Write some custom middleware to handle your logic. We have a similar
requirement at $JOB - SSL on logins, preference pages, anything with a
password form on it, but not on other views. I can't show the code,
but I can describe the logic.
You actually need to specify two things for a URL - is SSL allowed,
and is SSL required.
Your middleware should hook in to process_request.
If the current request is not SSL, check if the URL requires SSL and
redirect to SSL if it does.
If the current request is SSL, check if SSL is allowed, redirect to
non SSL if it doesn't.
If the request is a POST and needs redirection, blow up, this is a
logic error (you can't redirect a POST, and anything requiring this is
doing things in an incorrect order).
There is an easy way to check if SSL is required for a view. In your
urlconf, you can specify additional keyword arguments for a view. Our
middleware checks for the keyword arguments 'ssl_required' and
'ssl_allowed', which neatly allows the configuration for whether a URL
is to be handled by SSL to be included along with all the other URL
configuration.
An important note is that the middleware must remove these additional
arguments, since the views will not be expecting them!
Cheers
Tom