to https:// with a 301 status
- no mixed-content warnings in the browser console
- JSP pages generate HTTPS links when building absolute URLs
- Tomcat or proxy headers are configured correctly, if applicable
- form submissions and authentication flows work after redirect
FAQ
Should I force HTTPS in Apache, Plesk, or Tomcat?
For most hosted JSP applications, the preferred place is Apache or Plesk, because the redirect happens before the request reaches the application. Use Tomcat configuration when you need app-level enforcement for specific URL patterns or when server-level control is not available.
Do I need to change my JSP code after enabling HTTPS?
Sometimes. If your code uses absolute http:// links, builds URLs manually, or depends on the request scheme, you should update those parts to use HTTPS or relative paths. Also check for mixed-content references in templates and static resources.
Why does my JSP app still think the request is HTTP after SSL is enabled?
This usually happens when SSL is terminated by Apache or a proxy before the request reaches Tomcat. The browser is using HTTPS, but Tomcat receives an internal HTTP request. In that case, proxy-aware configuration is needed so the application can detect the original secure protocol.
Can I force HTTPS only for login pages?
Yes. You can protect selected URL patterns using Tomcat security constraints or Apache rewrite rules. This is useful if you want to secure sensitive parts of the application first, though full-site HTTPS is usually the better long-term choice.
What status code should I use for the redirect?
Use 301 for a permanent redirect when HTTPS is fully enabled. If you are testing a new setup and want to avoid caching the redirect too early, a temporary redirect may be used during validation, then changed to 301 later.
Will forcing HTTPS affect SEO?
Proper HTTPS enforcement usually helps SEO rather than hurting it, as long as redirects are clean, canonical URLs are consistent, and there are no duplicate HTTP pages left accessible. Make sure all old HTTP URLs point to the secure version with a single redirect.
Conclusion
Forcing HTTPS on a JSP application is best done at the web server layer, with Apache or Plesk handling the redirect and Tomcat configured correctly behind it. In a managed Java hosting setup such as My App Server, this gives you a practical way to secure your public application without unnecessary complexity. Once the SSL certificate is installed and the redirect is in place, test the full flow carefully: homepage, JSP pages, forms, login, and static assets.
When configured correctly, HTTPS becomes the default for your site, improves user trust, and keeps your JSP application aligned with modern security expectations.