  1. Tapestry 5
  2. TAP5-167

Applications should support both secured and unsecured access based on initial access method


Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Abandoned
    • 5.0.15
    • None
    • None
    • None

    Description

      The ability to mix secured and unsecured pages with the @Secured annotation means that anything not marked as @Secured will have unsecured URLs generated. As a result, it is not possible to make an application all secured using firewall rules for external access, but unsecured for internal access.

      It would be useful to support, at least for applications using the session, the ability to have the default protocol remembered based on the method of first access. This would support multiple security modes.

      A possible configuration flag would be MetaDataConstants.SECURE_PAGE_DEFAULT, where the available values are "true", "false", "any".

      This also helps troubleshoot when you have Apache HTTP -> mod_jk -> Tomcat, where only internal systems can directly hit Tomcat.
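
A sketch of the behaviour requested in the description, added here as an example; it is not code from the issue or from Tapestry. The class, the `firstAccessWasSecure` session attribute and the `linkIsSecure` helper are hypothetical, and a `Map` stands in for the servlet session.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of the proposed default; none of these names are Tapestry API.
class SecureDefaultSketch {
    enum Mode { TRUE, FALSE, ANY } // the proposed "true" / "false" / "any" values

    // Hypothetical session attribute holding the scheme of the first request.
    static final String FIRST_ACCESS = "firstAccessWasSecure";

    static Mode parse(String value) {
        switch (value) {
            case "true":  return Mode.TRUE;
            case "false": return Mode.FALSE;
            case "any":   return Mode.ANY;
            default: throw new IllegalArgumentException("unknown mode: " + value);
        }
    }

    // Should a link to a page be generated as https?
    // 'session' is a Map standing in for the servlet session.
    static boolean linkIsSecure(boolean pageMarkedSecured, Mode mode,
                                Map<String, Object> session, boolean requestIsSecure) {
        if (pageMarkedSecured) return true;    // annotated pages stay https
        if (mode == Mode.TRUE) return true;    // whole application secured
        if (mode == Mode.FALSE) return false;  // unmarked pages get unsecured URLs
        // ANY: record the scheme of the first request, then keep reusing it.
        Object first = session.putIfAbsent(FIRST_ACCESS, requestIsSecure);
        return first == null ? requestIsSecure : (Boolean) first;
    }

    public static void main(String[] args) {
        Mode mode = parse("any");
        Map<String, Object> external = new HashMap<>(); // constructed: first request via https
        Map<String, Object> internal = new HashMap<>(); // constructed: first request via http

        System.out.println("external, first hit:  " + linkIsSecure(false, mode, external, true));
        System.out.println("internal, first hit:  " + linkIsSecure(false, mode, internal, false));
        // A later request on the other scheme does not change the remembered default.
        System.out.println("external, later http: " + linkIsSecure(false, mode, external, false));
        System.out.println("internal, later https: " + linkIsSecure(false, mode, internal, true));
        // Pages marked as secured are https in every mode.
        System.out.println("marked page, mode=false: " + linkIsSecure(true, parse("false"), internal, false));
    }
}
```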


          People

            hlship Howard Lewis Ship
            jonabarker Jonathan Barker
            Votes: 7
            Watchers: 5