I did a little more research and found this. this is the original post.
[b]
Putting
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
Will ensure that the URL's protected by auth-constraint cannot be accessed using HTTP, it would then cause a redirect and require https..
But if you are already using https then it will work even if you do not specify the above[/b]
[Message sent by forum member 'tannic2k7' (tannic2k7)]
http://forums.java.net/jive/thread.jspa?messageID=354889