When redirecting from the HTTPS CAS application back to an HTTP service after authenticating successfully, IE6 presents the user with a security dialog saying "you are about to be redirected to a connection that is not secure, do you really want to do this?". We can avoid this by using JavaScript to perform the redirection in the client browser, instead of a server-side redirect. NB: This approach works fine for web pages, but does not work for protected image content, which will not execute the returned JavaScript.
1. Create WEB-INF/view/jsp/default/ui/redirect.jsp to perform the redirection using javascript
    <%@page import="org.jasig.cas.authentication.principal.WebApplicationService" %>
    <%@page import="org.jasig.cas.web.support.WebUtils" %>
    <%@page import="org.springframework.web.util.JavaScriptUtils" %>
    <%
        // Read the service and the service ticket from the request attributes.
        WebApplicationService service = (WebApplicationService) request.getAttribute("service");
        String ticket = (String) request.getAttribute("serviceTicketId");
        // Escape the URL so it cannot terminate the JavaScript string literal below.
        String target = JavaScriptUtils.javaScriptEscape(service.getResponse(ticket).getUrl());
    %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <script type="text/javascript" language="javascript">
    <!--
    window.location.replace("<%=target%>");
    -->
    </script>
    <title>Redirect</title>
    </head>
    <body></body>
    </html>
2. Make a redirect view available to CAS by adding it to WEB-INF/classes/default_view.properties
    ### Redirect view (logged in, javascript redirect to service)
    redirectView.(class)=org.springframework.web.servlet.view.JstlView
    redirectView.url=/WEB-INF/view/jsp/default/ui/redirect.jsp
3. Modify WEB-INF/login-webflow.xml to make the redirect end state use the new view
<end-state id="redirect" view="redirectView" />
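
With a client-side redirect, the browser acts on whatever string the JSP writes into `window.location.replace()`, so the target is worth checking before it is emitted. The following is an added example, not part of the original page or of CAS: a hypothetical helper `SafeRedirectLiteral.forScript` that accepts only absolute http(s) targets and escapes the result for a JavaScript string literal. The sample URLs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper for this example; not part of CAS. */
public final class SafeRedirectLiteral {

    /** Returns url escaped for a JavaScript string literal, or throws if it is not absolute http(s). */
    public static String forScript(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URI", e);
        }
        String scheme = uri.getScheme();
        // location.replace() runs a javascript: target as script in the page,
        // so allow only http and https targets that carry a host.
        boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        if (!web || uri.getHost() == null) {
            throw new IllegalArgumentException("redirect target must be absolute http(s)");
        }
        StringBuilder out = new StringBuilder(url.length() + 16);
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            // Hex-escape characters that could close the string literal or the script element.
            boolean risky = c == '"' || c == '\'' || c == '\\' || c == '<' || c == '>'
                    || c == '&' || c < 0x20 || c == 0x2028 || c == 0x2029;
            if (risky) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed sample values
            "http://app.example.org/home?a=1&ticket=ST-1-constructed",
            "javascript:void(0)",
            "/relative/path"
        };
        for (String s : samples) {
            try {
                System.out.println("ok       " + forScript(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```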