Not sure if I know what is going on. The forbidden error code is (supposed to be) returned by Glassfish when the transport check fails and the target url is protected by an auth-constraint naming no roles. In that case, redirection to a confidential transport will not help, and forbidden is returned to preclude the redirection.
maybe there is more to your web.xml, and to your policy file. Can you attach the contents of your apps policy files. both granted.policy and excluded.policy. If there were any auth-constraints nameing no roles, they will have been translated into "negative" grants in excluded.policy.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=274078