The example code works fine, but it is not really what I need. What I want to try and do is only secure the login page, then after logging in resume a normal http session, not remain in a secure session. The problem appears to be that Glassfish applies the security constraint of the targeted url - in this case /secure/Hello.html, rather than the constraint on the login form. So this means (if I'm right) that unless every resource in your web app is set up with an https security constraint, then there is no way to guarantee a secure login is used. Seems to be a pretty big limitation of using form based authentication...
So how to fix this? Write some code (which defeats the purpose of using declarative security) or use Client Certificate authentication.
[Message sent by forum member 'spencerthomo' (spencerthomo)]
http://forums.java.net/jive/thread.jspa?messageID=241610