Modern browsers (like Firefox 3) warn the user when a site cannot be trusted even though it uses https. In this case you are using a self-signed certificate (which is the default for GlassFish). In general these can be set up by about just anyone and you have no way knowing whether they really were generated by the site owner - thus they are not trustworthy. Trustworthy are only certificates signed by authorities like Verisign, Thawte or others whose certificates are part of the browser installation.
Now for development environments self-signed certificates of course are fine and you should just click "Add Exception", download the certificate of your local server and accept it.
In production on the other hand you should use a signed certificate. How to set up these in v2 is described here:
http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2).
--
Wolfram Rittmeyer
[Message sent by forum member 'writtmeyer' (writtmeyer)]
http://forums.java.net/jive/thread.jspa?messageID=335809