You have to add a security-constraint-element to your deployment descriptor web.xml:
<web-app>
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>someName</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- ... -->
</web-app>
[Message sent by forum member 'writtmeyer' (writtmeyer)]
http://forums.java.net/jive/thread.jspa?messageID=269132